After onboarding into Prisma Access, Cortex XDR live terminal connections were no longer working. There is an existing support document relating to this sort of issue: "Enable Access to Cortex XDR". There is a section for decryption issues (step 2); what is not clear on this page is that to allow live terminal to work you also need to exclude the following URL:

    lrc-eu.paloaltonetworks.com

It is referred to in Step 3, but only from the point of view of access.
Due to a firewall issue, I needed to see if an update to PANOS was related to a change in behaviour. I wasn’t sure exactly when the firewall had been upgraded. Searching through the system logs did not seem to show PANOS version changes. Finally I found a mention in a support forum of debug swm history. In short:

    debug swm history | match 'install panos'

will give you the history of upgrades.
In a fully wired VMware lab using a virtual Palo Alto (PANOS 8.1.14-h2) VM-50 I could see really rather high latency. That did not make sense for a wired LAN. After some internet-based digging I found this: "Is higher latency normal on a VM compared to hardware?" This referred to some rare issues with virtual ESXi Palo Altos and Intel’s DPDK. Following the referenced link takes you to a Palo Alto support page showing you how to disable the DPDK, which, as it states, is enabled as default.
This is my process for upgrading HA Palo Alto firewalls. Some steps will depend on your HA configuration; if you are not using preemption then you can’t disable it etc. So where possible refer to the official documentation. To start off you should take named snapshots of the config and export them off the firewall just to be safe. Below are the steps:

Primary

- Disable preemption, commit
- Fail over the firewall, CLI: request high-availability state suspend
  Note: this will fail over the firewall
- Check connectivity now the secondary is active
- Install update and reboot
- After device has rebooted, log in and check the tasks for a successful autocommit, CLI: show jobs all
- Enable HA, CLI: request high-availability state functional

Secondary
The Palo Alto Networks Logging Service enables firewalls to push their logs to Cortex Data Lake (CDL). If a firewall is having issues connecting you can try the following. Check the logging service license is installed:

    request license info

You should at least see the logging service license among the returned licenses. If not then things are not going to work. If the license is there and you still have issues then try the following to refresh the key and the certificate.