Prisma Cloud: How to resolve Azure Cloud account Flow-logs status error "Storage Account access failed"?
Created On 03/07/22 14:53 PM - Last Modified 10/26/25 22:36 PM
Symptom
Flow-logs status error 'Storage Account access failed'
Environment
- Prisma Cloud
- Microsoft Azure
- Flow logs
Cause
When the Azure storage account is missing a required permission, the Flow-logs status shows the error 'Storage Account access failed'.
Resolution
Enable Prisma Cloud to obtain network traffic data from network security group (NSG) flow logs: NSG flow logs are a feature of Network Watcher, which allows you to view information about ingress and egress IP traffic through an NSG.
- Create one or more network security groups if you have none.
- Create Azure Network Watcher instances for the virtual networks in every region where you collect NSG flow logs.
Network Watcher enables you to monitor, diagnose, and view metrics to enable and disable logs for resources in an Azure virtual network.
- Create storage accounts to collect NSG flow logs. If you are storing flow logs in a storage account that belongs to a different subscription than the one that is generating the flow logs and is being onboarded, Prisma Cloud can ingest flow logs only when:
- The subscriptions belong to the same Azure AD or Root Management Group (for example, Azure Org).
- The Service Principal that you use to onboard the subscription on Prisma Cloud has access to read the contents of the storage account.
- Add only the IP addresses for your Prisma Cloud instance from NAT Gateway IP Addresses for Prisma Cloud. For example, if your instance is on app.prismacloud.io, use the IP addresses associated with that.
- On the Azure Portal, you must include the source and the DR Prisma Cloud IP addresses for your Prisma Cloud instance. Select Azure services > Storage accounts > (your storage account) > Networking > Selected networks.
Replace (your storage account) with the name of your actual storage account in the Azure portal.
- Enable Network Watcher and register the Microsoft.Insights Resource Provider. Microsoft.Insights is the resource provider namespace for Azure Monitor, which provides features such as metrics, diagnostic logs, and activity logs.
- Enable NSG flow logs version 1 or 2, based on the regions where NSG flow logs version 2 is supported on Azure.
- Verify that you can view the flow logs.
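To confirm the storage account firewall step before re-checking the flow-logs status, the following added example (not part of the original article or Palo Alto Networks tooling) compares the storage account's network rule set with the IP addresses you need to allow. It assumes the rule set was exported with `az storage account show --query networkRuleSet`; the sample rule set is constructed and the addresses are documentation-range placeholders, not real Prisma Cloud IPs.

```python
import ipaddress
import json

# Constructed sample in the shape of `az storage account show --query networkRuleSet`.
SAMPLE_RULESET = json.loads("""
{
  "bypass": "AzureServices",
  "defaultAction": "Deny",
  "ipRules": [
    {"action": "Allow", "ipAddressOrRange": "203.0.113.10"},
    {"action": "Allow", "ipAddressOrRange": "198.51.100.0/24"}
  ],
  "virtualNetworkRules": []
}
""")

# Placeholder addresses (documentation ranges), NOT real Prisma Cloud IPs.
# Replace with the source and DR addresses listed for your Prisma Cloud instance.
REQUIRED_IPS = ["203.0.113.10", "198.51.100.7", "192.0.2.44"]


def missing_prisma_ips(rule_set, required_ips):
    """Return the required IPs that the storage account firewall would block."""
    # A default action of "Allow" means the account accepts all networks,
    # so no IP rule is needed for any address.
    if rule_set.get("defaultAction", "Allow") == "Allow":
        return []
    allowed = []
    for rule in rule_set.get("ipRules") or []:
        if rule.get("action", "Allow") == "Allow":
            # strict=False accepts ranges written with host bits set.
            allowed.append(
                ipaddress.ip_network(rule["ipAddressOrRange"], strict=False)
            )
    return [
        ip for ip in required_ips
        if not any(ipaddress.ip_address(ip) in net for net in allowed)
    ]


if __name__ == "__main__":
    for ip in missing_prisma_ips(SAMPLE_RULESET, REQUIRED_IPS):
        print(f"not allowed by storage firewall: {ip}")
```

An empty result only covers the networking step; the Service Principal still needs read access to the storage account contents.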
Additional Information
For the step-by-step guide, see the Azure Cloud Account Onboarding Checklist documentation.