Endpoints display Partially Protected or Unprotected Operational Status.
46333
Created On 04/24/22 14:01 PM - Last Modified 07/19/24 14:49 PM
Symptom
In the Endpoints > All Endpoints page, some endpoints display Partially Protected or Unprotected Operational Status.
Environment
- Cortex XDR 3.3 or later.
- Operational Status Data
- XSIAM agent
Cause
As documented, the agent may suffer from a technical issue or misconfiguration that interferes with the agent’s protection capabilities or interaction with Cortex XDR and other applications.
To start troubleshooting, view the Operational Status Data by right-clicking the Operational Status cell of the affected endpoint > Endpoint Data > View Operational Status Data.
Thereafter, rectify according to the problem stated in the Operational Status Data dialog view.
Resolution
Below are the resolutions for the common problems encountered:
Windows
- Agent running, without any valid content
Possible Cause: the agent was unable to download the content package because of a connectivity issue.
Resolution: allow access to the various Palo Alto Networks resources.
- Agent is not running
Possible Cause (1): the agent was stopped deliberately.
Resolution (1): start the XDR agent service.
1. Launch Command Prompt in Administrator mode.
2. Execute "C:\Program Files\Palo Alto Networks\Traps\cytool.exe" runtime start
Possible Cause (2): Endpoint Protection was paused on the agent.
Resolution (2): resume Endpoint Protection.
- Xdr Data Collection Not Running or Not Sent - Agent is not running due to disk space
Possible Cause: EDR collection was stopped because the disk quota limit on EDR storage was reached (default = 200MB). This usually happens when the agent cannot upload EDR data to Cortex XDR faster than it is generated, e.g. during a network failure or massive endpoint operations.
Resolution: resolve any potential network connectivity issues from the agent to Cortex XDR.
Note: EDR storage is not part of the Disk Quota specified in the Agent Settings and is only configurable via a Support Exception.
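The following PowerShell triage helper is an added example for the Windows checks above; it is not part of the KB article. It assumes cytool.exe is at the path the article gives, that the agent's Windows service is named "cyserver" (an assumption; adjust if it differs), and uses the article's 200 MB default EDR quota as a free-space threshold.

```powershell
# Added triage helper for the Windows section (not from the KB article).
# Assumptions: cytool.exe path as given in the article; agent service name
# "cyserver" (assumed); 200 MB is the default EDR storage quota the article quotes.
param(
    [switch]$Start   # only attempt "cytool runtime start" when explicitly requested
)

$CytoolPath  = 'C:\Program Files\Palo Alto Networks\Traps\cytool.exe'
$ServiceName = 'cyserver'        # assumed agent service name
$EdrQuotaMB  = 200               # default EDR storage quota from the article

function Test-IsAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-Path $CytoolPath)) {
    Write-Warning "cytool.exe not found at $CytoolPath; is the agent installed?"
    return
}

# 1. "Agent is not running": check the service and, if asked, start it via cytool
#    (must run elevated; cytool may prompt for the agent supervisor password).
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning "Service '$ServiceName' not found (verify the assumed service name)."
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "Agent service is $($svc.Status)."
    if ($Start) {
        if (-not (Test-IsAdmin)) { Write-Warning 'Re-run from an elevated prompt.'; return }
        & $CytoolPath runtime start      # the command the article gives
    }
} else {
    Write-Output 'Agent service is running.'
}

# 2. "Not running due to disk space": compare free space on the install drive
#    with the default EDR quota. Low free space is a hint, not proof, that
#    EDR collection stopped; the quota itself is not visible from here.
$drive  = Get-PSDrive -Name $CytoolPath.Substring(0, 1)
$freeMB = [math]::Round($drive.Free / 1MB)
if ($freeMB -lt $EdrQuotaMB) {
    Write-Warning "Only $freeMB MB free on $($drive.Name):, below the $EdrQuotaMB MB EDR quota."
} else {
    Write-Output "$freeMB MB free on $($drive.Name):."
}
```

Run without switches to report only; add -Start from an elevated prompt to attempt the service start the article describes.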
Linux
- Kernel module incompatibility error
Cause: the kernel version on this endpoint is currently not supported.
Resolution: as documented in this KB article - Getting support on an unsupported Linux Kernel version for Cortex XDR.
- Linux kernel module failed to load
Possible Cause: SecureBoot is enabled but the kernel module is not signed.
Resolution: refer to Step 5 - Load SecureBoot Certificates.
- Linux kernel module detected repeated ungraceful shutdown/s
Possible Cause: the machine shuts down ungracefully multiple times in an hour.
Resolution: as documented in this KB article - Linux kernel module detected repeated ungraceful shutdown/s.
macOS
Possible Cause: the Cortex XDR System Extensions were not approved.
Resolution: refer to Step 8 - Approve Cortex XDR System Extensions.
Additional Information
Note that this article does not list all possible causes; it serves only as basic troubleshooting guidance for customers to resolve common problems on their own.