Tips and Tricks: Strata Cloud Manager (Formerly Known as AIOps for NGFW)

Created On 01/06/23 04:26 AM - Last Modified 10/12/23 04:00 AM


Question


 
  1. General Information
    A. To easily understand the relationships between features, Free and Premium licenses, and customer-owned CDL, where can I get the table for it?
    B. How do I determine the appropriate sizing of my paid CDL storage for Strata Cloud Manager?
    C. Under the same CSP account, how can we have separate Strata Cloud Manager instances for different subgroups, or separate a production environment from the lab?
    D. What are the main types of data that Strata Cloud Manager consumes, and where are they stored?
    E. We have our (owned/paid) CDL and activated a Strata Cloud Manager instance. If we delete the existing Strata Cloud Manager instance and create a new one, will the old data from the old Strata Cloud Manager instance migrate?
    F. Can we run Strata Cloud Manager in region X and CDL in region Y?
    G. Can we migrate the Strata Cloud Manager data from region X to region Y?
    H. Can Strata Cloud Manager consolidate the data between the two regions?
    I. Can I change an existing Strata Cloud Manager CDL instance (e.g., US) to point it to a new CDL instance (e.g., UK)?
    J. Which third-party application/service integrations can Strata Cloud Manager support?
    K. Does Strata Cloud Manager support PA-VM firewalls/Panoramas?
    L. Where can I get information on questions such as how the telemetry data is handled in the cloud, how long the data is retained, and other similar topics?
    M. What is new with Strata Cloud Manager Tenant Service Group (TSG) migration, and where can I find more information?

  2. Configuration / Verification
    A. How do I activate Strata Cloud Manager? What is the procedure to move from Free to Trial/Eval/Premium?
    B. We recently RMA'ed a defective device and onboarded the replacement to Strata Cloud Manager. Now we want to expunge the faulty device's information from Strata Cloud Manager. How do we do it?

  3. Operations
    A. For a newly provisioned Strata Cloud Manager, how long do we have to wait until we see data?
    B. How can we acknowledge an alert so that it stops reporting, and how can we make it go away?
    C. The firewalls show as onboarded, and we have some alerts, but there is neither Feature Configuration nor Feature Adoption data, which are both under Adoption Summary. Why is this so?
    D. What is the impact, and how much bandwidth is consumed, when the firewall pushes the telemetry data to Strata Cloud Manager?
    E. Where does Strata Cloud Manager derive its data for the device's data throughput value from?
    F. Our Trial/Eval/Premium license has expired. What happens now?
    G. We want to delete a Strata Cloud Manager instance. How do we do this?
    H. Where can I get our CSP ID / Tenant ID / Strata Cloud Manager instance ID?

  4. Troubleshooting
    A. I am trying to execute Activate AIOps for NGFW (Free), and under step 3 I don't have the Activate option and only see Learn More. Why is this so?
    B. We are trying to spin up a new Strata Cloud Manager instance and, during activation, received the error "Unknown Region Global".
    C. We are trying to enable Strata Cloud Manager; however, in CDL the device shows as Disconnected.
    D. We are getting "reason: CDL Receiver Key Empty" in the output of > show device-telemetry stats all
    E. How can we address "Send File to CDL Receiver Failed"?
 


Environment


  • Strata Cloud Manager for NGFW (Next Generation Firewall)
  • PAN-OS version 10.0 and above
  • Cortex Data Lake (CDL) is optional


Answer


  1. General Information
    A. The snapshot is the latest as of Jan 31, 2023; please refer to the AIOps for NGFW Solution Brief for the latest update.
       [Image: aiops-table.png]
    B. Use HOW TO TROUBLESHOOT CDL LOG STORAGE APPROACHING LIMITS
    C. Create a Strata Cloud Manager instance in the same region where your production is located, then create another Strata Cloud Manager instance in another region for the lab.
    D. There are two types of data that Strata Cloud Manager consumes:
      1. Device telemetry, associated with the firewall's config/MP logs and stored in the (free) telemetry-only CDL. (Free, Trial, Evaluation, and Premium licenses use this.)
      2. Firewall logs, related to the firewall's DP logs and held in the (paid) customer-owned CDL.
    E. Data residing in the telemetry-only CDL, which is associated with the Strata Cloud Manager instance, will not be migrated. In comparison, data residing in the customer-owned CDL will be maintained.
       Note: Please refer to Q&A 1.D. for added context.
    F. It depends on the availability of the Strata Cloud Manager infrastructure concerning CDL.
       Yes, for regions with a CDL instance that don't support Strata Cloud Manager, the requirement is to spin up a US-based Strata Cloud Manager instance.
       If both CDL and Strata Cloud Manager instances exist in the same region, then both must be running under the same region.
       See Regions for AIOps for NGFW
    G. No, due to regulations like GDPR / CCPA, which prohibit the movement of data. For further info, please see AIOps for NGFW Privacy
    H. No, due to regulations like GDPR / CCPA, which prohibit the movement of data. For further info, please see AIOps for NGFW Privacy
    I. Strata Cloud Manager does not support the modification of an existing Strata Cloud Manager instance to associate it with a different CDL instance. As a solution, you'll need to create a new Strata Cloud Manager instance to associate with the new CDL.
    J. As of Jan 10, 2023, ServiceNow is supported.
    K. As of Feb 24, 2023, VM-FW series are supported on a Free license but not on a Premium license; VM-Panorama is supported on Free and Premium licenses.
    L. Please see Privacy & Product Datasheets or, specifically, AIOps for NGFW Privacy
    M. Click here
 
 
  2. Configuration / Verification
    A. Watch the different onboarding scenarios below:
      1. New Activation, onboarding and upgrade processes for AIOps as of 2023-02-09
    B. Log in to apps.paloaltonetworks.com/hub. Ensure that you are in the correct Tenant ID. Then, navigate to Common Services > Tenant Management > Device Associations. Next, place a checkmark next to the Serial Number of the RMAed device. Finally, select 'Remove Association', followed by 'Remove Tenant Association', and then 'Remove'.
       [Image: remove1.png]
       [Image: remove2.png]

 
  3. Operations
    A. The health-related insights should show up in a couple of hours, and the security insights within about 24 hours; refer to Q&A 3.D. for added context.
    B. You can change the status to snooze, as seen below. Alerts will be closed/removed once the root cause has been addressed.
       [Image: snooze.png]
    C. If Panorama manages the firewalls, this is working as expected. The Adoption Summary is only for Panorama devices and unmanaged firewalls.
    D. On lower-end devices such as the PA-220 there is a slight performance impact; on higher-end models the performance impact is negligible.
       Bandwidth is a few KBs to MBs (depending on the configuration of the given firewall). Please note that the file is compressed to reduce bandwidth consumption.
       Frequency:
       PAN-OS 10.x: every hour
       PAN-OS 11.x: every 5 min
       Besides these, there is a daily upload of the configuration (at 2:00 AM in the device's configured time zone).
    E. From the CLI, execute > show session info | match Throughput
    F. The device with an expired license is automatically transferred to the Free Strata Cloud Manager instance. Therefore, keeping the Free Strata Cloud Manager instance running even without any device will be a good idea.
    G. Open a case with TAC and upload the Metadata, then reference this KB in the case; an internal note Q&A #1 is provided with the instruction for the internal process.
    H. Download the Metadata, extract the downloaded file, then open Instance_Info_xxxxxxxx_xxxx.json
       [Image: tenantid2.png]
 
 
  4. Troubleshooting
    A. The hub requires the user to have App Administrator privileges to show the Activate button. To enable the instantiation of the AIOps app, use Assign the App Administrator Role.
    B. Try initiating it again and wait for at least an hour; if the problem persists, please open a case with TAC and provide the CSP-ID / Tenant-ID / AIOps Instance ID, then reference this KB in the case; an internal note Q&A #1 is provided with the instruction for the internal process. Please refer to Q&A 3.H. for added context.
    C. Use How To Troubleshoot A Connection Failure Between The Firewall and CDL
    D. Use Domains Required for AIOps for NGFW
    E. Use TCP Ports and FQDNs Required for Cortex Data Lake
 
 


Additional Information


What is the needed information to open a ticket for AIOps-related issues?

10 Jan 23 (Vijay) - Article published external.
15 Sept 23 - Updated 'AIOps for NGFW' to 'Strata Cloud Manager' wherever possible.

