How to Troubleshoot gRPC Connection Failure from the Firewall Dataplane to the Content Cloud Server (Filemgr)
Created On 11/10/25 16:41 PM - Last Modified 11/12/25 19:37 PM
Objective
- How to troubleshoot connection failure from the firewall dataplane to the Content Cloud Server (aka Cloud Services File Manager - Filemgr) starting PAN-OS 11.0.
Environment
- NGFW
- ATP
- AUF
- ACE
- DLP
- AWF
- PAN-OS 11.0 and later releases
Procedure
- Check that a device certificate is valid and present on the FW.
show device-certificate status
- Check that the Data Services service route is properly configured. It is recommended to configure a dataplane interface with connectivity to cloud services as the Source Interface and Source Address for data services. (Default is management)
- Check whether the upstream firewall allows the application ocsp (for certificate validation) and the application needed for each affected feature:
- For ATP: (Advanced Threat Prevention’s deep learning engines support analysis of C2-based threats over SSL, unknown-UDP, and unknown-TCP applications).
- For ACE: paloalto-ace. (Palo Alto Networks App-ID Cloud Engine (ACE) is a service that provides visibility and control into thousands of App-IDs in a constantly expanding cloud-based catalog. ACE not only provides App-IDs for the existing applications, but also helps to develop and deliver App-IDs for brand-new or previously unknown applications. This App-ID covers the traffic of the filemanager service.)
- For AUF: paloalto-aurl-idl. (Palo Alto Networks Advanced URL Filtering utilizes the Inline Deep Learning service to provide real-time analysis of web content to detect and prevent never-before-seen web-based attacks. This App-ID covers the traffic from the firewall to the AURL cloud service).
- For DLP: paloalto-dlp-service. (Palo Alto Networks DLP is a cloud-delivered service embedded in your security platform for consistent and highly reliable protection of sensitive data for all traffic, applications, and users).
- Troubleshoot the connection between Firewall Dataplane (DP) and the Content Cloud Server:
- Check the cloud connection status to the Firewall dataplane:
show ctd-agent status security-client
- Under the section "Security Client WifUpload(0)" the cloud connection should show connected and Pool state should show Ready (2).
- If showing Pool state: Invalid License (6), then go back to step 2
- If showing Pool state: Invalid Config (7), then check that you have followed the steps:
- For ATP: Configure Inline Cloud Analysis.
- For ACE: Prepare to Deploy App-ID Cloud Engine.
- For AUF: Configure Inline Categorization.
- For DLP: Enable Enterprise DLP.
- If showing Pool state: Closed (4)
- Check the network connection between the Firewall Data Services service route, source IP, and the Content Cloud Server, destination FQDN.
- Note: This command is valid in case Management is used as Data Services service route and the hawkeye.services-edge.paloaltonetworks.com is the FQDN of the Content Cloud Server found in the output of 9.a. Otherwise, add the source to the command, followed by the IP address of the dataplane interface used as the service route and the proper FQDN depending on your region.
- Check if the connection is established on port 443 between the Firewall and the Content Cloud Server:
show netstat numeric-hosts yes numeric-ports yes | match 34.111.222.75
- Where 34.111.222.75 would be the IP address of the Content Cloud Server resolved by the DNS server in 9.d.i
- Check Firewall system logs related to this DP connection:
show log system subtype equal ctd-agent-connection direction equal backward
- As a last resort, and if needing to restart the connection between FW DP and Content Cloud Server, use the following CLI with great caution, knowing that it is very disruptive as it also affects other Firewalls' inline cloud analysis services.
debug software restart process ctd-agent
Note: Restarting ctd-agent will reset the connection between Firewall DP and the Content Cloud Server.
Additional Information
- paloalto-ace-kcs: This App-ID covers the traffic between the PAN-OS Firewall and App-ID Cloud Engine (ACE) Knowledge Cloud Service (KCS). Firewall uses this connection to download the App-ID catalog and related App-ID information from the ACE cloud.
- Example of a valid output when the connection is up between the firewall and the Content Cloud Server (Filemgr):
DP dp0:
Security Client WifUpload(0)
Current cloud server: hawkeye.services-edge.paloaltonetworks.com:443
Cloud connection: connected
Config:
Number of gRPC connections: 2, Number of workers: 6
Debug level: 2, Insecure connection: false, Cert valid: true, Key valid: true, CA count: 306
Maximum number of workers: 10
Maximum number of sessions a worker should process before reconnect: 1024
Maximum number of messages per worker: 0
Skip cert verify: false
Grpc Connection Status:
State Ready (3), last err <nil>
Pool state: Ready (2)
last update: 2025-11-10 10:17:25.262704682 -0800 PST m=+19.650668381
last connection retry: 2025-11-10 10:17:21.69822088 -0800 PST m=+16.086184541
last pool close: 0001-01-01 00:00:00 +0000 UTC
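The Pool state codes from the procedure applied to the sample output above, as an added Python example that is not part of the original article: the parser and the triage mapping are my own, and the embedded sample text is the article's example output (the unhealthy variant in the usage is constructed).

```python
import re

# Sample text is the article's example 'show ctd-agent status security-client' output.
SAMPLE_OUTPUT = """DP dp0:
Security Client WifUpload(0)
Current cloud server: hawkeye.services-edge.paloaltonetworks.com:443
Cloud connection: connected
Config:
Number of gRPC connections: 2, Number of workers: 6
Debug level: 2, Insecure connection: false, Cert valid: true, Key valid: true, CA count: 306
Grpc Connection Status:
State Ready (3), last err <nil>
Pool state: Ready (2)
"""

# Pool state codes named in the procedure, mapped to the next check it prescribes.
POOL_STATE_ACTIONS = {
    2: ("Ready", "no action: gRPC pool is healthy"),
    4: ("Closed", "check the Data Services service route, DNS resolution of the cloud FQDN, TCP 443 reachability, and ctd-agent-connection system logs"),
    6: ("Invalid License", "verify the feature licenses with 'request license info'"),
    7: ("Invalid Config", "verify the feature configuration (Inline Cloud Analysis, ACE deployment, Inline Categorization, Enterprise DLP)"),
}

def parse_security_client_status(text):
    """Extract the fields the procedure checks from the WifUpload(0) section."""
    parts = text.split("Security Client WifUpload(0)", 1)
    if len(parts) < 2:
        raise ValueError("Security Client WifUpload(0) section not found")
    body = parts[1]
    fields = {}
    m = re.search(r"Current cloud server:\s*(\S+)", body)
    fields["server"] = m.group(1) if m else None
    m = re.search(r"Cloud connection:\s*(\S+)", body)
    fields["cloud_connection"] = m.group(1) if m else None
    m = re.search(r"Pool state:\s*([A-Za-z ]+?)\s*\((\d+)\)", body)
    fields["pool_state"] = m.group(1).strip() if m else None
    fields["pool_state_code"] = int(m.group(2)) if m else None
    m = re.search(r"Cert valid:\s*(\w+), Key valid:\s*(\w+)", body)
    fields["cert_valid"] = (m.group(1) == "true") if m else None
    fields["key_valid"] = (m.group(2) == "true") if m else None
    return fields

def triage(fields):
    """Return (healthy, recommendation) following the article's decision steps."""
    if fields["cert_valid"] is False or fields["key_valid"] is False:
        return False, "device certificate problem: check 'show device-certificate status'"
    code = fields["pool_state_code"]
    if code is None:
        return False, "Pool state not found in output"
    name, action = POOL_STATE_ACTIONS.get(code, ("Unknown", "review ctd-agent-connection system logs"))
    healthy = fields["cloud_connection"] == "connected" and code == 2
    return healthy, f"Pool state {name} ({code}): {action}"
```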
- For each of the CDSS features mentioned in this article to function as expected, verify that the licenses for each feature: ATP, ACE, AUF, and DLP are present and valid on the firewall:
request license info
- For ATP: Check the Advanced Threat Prevention license.
- For ACE: Check the SaaS Security Inline license.
- For AUF: Check the Advanced URL Filtering license.
- For DLP: Check the Enterprise Data Loss Prevention license.
- For AWF: Check the Advanced Wildfire License.
- For AWF (Advanced Wildfire): This Cloud-Delivered Security Service works in conjunction with Advanced Threat Prevention (ATP), as the two features are closely integrated. ATP handles known inline threats, while AWF analyzes and classifies previously unseen files in the cloud. Both ATP and AWF rely on a secure gRPC connection from the firewall to the Content Cloud Server (Filemgr) to perform analysis and receive threat verdicts.