To remove the Palo Alto Prisma Integration completely, first delete the policy containing the plugin from the Policies view, and then delete the plugin details on the Decoder host.

Important: If you have deployed the plugin using CCM, you must perform steps 1 and 2 procedures. If you have deployed the plugin using NwConsole, you can proceed directly to step 2 and complete the procedure.

Step 1: Remove the Policy containing Palo Alto Prisma Integration

  1. Go to ConfigureIcon.png (Configure) > Policies.
  2. In the policies panel, click Content.
  3. Click Policies. The available policies are displayed.
  4. Select one or more policies and in the More Actions drop-down list in the tool bar, click Delete.

    1251_DeletePaloALtoPlugin_1024.png

    The Delete Policies dialog is displayed.
  5. To delete the deployed content from the group’s services upon deleting the policy, select the option Delete deployed content from the group's services on policy removal.

    Note: Removing the policy will delete only the Palo Alto Prisma Configuration details and not the plugin on the Decoder host.

  6. Click Delete to permanently delete the selected policy.
    Deletion will take immediate effect and the policy will no longer be available in any group.

    Note: 
    - You can also delete a policy from the Policy Details view. For more information on deleting a policy from the Policy Details view, see View a Policy topic.
    - The policy status changes to Failed if policy deletion fails for any particular reason.

Step 2: Remove the Palo Alto Prisma Plugin Details from the Decoder Host

  1. SSH to the Packet Decoder Host.

  2. Run the following command to stop the Decoder service:

    systemctl stop nwdecoder

  3. Navigate to the following path:

    /etc/netwitness/ng/hosted

  4. Delete the paloalto folder.

  5. Run the following command to start the Decoder service:

    systemctl start nwdecoder

  6. Connect to the Decoder host by using the Decoder IP address and Port 50104 as follows:<decoder-ip>:50104

  7. Navigate to the following path: /decoder/hosted/paloalto

  8. Select the delete operation from the drop-down list and click Send.

    12.4_delete_operation_0124.jpg

    The plugin details are removed from the decoder.