Hi All,
I'm currently trying to integrate Palo Alto's Prisma Cloud with our on-prem HEC on an on-prem HF (via documentation: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/configure-external-integrat...) and I get the following error when I try to test the connection:
Failed to send a test notification to the event collector URL with the provided auth token. Please check integration details and try again.
On the Splunk HF, I have configured the HEC with the following:
Global Settings:
All Tokens: Enabled
Default Source Type: _json
Default Index: Default
Default Output Group: None
Use Deployment Server: Checked
Enable SSL: Checked
HTTP Port Number: 8088
Created a token:
Name: prisma_hec
Source: prismacloud
Set Source Type: _json
Select Allowed Indexes: prisma
On the Prisma Cloud side (based on that link above):
Integration Type: Splunk
Integration Name: prisma_hec
Splunk HTTP event collector URL: https://hec_ip:8088/services/collector/event
Auth Token: token
When I test the connection, I get that error above.
Since we have the incoming IP addresses locked down to the Prisma Cloud server, we can't simply test. I'm going to submit a request to allow another local IP address for testing the connection. From the doc: https://docs.splunk.com/Documentation/Splunk/7.3.3/Data/UsetheHTTPEventCollector, I have the right configuration and URL. Has anyone seen this before and can point me in the right direction for troubleshooting?
I appreciate any help.
Thanks,
Herman
Ok, coming back to share my solution. We changed our solution to use our Splunk Cloud HEC vs the on-prem HEC.
The Splunk Cloud HEC URL to use is:
curl -k https://http-inputs-<splunk_cloud_url>:443/services/collector/event -H "Authorization: Splunk <token>" -d '{"event": "hello world"}'
Everything went well and Prisma Events are being ingested into Splunk in json format. Hope this helps.
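Added example, not part of this thread: a small Python client that sends the same test event as the curl command above to a HEC endpoint and, instead of the opaque Prisma-side error, reports the HEC "code" from the response body (values per Splunk's HEC documentation) so you can tell a disabled token, a wrong token, or an index outside the token's allowed indexes apart. It assumes the URL/token/index from the original post are passed on the command line, and its verify_tls=False option is the equivalent of curl -k for a self-signed HF certificate.

```python
import json
import ssl
import urllib.error
import urllib.request

# HEC response codes (the "code" field in the JSON body) and what to check for each.
HEC_CODES = {
    0: "success",
    1: "token disabled (enable it under Settings > Data Inputs > HTTP Event Collector)",
    2: "token is required (Authorization header missing)",
    3: "invalid authorization (header must be 'Authorization: Splunk <token>')",
    4: "invalid token (value does not match any HEC token on this host)",
    5: "no data (empty body)",
    6: "invalid data format (body must be JSON with an 'event' field)",
    7: "incorrect index (index not in the token's 'Allowed Indexes')",
    8: "internal server error",
    9: "server is busy",
}


def diagnose(status, body):
    """Map an HTTP status and HEC JSON body to a short troubleshooting hint."""
    try:
        code = json.loads(body).get("code")
    except (ValueError, AttributeError):
        code = None
    if status == 200 and code == 0:
        return "ok"
    return f"HTTP {status}, HEC code {code}: {HEC_CODES.get(code, 'unrecognised HEC response')}"


def build_request(url, token, index=None, event="hello world"):
    """Same shape as the curl test: POST /services/collector/event with a Splunk auth header."""
    payload = {"event": event, "sourcetype": "_json"}
    if index:  # send the index explicitly so an allowed-indexes mismatch shows up as code 7
        payload["index"] = index
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    return urllib.request.Request(url, data=json.dumps(payload).encode(), headers=headers, method="POST")


def send_test_event(url, token, index=None, verify_tls=True):
    ctx = ssl.create_default_context()
    if not verify_tls:  # curl -k equivalent; only for lab testing against a self-signed HF cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(build_request(url, token, index), context=ctx, timeout=10) as resp:
            return diagnose(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:  # HEC returns 4xx with a JSON body; still diagnosable
        return diagnose(e.code, e.read().decode())
    except OSError as e:  # TCP/TLS level failure: port 8088, Enable SSL, IP allow-list
        return f"connection failed: {e} (check port, SSL setting and IP allow-list)"


if __name__ == "__main__":
    import sys  # usage: hec_test.py <hec_url> <token> [index]
    print(send_test_event(sys.argv[1], sys.argv[2], sys.argv[3] if len(sys.argv) > 3 else None))
```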