topic Issues fixed as recommended by AIOPS Premium console are still being reported negatively in AIOps for NGFW Discussions

Issues fixed as recommended by AIOPS Premium console are still being reported negatively

bahan — Fri, 26 May 2023 15:12:54 GMT

1: I have critical alerts in AIOPS that when corrected are still being reported in the console and not configured:

Outbound High Risk IP Addresses Not Blocked:

Follow these steps to resolve the issue:

Configure and enable a deny rule with the 'Palo Alto Networks - High risk IP addresses' EDL in the destination address, Log at Session End enabled, along with a Log Forwarding Profile OR an allow rule with the same configurations along with Antivirus, Vulnerablility Protection, Anti-Spyware and URL Filtering profiles configured

I also have similar for the "Inbound".

2: Undecrypted Traffic Settings Not Set To Recommended

Follow these steps to resolve the issue: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryption-concepts/no-decryption-decryption-profile

The following options need to be enabled: block_expired_certificate, block_untrusted_issuer

If I follow the recommended steps in AIOPS the non-decrypted excluded sites are blocked.

3: File Blocking Profile Not Strict

I have one user that uses the website Canva.com and if I put the Strict File Blocking profile of that specific userid Canva.com stops working because it uses Windows PE to display images in the site.

How can I get these sorted? I am pulling my hair our double and triple checking configs.

Finally, AIOPS is grading the default "READ ONLY" Objects like URL Filtering, Antispyware, Antivirus etc: and preventing the Firewall from moving from Orange(Fair) to Good(Green) in the Device Security Dashboard.

Can you do a forced manual AIOPS scan of the firewall instead of having to wait on the automatic scan every 24hrs?

Please help

Re: Issues fixed as recommended by AIOPS Premium console are still being reported negatively

DopedWafer — Tue, 06 Jun 2023 18:44:55 GMT

Have you found an answer to this? I'm also curious

Re: Issues fixed as recommended by AIOPS Premium console are still being reported negatively

bahan — Tue, 06 Jun 2023 19:21:14 GMT

My Friend,

Not a single person replied. Worse yet you are not allowed to call tech support for AIOPS issues.

You are directed bck to the Community where the support is located, but still no answers.

It seems as if you literally have to wait 30 days for the console to refresh so you can get answers to the changes.

I will upload a tech cupport file to the BPA section so see if this will trigger and update and regrading in AIOPS cloud console.

Re: Issues fixed as recommended by AIOPS Premium console are still being reported negatively

cchristiansen — Tue, 06 Jun 2023 20:45:53 GMT

Bahan, sorry for the delayed response. Here are answers to your questions:

Q. Outbound High Risk IP Addresses Not Blocked

A. The likely reason is that if there are any rules with an action of "allow" above the rule in question, the check will fail. We are doing a full review of BP checks now, and that requirement (for this check) is being removed.

Q. Undecrypted Traffic Settings Not Set To Recommended

A. This is a best practice. If you continue to have issues with this setting it is best to open a ticket with TAC to investigate why the settings are not working as the documentation describes.

Q. File Blocking Profile Not Strict

A. This check is being removed as part of our ongoing BP check review.

Q. Finally, AIOPS is grading the default "READ ONLY" Objects like URL Filtering, Antispyware, Antivirus etc: and preventing the Firewall from moving from Orange(Fair) to Good(Green) in the Device Security Dashboard.

A. As part of our ongoing BP check review we are working with the PAN-OS team to change "defaults" (where possible) to align with best practices. We will be working to resolve this issue going forward.

Q. Can you do a forced manual AIOPS scan of the firewall instead of having to wait on the automatic scan every 24hrs?

A. Not currently (via telemetry). There is an "on-demand" TSF upload feature now, which you can use to force a re-evaluation for that TSF which was uploaded.

Re: Issues fixed as recommended by AIOPS Premium console are still being reported negatively

bahan — Wed, 07 Jun 2023 00:18:35 GMT

There is an "on-demand" TSF upload feature now, which you can use to force a re-evaluation for that TSF which was uploaded.

Please sir, where exactly is this feature? Is it the upload in Posture/On-Demand BPA? or another location?

Re: Issues fixed as recommended by AIOPS Premium console are still being reported negatively

kaymorrison — Wed, 11 Oct 2023 16:34:34 GMT

Not sure if you still need an answer to this, but if you go to Dashboards > On Demand BPA > Generate New BPA Report - Here is where you would upload the TSF file. The On Demand BPA feature only allows usage of the Best Practices dashboard and Feature adoption dashboard. Although this would allow you to refresh the best practice assessment, it is my understanding that this would not refresh the rest of the information in AIOps that is being received through telemetry.