article Greenfield Security Policies Generation (Video) in Expedition Articles

Greenfield Security Policies Generation (Video)

alestevez — Mon, 08 Jul 2019 15:34:49 GMT

Take a look to the new Greenfield security policy generation based on PanOS logs.

Re: Greenfield Security Policies generation. Video 6min

ShawnSlater — Thu, 07 Jun 2018 12:27:15 GMT

Will this be spelled out in the hopefully forthcoming User Guide for Expedition? Also, will this be something I can just pull out of the Palo device direct? It seems unnecessary to have to go to a syslog server when the Palo device has them essentially in the device or in Panorama. Maybe I missed that in the video. You moved pretty quick which I appreciate.

Re: Greenfield Security Policies generation. Video 6min

didel0815 — Fri, 29 Jun 2018 15:52:45 GMT

There's no link to the video anymore.

Re: Greenfield Security Policies generation. Video 6min

dgildelaig — Wed, 04 Jul 2018 14:43:43 GMT

In further User Guides we will describe in deeper detail the process of Learning from Logs.

The video shows how to export the logs via SCP (not syslog server), preprocess the logs to convert them into an internal format (parquet) enhanced for paralell processing and machine learning, and crunching this parquet for identifying traffic behaviors and suggest security policies.

Notice that I mentioned the parquet format. This is the reason we require exporting the logs into Expedition, as we need to convert the original log format into a parquet format that will enable us for the ML processes. So, we can't directly work with internal DB in a PANOS device. Additionally, we don't want to stress the PANOS devices with this intense data analytics process, but we can stress a VM hosting Expedition.

The video was originally intended for a presentation at Ignite, therefore it is condensed to show a rapid view of the process in only 6 minutes. And the video seems to be available now.

Re: Greenfield Security Policies generation. Video 6min

Abdeljalil-AGNAOU — Fri, 13 Jul 2018 09:52:31 GMT

Hi Team,

I'm trying to test Greenfield ML in order to have a flow matrix of my Firewalls and have an idea about security policies, but the phase called "Spark: Process CSV files to Parquet" takes too long (more than 6 hours), is that normal ? or should i stop it and repeat again ?

The status shown is "Pending", so i don't know if it's already started or not ! samething as in security policies, when i try to analyze data from specific security policy (CONTENT LEARNED FROM expedition ML), the status also shown is "pending" for too long without any reaction ! can you please help to resolve that issue ?

Thanks a lot,

Re: Greenfield Security Policies generation. Video 6min

dgildelaig — Fri, 13 Jul 2018 09:57:42 GMT

If the status is "Pending" most probably the process did not start.

I guess you do have a version of Expedition prior to 1.0.99.

I would suggest to update Expedition via the apt-get commands and try again.

I will provide you better information if something is not correctly set up.

Re: Greenfield Security Policies generation. Video 6min

ederg — Sat, 22 Dec 2018 21:05:56 GMT

Hi.

I just prepired all my collected CSV-Files. and tryed to do an analysis, but I cant add an logcollector, because of not reachable PA.

Is there a possibility do do the analysis offline?

thanks in advance

Gernot

Re: Greenfield Security Policies generation. Video 6min

Bomi — Thu, 04 Apr 2019 08:23:32 GMT

It seems there is no link to the video.

Re: Greenfield Security Policies generation. Video 6min

dgildelaig — Thu, 04 Apr 2019 08:33:12 GMT

The video is embedded in the post.

Either check with another browser or wait a bit for the video to load.

Re: Greenfield Security Policies generation. Video 6min

sabrawy — Fri, 17 May 2019 12:54:56 GMT

Hello,

i need to know how we know which rules from transformed rules (in vsys2) refered to which original wide open rules (in vsys1)?

if the tool ML analysis three rules as example, how we determine which rules from the output rules refered to which one of the three orignal rules?

Ahmed sabry.

Re: Greenfield Security Policies generation. Video 6min

dgildelaig — Fri, 17 May 2019 13:00:03 GMT

The ML won’t provide this information.

Due to the logic of the process, we aggregate the log info for all the selected rules and look for patterns from that dataset.

If you want to determine it by rule, you would have to apply ML with only one rule at a time.

Re: Greenfield Security Policies generation. Video 6min

sabrawy — Fri, 17 May 2019 13:16:31 GMT

so what is the best approach if we need to tune a production firewall rules (200 rules as example) ?

Re: Greenfield Security Policies generation. Video 6min

dgildelaig — Fri, 17 May 2019 14:08:40 GMT

Unless you are fine doing Rule Enrichment (RE), you would have to do Ml having only one rule selected at a time.

Do you have a clear idea regarding the goal of ML and RE?

because maybe you actually want to do RE and then you have no problems selecting the 200 and doing one single apps. The result of RE will tell you which rule got enriched.