topic Re: Expedition unable to process security rule for Rule Enrichment in Expedition Discussions

Expedition unable to process security rule for Rule Enrichment

jamesshelley — Fri, 22 May 2020 15:18:58 GMT

Hi guys,

I'm working with a customer who has Expedition installed on their network on Ubuntu 16.04. Expedition is on the latest version (1.1.68).

I've setup a traffic log forwarder from one of their firewalls which connects to their Expedition just fine. I've added their Panorama device, pulled in the managed devices and running config. I've processed the logs in /home/expedition/logs.

I've created a new project, imported the config and created a log connector for the last 7 days. But whenever I try to run Rule Enrichment on a security rule and hit process it stalls and nothing happens. I've read through the quick start guide which has told me to use this command but it's saying it cannot create connection to the database server, does anyone know how to fix this error?

####@####:/tmp$ tail PAN_RuleEnrichment.log
2020-05-22 14:12:40 ERROR RuleAutoCompleter$:812 - Fininshed
2020-05-22 14:29:50 ERROR RuleAutoCompleter$:810 - Could not create connection to database server.
2020-05-22 14:29:50 ERROR RuleAutoCompleter$:811 - Log analysis could not be performed. java.lang.ArrayIndexOutOfBoundsException: 92
2020-05-22 14:29:50 ERROR RuleAutoCompleter$:812 - Fininshed
2020-05-22 14:45:43 ERROR RuleAutoCompleter$:810 - Could not create connection to database server.
2020-05-22 14:45:43 ERROR RuleAutoCompleter$:811 - Log analysis could not be performed. java.lang.ArrayIndexOutOfBoundsException: 92
2020-05-22 14:45:43 ERROR RuleAutoCompleter$:812 - Fininshed
2020-05-22 14:52:16 ERROR RuleAutoCompleter$:810 - Could not create connection to database server.
2020-05-22 14:52:16 ERROR RuleAutoCompleter$:811 - Log analysis could not be performed. java.lang.ArrayIndexOutOfBoundsException: 92
2020-05-22 14:52:16 ERROR RuleAutoCompleter$:812 - Fininshed

Thanks!

Re: Expedition unable to process security rule for Rule Enrichment

jamesshelley — Fri, 29 May 2020 09:05:25 GMT

Anyone please?

Re: Expedition unable to process security rule for Rule Enrichment

lychiang — Fri, 29 May 2020 16:07:11 GMT

Hi Jamesshelley,

Can you please follow the steps below to see if it helps

1. In ML. Setting, trying to set the Expedition IP to 127.0.0.1 , this will fall back to Expedition server IP and click “Save”. This step will re-initiate the database connections. (If Expedition is behind a different IP or NATed IP , you would need to put the real IP as ML IP not the NATed IP ) , check the IP using ifconfig.

2 Go to #more /home/userSpace/userDefinitions.php review the parameters in the files look like below:

define ('DBServer' , '127.0.0.1');

define ('DBUser', 'root');

define ('DBPass', 'paloalto');

define ('DBName' ,'project_schema');

define ('PARSER_max_execution_time','10000');

define ('PARSER_max_execution_memory','1G');

define ('DBSQL_LOG_BIN', 0);

3. Issue SQL commands to check which IPs were being allowed.

#mysql -uroot -ppaloalto

expedition@expedition-documentation:~$ mysql -uroot -ppaloalto

Welcome to the MariaDB monitor. Commands end with ; or \g.

Your MariaDB connection id is 319026

Server version: 10.1.44-MariaDB-1~xenial mariadb.org binary distribution

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> select host,user from mysql.user;

+--------------------------+------------------+

| host | user |

+--------------------------+------------------+

| 10.8.200.34 | root |

| 127.0.0.1 | root |

| ::1 | root |

| expedition-documentation | root |

| localhost | debian-sys-maint |

| localhost | root |

+--------------------------+------------------+

6 rows in set (0.00 sec)

Verified Expedition IP and User Root is showing up as above

4. Check that /etc/mysql/my.cnf is correctly setup not bind to 127.0.0.1. There is a health check in the dashboard that checks this as well.

Make sure "bind-address = 127.0.0.1" is commented out:

# The following values assume you have at least 32M ram

/127.0.0.1

...skipping

# Instead of skip-networking the default is now to listen only on

# localhost which is more compatible and is not less secure.

#bind-address = 127.0.0.1

Please let me know if it helps.

Re: Expedition unable to process security rule for Rule Enrichment

jamesshelley — Tue, 02 Jun 2020 08:21:18 GMT

It turned out to be the first step that fixed the issue, thanks for your help!