topic Re: Trouble doing ML on security policy from panorama? in Expedition Discussions

Trouble doing ML on security policy from panorama?

devincallaway — Mon, 09 Jul 2018 23:00:09 GMT

Can you use the ML and rule enhancements on security policy that is located in panorama. Im struggling a bit to get it to work. I set my project up to use panorama and then brought in the firewalls. There is not a schedule log export function to panorama to csv so I am exporting from firewall. I tried fwd syslog but the tool did not recognize the files. I get deferent results if i point my log connecter to panorama or the firewall. I get no devices in this connector If I point it at the firewall I If point the connector at the firewall I get No rules selected for learning.

Here are some screenshots. Thanks for you help in advance: I did the lab at ignite and am really excited about this tool, I'm a partner and plan on demoing it at one of our customer events in a couple of weeks. I would really like to do it on panorama and a larger firewall.

Re: Trouble doing ML on security policy from panorama?

Esfeld — Tue, 10 Jul 2018 15:18:52 GMT

What version of Expedition are you using? I had the same issue, but it resolved itself when I upgraded to 1.0.99.

Re: Trouble doing ML on security policy from panorama?

devincallaway — Tue, 10 Jul 2018 16:30:10 GMT

Im running 1.0.99.1 . I did get syslog working, I had to rename my log files to csv, I can now run ML and RE but there is no ouput after it is done.

Re: Trouble doing ML on security policy from panorama?

dgildelaig — Tue, 10 Jul 2018 17:21:22 GMT

Yes, it is possible, but a couple of things which may get tricky:

As we are going to work from a policy located in the Panorama device, we need to import the Panorama config.
The config should come from a device registered in Expedition. Uploading the Panorama XML config is not supported yet.
We need to have connectivity to Panorama JUST to retrieve the connected devices. In order to know which serials we are going to learn from (the managed devices) we need to have them registered
We will do the log connector using Panorama as a source, selecting the desired DG and selecting the desired fw-vsys's.
The rules we flag for learning, SHOULD be from the Panorama source.

I hope this helps. If not, we could have a Zoom session to check it in detail.

Re: Trouble doing ML on security policy from panorama?

dgildelaig — Tue, 10 Jul 2018 17:21:54 GMT

Yes, it is possible, but a couple of things which may get tricky:

As we are going to work from a policy located in the Panorama device, we need to import the Panorama config.
The config should come from a device registered in Expedition. Uploading the Panorama XML config is not supported yet.
We need to have connectivity to Panorama JUST to retrieve the connected devices. In order to know which serials we are going to learn from (the managed devices) we need to have them registered
We will do the log connector using Panorama as a source, selecting the desired DG and selecting the desired fw-vsys's.
The rules we flag for learning, SHOULD be from the Panorama source.

I hope this helps. If not, we could have a Zoom session to check it in detail (fwmigrate at paloaltonetworks dot com).

Re: Trouble doing ML on security policy from panorama?

Sec101 — Tue, 14 Aug 2018 14:18:50 GMT

I get the same as described above and I'm running 1.0.101

Re: Trouble doing ML on security policy from panorama?

thomas.busse — Mon, 20 Aug 2018 08:01:20 GMT

Hi Esfeld, could you tell me how to upgrade the Tool ? I could not find a reference in the Admin/User Guides and "sudo apt-get update && apt-get upgrade" does not seem to work.

Thanks.

Regards,

Thomas

Re: Trouble doing ML on security policy from panorama?

Esfeld — Mon, 20 Aug 2018 16:13:50 GMT

Those are the correct commands to run for it to get the updates. Make sure it is allowed through your firewall.

Re: Trouble doing ML on security policy from panorama?

alestevez — Mon, 27 Aug 2018 08:54:29 GMT

sudo apt-get update
sudo apt-get install expedition-beta