Real-time update tab in Devices

rodvand_de — Wed, 23 Jan 2019 13:09:39 GMT

Under a device in Expedition there is a tab called Real-time updates. It seems to be a syslog receiver for changes.

Can someone confirm how to use this feature?

Re: Real-time update tab in Devices

dgildelaig — Wed, 23 Jan 2019 16:22:30 GMT

This feature is not complete, unfortunatelly.

What does feature this do?

Let me explain what it is meant to do when complete:

If you define in your PA to send Config syslog entries to Expedition, Expedition will parse such changes and check which modifications it would require into your policies to keep them in synch.
It will require the System syslog entries as well, to determine when a Commit has been applied and know then that the changes need to me transferrerd into the projects. If the System info would report that you went back to Running Config, the pending changes would be discarded. However, if a specific config is loaded (for instance, a saved config in the PA), the project will get into an unsynch state, as we would not know which changes are present in the new config.

Notice that the controls to keep the projects in synch with the policies are very complex. We need to identify which objects are changing, which rules are being modified or moved, etc. and to know how would that effect to the current changes that you may have in the Expedition project.

Let's put one example:

Imagine you decided to delete an address object in the Expedition project, because you are doing some cleaning (you decided that using a range instead of multiple IP addresses as a source would increase the readability of the config).

However, somebody in the PA, decided to modify the address object and convert it into a subrange.

What should Expedition do in such case? Create the address object again? Verify that the new object is still redundant given the changes in your project? Raise a warning because you may overwrite some "interesting" changes in your PA?

In Which state is this feature now?

We have been covering quite a large subset of these changes, and only for Security Rules and Nat Rules (including address, services, apps, etc.) but there are several features that we have not covered, such as network settings.

For this reason, this feature has not been promoted and we may retake its implementation for PANOS 9.0, where we expect to be able to track the changes better.

What does it require to activate it?

Take a look into the rsyslog file in

/var/www/html/OS/rsyslog/rsyslog.conf

You will see that this config in rsyslog has a logic to identify different types of Config and System syslog actions, and executes some database inserts to report seen config modifications. It requires of the module

mmnormalize

to know how to read the syslog messages, which are defined in

/var/www/html/OS/rsyslog/palo_alto_networks.rb

However, we will have to extend thaose schemas to support PANOS 9.0 when we retake this task, as we were doing this implementation during PANOS 7.1.

I want to help

Suggestions or coding hands will be welcome to help into this feature completeness. 😉

You can contact us at fwmigrate at paloaltonetworks dot com or directly to me at dgildelaig at paloaltonetworks dot com

Re: Real-time update tab in Devices

jasonwa — Tue, 02 Mar 2021 10:23:35 GMT

Hi is there an update to whether this is available on 9.x of PAN-OS or available now with the latest release of expedition?

topic Re: Real-time update tab in Devices in Expedition Discussions

Real-time update tab in Devices

Re: Real-time update tab in Devices

Re: Real-time update tab in Devices