topic Re: APP-ID adoption doesn't output any app-IDs in Expedition Discussions

APP-ID adoption doesn't output any app-IDs

Eric.Hernandez — Tue, 09 Mar 2021 17:00:23 GMT

I'm using expedition 1.1.93

When I target my any/any rule for app-id adoption, the adoption process finishes, but no app-ids are displayed. This occurs whether I request a slow retrieval or a fast retrieval.

The same rule(s) work fine with ML and RE (app-ids show up as expected).

Any ideas? I'm not even sure how to troubleshoot this. Any help is appreciated. Thanks!

Re: APP-ID adoption doesn't output any app-IDs

Eric.Hernandez — Tue, 09 Mar 2021 16:57:49 GMT

something to add...

Initially I didn't have the "APP-ID via LOG" column showing in the security policies table. I've added that column.

Oddly enough, now when I retrieve apps (fast or slow) the "APP-ID via LOG" column disappears from the table. If I add the column again, it's empty.

Re: APP-ID adoption doesn't output any app-IDs

lychiang — Tue, 09 Mar 2021 17:27:53 GMT

Hi @Eric.Hernandez

For APP-ID Adoption, the important part will be the log connector, please specify the correct PAN-OS device that contains the security policy and logs, make sure Expedition can connect to it via API. To verify that, you can try to click "Retrieve content -> running configuration and see if the latest configuration has been downloaded. For more detailed steps, please review Module 1,2,6,7 of the below video playlist for APP-ID adoptions:

https://www.youtube.com/playlist?list=PLD6FJ8WNiIqXAfspousboWn6AllrOWVMi

Regards,

Lynn

Re: APP-ID adoption doesn't output any app-IDs

Eric.Hernandez — Tue, 09 Mar 2021 19:21:30 GMT

Thank you Lynn.

I'm using Panorama, and I have two log connectors each mapped to their respective device group (and devices).

e.g.:

LC1 = DG1 = devices 1 and 2

LC2 = DG2 = devices 3 and 4

I could be wrong, but I don't think the log connectors are mis-configure. ML and RE work flawlessly across both DGs (thus invoking both LCs).

Do you have any other suggestions or ideas? Thank you again.

Re: APP-ID adoption doesn't output any app-IDs

Eric.Hernandez — Tue, 09 Mar 2021 19:31:22 GMT

Oddly enough if I exit the project and go into devices, I only see the Panorama device. Retrieving the running configuration of the Panorama device works fine. I can also retrieve connected devices and the content of those devices with no errors.

If I go back into devices and select "show all devices", I now see the FW devices underneath the Panorama instance. If I drill into the FW device directly, and try to retrieve the running config, I receive a remote exception error stating "Please generate an admin API key first".

I was under the impression that I would perform all interaction via Panorama, and that I didn't need to worry about generating API keys at the device level. What do you think?

I'm going to look through the config logs and see if the admin user pw was changed anywhere.

Re: APP-ID adoption doesn't output any app-IDs

lychiang — Tue, 09 Mar 2021 20:34:23 GMT

@Eric.Hernandez

Couple of things you can check :

1. Where is the security policy defined under? If it's defined in DG1 , the log connector you need to use is LC1, you should delete LC2 since you don't need it for app-id adoption.

2. Is there any traffic logs matching your security policy that you want to analyze for app-id ? Is there app-id shown in the traffic logs?

3. Make sure your expedition is running the latest version v1.1.92.

4. Trying to remove the Panorama from the device tab and re-add it in, re-retrieve the contents and create a new project, assign the panorama to the project, and re-add the log connector.

Re: APP-ID adoption doesn't output any app-IDs

lychiang — Tue, 09 Mar 2021 20:36:18 GMT

If your security policy defined in Panorama, you do not need api key nor connections to firewalls at all. The only interactions is between Expedition and Panorama, please make sure the firewall logs are forwarding to Panorama.

Re: APP-ID adoption doesn't output any app-IDs

Eric.Hernandez — Tue, 09 Mar 2021 20:59:12 GMT

Thanks @lychiang I appreciate your help!

1. Without getting too much into design, I have four NGFW devices. Each device pair (HA pair) has it's own device group. There are 'permit any/any' rules within both device groups, and I'd like to analyze all for app-ID adoption. So it's fair to say that I'm attempting app-ID adoption for rules within multiple device groups. This is the reason why I setup two log connectors (one per device group).

2. yes, there are traffic logs for the ip any/any rules, and app-IDs are 'seen' within the traffic logs

3. I just updated to 1.1.92 this morning

4. (remove Panorama, re-add and re-create project) - I will try this tomorrow

Logs are being shipped from the NGFW devices themselves to the Expedition server via 'scheduled log export'.

Thank you for answering my question about connecting via Panorama vs connecting via the devices themselves. Based on your answer, I am doing everything correctly as I can retrieve the connected devices and the connected device content via the 'top level' Panorama device.

My next step (tomorrow) is to delete the project, remove Panorama from the global devices, re-add Panorama, and re-create the project and log connector. I'm confused about this issue as the other features (ML and RE) are currently working fine within this project.

I'll post here tomorrow after I re-create everything. Thank you again for your help!

Re: APP-ID adoption doesn't output any app-IDs

Eric.Hernandez — Wed, 10 Mar 2021 18:56:38 GMT

Today I deleted the project, deleted my panorama device, and deleted all parquet processed logs.

I re-added the Panorama instance, re-created the project, and recreated the log connectors.

After processing logs, I'm getting the same exact symptoms. ML and RE works fine, both display the expected apps for my PERMIT any/any rule. When I try to retrieve apps for APP-ID adoption (within my any/any rule), nothing shows up.

Is there a log that I can look at to see what's going on? Any debug or tshooting info would be helpful.

Re: APP-ID adoption doesn't output any app-IDs

lychiang — Thu, 11 Mar 2021 18:11:52 GMT

Hi @Eric.Hernandez , could you please send an email to 'fwmigrate@paloaltonetworks.com' and my team can schedule a live session to take a look at your issue. Thanks!

Re: APP-ID adoption doesn't output any app-IDs

Eric.Hernandez — Fri, 12 Mar 2021 14:15:30 GMT

OK, will do. Thanks @lychiang

Re: APP-ID adoption doesn't output any app-IDs

Eric.Hernandez — Fri, 12 Mar 2021 19:20:47 GMT

Thank you so much for your help @lychiang

In summary, (in case anybody else runs into this issue), I first needed to send traffic logs from my devices into Panorama, as the app-id adoption makes a call to Panorama to gather the app-id statistics. Previously I only had my devices sending their traffic logs to Expedition. This worked fine for ML and RE. For APP-ID, the device traffic logs need to be in Panorama.

Secondly, Lynn was spot on when she suggested that the log connectors were probably the culprit. I have an Active/Passive pair, and the passive node has a lower serial number than the active node. In the LC, the devices are listed (top-down) based on serial number. The passive node was on top of the Active node (due to the lower serial number). It seems that the LC will check the first device in the list, and if there are no app-id stats, then it won't return anything. As soon as we only selected the active node, the APP-ID stats started working. This is the same with Active/Active devices (if one of the AA devices isn't passing traffic). The device passing traffic must be up top, otherwise you should only select the single device (the device passing traffic) within the LC.