topic Re: Panorama log import in Expedition Discussions

Panorama log import

Alex_Kalbfell — Sun, 05 Sep 2021 00:25:02 GMT

I have firewalls managed by Panorama that I want to do some ML and RE on traffic logs. Right now I have this setup for 2 firewalls using the log export feature on the firewalls. Each firewall exports traffic logs to a different folder on my Expedition server. In Expedition I have added my Panorama and from the devices tab, I show all devices to see the firewalls managed by Panorama. Within the firewalls, I have setup the appropriate folder on the M. Learning tab and all of that works as expected.

My issue is when I go to the Panorama object under Devices and click on the M. Learning tab, I see all the logs from the 2 firewalls but under the "Device" column, it shows a totally different firewall that has nothing to do with this other than the fact it's also managed by Panorama. When I try to do any ML or RE for the firewalls that are sending logs, it fails, I assume because Panorama thinks those logs are for the other firewall.

Has anyone seen this before or know how to fix it?

Re: Panorama log import

Alex_Kalbfell — Sun, 05 Sep 2021 18:20:21 GMT

I noticed when I went to the Devices tab, double clicked my Panorama, then went to the Panorama Devices tab and clicked Retrieve Connected Devices, when that finishes, the logs all now show for a different firewall so still not correct, but changed.

Re: Panorama log import

azuniga — Tue, 07 Sep 2021 15:18:49 GMT

Hello @Alex_Kalbfell

It is kinda hard to understand the issue here, but usually the serial number is the separate firewall identifier we use to isolate the log files. Can you provide screenshots of what you are saying? If you're unable to do that please email us at fwmigrate@paloaltonetworks.com

Also please include your version of expedition I know we had some problems with ML on 1.1.104 so if you're running that version of expedition please upgrade to the latest version.

Re: Panorama log import

Alex_Kalbfell — Fri, 10 Sep 2021 14:19:54 GMT

Hi @azuniga

Thanks for replying and my apologies if the original posts were confusing. I did reach out to that email address over the weekend and am waiting to hear back.

Hopefully this is a better explanation of the issue...

The firewalls are set to export traffic logs to the expedition server which works fine. Before Expedition processes the logs, if I look at the ML.Learning tab for Panorama, I see the logs there and the device column matches up to the correct device, but when the logs get processed, the device name changes to a totally different firewall. If I try to run ML or RE on any of the firewalls that have had logs processed, it just sits on initializing forever so it seems as if because after processing of logs, the logs are "assigned" to a different firewall.

Attached are a couple of screenshots although I had to scrub out full names. One shows a log file for a firewall with DC-MDF1-FW01 in the name and the device column is correct. This is before that log file is processed. The next screenshot shows after processing and you can see that the device column now shows a totally different firewall.

Re: Panorama log import

BenKnorr2 — Fri, 10 Sep 2021 15:19:34 GMT

Instead of going Devices>Panorama>M.Learning , go Devices>Panorama>expand list>[FW in question]

Not sure if you're doing this already but your screenshots show Panorama instead of FWs themselves. I'm not sure how the GUI is supposed to work where Panorama is managing firewalls in this regard, but in my experience with ML and Panorama, I go this route to configure the log ingestion processing for ML on each FW. Config for rules comes via syncing it from Devices>Panorama as normal.

Re: Panorama log import

Alex_Kalbfell — Tue, 21 Sep 2021 13:53:36 GMT

Hi @BenKnorr2

Thanks. I have it configured for each device like that. I think the issue I am running into is the right way to get Panorama, the firewall and expedition to all work together. If I try this on a firewall not connected to Panorama, I have no issues.