topic Re: Rule enrichment help in Expedition Discussions

Rule enrichment help

Joshua-Nezat — Mon, 14 Nov 2022 16:34:34 GMT

Hi all,

This is my first time attempting rule-enrichment on expedition. I followed the LIVEcommunity youtube videos for instructions. Logs exporting from the firewall for the last 90 days, and have already processed the logs. I have now enabled RE monitoring on a security policy, and when I got to RE discovery, the analyze data button brings up a log connector window. I can select the device here, but nothing else. Could somebody please let me know what steps I'm missing?

This first time I tried it, there was an xml file on the source dropdown, but it is no longer an option.

Re: Rule enrichment help

lychiang — Mon, 14 Nov 2022 16:42:56 GMT

@Joshua-Nezat If your config is panorama config, you will add panorama device in the device tab and click "show all device " on the top right corner. find the firewalls that have logs, and process the logs there. Then you will need to select panorama device and select the specific device group that contain the firewalls that you have processed the logs.

Re: Rule enrichment help

Joshua-Nezat — Mon, 14 Nov 2022 17:22:01 GMT

Thanks for your recommendation, but I do not have a panorama in this deployment. These firewalls are managed locally. Does that change anything?

Re: Rule enrichment help

lychiang — Mon, 14 Nov 2022 17:42:39 GMT

If your config is in firewall, you can use firewall as log connector, just select the firewall device and the config in the source, vsys1 in virtual system field, assume this is a single vsys firewall.

Re: Rule enrichment help

Joshua-Nezat — Mon, 14 Nov 2022 19:42:29 GMT

Okay I think I understand. The problem is, I am not able to select the firewall device config in the source field. The source drop-down menu (circled in blue below) gives me no options to select.

Re: Rule enrichment help

Joshua-Nezat — Mon, 14 Nov 2022 20:41:56 GMT

So I deleted the project, rebooted expedition, created new project, reimported device config, selected policy for rule enrichment monitoring, and now I have an option for the source.

After clicking save, it takes me back to the rule enrichment window, but nothing has changed. It still says "no devices in the logConnector" at the bottom of the window.

Re: Rule enrichment help

lychiang — Tue, 15 Nov 2022 21:24:48 GMT

You might want to delete the device and re-add the firewall, retrieve the running config again.