topic Re: Issues with ML with Logs Forward from Panorama in Expedition Discussions

Issues with ML with Logs Forward from Panorama

ChrisHammock — Tue, 31 Jan 2023 11:04:27 GMT

I am doing ML in Expedition for the first time. The setup is, all FWs managed by single Panorama, logs forward from FWs to panorama. I have setup panorama collector to forward the firewall logs to Expedition via syslog.

I have followed the online "Log Analysis Features of Expedition" and am getting stuck at Module 9 Machine learning. When I click the "Discovery" button -> Machine Learning. The window pops up but the connectors just has a Loading... listed rather than the panorama or device serial number. If I just ignore this and click analyze data it seems to quickly go to the completed stage with no information in the Learning results.

I have tried Firefox and Chrome just in case this is a browser issue with basically the same results. Obvioulsy the guide works on the basis of logs being sent direct from the firewall but I assume there is no reason I can't send the logs from panorama?

Thanks for any help

Re: Issues with ML with Logs Forward from Panorama

ChrisHammock — Tue, 31 Jan 2023 11:51:20 GMT

Additional information, below is a screenshot, note the connector status.

I have also attempted to use Rule Enrichment on the same rules, although the window does not contain a collector, when I click "Analyze Data" I still get completed with no results.

Could the issue be because the Device Group that contains the rules in panorama is not the same device group the firewalls are a member of, it is a parent of that device group. I assume not as everything else in Expedition seems to understand this.

Re: Issues with ML with Logs Forward from Panorama

lychiang — Tue, 31 Jan 2023 17:59:40 GMT

Hi @ChrisHammock For log connector, you will need to make sure the serial# of the firewall device you selected under panorama device group match the serial# of the firewall logs you had processed in the early steps. And when you enable the ML , you will need to enable it on the device group where the policy located

Re: Issues with ML with Logs Forward from Panorama

ChrisHammock — Wed, 01 Feb 2023 09:35:37 GMT

Thanks for the response, I am sure specifics are important, please see below the processed logs window, the device serial is underneath the window in black, not sure if its visible in the screenshot

this matches what is in the csv logs in the PALogs folder header below

2023-01-26T16:21:36+00:00 RH-MGT-01.CustomerName.net 1,2023/01/26 16:21:36,012001053440,TRAFFIC,end,2305,2023/01/26 16:15:17

Let me know if you need me to confirm settings anywhere else.

Re: Issues with ML with Logs Forward from Panorama

ChrisHammock — Wed, 01 Feb 2023 12:37:06 GMT

Thought this might be of use also

Re: Issues with ML with Logs Forward from Panorama

lychiang — Wed, 01 Feb 2023 16:46:02 GMT

@ChrisHammock Yes, those seems to be correct setting, you could try only select ITE-FW-01 in the log connector see if it makes any difference. If it still not working , please send an email to fwmigrate@paloaltonetworks.com

Re: Issues with ML with Logs Forward from Panorama

ChrisHammock — Wed, 01 Feb 2023 17:04:56 GMT

Thanks @lychiang that seemed to be the problem, if I remove the passive device, the connectors windows still just says "Loading..." as per the screenshot but the anayze actually provides results.