topic Re: M.Learning Analysis results empty in Expedition Discussions

M.Learning Analysis results empty

chris.weakland — Wed, 24 Apr 2024 21:14:25 GMT

Currently I have a Panorama managed firewall, I have added Panorama to Expedition (Running v1.2.86), and I am sending syslogs from the firewall to Expedition. Logs are showing up and are being processed:

I have a project created, Panorama configuration imported, I can see the ruleset for the firewall in question. I have the log connector set to Panorama and the device group for the firewall selected.

In the policy, I have enabled ML on the rules I am interested in. However, when I run the analysis, I get an empty result:

Can anyone chime in on how to resolve this issue?

Thanks,

Chris

Re: M.Learning Analysis results empty

sanandh — Wed, 24 Apr 2024 22:33:14 GMT

There are couple of things to double check:
- Verify the logs have the serial number matching the serial used to initiate the ML analysis. In case of HA pairs, the logs could be using a different serial.

- Verify there are logs for the rule you are analyzing . If there are no matching logs, the analysis result will be empty

Re: M.Learning Analysis results empty

dpuigdomenec — Thu, 25 Apr 2024 09:05:11 GMT

Hi @chris.weakland I guess your issue is related to what @sanandh mentions regarding the FW serials matching. So besides his comments, please do below:

1) Edit your Panorama and set it up as "vm-panorama".

2) Open your project again, go to plugins and create a new log connector, in this case you should be able to select the device, the source file and the DG but also selecting the FWs. See attached screenshot for reference.

Hope this helps,

David

Re: M.Learning Analysis results empty

chris.weakland — Thu, 25 Apr 2024 13:38:47 GMT

Thank you David, that did the trick!