Expedition Documentation

Here are all the documents related to Expedition use and administration.

  1. Hardening Expedition – Follow this guide to secure your instance.
  2. Admin Guide – Describes the Admin section and provides advice on how to configure and properly set up Expedition.
  3. User Guide v1.1 (will be improved)
  4. Using Machine Learning – Create policies from logs (1st version)
Comments

When should we expect the User Guide for Expedition?

We expect to have the first release this week.

Problems getting an export of set commands with the full configuration. The Dashboard reflects no invalid objects and no duplicates, but I am still unable to get the set commands.

Hi @DSchlosser-GSD, please open a new thread under Discussions.

Is Expedition the successor to the Migration Tool (OVA) listed at the following URL?

https://live.paloaltonetworks.com/t5/Migration-Tool-Articles-old/Download-the-Migration-Tool/ta-p/56...

I see that the download is just a tarball of VMware files...

What's the difference, and can either tool convert an ASA config to a partial Palo Alto config (or set commands) to deploy to an existing multi-tenant PA device?

Yes, it is. This version is to run under VMware Workstation or VMware Player; if you need to convert it to ESXi you can use VMware Converter.

Any sign of that User Document yet?

I have customers asking about this.

User Guide???

Is it possible to have this new version as an OVA?

It's a bit risky just adding a third-party host to our VM farm; OVAs are a more acceptable risk.

I'm simply trying to import an xml into a project that my account created and as soon as the % import basically finishes, I get a message that says "you do not have rights in the project" ??  Any assistance would be great!

I'm having the same issue when importing a Check Point firewall configuration from R77.30. I am logged in as admin but still receive the message "failed: you do not have rights in this project".

We are reviewing it, thanks

If someone can send us an email to fwmigrate at paloaltonetworks dot com describing how to reproduce the problem; we are unable to reproduce it, sorry. Thanks

Is the BPA feature in Expedition functioning? I tried to import a running config.xml and run it, but nothing came out. Are there any steps that I missed?


@yctan, are you on the latest version, 1.0.103?

I'm at 1.0.84. I saw this thread on BPA:

https://live.paloaltonetworks.com/t5/Expedition-Discussions/Best-Practices-Analysis-Not-Running/td-p...

 

I have a problem updating when running this CLI command to update.

sudo apt-get update

After that command, just run the next one (ignore any errors):

sudo apt-get install expedition-beta

@yctan, and after everything you have to run this command as well:

sudo bash /var/www/html/OS/BPA/updateBPA306.sh

It's working now. Thanks!

Updates have passed in Ubuntuland, and Expedition(-beta) did not survive.

- The conversionupdates repository was removed from sources.list

- After re-enabling it:


expedition@Expedition:~$ sudo apt-get install expedition-beta
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
bc libexporter-tiny-perl liblist-moreutils-perl libsodium23 php-common php-radius php7.2-cli php7.2-common php7.2-json php7.2-opcache php7.2-phpdbg php7.2-readline
Suggested packages:
php-pear
The following NEW packages will be installed:
bc expedition-beta libexporter-tiny-perl liblist-moreutils-perl libsodium23 php-common php-radius php7.2-cli php7.2-common php7.2-json php7.2-opcache php7.2-phpdbg php7.2-readline
0 upgraded, 13 newly installed, 0 to remove and 0 not upgraded.
Need to get 4,289 kB/46.0 MB of archives.
After this operation, 18.3 MB of additional disk space will be used.
Do you want to continue? [Y/n]
WARNING: The following packages cannot be authenticated!
expedition-beta
Install these packages without verification? [y/N] y
Get:1 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 bc amd64 1.07.1-2 [86.2 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 libexporter-tiny-perl all 1.000000-2 [34.6 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 liblist-moreutils-perl amd64 0.416-1build3 [55.5 kB]
Get:4 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 php-common all 1:60ubuntu1 [12.1 kB]
Get:5 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 php7.2-common amd64 7.2.7-0ubuntu0.18.04.2 [879 kB]
Get:6 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 php7.2-json amd64 7.2.7-0ubuntu0.18.04.2 [18.8 kB]
Get:7 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 php7.2-opcache amd64 7.2.7-0ubuntu0.18.04.2 [164 kB]
Get:8 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 php7.2-readline amd64 7.2.7-0ubuntu0.18.04.2 [12.1 kB]
Get:9 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 libsodium23 amd64 1.0.16-2 [143 kB]
Get:10 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 php7.2-cli amd64 7.2.7-0ubuntu0.18.04.2 [1,406 kB]
Get:11 http://us.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 php7.2-phpdbg amd64 7.2.7-0ubuntu0.18.04.2 [1,445 kB]
Get:12 http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 php-radius amd64 1.4.0~b1-6build2 [31.8 kB]
Fetched 4,289 kB in 6s (728 kB/s)
Selecting previously unselected package bc.
(Reading database ... 85832 files and directories currently installed.)
Preparing to unpack .../00-bc_1.07.1-2_amd64.deb ...
Unpacking bc (1.07.1-2) ...
Selecting previously unselected package libexporter-tiny-perl.
Preparing to unpack .../01-libexporter-tiny-perl_1.000000-2_all.deb ...
Unpacking libexporter-tiny-perl (1.000000-2) ...
Selecting previously unselected package liblist-moreutils-perl.
Preparing to unpack .../02-liblist-moreutils-perl_0.416-1build3_amd64.deb ...
Unpacking liblist-moreutils-perl (0.416-1build3) ...
Selecting previously unselected package php-common.
Preparing to unpack .../03-php-common_1%3a60ubuntu1_all.deb ...
Unpacking php-common (1:60ubuntu1) ...
Selecting previously unselected package php7.2-common.
Preparing to unpack .../04-php7.2-common_7.2.7-0ubuntu0.18.04.2_amd64.deb ...
Unpacking php7.2-common (7.2.7-0ubuntu0.18.04.2) ...
Selecting previously unselected package php7.2-json.
Preparing to unpack .../05-php7.2-json_7.2.7-0ubuntu0.18.04.2_amd64.deb ...
Unpacking php7.2-json (7.2.7-0ubuntu0.18.04.2) ...
Selecting previously unselected package php7.2-opcache.
Preparing to unpack .../06-php7.2-opcache_7.2.7-0ubuntu0.18.04.2_amd64.deb ...
Unpacking php7.2-opcache (7.2.7-0ubuntu0.18.04.2) ...
Selecting previously unselected package php7.2-readline.
Preparing to unpack .../07-php7.2-readline_7.2.7-0ubuntu0.18.04.2_amd64.deb ...
Unpacking php7.2-readline (7.2.7-0ubuntu0.18.04.2) ...
Selecting previously unselected package libsodium23:amd64.
Preparing to unpack .../08-libsodium23_1.0.16-2_amd64.deb ...
Unpacking libsodium23:amd64 (1.0.16-2) ...
Selecting previously unselected package php7.2-cli.
Preparing to unpack .../09-php7.2-cli_7.2.7-0ubuntu0.18.04.2_amd64.deb ...
Unpacking php7.2-cli (7.2.7-0ubuntu0.18.04.2) ...
Selecting previously unselected package php7.2-phpdbg.
Preparing to unpack .../10-php7.2-phpdbg_7.2.7-0ubuntu0.18.04.2_amd64.deb ...
Unpacking php7.2-phpdbg (7.2.7-0ubuntu0.18.04.2) ...
Selecting previously unselected package php-radius.
Preparing to unpack .../11-php-radius_1.4.0~b1-6build2_amd64.deb ...
Unpacking php-radius (1.4.0~b1-6build2) ...
Selecting previously unselected package expedition-beta.
Preparing to unpack .../12-expedition-beta_1.0.103_amd64.deb ...
Unpacking expedition-beta (1.0.103) ...
Processing triggers for install-info (6.5.0.dfsg.1-2) ...
Setting up libexporter-tiny-perl (1.000000-2) ...
Setting up libsodium23:amd64 (1.0.16-2) ...
Processing triggers for libc-bin (2.27-3ubuntu1) ...
Setting up php-common (1:60ubuntu1) ...
Processing triggers for man-db (2.8.3-2) ...
Setting up bc (1.07.1-2) ...
Setting up liblist-moreutils-perl (0.416-1build3) ...
Setting up php7.2-common (7.2.7-0ubuntu0.18.04.2) ...
Setting up php7.2-readline (7.2.7-0ubuntu0.18.04.2) ...
Setting up php7.2-json (7.2.7-0ubuntu0.18.04.2) ...
Setting up php7.2-opcache (7.2.7-0ubuntu0.18.04.2) ...
Setting up php7.2-cli (7.2.7-0ubuntu0.18.04.2) ...
update-alternatives: using /usr/bin/php7.2 to provide /usr/bin/php (php) in auto mode
update-alternatives: using /usr/bin/phar7.2 to provide /usr/bin/phar (phar) in auto mode
update-alternatives: using /usr/bin/phar.phar7.2 to provide /usr/bin/phar.phar (phar.phar) in auto mode
Setting up php7.2-phpdbg (7.2.7-0ubuntu0.18.04.2) ...
update-alternatives: using /usr/bin/phpdbg7.2 to provide /usr/bin/phpdbg (phpdbg) in auto mode
Setting up php-radius (1.4.0~b1-6build2) ...
Setting up expedition-beta (1.0.103) ...
PHP Fatal error: Uncaught Error: Class 'mysqli' not found in /var/www/html/libs/database.php:22
Stack trace:
#0 /var/www/html/bin/updates/updateSQL.php(14): require_once()
#1 {main}
thrown in /var/www/html/libs/database.php on line 22
its recommended to run after install: apt-get -y -f install
its recommended to run after install: sudo apt-get autoremove
PHP Fatal error: Uncaught Error: Call to undefined function PaloAltoNetworks\expedition\sns\curl_init() in /var/www/html/libs/sns/sns.php:126
Stack trace:
#0 /var/www/html/libs/sns/sns.php(155): PaloAltoNetworks\expedition\sns\sns->send_message('{"type": "stats...')
#1 /var/www/html/libs/sns/sns.php(92): PaloAltoNetworks\expedition\sns\sns->send_stats('Update Installe...')
#2 /var/www/html/libs/sns/sns.php(38): PaloAltoNetworks\expedition\sns\sns->update('4be79b3c-a61d-4...')
#3 /var/www/html/libs/utils.php(17): PaloAltoNetworks\expedition\sns\sns->__construct(Array)
#4 /var/www/html/OS/update/snsUpdate.php(11): sns_init(Array)
#5 {main}
thrown in /var/www/html/libs/sns/sns.php on line 126
Checking for old projects and Devices what are not Encrypted
PHP Fatal error: Uncaught PDOException: could not find driver in /var/www/html/libs/vendor/doctrine/dbal/lib/Doctrine/DBAL/Driver/PDOConnection.php:43
Stack trace:
#0 /var/www/html/libs/vendor/doctrine/dbal/lib/Doctrine/DBAL/Driver/PDOConnection.php(43): PDO->__construct('mysql:host=loca...', 'root', 'paloalto', Array)
#1 /var/www/html/libs/vendor/illuminate/database/Connectors/Connector.php(64): Doctrine\DBAL\Driver\PDOConnection->__construct('mysql:host=loca...', 'root', 'paloalto', Array)
#2 /var/www/html/libs/vendor/illuminate/database/Connectors/Connector.php(43): Illuminate\Database\Connectors\Connector->createPdoConnection('mysql:host=loca...', 'root', 'paloalto', Array)
#3 /var/www/html/libs/vendor/illuminate/database/Connectors/MySqlConnector.php(24): Illuminate\Database\Connectors\Connector->createConnection('mysql:host=loca...', Array, Array)
#4 /var/www/html/libs/vendor/illuminate/database/Connectors/ConnectionFactory.php(183): Illuminate\Database\Connectors\MySqlConnector->connect(Array)
#5 [internal function]: I in /var/www/html/libs/vendor/illuminate/database/Connection.php on line 664

Fatal error: Uncaught PDOException: could not find driver in /var/www/html/libs/vendor/doctrine/dbal/lib/Doctrine/DBAL/Driver/PDOConnection.php:43
Stack trace:
#0 /var/www/html/libs/vendor/doctrine/dbal/lib/Doctrine/DBAL/Driver/PDOConnection.php(43): PDO->__construct('mysql:host=loca...', 'root', 'paloalto', Array)
#1 /var/www/html/libs/vendor/illuminate/database/Connectors/Connector.php(64): Doctrine\DBAL\Driver\PDOConnection->__construct('mysql:host=loca...', 'root', 'paloalto', Array)
#2 /var/www/html/libs/vendor/illuminate/database/Connectors/Connector.php(43): Illuminate\Database\Connectors\Connector->createPdoConnection('mysql:host=loca...', 'root', 'paloalto', Array)
#3 /var/www/html/libs/vendor/illuminate/database/Connectors/MySqlConnector.php(24): Illuminate\Database\Connectors\Connector->createConnection('mysql:host=loca...', Array, Array)
#4 /var/www/html/libs/vendor/illuminate/database/Connectors/ConnectionFactory.php(183): Illuminate\Database\Connectors\MySqlConnector->connect(Array)
#5 [internal function]: I in /var/www/html/libs/vendor/illuminate/database/Connection.php on line 664
Warning: ALREADY_ENABLED: 5140-5150:tcp
Warning: ALREADY_ENABLED: 4050-4070:tcp
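Three checks worth running around that update, as an added example that is not part of the thread or of Expedition itself. They are driven by what the transcript above shows: apt reported that expedition-beta could not be authenticated and the install continued anyway; the package's post-install scripts then failed with "Class 'mysqli' not found" and "PDOException: could not find driver", both consistent with PHP's MySQL extensions (shipped in php7.2-mysql on Ubuntu 18.04) not being loaded; and the stack trace prints the database user and password in clear text. The sample inputs are constructed to mirror the transcript so the script runs offline; on a real host, feed each function the live output named in its comment.

```shell
#!/bin/sh
# Added example, not Expedition's or Palo Alto Networks' code. Three checks
# around "sudo apt-get install expedition-beta", driven by the transcript above:
#   1. apt reported expedition-beta "cannot be authenticated" and was told "y",
#      so an unsigned package was installed;
#   2. the post-install scripts died with "Class 'mysqli' not found" and
#      "could not find driver", i.e. PHP's MySQL extensions were not loaded;
#   3. the stack trace shows the database user and password in clear text.
# The sample inputs are constructed to mirror the transcript so this runs
# offline; each function's comment names the live command it expects.
set -eu

# 1. Parse a captured apt run ("apt-get install expedition-beta 2>&1 | tee
# install.log"): print each package apt could not authenticate, one per line.
# Returns 0 when none were reported, 1 otherwise.
unauthenticated_packages() {
  local transcript="$1" inblock=0 any=0 line pkg
  while IFS= read -r line; do
    if [ "$line" = "WARNING: The following packages cannot be authenticated!" ]; then
      inblock=1
      continue
    fi
    if [ "$inblock" -eq 1 ]; then
      case "$line" in
        "Install these packages without verification?"*|"E: "*|"") inblock=0 ;;
        *) for pkg in $line; do printf '%s\n' "$pkg"; any=1; done ;;
      esac
    fi
  done <<EOF
$transcript
EOF
  return "$any"
}

# 2. Given the output of "php -m", print each required extension that is not
# loaded; returns 0 when all are present, 1 otherwise. On Ubuntu 18.04, mysqli
# and pdo_mysql come from php7.2-mysql and curl from php7.2-curl.
missing_php_extensions() {
  local modules="$1" missing=0 ext
  shift
  for ext in "$@"; do
    if ! printf '%s\n' "$modules" | grep -qix -- "$ext"; then
      printf '%s\n' "$ext"
      missing=1
    fi
  done
  return "$missing"
}

# 3. Scrub DSN, user and password from PDO constructor frames before a trace
# is shared; the second expression catches frames carrying the DSN alone.
redact_pdo_credentials() {
  printf '%s\n' "$1" | sed \
    -e "s/'mysql:[^']*', '[^']*', '[^']*'/'<dsn>', '<user>', '<password>'/g" \
    -e "s/'mysql:[^']*'/'<dsn>'/g"
}

# Constructed samples shaped like the transcript (not captured from a host).
SAMPLE_APT='The following NEW packages will be installed:
  bc expedition-beta libsodium23 php7.2-cli php7.2-json php7.2-readline
Do you want to continue? [Y/n]
WARNING: The following packages cannot be authenticated!
  expedition-beta
Install these packages without verification? [y/N] y
Get:1 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 bc amd64 1.07.1-2 [86.2 kB]'

SAMPLE_PHP_MODULES='[PHP Modules]
Core
ctype
date
json
PDO
readline

[Zend Modules]
Zend OPcache'

SAMPLE_TRACE="PHP Fatal error: Uncaught PDOException: could not find driver in PDOConnection.php:43
#0 PDOConnection.php(43): PDO->__construct('mysql:host=localhost', 'root', 'paloalto', Array)
#1 Connector.php(64): Doctrine\DBAL\Driver\PDOConnection->__construct('mysql:host=localhost', 'root', 'paloalto', Array)
#2 MySqlConnector.php(24): Illuminate\Database\Connectors\Connector->createConnection('mysql:host=localhost', Array, Array)"

main() {
  if pkgs=$(unauthenticated_packages "$SAMPLE_APT"); then
    echo "apt: every package is authenticated"
  else
    echo "apt: installed WITHOUT signature verification:"; printf '  %s\n' $pkgs
  fi
  if exts=$(missing_php_extensions "$SAMPLE_PHP_MODULES" mysqli pdo_mysql curl); then
    echo "php: all required extensions are loaded"
  else
    echo "php: missing extensions (install php7.2-mysql / php7.2-curl, then re-run the update scripts):"
    printf '  %s\n' $exts
  fi
  echo "redacted trace:"; redact_pdo_credentials "$SAMPLE_TRACE"
}
main
```

Running apt-get with -y and without --allow-unauthenticated makes apt abort on unsigned packages instead of prompting, which is the safer behaviour for a scripted update; better still is a repository that is signed, with its key pinned through a signed-by entry on the sources.list line. A trace that shows the database login should be redacted before it is pasted into a public thread, and is a reminder to follow the Hardening Expedition guide listed at the top of this page.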

Hi, I followed the steps given above with my new environment but the BPA is not functioning. Are there any changes?

Thanks

Hi All,

How do I create a log connector in Plugins, or is there a user guide document on these steps?

Thanks.

Ramzee

Hey community,

When should we expect the documentation "Using Machine Learning to create Policies from logs"?

We have implemented Expedition in the latest version.

Adding a new project and loading firewall configs and logs works fine so far.

But if firewall export files covering 24 hours and more than 4 GB in size are loaded, the tool stops working. How is this amount of data best dealt with? Is it possible to send the data directly via syslog to Expedition?

How is this set up?

Thanks

MatzePeng

The documentation is ready and now is under review so expect it this week!

Hey alestevez,

Thank you for your prompt reply. That sounds good.

Best regards

Matthias

"1. Using Machine Learning to create Policies from logs (Coming soon)"

How much longer for this guide? :)

Available!!

SWEET!!


Hi All,

Is it possible for me to manually upload the traffic log into Expedition, instead of Expedition pulling the log by itself through the network?

The reason being that I didn't install Expedition in the client's environment, but on my laptop instead.

I need the traffic log in Expedition in order for Expedition to advise me on rule optimization (recommended App-ID, recommended rules not in use, recommended merge rules, etc.).

Thanks,

Ramzee

Hi Ramzee,

If I understood your question correctly, the answer is yes.

You can export the logs and the configuration from the firewall to a file and manually load them into Expedition for analysis.

We load the files via SCP (SSH) into the data folder on Expedition. After that, the files are available in Expedition.

The only problem we had was with files that were too big (a 24h traffic log export with more than 4 GB of data from a 3000 Series Palo Alto and more than 1 million lines per *.csv file). There seems to be a problem in Expedition. Maybe our system needs more performance. Don't know at the moment.

It would make sense to test it with short files at the beginning.

I think all the information you need can be found in the documentation above.

Best

MatzePeng

 

@Ramzee Yes and no. You first need to create the device and retrieve the configuration by using the APIs, which means you need to be in the customer's network to do that. Then you can manually import the log files via SCP and place them into Expedition; from the device configured you can tell where you placed them for analysis. Please follow the documentation https://paloaltonetworks.box.com/s/2h1xd16i5nlwkv9pmpega0m416rnps0q and follow the Rule Enrichment Process to do the App-ID Adoption.

Hi MatzePeng,

Understood on the approach.

Another question: I have exported the traffic log to .csv, but it only contains logs for one day. From the firewall Monitor tab, I can see logs at least up until June 2018. Please advise how I can export all traffic logs.

Thanks.

Hi alestevez,

As for now, Expedition is not installed in the client's environment. I'm looking to run Expedition outside the client's environment (my laptop is not connected to the client's environment).

Thanks for your advice.

Hi Ramzee,

Logs can be exported using filters.

Palo Alto knowledgebase

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clj3CAC

Best

Hi MatzePeng,

The exact same steps that I did before: the resulting .csv only shows today, and only 2 hours of traffic log. Yet in the firewall Monitor traffic log I can see logs at least starting from June 2018.

Hey,

Strange. Have you checked the date, time and time zone on the firewall and Expedition?

To rule out a malfunction in the GUI, I would test it all via the CLI. Is the problem there too?

Have you also checked the maximum number of lines in the CSV file? How many lines does your file have?

Please check the configuration as described in the link.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaPCAS

Best

MatzePeng

Hi MatzePeng,

You are right, that is the restriction. Currently the default Max Rows in CSV is 65535. I would need to increase it if I require more logs. The maximum value it can be increased to is 1048576.

Thanks a lot mate for the assistance!
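Two helpers for the CSV limits in this exchange, as an added example that is not from the thread or from Expedition: a check that flags an export whose data-row count has reached the Max Rows in CSV cap (65535 by default, 1048576 at most) as probably truncated, and a splitter that cuts a very large export (the 4 GB, million-line files mentioned earlier in the thread) into chunks that each repeat the header line. Both assume, which the page does not state, that the export's first line is the column header and that the cap counts data rows rather than lines; the 7-row file in the demo is constructed, not real firewall data.

```shell
#!/bin/sh
# Added example, not Expedition's or Palo Alto Networks' code. Helpers for the
# CSV-export limits discussed above. Assumptions not stated on the page: the
# first line of the export is the column header, and Max Rows in CSV counts
# data rows only.
set -eu

# Data rows in an export, i.e. line count minus the header line.
csv_data_rows() {
  echo $(( $(wc -l <"$1") - 1 ))
}

# Return 0 (and warn) when the export is at or above the Max Rows in CSV cap
# and should be treated as truncated; return 1 when it is below the cap.
csv_export_truncated() {
  local file="$1" cap="${2:-65535}" rows
  rows=$(csv_data_rows "$file")
  if [ "$rows" -ge "$cap" ]; then
    echo "WARNING: $file has $rows data rows, at the cap of $cap: probably truncated." \
         "Narrow the log filter or raise Max Rows in CSV (maximum 1048576)." >&2
    return 0
  fi
  return 1
}

# Split FILE into PREFIX0001.csv, PREFIX0002.csv, ... holding at most N data
# rows each, repeating the header so every chunk loads like a complete export.
split_csv_keep_header() {
  local file="$1" per_chunk="$2" prefix="$3"
  awk -v n="$per_chunk" -v p="$prefix" '
    NR == 1 { header = $0; next }
    (NR - 2) % n == 0 {
      if (out) close(out)
      out = sprintf("%s%04d.csv", p, ++chunk)
      print header > out
    }
    { print > out }
  ' "$file"
}

# Stand-alone demo on a constructed 7-row export (not real firewall data).
demo() {
  local dir f part
  dir=$(mktemp -d)
  f="$dir/traffic.csv"
  {
    echo 'Domain,Receive Time,Source address,Destination address,Application'
    for i in 1 2 3 4 5 6 7; do
      echo "1,2019/02/20 11:0$i:00,10.0.0.$i,192.0.2.10,ssl"
    done
  } >"$f"
  echo "data rows: $(csv_data_rows "$f")"
  csv_export_truncated "$f" 7 || echo "below cap of 7"        # at the cap: warns
  csv_export_truncated "$f" 65535 || echo "below cap of 65535" # real default: fine
  split_csv_keep_header "$f" 3 "$dir/part-"
  for part in "$dir"/part-*.csv; do
    echo "$(basename "$part"): $(csv_data_rows "$part") data rows, first column: $(head -n 1 "$part" | cut -d, -f1)"
  done
  rm -rf "$dir"
}
demo
```

If a file comes back with exactly 65535 rows, compare its last timestamp with the time range of the filter rather than trusting the file: a count equal to the cap means the firewall stopped writing, not that the logs ended there. Whether Expedition treats several chunks like one export is not stated on this page, so verify that on a small sample before splitting a production export.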

@alestevez What firewalls are supported by Expedition now? I don't see this documented anywhere.

 

Hi bspilde,

You can refer to this document; it mentions Cisco, Fortinet, Check Point, Forcepoint, Juniper and IBM XGS.

https://www.paloaltonetworks.com/resources/datasheets/expedition-transformation-and-best-practices-a...

Homer

Hello, I am looking at migrating some McAfee (Stonesoft) firewalls (version 6.3.8) to a new Palo Alto estate and wondered if Expedition will be able to process the configurations. I appreciate that McAfee/Stonesoft isn't supported natively, but wondered if the Forcepoint modules in Expedition extend to the newer versions of McAfee code following the acquisition by Forcepoint. I appreciate the answer is probably 'No', but thought I would check. Thanks

@nburrows It should work; probably they didn't change the config. If you can, please verify it. Thanks

I'm finding nothing in these docs about how to access the GUI after you've downloaded and run the virtual machine. I can't browse to localhost, and although I can log into the CLI through the console, I am not seeing which IP/port combination I need to insert into the browser to reach the GUI.

What am I missing?

by SteveSirag on 02-20-2019 11:54 AM

 

Hi Steve,

You can check the assigned IP address via ifconfig in the CLI, then just browse to https://ip.address in the web browser.

Hi,

I am following the Admin Guide to use the Expedition tool. I am able to do everything but I don't see the "PLUGINS" option in my tool.

Should we enable something here?

The vendor count under the project is not increasing even after adding two PAN firewalls to it.