Real-time update tab in Devices

L1 Bithead

Real-time update tab in Devices

Under a device in Expedition there is a tab called Real-time updates. It seems to be a syslog receiver for changes.

 

Can someone confirm how to use this feature?

Highlighted
L4 Transporter

Re: Real-time update tab in Devices

This feature is not complete, unfortunatelly.

 

What does feature this do?

Let me explain what it is meant to do when complete:

  1.  If you define in your PA to send Config syslog entries to Expedition, Expedition will parse such changes and check which modifications it would require into your policies to keep them in synch.
  2. It will require the System syslog entries as well, to determine when a Commit has been applied and know then that the changes need to me transferrerd into the projects. If the System info would report that you went back to Running Config, the pending changes would be discarded. However, if a specific config is loaded (for instance, a saved config in the PA), the project will get into an unsynch state, as we would not know which changes are present in the new config.

Notice that the controls to keep the projects in synch with the policies are very complex. We need to identify which objects are changing, which rules are being modified or moved, etc. and to know how would that effect to the current changes that you may have in the Expedition project. 

 

Let's put one example:

Imagine you decided to delete an address object in the Expedition project, because you are doing some cleaning (you decided that using a range instead of multiple IP addresses as a source would increase the readability of the config).

However, somebody in the PA, decided to modify the address object and convert it into a subrange.

What should Expedition do in such case? Create the address object again? Verify that the new object is still redundant given the changes in your project? Raise a warning because you may overwrite some "interesting" changes in your PA?

 

In Which state is this feature now?

We have been covering quite a large subset of these changes, and only for Security Rules and Nat Rules (including address, services, apps, etc.) but there are several features that we have not covered, such as network settings.

 

For this reason, this feature has not been promoted and we may retake its implementation for PANOS 9.0, where we expect to be able to track the changes better.

 

What does it require to activate it?

Take a look into the rsyslog file in 

/var/www/html/OS/rsyslog/rsyslog.conf

You will see that this config in rsyslog has a logic to identify different types of Config and System syslog actions, and executes some database inserts to report seen config modifications. It requires of the module

mmnormalize

to know how to read the syslog messages, which are defined in

/var/www/html/OS/rsyslog/palo_alto_networks.rb

However, we will have to extend thaose schemas to support PANOS 9.0 when we retake this task, as we were doing this implementation during PANOS 7.1.

 

I want to help

Suggestions or coding hands will be welcome to help into this feature completeness. ;)

You can contact us at fwmigrate at paloaltonetworks dot com or directly to me at dgildelaig at paloaltonetworks dot com

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!