Rule Enrichment Error

Reply
L3 Networker

Rule Enrichment Error

Anyone have a problem with, when you try to do rule enrichment on a rule(s) that is marked for RE, when you click on "Analyze Data" it says "no rules selected for learning"?

 

rule enrichment.PNG

L3 Networker

Re: Rule Enrichment Error

Just found my problem. Wrong device group selected in the log connector. :-/

L0 Member

Re: Rule Enrichment Error

Im getting the same error message and my device group is correct in the log collector.  Any other suggestions?

L4 Transporter

Re: Rule Enrichment Error

The configuration that you are using for the RE needs to come from the device.

I mean, do not directly upload the XML configuration into a project, but attach a device into the project and use the device as the source for importing the configuration.

 

This may be the reason that provoked that you would get no results.

 

QUESTION: Why can't I bring the XML manually into the project via the Palo Alto Networks import field? 
ANSWER: When doing Rule Enrichment or Machine Learning processes, we will have to go into the information we learnt from logs. We do need a way to map the security rules to logs that the firewall has generated. We do have a map between logs and devices, as the logs provide the serial number of the device, and we do need to have a mapping between the device and the configuration. This mapping is done by importing the configuration from the device itself.

 

QUESTION: Does this mean that we need to have connectivity to the firewall to download the config?
ANSWER: Until version 1.1.12, the answer was YES. In 1.1.12 we have provided a functionality to upload the XML config into the device (I refer to the device within Expedition), so you won't need to provide API Keys to do HTTPS connections to the FW and retrieve the XML config.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!