Trouble doing ML on security policy from panorama?

Reply
L1 Bithead

Trouble doing ML on security policy from panorama?

Can you use the ML and rule enhancements on security policy that is located in Panorama? I'm struggling a bit to get it to work. I set my project up to use Panorama and then brought in the firewalls. There is no scheduled log export function from Panorama to CSV, so I am exporting from the firewall. I tried forwarding syslog but the tool did not recognize the files. I get different results if I point my log connector to Panorama or the firewall. I get no devices in this connector. If I point the connector at the firewall I get "No rules selected for learning."

Here are some screenshots. Thanks for your help in advance. I did the lab at Ignite and am really excited about this tool. I'm a partner and plan on demoing it at one of our customer events in a couple of weeks. I would really like to do it on Panorama and a larger firewall.


L2 Linker

Re: Trouble doing ML on security policy from panorama?

What version of Expedition are you using? I had the same issue, but it resolved itself when I upgraded to 1.0.99.

L1 Bithead

Re: Trouble doing ML on security policy from panorama?

I'm running 1.0.99.1. I did get syslog working; I had to rename my log files to .csv. I can now run ML and RE but there is no output after it is done.

L4 Transporter

Re: Trouble doing ML on security policy from panorama?

Yes, it is possible, but a couple of things which may get tricky:

  1. As we are going to work from a policy located in the Panorama device, we need to import the Panorama config.
  2. The config should come from a device registered in Expedition. Uploading the Panorama XML config is not supported yet.
  3. We need to have connectivity to Panorama JUST to retrieve the connected devices. In order to know which serials we are going to learn from (the managed devices), we need to have them registered.
  4. We will do the log connector using Panorama as a source, selecting the desired DG and selecting the desired fw-vsys's.
  5. The rules we flag for learning SHOULD be from the Panorama source.

I hope this helps. If not, we could have a Zoom session to check it in detail (fwmigrate at paloaltonetworks dot com).

L4 Transporter

Re: Trouble doing ML on security policy from panorama?

I get the same as described above and I'm running 1.0.101.

L1 Bithead

Re: Trouble doing ML on security policy from panorama?

Hi Esfeld, could you tell me how to upgrade the tool? I could not find a reference in the Admin/User Guides, and "sudo apt-get update && apt-get upgrade" does not seem to work.

Thanks.

Regards,

Thomas

L2 Linker

Re: Trouble doing ML on security policy from panorama?

Those are the correct commands to run for it to get the updates. Make sure it is allowed through your firewall.

L7 Applicator

Re: Trouble doing ML on security policy from panorama?

sudo apt-get update
sudo apt-get install expedition-beta