I haven't seen a pattern for this yet, but for some reason the feature to Retrieve Apps using a Log Connector sometimes fails to return any matching applications - even though I can see the logs in Panorama showing application hits for a rule.
Here is my setup / steps to reproduce:
1) Create a Log Connector. Select previously added Panorama device, then for Vsys select the Device Group that I'm working with. The HA pair of firewalls I need appear in the filter area. Time period doesn't matter as long as it is at least 6 days in my case (the date where Panorama logs show hits on this rule I'm testing).
2) Select that Log Connector in the bottom right.
3) Right-click rule, App-ID Adoption > Retrieve Apps (Selection). It looks like reports are pulled in the background, but no apps are returned.
4) Looking in Panorama, I see traffic log entries for this rule 6 days ago, with hits for example on ssl on tcp/443 and ms-rdp on tcp/3389.
go to https://<yourmigrationtool>/debug/api.php
here you will find the api calls executed to retrieve the reports. You can click in the one you want to check. Once you click on the link it will not work becasue you have to add by hand at the end of the api call the param "&key=andyourapikey" in order to see what is the real output of this call to detect problems...
remember to generate the api key "https://yourfirewallorpanorama/api/?type=keygen&user=youruser&password=yourpassword
Try it please and add your comments :-)
That was tricky! The logs weren't displaying at all in Chrome, and in Firefox the amount of data kept crashing the browser. Finally got the output I needed though and tried to manually generate the report with my API key. Here is the resulting page:
<response status="error" code="13">
<line>Report generation failed</line>
This was the query:
https://x.x.x.x/esp/restapi.esp?type=report&key=[myAPIkey]&reporttype=dynamic&report-name=custom-dyn... 00:00:002015/10/06 23:59:59500( rule eq 'Rule ID 496' ) AND (app neq 'incomplete') AND (app neq 'insufficient-data')
In the debug for the api there is a button at the very bottom left to disable the scroll lock, this will allow you to move your scrolls for the page.
The call should look: esp/restapi.esp?type=report&reporttype=dynamic&reportname=custom-dynamic-report&cmd=<type><traffic><aggregate-by><member>app</member><member>dport</member><member>proto</member></aggregate-by><values><member>bytes</member><member>packets</member></values></traffic></type><period>last-7-calendar-days</period><topn>500</topn><query>(%20rule%20eq%20%27Outbound%27%20)%20AND%20(app%20neq%20%27incomplete%27)%20AND%20(app%20neq%20%27insufficient-data%27)</query>
plus your api key. Check that out please. I cannot see the api call in the last post :(
This is the output of the API query that you just provided:
<line>Report job enqueued with jobid 25455</line>
The query from you was:
The API query got truncated somehow in my last post.
My failed API query from the logs, which is different than the one you provided, is:
https://10.232.9.29/esp/restapi.esp?type=report&key=[myAPIkey]&reporttype=dynamic&report-name=custom-dynamic-report&cmd=appdportprotobytespackets2015/08/28 00:00:002015/10/06 23:59:59500( rule eq 'Rule ID 496' ) AND (app neq 'incomplete') AND (app neq 'insufficient-data')
Also, I tried using that Disable Scroll Lock button but Firefox was freezing before I could click it.
Thanks for looking into this!
Now as you can see you got a job ID. <job>JOBID</job>
Run this query in your browser:
And check the result...
But isn't the source of the issue the fact that the API query sent by my tool was incorrect, and thus the report failed?
EDIT: My apologies, my original post earlier with the API queries didn't have the correct query from my debug output. You can see now that the query sent by my tool is different than the one you provided.
If you want to run a goTomeeting session please send us an email to firstname.lastname@example.org and we can do it now. then we can help you to see where the error is.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!