07-12-2017 06:07 AM
I have created an EDL in PANOS 8.0.0 using a feed from Minemeld 0.9.40, when I commit I receive the following message:
EDL(vsys1/Skype-IPv4 ip) Downloaded file is not a text file.
Does anyone know how to correct the error ?
07-12-2017 06:23 AM
you should check ms.log for additional details. Most probably this is due to a known bug in PAN-OS 8.0.0 that was fixed in the subsequent releases. The bug was related to certificate verification.
07-12-2017 07:04 AM
The file appears to be downloading:
2017-07-12 13:30:50.287 +0100 EDL entry(0x10a6a000, 0x1cff6000, (nil) vsys1/Skype-IPv4, 1, 1 ip) Downloaded EDL file size(1210)
There is nothing obvious to me in ms.log, I have attached some extracts for reference.
07-12-2017 07:20 AM
Hi @lmori -
I have connected to the URL with a browser and I can see the IP addresses listed, there are no proxies involved, the 'Test Source URL' on the EDL object gives result message 'Source URL is accessible.'
07-13-2017 12:43 AM
If the firewall IP is not in the minemeld log, it means that MineMeld does not receive the EDL request from the firewall.
Could you double check that the URL in PAN-OS is correct (don't trust "Test Source URL") ?
Is there something in the middle between the firewall management interface and MineMeld that could block the session ?
07-13-2017 01:26 AM
The EDL is on one end of an IPSEC VPN the peer traffic logs attached appear to show successful connections to the Minemeld server.
The URL shows IP addresses, extract below:
188.8.131.52-184.108.40.206 220.127.116.11-18.104.22.168 22.214.171.124-126.96.36.199 188.8.131.52-184.108.40.206 220.127.116.11-18.104.22.168 22.214.171.124-126.96.36.199 188.8.131.52-184.108.40.206 220.127.116.11-18.104.22.168 22.214.171.124-126.96.36.199 188.8.131.52-184.108.40.206 220.127.116.11-18.104.22.168 22.214.171.124-126.96.36.199 188.8.131.52-184.108.40.206 220.127.116.11-18.104.22.168 22.214.171.124-126.96.36.199 188.8.131.52-184.108.40.206 220.127.116.11-18.104.22.168 22.214.171.124-126.96.36.199 188.8.131.52-184.108.40.206 220.127.116.11-18.104.22.168
The only thing I can think of that would block the session is the peer firewall and as I say the logs appear to show a valid connection.
The system log on the EDL firewall also appears to show that the file is being downloaded and processed...or are these spurious messages ?