AIOps for NGFW FAQ

From licensing to telemetry and data privacy, here are the frequently asked questions for Palo Alto Networks AIOps for NGFW.

 

GENERAL 

 

Q: What is AIOps for NGFW? 

 

A: AIOps for NGFW is the industry's first domain-centric AIOps solution that redefines the firewall operational experience by interpreting, predicting, and resolving problems before they become business impacting. 

 

  • Continuously improve security posture by optimizing configuration for the dynamic environment, based on best practice and policy recommendations.
  • Empower network security operations teams to become proactive with ML-powered anomaly detection and actionable insights into the health and performance of the entire deployment.

 

Q: What problem is AIOps for NGFW solving? 

 

A: Customers are unaware of their security posture and don’t have the product expertise to maximize utilization of security functionality or insights into misconfigurations. This leads to gaps in their security posture and puts them at a greater risk of a breach.

 

In addition, security teams are tasked with maintaining firewall deployments with limited resources and tools to prevent business disruptions caused by firewalls. They also lack visibility into their entire deployment's health, performance, and security posture, which is needed to prevent business-disrupting incidents due to firewall-related errors. Once impacted, they spend immense time and resources reacting to the situation, trying to determine the root cause, while under tremendous pressure to bring the business back online.



Q: What are the key benefits of using AIOps for NGFW? 

A: 

  • Strengthen security posture: Reduce the attack surface and strengthen security posture with built-in best practices, combined with policy recommendations customized to your unique deployment. Best practice recommendations are powered by machine learning (ML) based on industry standards, security policy context, and advanced telemetry data collected from all Palo Alto Networks firewalls.
  • Proactively resolve firewall disruptions: Gain insights across your deployment and reduce NGFW downtime with proactive insights that maintain optimal firewall health and performance and keep your NGFWs running smoothly. AIOps can intelligently predict firewall health, performance, and capacity problems up to 7 days in advance and provides actionable insights to resolve the predicted disruptions.

 

Q: How can I consume AIOps for NGFW? 

A: AIOps for NGFW is available in Free and Premium (Paid) versions and can be used on NGFW and Panorama devices that run on PAN‑OS 10.0 and above.



Q: What are the prerequisites to consume AIOps? 

A: AIOps can be consumed on NGFW and Panorama devices with:

  • Software requirements: PAN-OS version 10.0 and above with telemetry enabled
  • App support: The app is presently hosted in US-Central and the deployment is accessible globally.
  • Data storage: The telemetry data can be stored in a CDL in any of the supported geographies. Users must agree to the transfer of data from the regional CDL during the activation workflow.

 

Q: What's the "AI" in AIOps for NGFW?

A: The AI features in AIOps today are mostly in the Operational Health problem scenarios, in the form of anomaly detection, forecasting, threshold-based and state-change-based alerts.

 

Q: Where is AIOps cloud-hosted? Do we have different instances across the globe?

A: We are presently hosted in US-Central and our deployment is accessible globally. 

 

The AIOps app is hosted in the NAM region, and the analysis/compute of the data happens in NAM and the data itself can reside in the customer's local region where their CDL is hosted.

 

Q: How can I get started with AIOps for NGFW?

A: See our Getting Started Guide to get started with your own instance of AIOps for NGFW. 

 

 

LICENSING OVERVIEW

 

Q: What is the difference between the Free and Premium tiers of AIOps for NGFW?

A: The free tier is a fully functional product that aims to enrich the operators’ understanding of the firewall deployment. This tier is forever free to use for all the Palo Alto Networks firewalls registered in the Customer Support Portal. The Premium tier (Paid) contains Premium functionality of the AIOps product, in addition to the functionality provided in the Free tier.

 

Q: What licenses are needed for the Free/Premium tiers?

A: The Free tier does not require any license to be installed. The Premium tier requires the customer to purchase Premium AIOps for NGFW licenses.

 

Q: Can I instantiate both a Free and a Premium instance of AIOps?

A: Yes, you could have the Premium license for just a subset of the firewalls that are registered with the CSP (in a separate instance from firewalls without a Premium license). All firewalls without a Premium license will be maintained in a separate, Free instance of AIOps.

 

 

TELEMETRY OVERVIEW

 

Q: What is Telemetry?

A: Telemetry is the collection of measurements and data at one location and their transmission to a remote location for processing. The PAN-OS device telemetry feature for versions 10.0 and above includes information in three categories—device health and performance, product usage, and threat prevention. While the user can choose to turn off telemetry for any of these categories independently, the lack of data will affect the functionality or the quality of the insights and recommendations that these telemetry-powered applications can provide.

 

Q: What does the customer need to do with telemetry for AIOps for NGFW to work?

A: Customers need to enable telemetry collection on their firewalls. PAN-OS 10.0+ supports the collection of telemetry data natively. 

 

Q: Can we monitor telemetry data in real-time or is this historical?

A: The data is processed in batches, and is not real-time. This is not a replacement for a near real-time monitoring solution. However, by analyzing the data and proactively calling out potential issues, we aim to help the user avoid business-disrupting incidents.

 

 

DATA PRIVACY, COLLECTION, STORAGE, AND ACCESS 

 

Q: Where can I find the privacy datasheet?

A: You can read the Telemetry privacy datasheet here.

 

Q: How are you collecting data?

Note: Before we are able to collect data the device administrator has to confirm and agree for us to do so. 

A: Panorama and NGFWs will collect and share data about the runtime and configuration aspects of the product with Palo Alto Networks. This data is collected by running command-line interface (CLI) commands and by accessing internal data sources (such as internal log files, configuration files, metric counters, etc.) that are sometimes, but not always, viewable by device administrators. This information is sent to the Palo Alto Networks cloud as an unstructured blob of data at specific time intervals. Once received, the data is parsed and converted into tables of information that the telemetry-powered applications (TPAs) need to perform their function(s).

 

Q: Can I see what data you are collecting?

A: The Panorama and NGFW have a UI setting where you can get more information on what is being collected. Additionally, you can also see what data would be sent if it were collected at that instant by clicking the Generate Telemetry File button and downloading the generated file to your desktop.

 

Q: Where is the data stored?

A: The telemetry data is stored in a customer-specific silo on the Cortex Data Lake, referenced by a “tenant ID”. The telemetry powered apps (TPAs) use this data to deliver insights and recommendations to the customers. 

 

Q: Does AIOps for NGFW support regionalization? How does it safeguard the data?

A: AIOps for NGFW is available globally. Customers can point to their in-region CDL for all permanent storage of AIOps for NGFW data. The AIOps for NGFW app itself will serve the UI from a US or EU (Frankfurt) based data center, but it will not store any customer-related PII information in these data centers if the CDL location is not the same.

 

Q: I do not want to participate. How do I opt-out?

A: The Panorama and Firewall have a setting in the UI (Device/Panorama > Setup > Telemetry) where you can choose to opt-out of sending telemetry data. 

 

Q: I have changed my mind. I originally had opted in, and have not opted out. I also do not want you to have any of my previously collected data. How do I trigger that?

A: The first step is to stop the PAN-OS devices from sending any new telemetry data. Panorama and the Firewalls have a UI setting from where you can choose to opt out of sending telemetry data. This will stop the Palo Alto Networks devices from sending any new telemetry data to Palo Alto Networks.

 

To remove any data that might have previously been collected, please create a support ticket with our Support organization. 

Note: Data that was previously collected will be aged out after our retention period. 

 

Q: How are you securing data?

A: We take this aspect very seriously. All communications related to handling telemetry data take place over secure channels. The data is encrypted at rest. The data centers are SOC 2 Type 2 certified, and there are strict controls and audit measures in place governing who accesses the data. Please see our privacy datasheet for more information.

 

Q: How long is the data stored?

A: All customer-specific data that is collected is aged out. Currently, this is set to 1-year retention before it is aged out.

 

Comments
L0 Member

Are you also collecting firewall configuration?

L2 Linker

Hi @Ramkishan

Yes, we do collect the firewall configuration in the telemetry bundles to process and provide various types of alerts and forecasts in AIOps.

Kindly refer to the below documents for more information:
https://docs.paloaltonetworks.com/pan-os/u-v/pan-os-device-telemetry-metrics-reference 
https://docs.paloaltonetworks.com/aiops/aiops-for-ngfw/get-started-with-aiops/about-metrics 
https://docs.paloaltonetworks.com/aiops/aiops-for-ngfw/summary/summary-overview#idf0f966f9-2629-4cs9... 

Regards
Prasanna Iyer
Product Specialist
Palo Alto Networks
https://live.paloaltonetworks.com/t5/aiops-for-ngfw-discussions/bd-p/AIOps_for_NGFW_Discussions
*Don’t forget to accept the solution provided!*
 

L0 Member

Hi,

 

We have PAN-OS 10.2.3 and telemetry enabled. However, "Send File to CDL Receiver Failed" messages are coming. Device certificate installed and "Current Device Certificate Status Valid". Any suggestion?

L3 Networker

Hi @TASIMPaloAlto,

 

To help you further with this issue, please provide me with the following details:

> Is it working before or have you freshly onboarded your device?

> Have you changed any configuration?

> Are you using service route in your firewall?

 

Regards,
Ravi Kumar Singh
Product Specialist
Palo Alto Networks
http://live.paloaltonetworks.com/t5/cloud-ngfw-help-center/ct-p/Cloud_NGFW
*Don’t forget to accept the solution provided!* 

 

 

L0 Member
> Is it working before or have you freshly onboarded your device? >>> Fresh

> Have you changed any configuration? New config

> Are you using a service route in your firewall? No

L4 Transporter

If you have Panorama managing all of your firewalls, can you just configure Panorama to send this data instead of configuring every firewall's certificates? Or is there something beneficial to having each device registered?

L3 Networker

Hello @Sec101

 

Panorama does not provide the health telemetry that comes directly from each firewall. Each device makes a direct connection to CDL for telemetry and logs. There is no alternative to use Panorama to proxy those connections.
This is the way-->_<

 

Thanks and Regards,
Sharan Selva

Product Specialist
 Palo Alto Networks
https://live.paloaltonetworks.com/t5/aiops-for-ngfw-discussions/bd-p/AIOps_for_NGFW_Discussions

L3 Networker

Hello @Sec101

 

Hope you are doing well,

 

This only serves as a follow-up to the query.
Do you still need help, or can we just close the query now?

 

Thanks and Regards,
Sharan Selva
Product Specialist
Palo Alto Networks

L4 Transporter

We are good. You should build in a feature where Panorama feeds AIOps for everything, just like log forwarding on security rules. That way you don't have to configure every firewall; you just configure Panorama.

L0 Member

I am having the same issue Failed to send: file 'PA_xxx_dt_10.2.2-h2_20230214_1130_1-hr-interval_HOUR.tgz' 

Has anyone found a solution to this problem? Some firewalls are working and onboarded, but most are not. 

Info for one of the firewalls:

 

show device-telemetry settings

Device Telemetry Settings:
device-health-performance: yes
product-usage: yes
threat-prevention: yes
region: americas
status: Device Certificate is valid

(active)> show device-telemetry settings stats details

Device telemetry details:
Send interval : 60 minutes
Timestamp for send : 07:18:28
End point : br-prd1.us.cdl.paloaltonetworks.com

 

(active)> show device-telemetry stats all

Device Telemetry Statistics:
device-health-performance:
last-attempt: Mon Feb 13 17:38:03 EST 2023
last-success: Wed Feb 8 04:18:04 EST 2023
num-of-failed-attempts: 531
reason: CDL Receiver Key Empty
status: failed
product-usage:
last-attempt: Mon Feb 13 17:38:03 EST 2023
last-success: Wed Feb 8 04:18:04 EST 2023
num-of-failed-attempts: 531
reason: CDL Receiver Key Empty
status: failed
threat-prevention:
last-attempt: Mon Feb 13 17:38:03 EST 2023
last-success: Wed Feb 8 04:18:04 EST 2023
num-of-failed-attempts: 531
reason: CDL Receiver Key Empty
status: failed

 

(active)> tail follow yes mp-log device_telemetry_send.log
2023-02-13 17:38:03,098 dt_send INFO sorted file list: tmp_dir: /opt/panlogs/tmp/device_telemetry/hour/*
2023-02-13 17:38:03,098 dt_send INFO TX_DIR: send file dir: fname: /opt/panlogs/tmp/device_telemetry/hour/PA_sn_dt_10.2.2-h2_20230213_1730_1-hr-interval_HOUR.tgz
2023-02-13 17:38:03,098 dt_send INFO TX FILE: send_fname: /opt/panlogs/tmp/device_telemetry/hour/PA_sn_dt_10.2.2-h2_20230213_1730_1-hr-interval_HOUR.tgz
2023-02-13 17:38:03,098 dt_send INFO TX_FILE: dest server ip: 35.184.126.116
2023-02-13 17:38:03,099 dt_send INFO TX FILE: send_file_cmd: /usr/local/bin/dt_curl -i 35.184.126.116 -f /opt/panlogs/tmp/device_telemetry/hour/PA_sn_dt_10.2.2-h2_20230213_1730_1-hr-interval_HOUR.tgz
2023-02-13 17:38:03,502 dt_send INFO TX FILE: curl cmd status: 9, 9; err msg: 'CDL Receiver Key Empty'
2023-02-13 17:38:03,505 dt_send INFO update send failed count: resend_count: 530, update_count = 531
2023-02-13 17:38:03,507 dt_send INFO update_tx_failed_count: failed send: set intvl resend-failed-count to 3
2023-02-13 17:38:03,518 dt_send ERROR TX FILE: Failed to send file /opt/panlogs/tmp/device_telemetry/hour/PA_sn_dt_10.2.2-h2_20230213_1730_1-hr-interval_HOUR.tgz for intvl=. resend_count: 530, update_count: 531, cmd status: 9
2023-02-13 17:38:03,518 dt_send ERROR TX_DIR: send file dir: Failed to send file /opt/panlogs/tmp/device_telemetry/hour/PA_sn_dt_10.2.2-h2_20230213_1730_1-hr-interval_HOUR.tgz.
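
A small checker for the `show device-telemetry stats all` output pasted above, as an added example (not Palo Alto Networks code): it parses each category block and reports the ones whose sends fail, so the same check can be run over saved captures from many firewalls instead of reading each by eye. The healthy-state strings (`status: success`, empty reason) are assumed, since the post only shows the failing state.

```python
"""Added example for the thread above (not Palo Alto Networks code): parse the
`show device-telemetry stats all` text in the layout pasted in the post and
flag categories whose sends fail. The healthy-state strings are assumed; the
post only shows the failing state."""
from typing import Dict, List

CATEGORIES = ("device-health-performance", "product-usage", "threat-prevention")

# Constructed sample: one category healthy (assumed wording), one failing as in the post.
SAMPLE_STATS = """\
Device Telemetry Statistics:
device-health-performance:
last-attempt: Mon Feb 13 17:38:03 EST 2023
last-success: Mon Feb 13 17:38:03 EST 2023
num-of-failed-attempts: 0
reason:
status: success
product-usage:
last-attempt: Mon Feb 13 17:38:03 EST 2023
last-success: Wed Feb 8 04:18:04 EST 2023
num-of-failed-attempts: 531
reason: CDL Receiver Key Empty
status: failed
"""

def parse_telemetry_stats(text: str) -> Dict[str, Dict[str, str]]:
    """Return {category: {field: value}}; partition() keeps the colons inside timestamps."""
    stats, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and line[:-1] in CATEGORIES:   # start of a category block
            current = line[:-1]
            stats[current] = {}
        elif current and ":" in line:                         # "key: value" inside a block
            key, _, value = line.partition(":")
            stats[current][key.strip()] = value.strip()
    return stats

def failing_categories(stats: Dict[str, Dict[str, str]]) -> List[str]:
    """Categories whose last send failed or that report failed attempts, with the CDL reason."""
    out = []
    for cat, f in stats.items():
        failed = int(f.get("num-of-failed-attempts") or 0)
        if f.get("status") == "failed" or failed > 0:
            out.append(f"{cat}: {failed} failed, reason={f.get('reason') or 'n/a'}")
    return out

if __name__ == "__main__":
    print("\n".join(failing_categories(parse_telemetry_stats(SAMPLE_STATS))) or "all categories healthy")
```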

L2 Linker

I am actually working on the same problem with 11 PA-440s. My research has led to a few possible things that may help.

 

1. MTU size on the management interface, although this seemed more related to the retrieving of certificates.

2. Firewall policies preventing backend connections

3. Running "request certificate fetch" to retrieve the certificate.

 

I have 30 firewalls, and only a portion seem impacted.  All running 10.2.3.  I rebooted them overnight, but that only fixed it for a bit.  I thought refetching the cert would help, and to my surprise that one suddenly worked.  So I am doing that now.

 

I feel like this is more of a backend issue with PA than a true firewall configuration issue now. If this doesn't help, I plan to open a TAC case.

L2 Linker

I will throw this out as well, in the off chance AIOps sees it.  All the firewalls I just ran "request certificate fetch" on also tried to fetch the certificate automatically around 4:52am and that is the same time they all stopped reporting as well.

 

But these fetches were successful.

L4 Transporter

Seeing the same thing.

L2 Linker

Any idea what the average size of telemetry package is?

We have a remote site with small link and don't want telemetry to utilize all of it.
