- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
03-01-2022 03:12 PM - edited 04-10-2023 08:49 PM
Q: What is AIOps for NGFW?
A: AIOps for NGFW is the industry's first domain-centric AIOps solution that redefines the firewall operational experience by interpreting, predicting, and resolving problems before they become business impacting.
Q: What problem is AIOps for NGFW solving?
A: Customers are unaware of their security posture and don’t have the product expertise to maximize utilization of security functionality or insights into misconfigurations. This leads to gaps in their security posture and puts them at a greater risk of a breach.
In addition, security teams are tasked with maintaining firewall deployments with limited resources and tools to prevent business disruptions caused by firewalls. In addition, they lack visibility into their entire deployment’s health, performance, and security posture to prevent business-disrupting incidents due to firewall-related errors. Once impacted, they spend immense time and resources reacting to the situation - trying to determine the root cause - while under tremendous pressure to bring the business back online.
Q: What are the key benefits of using AIOps for NGFW?
A:
Q: How can I consume AIOps for NGFW?
A: AIOps for NGFW is available in Free and Premium (Paid) versions and can be used on NGFW and Panorama devices that run on PAN‑OS 10.0 and above.
Q: What are the prerequisites to consume AIOps?
A: AIOps can be consumed on NGFW and Panorama devices with:
Q: What's the "AI" in AIOps for NGFW?
A: The AI features in AIOps today are mostly in the Operational Health problem scenarios in the form of techniques in ‘Anomaly detection’, ‘Forecasting’, ‘Threshold’ and ‘State-change’ based alerts.
Q: Where is AIOps cloud-hosted? Do we have different instances across the globe?
A: We are presently hosted in US-Central and our deployment is accessible globally.
The AIOps app is hosted in the NAM region, and the analysis/compute of the data happens in NAM and the data itself can reside in the customer's local region where their CDL is hosted.
Q: How can I get started with AIOps for NGFW?
A: See our Getting Started Guide to get started with your own instance of AIOps for NGFW.
Q: How can I consume AIOps for NGFW?
A: AIOps for NGFW is available in Free and Premium (Paid) versions and can be used on NGFW and Panorama devicesthat run on PAN‑OS 10.0 and above.
Q: What is the difference between the Free and Premium tiers of AIOps for NGFW?
A: The free tier is a fully functional product that aims to enrich the operators’ understanding of the firewall deployment. This tier is forever free to use for all the Palo Alto Networks firewalls registered in the Customer Support Portal. The Premium tier (Paid) contains Premium functionality of the AIOps product, in addition to the functionality provided in the Free tier.
Q: What licenses are needed for the Free/Premium tiers?
A: The Free tier does not require any license to be installed. The Premium tier requires the customer to purchase Premium AIOps for NGFW licenses.
Q: Can I instantiate both a Free and a Premium instance of AIOps?
A: Yes, you could have the Premium license for just a subset of the firewalls that are registered with the CSP (in a separate instance from firewalls without a Premium license). All firewalls without a Premium license will be maintained in a separate, Free instance of AIOps.
Q: What is Telemetry?
A: Telemetry is the collection of measurements and data from one location and transmitting to a remote location for processing. The PAN-OS device telemetry feature for versions 10.0 and above include information in three categories—device health and performance, product usage, and threat prevention. While the user can choose to decide to turn off telemetry for any of these categories independently, the lack of data will affect the functionality or the quality of insights and recommendations that these telemetry-powered applications can provide.
Q: What does the customer need to do with telemetry for AIOps for NGFW to work?
A: Customers need to enable telemetry collection on their firewalls. PAN-OS 10.0+ supports the collection of telemetry data natively.
Q: Can we monitor telemetry data in real-time or is this historical?
A: The data is processed in batches, and is not real-time. This is not a replacement for a near real-time monitoring solution. However, by analyzing the data and proactively calling out potential issues, we aim to help the user avoid business-disrupting incidents.
Q: Where can I find the privacy datasheet?
A: You can read the Telemetry privacy datasheet here.
Q: How are you collecting data?
Note: Before we are able to collect data the device administrator has to confirm and agree for us to do so.
A: Panorama and NGFWs will collect and share data about the runtime and configuration aspects of the product with Palo Alto Networks. This data is collected by running command-line interface (CLI) commands and by accessing internal data sources (such as internal log files, configuration files, metric counters, etc.) that are sometimes, but not always, viewable by device administrators. This information is sent to Palo Alto Networks cloud as an unstructured blob of data at specific time intervals. Once this data is received, it is parsed and converted into tables of information that are needed by telemetry powered applications (TPAs) to perform their function(s).
Q: Can I see what data you are collecting?
A: The Panorama and NGFW have a UI setting where you can get more information on what is being collected. Additionally, you can also see what data would be sent if it were collected at that instant by clicking the Generate Telemetry File button and downloading the generated file to your desktop.
Q: Where is the data stored?
A: The telemetry data is stored in a customer-specific silo on the Cortex Data Lake, referenced by a “tenant ID”. The telemetry powered apps (TPAs) use this data to deliver insights and recommendations to the customers.
Q: Does AIOps for NGFW support regionalization? How does it safeguard the data?
A: AIOps for NGFW is available globally. Customers can point to their in-region CDL for all permanent storage of AIOps for NGFW data. The AIOps for NGFW app itself will serve the UI from a US or EU (Frankfurt) based data center, but it will not store any customer-related PII information in these data centers if the CDL location is not the same.
Q: I do not want to participate. How do I opt-out?
A: The Panorama and Firewall have a setting in the UI (Device/Panorama > Setup > Telemetry) where you can choose to opt-out of sending telemetry data.
Q: I have changed my mind. I originally had opted in, and have not opted out. I also do not want you to have any of my previously collected data. How do I trigger that?
A: The first step is to stop the PAN-OS devices from sending any new telemetry data. Panorama and the Firewalls have a UI setting from where you can choose to opt-out of sending telemetry data. This will stop the Palo Alto devices from sending on any new telemetry data to Palo Alto Networks.
To remove any data that might have previously been collected, please create a support ticket with our Support organization.
Note: Data that was previously collected will be aged out after our retention period.
Q: How are you securing data?
A: We take this aspect very seriously. All communications related to handling telemetry data is via secure channels. The data is encrypted at rest. The data centers are SOC2 Type 2 certified, and there are strict controls and audit measures put in place as to who accesses the data. Please see our privacy datasheet for more information.
Q: How long is the data stored?
A: All customer-specific data that is collected is aged out. Currently, this is set to 1-year retention before it is aged out.
Hi @Ramkishan
Yes, we do collect the firewall configuration in the telemetry bundles to process and provide various types of alerts and forecasts in AIOps.
Kindly refer to the below documents for more information:
https://docs.paloaltonetworks.com/pan-os/u-v/pan-os-device-telemetry-metrics-reference
https://docs.paloaltonetworks.com/aiops/aiops-for-ngfw/get-started-with-aiops/about-metrics
https://docs.paloaltonetworks.com/aiops/aiops-for-ngfw/summary/summary-overview#idf0f966f9-2629-4cs9...
Regards
Prasanna Iyer
Product Specialist
Palo Alto Networks
https://live.paloaltonetworks.com/t5/aiops-for-ngfw-discussions/bd-p/AIOps_for_NGFW_Discussions
*Don’t forget to accept the solution provided!*
Hi,
We have PAN-OS 10.2.3 and telemetry enabled . However "Send File to CDL Receiver Failed" messages are coming. Device certificate installed and " Current Device Certificate Status Valid" .Any suggestion
Hi @TASIMPaloAlto,
To help you further with this issue, please provide me with the following details:
> Is it working before or have you freshly onboarded your device?
> Have you changed any configuration?
> Are you using service route in your firewall?
Regards,
Ravi Kumar Singh
Product Specialist
Palo Alto Networks
http://live.paloaltonetworks.com/t5/cloud-ngfw-help-center/ct-p/Cloud_NGFW
*Don’t forget to accept the solution provided!*
If you have panorama managing all of your firewalls, can you just configure panorama to send this data instead of configuring every firewalls certificates? Or is there something beneficial to having each device registered?
Hello @Sec101
Panorama does not provide the health telemetry that comes direct from each firewall. Each device makes direct connection to cdl for telemetry and logs. There is no alternative to use panorama to proxy those connections.
This is the way-->_<
Thanks and Regards,
Sharan Selva
Product Specialist
Palo Alto Networks
https://live.paloaltonetworks.com/t5/aiops-for-ngfw-discussions/bd-p/AIOps_for_NGFW_Discussions
I am having the same issue Failed to send: file 'PA_xxx_dt_10.2.2-h2_20230214_1130_1-hr-interval_HOUR.tgz'
Has anyone found a solution to this problem? Some firewalls are working and onboarded, but most are not.
info for one of the firewalls:
show device-telemetry settings
Device Telemetry Settings:
device-health-performance: yes
product-usage: yes
threat-prevention: yes
region: americas
status: Device Certificate is valid
(active)> show device-telemetry settings stats details
Device telemetry details:
Send interval : 60 minutes
Timestamp for send : 07:18:28
End point : br-prd1.us.cdl.paloaltonetworks.com
(active)> show device-telemetry stats all
Device Telemetry Statistics:
device-health-performance:
last-attempt: Mon Feb 13 17:38:03 EST 2023
last-success: Wed Feb 8 04:18:04 EST 2023
num-of-failed-attempts: 531
reason: CDL Receiver Key Empty
status: failed
product-usage:
last-attempt: Mon Feb 13 17:38:03 EST 2023
last-success: Wed Feb 8 04:18:04 EST 2023
num-of-failed-attempts: 531
reason: CDL Receiver Key Empty
status: failed
threat-prevention:
last-attempt: Mon Feb 13 17:38:03 EST 2023
last-success: Wed Feb 8 04:18:04 EST 2023
num-of-failed-attempts: 531
reason: CDL Receiver Key Empty
status: failed
(active)> tail follow yes mp-log device_telemetry_send.log
2023-02-13 17:38:03,098 dt_send INFO sorted file list: tmp_dir: /opt/panlogs/tmp/device_telemetry/hour/*
2023-02-13 17:38:03,098 dt_send INFO TX_DIR: send file dir: fname: /opt/panlogs/tmp/device_telemetry/hour/PA_sn_dt_10.2.2-h2_20230213_1730_1-hr-interval_HOUR.tgz
2023-02-13 17:38:03,098 dt_send INFO TX FILE: send_fname: /opt/panlogs/tmp/device_telemetry/hour/PA_sn_dt_10.2.2-h2_20230213_1730_1-hr-interval_HOUR.tgz
2023-02-13 17:38:03,098 dt_send INFO TX_FILE: dest server ip: 35.184.126.116
2023-02-13 17:38:03,099 dt_send INFO TX FILE: send_file_cmd: /usr/local/bin/dt_curl -i 35.184.126.116 -f /opt/panlogs/tmp/device_telemetry/hour/PA_sn_dt_10.2.2-h2_20230213_1730_1-hr-interval_HOUR.tgz
2023-02-13 17:38:03,502 dt_send INFO TX FILE: curl cmd status: 9, 9; err msg: 'CDL Receiver Key Empty'
2023-02-13 17:38:03,505 dt_send INFO update send failed count: resend_count: 530, update_count = 531
2023-02-13 17:38:03,507 dt_send INFO update_tx_failed_count: failed send: set intvl resend-failed-count to 3
2023-02-13 17:38:03,518 dt_send ERROR TX FILE: Failed to send file /opt/panlogs/tmp/device_telemetry/hour/PA_sn_dt_10.2.2-h2_20230213_1730_1-hr-interval_HOUR.tgz for intvl=. resend_count: 530, update_count: 531, cmd status: 9
2023-02-13 17:38:03,518 dt_send ERROR TX_DIR: send file dir: Failed to send file /opt/panlogs/tmp/device_telemetry/hour/PA_sn_dt_10.2.2-h2_20230213_1730_1-hr-interval_HOUR.tgz.
I am actually working on the same problem with 11 Pa-440s. My research as led to a few possible things, that may help.
1. MTU size on the management interface, although this seemed more related to the retrieving of certificates.
2. Firewall policies preventing backend connections
3. Running "request certificate fetch" to retrieve the certificate.
I have 30 firewalls, and only a portion seem impacted. All running 10.2.3. I rebooted them overnight, but that only fixed it for a bit. I thought refetching the cert would help, and to my surprise that one suddenly worked. So I am doing that now.
I feel like this is more of a backend issue with PA then a true firewall configuration issue now. If this doesn't help, I plan to open a TAC case.
I will throw this out as well, in the off chance AIOps sees it. All the firewalls I just ran "request certificate fetch" on also tried to fetch the certificate automatically around 4:52am and that is the same time they all stopped reporting as well.
But these fetches were successful.