End of Life Announcement for Palo Alto Networks Expedition We are excited to share some great news with you, as a valued user of Expedition functionalities. We are currently in the process of transferring the core functionalities of the tool into new products. This strategic move aligns with our commitment to meet the evolving needs of our customers and enhance our range of product offerings. Starting from January 2025, Palo Alto Networks will no longer support the Expedition tool, including all versions of both Expedition1 and Expedition2 branches. We believe this transition will bring even more value and improved capabilities to our users. For more details, please refer to Live Community site.   Dear valued customers,   We are excited to introduce the beta release of Expedition 2, a cutting-edge tool designed to facilitate firewall migration from various vendors and manage Palo Alto Networks firewalls/Panoramas configuration via API. Developed with a focus on automation, rich capabilities, and streamlined network management tasks, Expedition 2 aims to significantly enhance your network administration experience.   Expedition 2 offers numerous benefits, including automating firewall migration, simplifying security policy management, and enabling bulk operations across multiple devices.   While we are confident in Expedition 2's robust features and its ability to make network management more efficient, we acknowledge that this is a beta release. As such, there may be bugs and issues we need to resolve before the official launch. We encourage you to test the beta version of Expedition 2 and share your valuable feedback, which will help us improve the tool before its GA launch.   Please note that access to the beta version is restricted, and we kindly request you to fill out the online form available at the link below to receive access to the beta files: Note: Updating google form link https://forms.gle/wHukcW8QAvXXyxgXA The form will request some information from you, which will help us understand your requirements and expectations better. Once we receive your response, we will provide you with the necessary access to the beta files. We believe that your feedback will help us improve our product and make it more user-friendly. We encourage you to test the beta version thoroughly and provide us with your honest feedback. If you encounter any issues or have any questions, please do not hesitate to contact us at fwmigrate@paloaltonetworks.com . ** UPDATE: 9th December 2024 ** PANser container tool support for Sonicwall migrations has been discontinued.   We appreciate your time and consideration and look forward to hearing from you soon.   Best regards, Expedition Team

End of Life Announcement for Palo Alto Networks Expedition   Dear Valued Customer and Partner, We are excited to share some great news with you, as a valued user of Expedition functionalities. We are currently in the process of transferring the core functionalities of the tool into new products. This strategic move aligns with our commitment to meet the evolving needs of our customers and enhance our range of product offerings. Starting from January 2025, Palo Alto Networks will no longer support the Expedition tool, including all versions of both Expedition1 and Expedition2 branches. We believe this transition will bring even more value and improved capabilities to our users.   What This Means for You:   No Further Development: Expedition will have no new features or updates. Support Changes: Technical support for Expedition will be discontinued. We encourage you to utilize the Expedition community on our live portal for ongoing discussions and access to all previously created documentation. Email and Community Transition: The distribution list fwmigrate@paloaltonetworks.com will be archived, but the Expedition community will remain active on our live portal.   Transition Support and Alternatives:   To assist you in transitioning smoothly, we recommend exploring the following alternatives: SCM Features: Cleanup and optimization features with many enhancements to functionality in Expedition will be available in Strata Cloud Manager (SCM) for configs managed in SCM. Stay tuned for updates on these exciting developments. Professional Services and Migration Factory: Our expert team is available to support your configuration migration to Palo Alto Networks products. By leveraging automation, tactical scripts, and custom solutions, our Migration Factory team can provide scalable and efficient migration services. We understand this transition's impact on your operations and are committed to supporting you every step of the way. Should you have any questions or need further assistance, please do not hesitate to reach out via the Expedition community forum or by contacting our team directly through the previously mentioned email. We appreciate your understanding and continued support as we strive to serve your needs better with our advanced product solutions.   Warm regards: Palo Alto Networks   FAQs   Could I keep using Expedition for my migration projects?   Yes, absolutely you can continue using Expedition, as both the tool and the repositories will remain accessible for your usage. While you can technically continue using Expedition after its End of Life (EOL) date, there are several factors to consider: Lack of Support and Limited Functionality: No further development or updates: This means Expedition will not receive any bug fixes, security patches, or new features. This could make it not compatible with all features in future versions of PAN-OS. Technical support unavailable: If you encounter any issues with Expedition, you will not be able to receive assistance from Palo Alto Networks. You will need to use the open live community and that could lead to delays and frustration in resolving problems. Community Support: Limited community resources: Although the Expedition community forum will remain accessible, it will not be actively moderated or updated. This means you may have difficulty finding answers to your questions or solutions to your problems. Declining community activity: As Expedition becomes less popular While Expedition users transition to features consumption in products,, the community around it may dwindle. This could make it harder to find help and support from other users. Alternatives to Consider: Given the limitations of using Expedition after EOL, you may want to consider alternative solutions for your migration projects. Professional Services including Migration Factory team: Palo Alto Networks offers professional services to assist with configuration migration. This can be a good option if you need expert help with the migration process.   Ultimately, the decision of whether or not to continue using Expedition after EOL is up to you. However, it is important to weigh the risks and limitations before making a decision. If you require ongoing support, access to new features, and compatibility with future versions of PAN-OS, you may want to consider using an alternative solution.   Could I modify the code and maintain it?   As stated in the Agreement disclaimer 5. Use Restrictions and Prohibitions: Except as expressly specified in this Agreement, You may not, nor allow any third party, directly or indirectly to: Copy (except in the course of loading or installing), modify or create derivative works based on the Tool, including but not limited to adding new features or otherwise making adaptations that alter the functioning of the Tool. Expedition is not an open-source project, therefore you cannot change or modify any code without the consent of Palo Alto Networks, as outlined in the terms and conditions.   What can I do if I have some issue?   While it's true that Expedition has a long history of stability and a wealth of documentation available, it's important to acknowledge the limitations associated with using a tool past its End of Life (EOL) date. To assist you in transitioning smoothly, we recommend exploring the following alternatives: SCM Features: We are integrating clean-up and optimization features into SCM. This integration will preserve key functionalities and introduce new enhancements. Stay tuned for updates on these exciting developments. Professional Services and Migration Factory: Our expert team is available to support your configuration migration to Palo Alto Networks products. By leveraging automation, tactical scripts, and custom solutions, our Migration Factory team can provide scalable and efficient migration services. Besides above consider these valuable resources that can help you address issues with Expedition: Extensive Documentation: Expedition's live portal contains a comprehensive library of documentation, including user guides, FAQs, and troubleshooting tips. This wealth of information can often provide solutions to common issues. Take advantage of the search functionality within the documentation to find relevant articles addressing your specific problem. Active Community Portal: Although Expedition is no longer officially supported, the community portal remains an active hub for users seeking assistance. Post your issue on the community portal. The community comprises experienced users who may have encountered similar problems and can offer valuable insights and solutions. Search the portal for existing discussions. Chances are, someone has already faced the same issue and documented a solution. Leverage Existing Stability: Expedition has been in the field for many years and has proven to be a stable tool. Unless you encounter critical bugs, it can still reliably perform migrations. Focus on addressing specific issues rather than abandoning the entire tool. This approach can save time and resources while maintaining your migration workflow. Remember, while Expedition may not receive official updates after EOL, its existing functionality and the supportive community can still be valuable assets for your migration projects. Here's a summary of your options: Consult the extensive documentation on the live portal. Post your issue on the community portal and seek help from other users. Focus on resolving specific issues rather than abandoning the entire tool. By utilizing these resources effectively, you can continue to leverage Expedition's strengths for your migration needs even after its EOL date.   Why stop supporting Expedition?   Expedition played a crucial role in bridging the gap between customer needs and Palo Alto Networks' product offerings. As a free, community-supported tool, it provided valuable assistance with configuration migration. However, with the introduction of enhanced capabilities within Strata Cloud Management (SCM) and enhanced migration services, a natural progression has occurred.  Palo Alto Networks is now focusing resources on these more comprehensive and officially supported solutions. Expedition's legacy as a valuable tool for configuration migration is acknowledged. However, the transition to SCM represents a natural progression towards a more comprehensive and officially supported solution. This shift aligns with Palo Alto Networks' commitment to providing customers with the best possible tools and resources for their policy posture management.

Last update 23/MAY/2024  Advisory: Guidance for Apache HTTP Server 2.4 vulnerabilities described in the official apache.org site:  https://httpd.apache.org/security/vulnerabilities_24.html   Affected version:Fix for CVE detected on Apache HTTP Server 2.4 versions from 2.4.1 to 2.4.59.   Update 2.4.59 released 2024-04-04 Affects <=2.4.58   Diagnosis Execute below command to check the version of Apache HTTP Server 2.4:   sudo apt list --installed | grep apache   If the output showing version less than 2.4.59, you will need to perform the steps to upgrade the apache2 libraries. Solution Prerequisites: Your Expedition VM should have connectivity to http://ppa.launchpad.net and subdomains. ONLY required to do the libraries upgrade. Note: Optionally consider to take an snapshot of your VM.   In Expedition CLI execute below commands:   Update the package repository: sudo apt-add-repository ppa:ondrej/apache2 Install deb lib packages: sudo apt-get install apache2 Check packages are installed sudo apt list --installed | grep apache Expected output: apache2-bin/focal,now 2.4.59-1+ubuntu20.04.1+deb.sury.org+1 amd64 [installed,automatic] apache2-data/focal,now 2.4.59-1+ubuntu20.04.1+deb.sury.org+1 all [installed,automatic] apache2-utils/focal,now 2.4.59-1+ubuntu20.04.1+deb.sury.org+1 amd64 [installed,automatic] apache2/focal,now 2.4.59-1+ubuntu20.04.1+deb.sury.org+1 amd64 [installed] libapache2-mod-php7.0/now 7.0.33-57+ubuntu20.04.1+deb.sury.org+1 amd64 [installed,upgradable to: 7.0.33-74+ubuntu20.04.1+deb.sury.org+1] Make /tmp folder writable for apache2 service Open file to edit: sudo vi /lib/systemd/system/apache2. service Change setting PrivateTmp from true to false (PrivateTmp=false) Save file and restart below services: sudo systemctl daemon-reload; sudo systemctl restart apache2 Access via UI and restart the Task Management

Context In cases where a configuration file of a significant size needs to be uploaded and Expedition is unable to process it, it becomes necessary to modify the setup of the Apache-PHP component. Requirements CLI and sudo access Solution Open a terminal to the VM Execute the below command sudo vi /etc/php/7.0/apache2/php.ini Look for the attribute upload_max_filesize Change the value to (i.e) upload_max_filesize = 300M Look for the attribute post_max_size Change the value to (i.e) post_max_size = 300M Save the changes (press esc :wq!) Restart the apache service sudo service apache2 restart Try it again, you should be able to upload files up to 300MB  

Here are all the Documents related to Expedition use and administrations   Installation Guide - Instructions to install Expedition 1 on an Ubuntu 20.04 Server and Transferring Projects between Expeditions Hardening Expedition – Follow to secure your Instance. Admin Guide – Describes the Admin section and provides advice on how to configure and properly setup. User Guide  v1.1 (will be improved) Log Analysis Feature Guide - (APP-ID Adoption, Rule Enrichment, and Machine Learning features)

Updated April 23, 2024: adding new repository to get erlang > 25+ packages Symptoms Expedition is vulnerable to CVE-2022-37026, below are the Detail about the vulnerability : In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS.   Diagnosis Issue below command in Expedition CLI: $apt list --installed | grep erlang  the result will show erlang package is v22.x which is vulnerable to the CVE   Solution Summary: Run below commands in Expedition CLI to add new repositories and upgrade the two packages to the stated version:   rabbitmq-server: 3.11.4-1 erlang: 25.0.4   ------------------------------------------------------------------------------------- // execute below commands as root sudo -su root // stop mysql service so Expedition is not available service mysql stop // remove any potential version installed apt-get remove rabbitmq-server && apt-get purge rabbitmq-server apt-get remove erlang && apt-get purge erlang apt autoremove // disable the legacy repository for erlang > 25+ packages echo "#deb https://packages.erlang-solutions.com/ubuntu focal contrib" | sudo tee /etc/apt/sources.list.d/erlang-solution.list echo "#deb [trusted=yes] http://www.rabbitmq.com/debian/ testing main" | sudo tee /etc/apt/sources.list.d/rabbitmq.list // update the apt list apt update // add the new repository storing erlang > 25+ packages add-apt-repository -y ppa:rabbitmq/rabbitmq-erlang-25 // update the apt list apt update // add the rabbitmq repository $curl -s https://packagecloud.io/install/repositories/rabbitmq/rabbitmq-server/script.deb.sh | sudo bash // update the apt list apt update // fix any broken dependency  sudo apt --fix-broken install // install the rabbitmq-server $apt-get install rabbitmq-server=3.11.4-1 // remove any unneeded package $apt autoremove $apt purge // start the mysql service to make Expedition available $service mysql start   Verify the two packages are updated with the required version with below commands:   $apt list --installed | grep erlang  $apt list --installed | grep rabbitmq-server      

Expedition supports migration sections of the below Vendor's configuration to PAN-OS configuration **The list of tested Vendor OS version, version not listed here needs further validations *** The UserID CN chain is extracted from the original configuration and integrated into the migrated security rule. However, the device configuration must be manually performed on the device itself.   Table1: Expedition supports converting 3rd Party vendors config sections (Updated on 2024/01/01) Note: Table will be updated when new support added   Vendor Supported Vendor OS** Global Address Object Address Objects Address Group Objects Service Objects Service Group Objects User ID Security Policy NAT Policy Network Interface (L3 only) Routing(Static Routes Only) VPN Checkpoint R75,R77 ✔ ✔ ✔ ✔ ✔ ✔  *** ✔ ✔ ✔ ✔     > R80 ✔ ✔ ✔ ✔ ✔ ✔  *** ✔ ✔ ✔ ✔   Cisco ASA 9.0, 9.1,9.6,8.2,8.4, ✔ ✔ ✔ ✔ ✔   ✔ ✔ ✔ ✔ ✔   FirePower [only in ASA syntax] ✔ ✔ ✔ ✔ ✔   ✔ ✔ ✔ ✔   Fortinet Fortigate 4.0, 5.0,6.0 ✔ ✔ ✔ ✔ ✔   ✔ ✔ ✔ ✔   IBM XGS 5.1   ✔ ✔ ✔ ✔   ✔ ✔ ✔ ✔   Juniper All Netscreen Firewalls (ScreenOS) ✔ ✔ ✔ ✔ ✔   ✔ ✔ ✔ ✔     Junos 11.4, 12.1, 12.3 ✔ ✔ ✔ ✔ ✔   ✔ ✔ ✔ ✔   Forcepoint Sidewinder   ✔ ✔ ✔ ✔   ✔   ✔ ✔     Stonesoft   ✔ ✔ ✔ ✔   ✔ ✔ ✔ ✔  

Dear Expedition2 Beta Users, We are very excited to announce release of the machine learning features in Expedition2 Beta to have parity with Expedition1. For details, please look for document named 'Machine Learning Feature Announcement' in the Expedition2 Beta shared drive.  Users not yet on beta can expect updates on General Availability in the coming weeks.   Thanks, Expedition Team  

Expedition Community,  We request your feedback on the Expedition tool. This will help us to gain insight into your utilization of Expedition and understanding the aspects that are most important to you. Please invest a quick 2 minutes to share your thoughts by completing this short survey: https://forms.gle/8AWGJTj7HX5ecqqL7    Appreciate your feedback, Expedition Team

UseCase   In the ML or RE case, where Expedition is configured as syslog server , and you are forwarding traffic logs from Panorama to Expedition,  by default, the logs will be saved using Panorama_IP . The solution below provides steps on how to  split the logs per serial# of the firewall.   Solution   Split the logs per FW/Serial number by following below steps:   Step 1. Edit your rsyslog.conf file   Replace below line: $template DynaTrafficLog,"/PALogs/%FROMHOST-IP%/%HOSTNAME%traffic%$YEAR%%$MONTH%%$DAY%_last_calendar_day.csv" to below ones: set $!SERIAL = field($msg,",",2); $template DynaTrafficLog,"/PALogs/%FROMHOST-IP%/%$!SERIAL%/%$!SERIAL%%HOSTNAME%_traffic%$YEAR%%$MONTH%%$DAY%_last_calendar_day.csv"   The intention of the above configuration is to create a folder with your Panorama IP and subfolders for each FW/Serial number.   Step 2. Restart the syslog service Issue below command: service rsyslog restart   For your reference, next Expedition releases will include a set of rsyslog configuration example files on the path /var/www/html/OS/rsyslog folder .  

Advisory: Guidance for OpenSSL Vulnerability Disclosures (02/07/23) CVE-2022-4304 CVE-2022-4450 CVE-2023-0215 CVE-2023-0286   Affected version: Impacts all versions of OpenSSL 1.1.1 (installed default version on Ubuntu 20 is 1.1.1f-1ubuntu2.16)   Diagnosis Execute below two commands to check the version of openssl and libssl1.1:   apt list --installed | grep openssl/focal-updates apt list --installed | grep libssl1.1 if the output showing version less than 1.1.1f-1ubuntu2.17 amd64 , you will need to perform the steps to upgrade the openssl and libssl1.1   Solution In Expedition CLI execute below commands:   Update the package index: sudo apt-get update Install deb lib packages: sudo apt-get install openssl sudo apt-get install libssl1.1 Check packages are installed apt list --installed | grep openssl/focal-updates Expected output: openssl/focal-updates,focal-security,now 1.1.1f-1ubuntu2.17 amd64 [installed] apt list --installed | grep libssl1.1 Expected output: libssl1.1/focal-updates,focal-security,now 1.1.1f-1ubuntu2.17 amd64 [installed,automatic]

We are aware of the issue with Ubuntu VM on MAC with M1 chipset. Expedition installation script will fail due to dependency packages not being installed as these have not been compiled for the M1 architecture.  We will study possible alternatives for the future releases. 

Symptoms While executing a migration you get one of bellow message errors on the /tmp/error file:  Got a packet bigger than 'max_allowed_packet' bytes Error while sending QUERY|STATISTICS packet Also the migration process could be stacked at some point for a long period of time. Diagnosis MySQL is not supporting to create the among of objects defined on your config so you need to give more resources to MySQL. Solution Resize the max allowed packets property on Mysql. 1) Locate your max_allowed_packet mysql configuration (for instance inside: /etc/mysql/mariadb.conf.d/50-server.cnf). 2) Edit the mysql config file and increase the MB for the property max_allowed_packet (for instance: max_allowed_packet = 100M). 3) Restart mysql (for instance: service mysql restart).  4) Execute the migration in a new clean Expedition project.

Symptoms After a fresh installation of Expedition, error message like below shows :   Diagnosis When Execute the following command in Expedition CLI as suggested :     sudo sh /var/www/html/OS/BPA/updateBPA306.sh   Script did not finished running and encountered error message below:   × python setup.py bdist_wheel did not run successfully. │ exit code: 1 ╰─> [175 lines of output] running bdist_wheel running build running build_py creating build creating build/lib.linux-x86_64-3.8 creating build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageSequence.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/EpsImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/PcxImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/PdfImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/TarIO.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/IcoImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/GifImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageShow.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/PpmImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageDraw.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageTransform.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ExifTags.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/PdfParser.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImagePath.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/TgaImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/MpoImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/BlpImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/WmfImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/PSDraw.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/GimpGradientFile.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/GbrImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/PcdImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/SunImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageOps.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/DcxImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageEnhance.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/Jpeg2KImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/Hdf5StubImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/GimpPaletteFile.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageMath.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImagePalette.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/FontFile.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageFilter.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageCms.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/CurImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageQt.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/features.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/FliImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageMode.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/_util.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/PsdImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/McIdasImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImtImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/JpegPresets.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageGrab.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/JpegImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/TiffTags.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/SpiderImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/IcnsImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/WebPImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageChops.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/_tkinter_finder.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageFile.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageColor.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/GdImageFile.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/PngImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/BufrStubImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/FtexImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/_version.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageStat.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/Image.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/MspImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/PalmImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/PaletteFile.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/MicImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ContainerIO.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/TiffImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/XVThumbImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/_binary.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/FitsStubImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/BmpImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/PixarImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/IptcImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageFont.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/OleFileIO.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/SgiImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/PyAccess.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/BdfFontFile.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageWin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/XbmImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/__init__.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/WalImageFile.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/XpmImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/PcfFontFile.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageTk.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/FpxImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/MpegImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageMorph.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/GribStubImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/DdsImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageDraw2.py -> build/lib.linux-x86_64-3.8/PIL running egg_info writing src/Pillow.egg-info/PKG-INFO writing dependency_links to src/Pillow.egg-info/dependency_links.txt writing top-level names to src/Pillow.egg-info/top_level.txt reading manifest file 'src/Pillow.egg-info/SOURCES.txt' reading manifest template 'MANIFEST.in' warning: no files found matching '*.c' warning: no files found matching '*.h' warning: no files found matching '*.sh' no previously-included directories found matching 'docs/_static' warning: no previously-included files found matching '.appveyor.yml' warning: no previously-included files found matching '.coveragerc' warning: no previously-included files found matching '.codecov.yml' warning: no previously-included files found matching '.editorconfig' warning: no previously-included files found matching '.landscape.yaml' warning: no previously-included files found matching '.readthedocs.yml' warning: no previously-included files found matching '.travis' warning: no previously-included files found matching '.travis/*' warning: no previously-included files found matching 'tox.ini' warning: no previously-included files matching '.git*' found anywhere in d istribution warning: no previously-included files matching '*.pyc' found anywhere in d istribution warning: no previously-included files matching '*.so' found anywhere in di stribution writing manifest file 'src/Pillow.egg-info/SOURCES.txt' running build_ext The headers or library files could not be found for jpeg, a required dependency when compiling Pillow from source. Please see the install instructions at: https://pillow.readthedocs.io/en/latest/installation.html Traceback (most recent call last): File "/tmp/pip-install-nbk4y0xj/pillow_f525a19fbf1d4101aeddc513ddad3999/ setup.py", line 765, in <module> setup(name=NAME, File "/usr/lib/python3/dist-packages/setuptools/__init__.py", line 144, in setup return distutils.core.setup(**attrs) File "/usr/lib/python3.8/distutils/core.py", line 148, in setup dist.run_commands() File "/usr/lib/python3.8/distutils/dist.py", line 966, in run_commands self.run_command(cmd) File "/usr/lib/python3.8/distutils/dist.py", line 985, in run_command cmd_obj.run() File "/usr/lib/python3/dist-packages/wheel/bdist_wheel.py", line 223, in run self.run_command('build') File "/usr/lib/python3.8/distutils/cmd.py", line 313, in run_command self.distribution.run_command(command) File "/usr/lib/python3.8/distutils/dist.py", line 985, in run_command cmd_obj.run() File "/usr/lib/python3.8/distutils/command/build.py", line 135, in run self.run_command(cmd_name) File "/usr/lib/python3.8/distutils/cmd.py", line 313, in run_command self.distribution.run_command(command) File "/usr/lib/python3.8/distutils/dist.py", line 985, in run_command cmd_obj.run() File "/usr/lib/python3.8/distutils/command/build_ext.py", line 340, in r un self.build_extensions() File "/tmp/pip-install-nbk4y0xj/pillow_f525a19fbf1d4101aeddc513ddad3999/ setup.py", line 612, in build_extensions raise RequiredDependencyException(f) __main__.RequiredDependencyException: jpeg During handling of the above exception, another exception occurred: Traceback (most recent call last): File "<string>", line 2, in <module> File "<pip-setuptools-caller>", line 34, in <module> File "/tmp/pip-install-nbk4y0xj/pillow_f525a19fbf1d4101aeddc513ddad3999/ setup.py", line 812, in <module> raise RequiredDependencyException(msg) __main__.RequiredDependencyException: The headers or library files could not be found for jpeg, a required dependency when compiling Pillow from source. Please see the install instructions at: https://pillow.readthedocs.io/en/latest/installation.html [end of output] Solution The error caused by libjpeg-dev package is missing , solution is to install the missing package before re-run the script, issue below commands first: sudo apt-get install libjpeg-dev Then re-run the script: sudo sh /var/www/html/OS/BPA/updateBPA306.sh   Script will be completed without error , and you can verify the error message in dashboard is remediated.  

Symptoms After upgrade Expedition from 1.1.x to 1.2.x , Radius authentication stop working  Diagnosis Module php7.0-radius is missing  Solution Please follow below steps :  1) Check if php7.0-radius installed on your VM:  php -m  2) If it’s not installed , run below command to install radius php7.0 sudo apt-get install php7.0-radius 3) Remove packages not needed. sudo apt autoremove 4) Check again if php7.0-radius is installed on the VM  php -m 5) Confirm php CLI is 7.0 php -version 6) Restart apache2 sudo apache2ctl restart

Your Expedition VM might be vulnerable to the CVE-2021-4034, here is the Info regarding the vulnerability:   Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones. It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission). Please refer to the website for detail info : https://ubuntu.com/security/cve-2021-4034 To Patch your Ubuntu system, please follow below steps:   1. Adding below line to the /etc/apt/sources.list : deb http://security.ubuntu.com/ubuntu focal-security main 2. Run below commands to update the policy-1 package: $sudo apt-get update $sudo apt-get install policykit-1 3. Verify the policykit-1 package has been updated to v. 0.105-26ubuntu1.2 as shown in below screen:     Those who can’t patch immediately should use below command to remove the SUID-bit from pkexec:   $chmod 0755 /usr/bin/pkexec  

Question I am running out of the HD space in Expedition server , need to add more HD space. Answer Please refer below article for the instructions on adding a new drive and mount the drive to be used by Expedition: https://help.ubuntu.com/community/InstallingANewHardDrive

Question   I am getting below errors when issue $sudo apt-get update to update expedition to the latest package, how do I fix it ?   Err:14 https://conversionupdates.paloaltonetworks.com expedition-updates/ Packages Could not open file /var/lib/apt/lists/partial/conversionupdates.paloaltonetworks.com_expedition-updates_Packages.gz - open (13: Permission denied) Fetched 114 kB in 1s (57.0 kB/s) Reading package lists... Done W: The repository 'https://conversionupdates.paloaltonetworks.com expedition-updates/ Release' does not have a Release file. N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use. N: See apt-secure(8) manpage for repository creation and user configuration details. E: Failed to fetch https://conversionupdates.paloaltonetworks.com/expedition-updates/Packages Could not open file /var/lib/apt/lists/partial/conversionupdates.paloaltonetworks.com_expedition-updates_Packages.gz - open (13: Permission denied) E: Some index files failed to download. They have been ignored, or old ones used instead.   Answer   Run below command: sudo rm /var/lib/ap t/lists/partial/* Then run below commands for updating Expedition to the latest version: sudo apt-get update sudo apt-get install expedition-beta  

Hello!   We know you are all concerned on having the Expedition tool on an old not-supported Ubuntu. You had requested several times to increase support for newer versions of the OS, and we have finally reached to the point we can present Expedition on Ubuntu 20.04 LTS.   We have updated our Expedition installer and some internal modules (Spark codes, database structures and webserver backend) to be able to support the tool installation on the current Ubuntu 20.04 LTS. The installation process is very similar as it used to be, but to help you in the task, we have written an Instructions document with multiple images that will certainly guide you.   And, on top of all this, we are providing a Transfer Assistant that will help you transferring all your Expedition projects, devices, user credentials, traffic logs, etc. from your old Expedition to a new one.   You will find the Installation document in our Expedition Documents section: https://live.paloaltonetworks.com/t5/expedition-articles/expedition-documentation/ta-p/215619   Let's start a new Expedition together!

  Palo Alto Networks, August 2, 2021   Dear Expedition Users,   During the years, we have evidenced a sustained and increased usage of the Expedition 1.0 tool, earlier known as the Migration Tool. As many of you know, we want to increase the number of functionalities in our tools, to enhance existing functionalities and to improve their quality.   To achieve these improvements, we have decided to join efforts with Professional Services. A dedicated team in Professional Services will take ownership of the code used for configuration translations from third party vendors to PANOS.   This strategy will improve the migrations that we have been offering during the years with the Expedition tool,  increasing the resources in the team dedicated to the translations,  improving the quality assurance with fewer bugs, having a closer the relationship with the Professional Services consultants that consume the translation functionalities on a daily basis,  increasing the number of Use Cases that are supported and decreasing the response time to support new functionalities , making the migrations in your projects more pleasant and efficient.   As a consequence, we have taken the decision to postpone the launch of Expedition 2.0 until April 2022, to guarantee the quality of the release and to extend the functionalities that the tool will provide. During this period, Expedition 1.0 will continue to be supported by the Expedition team, and we are working on updating our code and installation process to make it available for Ubuntu Server 20.04.   We would like to remark that Expedition 2.0 will continue being offered free of charge, as well as the translations from third party vendors to PANOS.   The Expedition Team  

Here you can find details about the Expedition Migration Tool Agreement.  

With the new version of Checkpoint Smartcenter R80, the way to obtain the rules has changed.    Exporting Configuration   To export the configuration from a Checkpoint R80 we are gonna need to download a tool from the Checkpoint's Github. We want to be sure we download latest version of the tool since the one it comes installed in your SmartCenter usually is old and may contain bugs.   So first open your preferred web browser and go to:   https://github.com/CheckPointSW/ShowPolicyPackage/releases   Check the latest, at the moment of updating this post latest version was 2.0.6, so in order to download it we have to click on the file named: web_api_show_package-jar-with-dependencies.jar   https://github.com/CheckPointSW/ShowPolicyPackage/releases/download/V2.0.6/web_api_show_package-jar-with-dependencies.jar   After download the file you have to UPLOAD it to your SmartCenter Server where Checkpoint R80 management is running. Use your SCP preferred tool to do it.   Please read the README.md file shown in https://github.com/CheckPointSW/ShowPolicyPackage to understand how to run the downloaded file properly, pay special attention to the Examples   Before you run the command verify the Checkpoint API is running otherwise this tool will fail to execute. Please read this if you don' t know how to enable/verify if your API is UP and Running   Now you can RUN the tool from CLI as EXPERT   java -jar web_api_show_package-jar-with-dependencies.jar -v   The output from that command will let you know what Packages are available to export   Last command we have to run is the following where PACKAGE_NAME is the name you have chosen from the previous command and in case you are in a MULTI-DOMAIN environment specify the DOMAIN_NAME too (-d is OPTIONAL):    java -jar web_api_show_package-jar-with-dependencies.jar -k <PACKAGE NAME> -d <DOMAIN NAME>   This will create a new tgz file which you will use as is to import into Expedition Importation page.   Exporting Routing and interfaces   From the Firewall CLI, you can run the following:   netstat -nr > routes.txt   With all this information, we can go to Expedition, Create a new Project, enter the Project, and go to IMPORT > CHECKPOINT > VERSION R80.   Assign a name to your configuration such as "MyInternetGW" Select the tgz file and attache it to the proper input Select the routes.txt for the routes Click UPLOAD   References: Checkpoint Website article about the show package tool    

Symptoms When Importing either PAN-OS configuration or 3rd party vendor configuration, the import progress bar stuck in the middle without throwing any errors.    Diagnosis All migrations in Expedition 1 leave traces for debugging in the error file located in /tmp/error. Below we present an example of an error that could be reported on a migration:    In this specific case, the migration parser could not complete due to a limit amount of RAM allowed to be used in the migration process (Allowed memory size of 4GB exhausted) Solution Fortunately, this is RAM limit simple to handle. In your Expedition WEBUI, go to "Settings" -> "CUSTOM PARAMS", increase the allowed RAM ("PARSER_max_execution_memory") to a larger value without exceeding your VM RAM. If you have 16G RAM in your expedition VM, you could change the value up to "16G"  as shown in the below screenshot below. Notice that in most of the cases, your configuration won't be as large that becomes necessary to allocate such a large amount of "Allowed RAM". For most scenarios, 4GB should be enough, therefore try allocating 6GB or 8GB until your migration can be completed.    

Expedition – The Glue Between IronSkillet and Best Practices Expedition was conceived to reduce the time and efforts a security admin needs to improve and optimize their Palo Alto Networks configurations. Following that effort, we have added, within Expedition, support not only to run a BPA analysis if not also be able to remediate some of the failed checks (all related to Device Config) and now integration with the project IronSkillet. https://github.com/PaloAltoNetworks/iron-skillet 

Access Expedition GUI Using Google Chrome with Certification Error   Symptoms Can't access Expedition GUI using Google chrome, error message 'NET::ERR_CERT_COMMON_NAME_INVALID' displayed as below screenshot, and you are not able to proceed to the website.  Please note: It's best practice to not proceed to the site failed on certificate error only when self-signed cert is used in Expedition and you confirmed it's safe to proceed to the site.   View of Chrome Error - NET::ERR_CERT_COMMON_NAME_INVALID Diagnosis For Google Chrome 58 and later, only the subjectAlternativeName extension, not commonName, is used to match the domain name and website certificate. If the certificate doesn’t have the correct subjectAlternativeName extension, users get a NET::ERR_CERT_COMMON_NAME_INVALID error letting them know that the connection isn’t private and will not provide you an option to proceed to the URL.   Please see the article for more details: https://support.google.com/chrome/a/answer/7391219?hl=en   Solution Perform the below steps to re-install the self-signed certification with subjectAltName in Expedition: SSH to Expedition cd to /tmp Modify req.conf by issue below command: $ sudo vi req.conf copy and past below section in req.conf, modify attributes in the file to match your organization ........................................................................................ [req] distinguished_name = req_distinguished_name x509_extensions = v3_req prompt = no [req_distinguished_name] C = US ( Replace this with your county name) ST = VA  ( Replace this with your state name) L = SomeCity  ( Replace this with your city name) O = MyCompany ( Replace this with your company name) OU = MyDivision ( Replace this with your organization name) CN = 192.168.44.131 ( Replace this IP with your Expedition IP ) [v3_req] keyUsage = keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1 = 192.168.44.131 ( Replace this IP with your Expedition IP ) DNS.2 = company.com  DNS.3 = company.net ........................................................................................       saves the changes with ESC :wq!   Issue below commands in order: $ sudo openssl genrsa -out server.key 3072 -config req.conf $ sudo openssl req -new -x509 -key server.key -sha256 -out certificate.pem -days 730 -config req.conf $ sudo cp server.key /etc/ssl/certs/ $ sudo cp certificate.pem /etc/ssl/certs/   Modify the default-ssl.conf by issue below command: $ sudo vi /etc/apache2/sites-enabled/default-ssl.conf  Find below two lines in the default-ssl.conf and replace the path  SSLCertificateFile   /etc/ssl/certs/ssl-cert-snakeoil.pem SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key    with    SSLCertificateFile   /etc/ssl/certs/certificate.pem SSLCertificateKeyFile /etc/ssl/certs/server.key   saves the changes with ESC :wq   Restart Apache by issue below command: $ sudo systemctl restart apache2   Try access the Expedition GUI again Google chrome should now present you an option under "Advanced" to proceed to the URL. 

Be the first to discover the new dynamic log connector functionality and learn about App-ID Adoption and the new Device Monitor...

Explore the Expedition Dashboard   Expedition Dashboard   There are 2 parts related to the VM Stats, one controls the stats for the local VM running the GUI and the ML Health in case is running on another VM shows the stats from the remote Expedition VM.   That means you can setup 2 Expedition VMs and use one for the GUI and another with more CPU and RAM to run the data analysis and machine learning. If this is your case just go to SETTINGS -> M. Learning and setup the IP address where your Expedition with more resources is running and click on SAVE.   The Task Manager must be always UP and controls all the backend jobs requested from the GUI like to retrieve contents from a device using the API keys.   Expedition comes with a self-check list to at least show you if there is something that can be improved in the system or if some dependencies or required functions are working properly or missing.   Close to the logo you can find the version and the released day plus what version of the Best Practices Assessment Tool is running.

What is Expedition?   Expedition is the fourth evolution of the Palo Alto Networks Migration Tool. The main purpose of this tool was help reducing the time and efforts to migrate a configuration from one of the supported vendors to Palo Alto Networks.   By using the Migration Tool, everyone can convert a configuration from Checkpoint or Cisco or any other vendor to a PAN-OS and give you more time to improve the results. Migration Tool 3 added some functionalities to allow our customers to enforce security policies based on App-ID and User-ID as well.   With Expedition, we have gone one step further, not only because we want to continue helping to facilitate the transition of a security policy from others vendors to PAN-OS, but we want to ensure the outcome is the best as possible. This is why we added a Machine Learning module that can help you generate new security policies based on real log traffic and the introduction of the Best Practices Assessment Tool to check the configuration complies with the Best Practices recommended by our security experts.   With all these huge improvements we expect the next time you use Expedition the journey to the excellence will be easier.   NOTE: Expedition is supported by the community as best effort   The Palo Alto Networks TAC does not provide support, so please post your questions in the community.   Go to: Expedition landing page on LIVEcommunity

This document describes the advantages of using Regions objects when importing the Rule Enrichment policy recommendations.