Expedition Articles

Last update 23/MAY/2024  Advisory: Guidance for Apache HTTP Server 2.4 vulnerabilities described in the official apache.org site:  https://httpd.apache.org/security/vulnerabilities_24.html   Affected version:Fix for CVE detected on Apache HTTP Server 2.4 versions from 2.4.1 to 2.4.59.   Update 2.4.59 released 2024-04-04 Affects <=2.4.58   Diagnosis Execute below command to check the version of Apache HTTP Server 2.4:   sudo apt list --installed | grep apache   If the output showing version less than 2.4.59, you will need to perform the steps to upgrade the apache2 libraries. Solution Prerequisites: Your Expedition VM should have connectivity to http://ppa.launchpad.net and subdomains. ONLY required to do the libraries upgrade. Note: Optionally consider to take an snapshot of your VM.   In Expedition CLI execute below commands:   Update the package repository: sudo apt-add-repository ppa:ondrej/apache2 Install deb lib packages: sudo apt-get install apache2 Check packages are installed sudo apt list --installed | grep apache Expected output: apache2-bin/focal,now 2.4.59-1+ubuntu20.04.1+deb.sury.org+1 amd64 [installed,automatic] apache2-data/focal,now 2.4.59-1+ubuntu20.04.1+deb.sury.org+1 all [installed,automatic] apache2-utils/focal,now 2.4.59-1+ubuntu20.04.1+deb.sury.org+1 amd64 [installed,automatic] apache2/focal,now 2.4.59-1+ubuntu20.04.1+deb.sury.org+1 amd64 [installed] libapache2-mod-php7.0/now 7.0.33-57+ubuntu20.04.1+deb.sury.org+1 amd64 [installed,upgradable to: 7.0.33-74+ubuntu20.04.1+deb.sury.org+1] Make /tmp folder writable for apache2 service Open file to edit: sudo vi /lib/systemd/system/apache2. service Change setting PrivateTmp from true to false (PrivateTmp=false) Save file and restart below services: sudo systemctl daemon-reload; sudo systemctl restart apache2 Access via UI and restart the Task Management

Context In cases where a configuration file of a significant size needs to be uploaded and Expedition is unable to process it, it becomes necessary to modify the setup of the Apache-PHP component. Requirements CLI and sudo access Solution Open a terminal to the VM Execute the below command sudo vi /etc/php/7.0/apache2/php.ini Look for the attribute upload_max_filesize Change the value to (i.e) upload_max_filesize = 300M Look for the attribute post_max_size Change the value to (i.e) post_max_size = 300M Save the changes (press esc :wq!) Restart the apache service sudo service apache2 restart Try it again, you should be able to upload files up to 300MB  

Here are all the Documents related to Expedition use and administrations   Installation Guide - Instructions to install Expedition 1 on an Ubuntu 20.04 Server and Transferring Projects between Expeditions Hardening Expedition – Follow to secure your Instance. Admin Guide – Describes the Admin section and provides advice on how to configure and properly setup. User Guide  v1.1 (will be improved) Log Analysis Feature Guide - (APP-ID Adoption, Rule Enrichment, and Machine Learning features)

Hello!   We know you are all concerned on having the Expedition tool on an old not-supported Ubuntu. You had requested several times to increase support for newer versions of the OS, and we have finally reached to the point we can present Expedition on Ubuntu 20.04 LTS.   We have updated our Expedition installer and some internal modules (Spark codes, database structures and webserver backend) to be able to support the tool installation on the current Ubuntu 20.04 LTS. The installation process is very similar as it used to be, but to help you in the task, we have written an Instructions document with multiple images that will certainly guide you.   And, on top of all this, we are providing a Transfer Assistant that will help you transferring all your Expedition projects, devices, user credentials, traffic logs, etc. from your old Expedition to a new one.   You will find the Installation document in our Expedition Documents section: https://live.paloaltonetworks.com/t5/expedition-articles/expedition-documentation/ta-p/215619   Let's start a new Expedition together!

Here you can find details about the Expedition Migration Tool Agreement.  

Expedition – The Glue Between IronSkillet and Best Practices Expedition was conceived to reduce the time and efforts a security admin needs to improve and optimize their Palo Alto Networks configurations. Following that effort, we have added, within Expedition, support not only to run a BPA analysis if not also be able to remediate some of the failed checks (all related to Device Config) and now integration with the project IronSkillet. https://github.com/PaloAltoNetworks/iron-skillet 

Access Expedition GUI Using Google Chrome with Certification Error   Symptoms Can't access Expedition GUI using Google chrome, error message 'NET::ERR_CERT_COMMON_NAME_INVALID' displayed as below screenshot, and you are not able to proceed to the website.  Please note: It's best practice to not proceed to the site failed on certificate error only when self-signed cert is used in Expedition and you confirmed it's safe to proceed to the site.   View of Chrome Error - NET::ERR_CERT_COMMON_NAME_INVALID Diagnosis For Google Chrome 58 and later, only the subjectAlternativeName extension, not commonName, is used to match the domain name and website certificate. If the certificate doesn’t have the correct subjectAlternativeName extension, users get a NET::ERR_CERT_COMMON_NAME_INVALID error letting them know that the connection isn’t private and will not provide you an option to proceed to the URL.   Please see the article for more details: https://support.google.com/chrome/a/answer/7391219?hl=en   Solution Perform the below steps to re-install the self-signed certification with subjectAltName in Expedition: SSH to Expedition cd to /tmp Modify req.conf by issue below command: $ sudo vi req.conf copy and past below section in req.conf, modify attributes in the file to match your organization ........................................................................................ [req] distinguished_name = req_distinguished_name x509_extensions = v3_req prompt = no [req_distinguished_name] C = US ( Replace this with your county name) ST = VA  ( Replace this with your state name) L = SomeCity  ( Replace this with your city name) O = MyCompany ( Replace this with your company name) OU = MyDivision ( Replace this with your organization name) CN = 192.168.44.131 ( Replace this IP with your Expedition IP ) [v3_req] keyUsage = keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1 = 192.168.44.131 ( Replace this IP with your Expedition IP ) DNS.2 = company.com  DNS.3 = company.net ........................................................................................       saves the changes with ESC :wq!   Issue below commands in order: $ sudo openssl genrsa -out server.key 3072 -config req.conf $ sudo openssl req -new -x509 -key server.key -sha256 -out certificate.pem -days 730 -config req.conf $ sudo cp server.key /etc/ssl/certs/ $ sudo cp certificate.pem /etc/ssl/certs/   Modify the default-ssl.conf by issue below command: $ sudo vi /etc/apache2/sites-enabled/default-ssl.conf  Find below two lines in the default-ssl.conf and replace the path  SSLCertificateFile   /etc/ssl/certs/ssl-cert-snakeoil.pem SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key    with    SSLCertificateFile   /etc/ssl/certs/certificate.pem SSLCertificateKeyFile /etc/ssl/certs/server.key   saves the changes with ESC :wq   Restart Apache by issue below command: $ sudo systemctl restart apache2   Try access the Expedition GUI again Google chrome should now present you an option under "Advanced" to proceed to the URL. 

Be the first to discover the new dynamic log connector functionality and learn about App-ID Adoption and the new Device Monitor...

Explore the Expedition Dashboard   Expedition Dashboard   There are 2 parts related to the VM Stats, one controls the stats for the local VM running the GUI and the ML Health in case is running on another VM shows the stats from the remote Expedition VM.   That means you can setup 2 Expedition VMs and use one for the GUI and another with more CPU and RAM to run the data analysis and machine learning. If this is your case just go to SETTINGS -> M. Learning and setup the IP address where your Expedition with more resources is running and click on SAVE.   The Task Manager must be always UP and controls all the backend jobs requested from the GUI like to retrieve contents from a device using the API keys.   Expedition comes with a self-check list to at least show you if there is something that can be improved in the system or if some dependencies or required functions are working properly or missing.   Close to the logo you can find the version and the released day plus what version of the Best Practices Assessment Tool is running.

What is Expedition?   Expedition is the fourth evolution of the Palo Alto Networks Migration Tool. The main purpose of this tool was help reducing the time and efforts to migrate a configuration from one of the supported vendors to Palo Alto Networks.   By using the Migration Tool, everyone can convert a configuration from Checkpoint or Cisco or any other vendor to a PAN-OS and give you more time to improve the results. Migration Tool 3 added some functionalities to allow our customers to enforce security policies based on App-ID and User-ID as well.   With Expedition, we have gone one step further, not only because we want to continue helping to facilitate the transition of a security policy from others vendors to PAN-OS, but we want to ensure the outcome is the best as possible. This is why we added a Machine Learning module that can help you generate new security policies based on real log traffic and the introduction of the Best Practices Assessment Tool to check the configuration complies with the Best Practices recommended by our security experts.   With all these huge improvements we expect the next time you use Expedition the journey to the excellence will be easier.   NOTE: Expedition is supported by the community as best effort   The Palo Alto Networks TAC does not provide support, so please post your questions in the community.   Go to: Expedition landing page on LIVEcommunity

This document describes the advantages of using Regions objects when importing the Rule Enrichment policy recommendations.

(DO NOT EDIT resolv.conf)   If needed, the steps to statically configure a DNS server to the Expedition server will be to edit the dns-nameserver in the /etc/network/interfaces file.    Editing resolv.conf is not reliable as any edits will be overwritten on reboot of the Expedition server.   expedition@Expedition:/etc/network$ sudo vi interfaces   Configured to use DHCP   # This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5).   source /etc/network/interfaces.d/*   # The loopback network interface auto lo iface lo inet loopback   # The primary network interface auto ens33 iface ens33 inet dhcp dns-nameservers  8.8.8.8  4.2.2.2   Configured with a static IP   # This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5).   source /etc/network/interfaces.d/*   # The loopback network interface auto lo iface lo inet loopback   # The primary network interface auto ens33 iface ens33 inet static        address 192.168.252.136        netmask 255.255.255.0        gateway 192.168.252.2        dns-nameservers      8.8.8.8 4.2.2.2

Please review the attached document for SHA256 hash of the Expedition OVA.  

This document describes how to enable and configure the new feature in update version 1.1.20 to enable the scheduling of log processing for the Machine Learning feature.

The attached document has been used as a lab guide to configure the machine learning in your environment.    Replace the VM and Expedition details using your configuration and traffic logs to start using machine learning to show how App-ID can be employed to reduce the attack surface of your security policies.

Generate the XML configuration by running this command from the CLI   show configuration | display xml | no-more   Before you import a Juniper SRX into Expedition, there are some manual checks we can do to verify the migration will work.   The configuration must start only with <configuration> tag, you have to replace everything before or inside that tag by only <configuration> The configuration must end with </configuration> any other text after it must be removed         Here's an example on how a SRX config should look when you edit:   <configuration> .... .... </configuration>   For integrity validation is a good practice try to open the XML file from FIREFOX browser becasue if something is breaking the XML integretity FIREFOX will notice to you which line has an invalid character. You must replace the invalid character before upload it to Expedition This is an example of wrong configuration. It seems someone created the file but stored with wrong jumps on it, so Firefox will complain about the format.        If we edit the file, we can see this at line 911 of the config file:   <pre-shared-key> <ascii-text>$9$4xxxxxxxxxxxx</asc ii-text> </pre-shared-key>    To fix this example, we have to remove the break line after </asc to:   <pre-shared-key> <ascii-text>$9$4xxxxxxxxxxxx</ascii-text> </pre-shared-key>  Fix all the problems before importing into Expedition.   Hope this helps.

Expedition comes with a built-in messaging queue system.   This mechanism allows it to prepare some tasks and send it to the queue. With this, we can run jobs internally without having to wait until the job is finished in the same page we are.   The first thing you will have to do when you enter in Expedition is check if the process is UP or DOWN, click on START in case is DOWN. If this is DOWN the Jobs will not be executed until it get's UP again. Dashboard  Some of the tasks relaying in the TASK MANAGER are: Download contents from Devices Auto-Zone Function Retrieve dynamic reports from firewalls for App-ID and User-ID adoption Machine Learning     Debug: If you want to see the output generated by the jobs running from the Queue you can see the content here:   tail -f /home/userSpace/panReadOrders.log    

There are many ways to replace Zones in your Rules but there is one that really makes a difference.   The idea in this example is replace the Zone called VPN-Didac by Untrust. So the approach we will take is filter by the Zone and see where this zone is used and then do the replace.   From within the Project navigate to Network and then click on Zones.         From there right-click on the Zone (point he mouse over the name) we want to replace, in our case VPN-Didac and select Add to filter.   This will create a new filter and we need to activate it by using drag and drop to drop it under ACTIVE folder and click on APPLY FILTER button.       Navigate to TOOLS and Search and Replace. Select from the left panel where the output from the filters are listed the Zone we want to replace and then Expedition will search in what groups or policies has been used.     In our example we will click on Security Policies and we will select all the rules where this zone was seen and we will add to Replace, the same will do with the Nat Policies shown as well. After that we will click on REPLACE.   From the REPLACE view and keeping all the elements selected choose from the combo called Replace by "Zones" and then from the next combo called "To" select the zone you want to be replaced by the one you searched.     Click on Replace All and check from the Rules the change was effectively done.       Done !  

Question Can I export my project to another Expedition instance? Answer Yes you can!   Export a Project:    Warning: Only Expedition Super-Users can Import and Export Projects.   Login to your Expedition Go to Projects Tab Select the project you want to export and click on Settings Projects View        4. Go to the Import/Export sub-Tab      5. Click on the Export button.       6. Click on Save   Import Export View   Import a Project:      1. Create a new Project     2. Click on Settings of the project     3. Go to the Import/Export sub-Tab     4. From the Import fieldset click on Browse to select the project to import     5. Click on Save   Warning: In case the project already exists the content will be replaced by the new one, whatever it was in the project will be replaced with the new content.     The log connectors will be removed from the project because they reference devices that may not exists where you are importing the project.   Import Export View  

There is a time when you already started a project and then you need to import the configuration from one device you didn't created yet.   From the Expedition Dashboard, go to Devices and add the new device. After generate the keys and import the contents go to the Projects view Select your project and click on settings Go to Devices Select the firewall you want to bring to your project Click on the Arrow that points to the Right Click on Save   Project's Settings View   Now when you enter into your project and navigate to the Import tab you will see the device to be imported.   

In Expedition, there are many different ways to setup a filter. Let's start from the beginning.   Case A) Project Dashboard:      Project Dashboard   When you click on one of the counters from the PROJECT STATISTICS Expedition will set a filter and will jump into the object selected. If you click on services Duplicated counter this is the filter will take action plus you will be transported to the Services view Filter Window   Case B) Predefined Filters   From any objects view when we press right-click an advanced menu will be shown, one of the options its called predefined filters, just open the list and select the one you want to automatically create and apply the filter.   Right-click over one service     Each type of object can have their own predefined filters but usually they are common between them   Case C) Custom Filters   Click on Filters from the Objects or Policies view to get access to the Filter assistant Access to Filter Assistant     A new window will show up. From here we can create our custom filter   Scope: Where this filter will apply, The more number of objects you add to the scope will reduce the amount of fields common between them to be able to search by, like if you select as scope address and addressgroups you can search only by name, tag and description because those are the fields in common, if you only select address all the fields related to address can be used to search like ipaddress, cidr, etc... Field: the field we want use to filter Operator: It can be equal, or contains, etc What to search: Text we want to search on the selected field. to CREATE the filter click on the plus button Creating custom filter   To Apply the new filter we have to select the filter from AVAILABLE and DROP into ACTIVE folder Click on APPLY FILTER Edit Custom Filter   From the Objects and Policies views, you can see if there is any Active filter and Clear them all     Remember when creating a custom filter, first add to the available filters and then drop it into the ACTIVE to apply the filter.

Expedition comes with a framework to manage the Role-Based Access Control, this will help you to add users with different level of privileges.        1) Expedition User Roles:                 a) Super User: This Role allows the User to manage everything on Expedition              b) Admin: This Role allows the user to Create projects and devices but cannot change system settings or add new users              c) User: This Role allows the user only to enter on Expedition and see projects and devices where has been granted access.        View of adding a new user to Expedition          2) Project User Roles:             When a project is created by an Expedition Super-User or Admin, this can be edited by clicking on Settings   View of Expedition Project Settings           From the Settings window, we can add Expedition Users to the Project. Inside the Project, we have different Roles:           a) admin: This Role can change the Project Settings and modify all the content within it.         b) user: This Role can edit the project contents but it cannot change the project settings to add more devices or users to the project.          c) viewer: This Role is for read-only purposes. Doesn't have any privileges to change nothing inside the project or manage the project settings.    View of Edit Project panos to add Expedition users.       As an example, you can create a new Expedition user with Role (User) and attach this user to one Project as (admin), in this case the User be able to manage only the project and the content but it will be unable to add more projects, devices or users to Expedition.     Hope this helps to clarify how to assign Roles.  

Symptoms Sometimes you have the need to add the same Security Profile or Log forwarding Profile or even a TAG to a large amount of Security Policies. When the number of rules is really high the function MULTIEDIT can be sometimes SLOW. How can i perform BULK changes for common problems really FAST?   Diagnosis Solution With version 1.0.107, we introduced a new way to perform BULK CHANGES in a really super fast way.   From POLICIES, you can use right click or click on the TOP RIGHT menu button for Options     View of Security Policies Bulk Changes   Here you will find all the available options for BULK CHANGES. At the time to select one option you will have to select if want to apply the change to all the Rules or just the selected ones. The changes will be made immediately.    

Expedition offers local user authentication and external user authentication via LDAP and Radius servers.   In this example, we will illustrate how to configure external authentication via a Windows Active Directory server.     Settings in LDAP Server We have created a server under the domain sctc.domain.local, defined a group called "developers" and added a user "didac gil" with logon name "didacgil9".   In the figure, we can notice that users authenticate with the suffix "@sctc.domain.local". We will have to take account of this value for providing the correct settings in Expedition to complete the user authentication.   View of Active Directors Users and Computers, highlighting @sctc.domain.local in a user account.   Defining LDAP Server in Expedition In Expedition, we will first define the LDAP authentication server. Only Superusers have rights for server registration or modification. We have two different approaches for user authentication.   Approach 1. User needs to enter full logon name Define a server providing the desired server's name, the server's address and port, server type (Windows or Linux), Search DN parameters and SSL and/or TLS usage.   In our case, we our server responds at sctc.domain.local port:389 and we have named LDAP_approach1. The users that will use this server for authentication belong to the developers group, therefore we have provided the following Search DN: "CN=developers,DC=sctc,DC=domain,DC=local". Contact your Active Directory administrator to verify your correct Search DN parameters.     View of Approach 1 to Add New LDAP Server using the address sctc.domain.local.   After saving, we will test the server settings clicking on the diagnostics icon. We will be required to enter an existing user's credentials.    View of LDAP Test Connection   A feedback will be provided with the results of the connection.   Through this approach, users will have to provide their full account name for authentication. In our case, didacgil9@sctc.domain.local will be the user name account required to have a valid authentication.     Approach 2. Server specifies the user suffix In this case, we will facilitate the user's logon, providing the suffix already in the server settings. This way, a user will only have to write their account name "didacgil9". View of Approach 2 to Add New LDAP Server using the address sctc.domain.local.   Notice that using this approach, all users must share the same suffix in order to be able to validate their credentials.

  Expedition TechNote: CSV Import Guide: This document provides examples and descriptions on how to import configurations using the "Import CSV" option available in Expedition. There are many use cases to utilize the CSV import feature with one of the main use cases being used to migrate 3rd party firewall configurations that Expedition currently does not have a native configuration parser for.   Updated May 15, 2019

Hello Expedition Community, The process to install and deploy Expedition has been changed by offering an installable script that can be used to deploy onto your own instance of Ubuntu 16.04 LTS. Cloud and On-Prem Ready The changes in the Expedition installation provides greater flexibility allowing users to deploy Expedition on-prem onto their local hyper-visor or onto a cloud compute resource in AWS, Azure, and Google Cloud. The attached document describes the OS requirements (Ubuntu 16.0.4) and recommend compute resources.   Download and read the attached Expedition installer guide. To get started with your Expedition installation, download the Expedition installer script: https://conversionupdates.paloaltonetworks.com/expeditionInstaller.tgz   Additional Information Download and follow the use case examples in the available Expedition Admin Guide and Technotes: https://live.paloaltonetworks.com/t5/Expedition-Articles/Expedition-Documentation/ta-p/215619   Ask questions in the Expedition Community https://live.paloaltonetworks.com/t5/Expedition-Discussions/bd-p/ExpeditionDiscussions  

Expedition TechNote: Managing Service Objects – This document will describe how to optimize the services and services group objects.

Take a look to the new Greenfield security policy generation based on PanOS logs.

 A few feature added in the ver 1.1.9 release is the identification of "Ghost" objects which may require special handling based on the configuration file sources.   What are "Ghost" objects Ghost objects are temporary address objects (address objects only) that were learned from the migration of the Security and NAT policies. The ghost objects are displayed under OBJECTS > Address along with a new counter in the project dashboard.   The attached document provides background information on what causes ghost objects and how to mitigate them within a configuration.   This document will discuss the following topics: What are Ghost objects Handling of Ghost objects