Expedition Articles

Release Notes: Version 1.1.69, 1.1.69.1, 1.1.69.2, 1.1.69.3 Date 28/05/2020, 05/06/202 Bug [MT-1768] - BPA-Auto Remediate does not work [MT-1811] - Clone NAT. Updates have a larger scope than they should [MT-1812] - Checkpoint. Delete temporary files [MT-1813] - Autozone. Limit the calculations to the given vsys Checkpoint R80 parser does not complete. Parser not closed correctly New Feature [MT-1660] - CSV Logs. Read traffic logs rom Splunk [MT-1795] - RE / ML. Offer thresholds for traffic filtering [MT-1800] - API Calls. Improve feedback error message [MT-1801] - HealthCheck. Check APT frozen packages Task [MT-1757] - M.Learning setting- Expedition ML Address probably not being saved on the fresh installed Expedition Improvement [MT-1794] - Checkpoint. Support for routing table per rulebase [MT-1805] - CSV Logs. Splunk: Use earliest and latest options   Version 1.1.68 Date 28/04/2020 Bug [MT-1780] - Config Import. Invalid Version error Improvement [MT-1671] - VPN Warnings. Provide Warning feedback [MT-1770] - CISCO. IPSec Tunels missing ProxyIDs [MT-1771] - Update Message. Improve message to assist Expedition Update   Version 1.1.67 Date 23/04/2020 Bug [MT-1764] - Download Config. Unable to pull running config from Panos 8.1.14, 9.1.2   Version 1.1.66 Date 16/04/2020 Bug [MT-1747] - Network -> Interface Goes up only to EthernetX/24 does not support ExternetX/25-28 [MT-1759] - Checkpoint. Address with netmask not convertible to CIDR [MT-1761] - ASA Conversion - Security Policies Do Not Convert [MT-1765] - Remap Interface. Sets interface as blank New Feature [MT-1750] - Export. Allow filtering subatomic API calls with commas [MT-1751] - Export. Allow filtering subatomic API calls by device group Improvement [MT-1756] - Export. Filter by API response code [MT-1762] - HealthCheck. Unused accounts   Version 1.1.65 Date 02/04/2020 Bug [MT-1628] - Export: generated api with Mega doesnt work [MT-1639] - Virtual Router: on RIP there are interfaces and they are not being read [MT-1755] - Radius LDAP. Failing to test New Feature [MT-1742] - CSV Logs. Allow override AfterProcess from Panorama [MT-1749] - Bulk Change. Append Description all rules (as include) [MT-1753] - Palo Alto Networks. Slow import of Routes with objects [MT-1754] - CSV Autoprocess. Compress/Delete second and later files Override by Panorama Improvement [MT-1745] - Add Description to security policy Bulk Change function   Version 1.1.64 Date 25/03/2020 Bug [MT-1729] - Add version 9.2 to the getVersion function [MT-1739] - Error when to click save on address object Improvement [MT-1692] - Palo Alto Networks. Slow import of Routes with objects   Version 1.1.62 & 1.1.63 Date 20/03/2020 Bug [MT-1724] - Ghost Objects. It may provide more results than actual address objects [MT-1725] - CISCO. Missing security Rules with warnings [MT-1728] - CISCO. Some host objects get imported with CIDR=0 [MT-1731] - Filters. Use id as a value for the combo_operator [MT-1733] - CSRF. Control on device report [MT-1736] - CISCO. Missing some predefined services (e.g. icmp-echo-reply ) New Feature [MT-1730] - Edit userDefinitions. Provide page to modify userDefinitions.php [MT-1734] - AppID. Customize max number of rules to analyse [MT-1735] - Filters. Rules without hits Improvement [MT-1732] - Dashboard. Provide info about address count [MT-1737] - CISCO. Aggregate Sec Rules based on same remark   Version 1.1.61 and 1.1.61.1 and 1.1.61.2 Date 10/03/2020 Bug [MT-1712] - CSV Files. Correct reporting device [MT-1713] - CISCO. Sanitize Description text [MT-1714] - Security Rules. Skip loading empty security rules list [MT-1715] - Devices Monitor. Allow export New Feature [MT-1701] - Ability to identify logged in users [MT-1716] - Filters. Show rules without hits Improvement [MT-1710] - RSyslog. Specify user owner of CSV logs [MT-1711] - Update Expedition dependencies   Version 1.1.60 Date 05/03/2020 Bug [MT-1709] - Invalid ranges Version 1.1.59 Date 04/03/2020 Bug [MT-1695] - CSV Logs. Unsupported logs are reported as processed [MT-1696] - CSV Logs. Failure to process Summary on logs [MT-1697] - CSV Logs. Failure to process CSV logs due to "rule" empty [MT-1699] - CSRF. Direct the user to the logging page is session is expired Task [MT-1704] - Fortinet. Cover service ports in security rules involving VIP destinations (update) Improvement [MT-1700] - CSV List. Present processed logs by HA device [MT-1702] - CSV Logs. Report reasons for not finding logs [MT-1706] - CSV List. Allow files with spaces [MT-1707] - CSRF. Control on file posting [MT-1708] - Incomplete Jobs. Update jobs that have tasks completed.   Version 1.1.58, 1.1.58.1 Date 27/02/2020 Improvement [MT-1682] - Import Config. Present date of the device's config in the grid [MT-1686] - Devices. Catch control for listing files larger than 2GB over NSF [MT-1687] - Invalid Address. Verify that an address object does start with a valid char [MT-1691] - Fortinet. Cover service ports in security rules involving VIP destinations Modify CSRF token expiration time   Version 1.1.57 & 1.1.57.1 Date 18/02/2020 Bug [MT-1617] - Add "fixed" Cases in Consolidations' Calculations [MT-1666] - FR - Merge on Policies for more than 10 cases in one pass Task [MT-1488] - Merge Rules: change behaviour Improvement [MT-1663] - App-ID Adoption. Support Consolidation with Recommended+Dependencies [MT-1672] - Checkpoint. Rename import labels [MT-1673] - RE. Separate incomplete and insufficient data traffic   Version 1.1.56 Date 13/02/2020 Bug [MT-1653] - API Export: atomic complete but incomplete (policies) and sub atomic never completed [MT-1661] - Checkpoint. Tags not created for section rules [MT-1662] - Other vendors. Rules presented in a wrong order when selecting VSYS=all Improvement [MT-1664] - Radius Authentication. Include attributes for client identification [MT-1667] - Dashboard. Invalid address objects for IPv6 wrongly calculated [MT-1668] - Applications.xml. Update the default applications.xml file [MT-1669] - Device Config files. Enable downloading not encrypted files [MT-1670] - Authentication Server grid. Increase the last column to see the Test button   Version 1.1.55 Date 06/02/2020 Bug [MT-1615] - Applications Signatures: does not load XML on UI [MT-1648] - Sec Merge. Control on negated src/dst [MT-1650] - API Export stuck at Generating Log Settings :: vsys:shared [MT-1654] - Devices: Update "Panorama model" when selected and saved Improvement [MT-1646] - Consolidation Security Rules: Add explanation [MT-1649] - Sec Merge. Improve feedback messages [MT-1655] - Device Summary. Do not show local FW as disconnected from Panorama [MT-1656] - CSV Logs. Support for panos 9.1.x [MT-1657] - HealthCheck. Check for allowed DB connections   Version 1.1.54 Date 03/02/2020 Bug [MT-1625] - Dynamic Address Groups may be considered as Unused [MT-1634] - Expedition NAT issues [MT-1638] - Support for multicast routing Improvement [MT-1640] - ML. Importing "any" may use (if exists) an invalid address object without ip_address   Version 1.1.53 Date 27/01/2020 Bug [MT-1629] - RL Import. Ranges are created as ip-netmask instead of ip-range [MT-1630] - Calculate Unused: Automatically called after RE import [MT-1635] - UI: Error deleting unused objects: the objects panel and toolbox does not unlock Improvement [MT-1631] - SRX: Support for new Zone-based security policies in SRX [MT-1637] - Checkpoint IPv6 network support for <R80   Version 1.1.52 & 1.1.52.1 Date 16/01/2020 Bug [MT-1601] - XML Export. Error in application signatures [MT-1604] - Doesn't uploaded Devices grid after added devices [MT-1608] - Viewer Settings. Allow update user Settings in a project [MT-1610] - Expedition Service Object Length [MT-1613] - Issues with API output manager [MT-1614] - Running v1.1.50 - after merging, export hangs at Generating Applications vsys/dg:vsys1 [MT-1616] - Update Tab context when clicking on Project Dashboard [MT-1618] - Log Connector: source does not loaded correctly [MT-1619] - Devices: device grid was filtered based on selected project Improvement [MT-1605] - Max Users. Allow parameterising. define ('MAXSUPERUSERS', 4); in /home/userSpace/userDefinitions.php [MT-1609] - Rules Consolidation: Export to Excel Complete Version 1.1.51 Date 10/12/2019 Bug [MT-1220] - Address objects incorrectly being marked as unused - Panorama nested objects [MT-1491] - Zones: Include list and Exclude list contains address, address groups objects [MT-1581] - PanOS 9.0: Add GRE Tunnels from Network [MT-1591] - IpSec Tunnel: update interface from Manual Key when change name to interface [MT-1595] - CSV Rules: the "tag" column isn't imported [MT-1596] - CSV Objects: the "tag" column isn't imported [MT-1598] - Search & Replace: It takes a long time to load [MT-1599] - Remove Unused Objects. After import some objects references in NATs were deleted [MT-1603] - Filters. Hit count may miss some rules Improvement [MT-1587] - Remove/Calculate Unused objects. Perform process in background [MT-1600] - Security Merge. Control on application default and disabled rules   Version 1.1.50 Date 25/11/2019 Bug [MT-1556] - PanOS 9.0: Address - Add Type IP Wildcard Mask [MT-1582] - Filter Invalid&Used: fails to filter [MT-1588] - Static Route cannot be created within UI [MT-1590] - CSV Autoprocess. Managed Device not processed when not having path and Panorama does not have autoprocess enabled Improvement [MT-1584] - Merge. Control ANY and Values merge on all fields in security rules [MT-1586] - Security Rules. Show ML/RE rules with an icon   Version 1.1.49 Date 19/11/2019 Bug [MT-1573] - Generate XML: error when generated zones [MT-1578] - Autoprocess. Does not process the logs from all the devices [MT-1579] - Calculated Used/Unused Objects: error when Calculating dynamic groups Improvement [MT-1574] - Monitor. Show all type of monitor entries   Version 1.1.48, 1.1.48.1, 1.1.48.2 Date 12/11/2019 Bug [MT-1557] - Tags on Applications: doesn't load. Import/Export. [MT-1571] - CISCO. VPN without peers stops parser [MT-1572] - Checkpoint. Single IPv6 objects issue New Feature [MT-1431] - (Predefined) Filters to Hit Count on Security Policies [MT-1567] - Threat Dynamic Reports Improvement [MT-1570] - Applications Window: Change UI   Version 1.1.47 Date 11/11/2019 Bug [MT-1559] - Connector. Error when having multiple panorama connectors [MT-1565] - Static group to Dynamic group [MT-1566] - First Load Crash. environmentParameters not existing New Feature [MT-1496] - Bulk Changes Policies: Add/Delete Group Tags Improvement [MT-1558] - Connector. Create a dynamic connector to avoid multiple changes [MT-1560] - Connector. Allow selecting the source from a device [MT-1561] - App-ID Adoption. Allow processing "deny" rules. [MT-1562] - App-ID Adoption. Collect incomplete and insufficient-data apps. [MT-1563] - CSV Processing. Clarify how to enable files for CSV processing   Version 1.1.46 Date 5/11/2019 Bug [MT-1506] - Merge tags: merged all, not selected [MT-1511] - Virtual Router: PanOS 9.0: Destination, Next Hop IP Address, Path Monitoring are address objects [MT-1512] - Virtual Router: PanOS 9.0: Add FQDN on static routes Next Hop [MT-1547] - Clone Window: Failure message on wait message [MT-1548] - Tags null on Policies [MT-1551] - PanOS 9.0: Merge Tags by Name: doesnt update on group tags [MT-1552] - Regions: merge by Name or Value doesnt work New Feature [MT-1550] - CHECKPOINT R80.10. Added support for dynamic NATs Improvement [MT-1549] - Calculated Used/Unused: add group tags [MT-1553] - Tags Menu: unify Menu Up & Down [MT-1554] - Tags Menu: Add/Replace Prefix/Suffix [MT-1555] - Regions Menu: unify Menu Up & Down   Version 1.1.45 Date 4/11/2019 Bug [MT-1540] - CSV Processing. Listing files issues Improvement [MT-1541] - Devices. Skip Listing CSV Logs if possible [MT-1546] - Device Summary. Avoid warnings   Version 1.1.44 Date 31/10/2019 Improvement [MT-1534] - CSV Processing. Reduce time for file listing [MT-1535] - CSV Processing. Support processing hundreds of files in one call [MT-1536] - CSV List. Improve time setting PANOS version priority   Version 1.1.43 Date 30/10/2019 Bug [MT-1479] -  Route Monitor being deleted [MT-1485] - Replace Feature does not visualize all replacing options if a filter is applied. [MT-1487] - Filters: on objects, filter with tags does not work [MT-1497] - Virtual Router: On edit windows does not see RIP Administrative Distances [MT-1507] - CSV Autoprocess. Compress/Delete second and later files [MT-1508] - CSV Processing. Malformed CSV files crash Spark 2.4.3 [MT-1521] - CSV Processing. Add 'csv' as log type for new devices by default. New Feature [MT-1498] - Task Agent. Autostart when booting for new installs. Improvement [MT-1519] - CSV Processing. Improve panReadOrders feedback [MT-1520] - CSV Processing. Allow processing files with .log extension [MT-1518] - CSV Processing. Allow processing files under panorama managed devices   Version 1.1.42 Date 23/10/2019 Bug [MT-1505] - RE Import. Check UTF8 encoding for user names New Feature [MT-1472] - Version PanOS 9.1: Edit Rules: Add "group-tag" on editor rules [MT-1484] - Device Monitor Improvement [MT-1486] - CISCO. Support for src port services [MT-1489] - CISCO. Service any from 0-65535 [MT-1499] - www-data in expedition group [MT-1504] - Filters. Allow multiple levels of filter operators   Version 1.1.41 and 1.1.41.1 Date 17/10/2019 Bug [MT-1002] - PanOS-9: add "group-tag" in all policies [MT-1451] - Appoverride Rules: When editing the rules, the zones add any [MT-1453] - Appoverride Rules: On edit rules set Application and Port field required [MT-1456] - Scheduled tasks. No task found [MT-1457] - Merge Rules: add "target" options [MT-1458] - Cloned Rules: On Nat/Appoverride Rules missing cloned target [MT-1461] - CSV Processing. File size incorrectly reported [MT-1462] - Invalid Rules. Filter does not show results [MT-1465] - SRX. Device Static Routing not imported when VR is defined [MT-1466] - Virtual Wires: When edit interfaces and selected virtual wire, change automatically interfaces on virtual wires [MT-1467] - PALOALTO: error on export log-authentication-timeout from authentication rules [MT-1473] - Expedition Bug - Applying Filters (v1.1.40) [MT-1475] - Dashboard. Invalid rules [MT-1482 ] - Checkpoint. Issue with address IPv6 addresses in <R80 New Feature [MT-1003] - Version 9: add "uuid" in all policies [MT-1468] - CSV Processing. Support for PANOS 9.1 Beta. [MT-1480] - RE Import. Consider compacting Service High Ports [MT-1481] - RE Import. Consider importing networks Improvement [MT-1469] - Change CSV Log permit. Increate feedback [MT-1470] - Job monitoring. Verify the proper counts of failed jobs   Version 1.1.40 Date 09/10/2019 Bug [MT-1442] - Profiles on Security Rules: doesn't rendered correctly File Blocking [MT-1443] - Best Practices / Threat Practice: error in parameters from function [MT-1446] - CSV List. Empty (0 size) files provoke UI error and timeouts New Feature [MT-1439] - Filters: change columns behaviour Improvement [MT-1445] - Checkpoint. IPv6 host and network objects support   Version 1.1.39 Date 04/10/2019 Bug [MT-1208] - Dashboard: doesnt rendered correctly values from Tags [MT-1433] - CSV Processing. Error accessing CSV file while processing [MT-1434] - CSV Processing. May loop on a file multiple times New Feature [MT-1421] - Tags: Add Filter (Predefined) Used and Unused and link to Dashboard [MT-1405] - ZONES. Bulk change delete Improvement [MT-1184] - Networks Menu: unify Menu Up & Down [MT-1397] - CSV Files. Show warning if file to big for GZ [MT-1435] - Device Listing Timeout. If ML settings are incorrect, Expedition may give timeouts Version 1.1.38 Date 26/09/2019 Bug [MT-1076] - FQDN address being incorrectly marked as invalid [MT-1186] - Panorama - a specific DG cannot be selected [MT-1221] - Interfaces not being imported into the correct VSYS [MT-1225] - Log processing - failing due to memory issues [MT-1395] - CISCO. Non-utf descriptions support [MT-1403] - Dashboard:warnings on rules are not correctly calculated  [MT-1417] - Checkpoint. Issue with address group creation in R80.10 (2) Version 1.1.37 Date 20/09/2019 Bug [MT-1387] - Checkpoint. Issue with address group creation in R80.10 Improvement [MT-1386] - STONESOFT. Interfaces in virtual fw_cluster   Version 1.1.36 Date 19/09/2019 Bug [MT-1165] - FGT migration - not considering case sensitive address object naming - causing incorrect migration [MT-1168] - CSV Interface. Some interfaces are not correctly imported [MT-1185] - ASA migration - failing when migrating crypto profiles [MT-1202] - ASA migration - NAT rules not migrating [MT-1217] - Merge by Name and Value - Failing for address-groups, results in merging Groups with same name but different members [MT-1223] - Zones - remove the option to add them to 'shared' [MT-1284] - WebUI - no longer displaying 'Known Applications by rule' pop up [MT-1286] - UI: Known Applications: the tree Applications doesnt rendered correctly [MT-1377] - Applications Groups Menu: Selected Predefined Filter doesnt work [MT-1379] - Issue with merging of service objects with same dport value but different timeout [MT-1380] - Applications Groups: Predefined Filter Name & Value and Merge, error on select when default_applications Improvement [MT-1320] - CSV Processing. Do not allow clicking on "Process Files" within a Panorama device [MT-1371] - CSV Processing. Save PID to be able to check if the process failed [MT-1283] - New Project. Cannot add device during new project creation (applications.xml containsa dependency loop)   Version 1.1.35 Date 14/08/2019 Bug [MT-1203] - Checkpoint R80.x0 - migrating NAT rules twice (duplicating them) [MT-1216] - Updates 1.1.34: Unknown column 'vsys' in 'config_views' Improvement [MT-1214] - Invalid Sec Rules. Mark as invalid rules those containing incomplete and insufficient-data apps   Version 1.1.34 Date 13/08/2019 Bug [MT-997] - CISCO. down interface is considered for routing [MT-1138] - AutoZoneAssign - not finding the VR from a template [MT-1201] - Checkpoint R80.10/.20 - incorrectly migrating vsys/DG names causing migrations to fail [MT-1205] - WebUI - Export page - deleting a single item results in removing the entire config file [MT-1211] - AutoZoneAssign - incorrectly using the DG as the vsys assignment [MT-1213] - AutoZone. Do not consider "down" interfaces for routing tables Improvement [MT-1209] - CSV Processing. Allow processing using the priovidrd path even not having saved device settings [MT-1210] - CSV Processing. Provide human-readable feedback [MT-1212] - Network Interfaces. Show down interfaces as disabled rows   Version 1.1.33 Date 08/08/2019 Bug [MT-1041] - Stonesoft import - errors on import. Initial support for virtual_fw devices [MT-1126] - Load snapshot - Cancel option does not stop the loading of the snapshot [MT-1147] - Save snapshot - support saving and loading without manually typing a name [MT-1192] - Spark - not processing traffic logs when hostname has an underscore [MT-1199] - ML. Wrong naming convention when importing networks New Feature [MT-1195] - For ML and RE - add the option to analyze 'incomplete' logs Improvement [MT-1154] - Tags - check for duplicate tags (Dashboard information) [MT-1194] - Spark java.net.UnknownHostException. Issues with the hostname. Healthcheck for hostname without "_"   Version 1.1.32 (Requires expeditionml-dependencies-beta v. 0.1.3) Date 02/08/2019 Bug [MT-1150] - WebUI filter for NAT - create a filter for 'Interface' [MT-1185] - ASA migration - failing when migrating crypto profiles Improvement [MT-1187] - Add "Mark as Fixed" button warning messages on Warning Tabs Editor Rules [MT-1188] - HealthCheck. Check for installed versions [MT-1189] - Spark. Upgrade to Spark 2.4.3 (ML and RE performance and feature improvements) [MT-1190] - panReadOrders started. Create a script to automatically start panReadOrders agent   Version 1.1.31 Date 31/07/2019 Bug [MT-1149] - ASA - not migrating NAT rules [MT-1169] - CISCO. VPN - IKE gateway wrong interface if multiple "crypto map" entries are available [MT-1170] - CISCO. VPN IPsec crypto profile - no unique name created [MT-1174] - CSV NAT import: not all values for "interface" ingested [MT-1176] - Policies editor: Do not show corrected warnings [MT-1177] - CSV: added log twice, one with name and another empty [MT-1181] - CSV Processing. Identify jobs that started more than 24h ago [MT-1182] - Bug when Remapping Interfaces [MT-1183] - App-ID adoption - timing out when requesting traffic logs Task [MT-1171] - UI: Connector, change order from Top Improvement [MT-1172] - ML: Provide network only for IPv4 [MT-1173] - ML Settings. Trim paths before saving new Path [MT-1178] - Scheduled tasks. Check for scheduled tasks every 30 sec [MT-1180] - CSV Processing. Provide feedback in bar   Version 1.1.30-h2 Date 24/07/2019 Temporarily Disabled: [MT-1158] - ML: Create advanced features to allow network import   Version 1.1.29-30 Date 24/07/2019 Bug [MT-1099] - IronSkillet - reports are being incorrectly written to the wrong XPath [MT-1119] - CSV: Service any when importing security rules [MT-1133] - App-ID adoption with Panorama / Cortex [MT-1148] - IronSkillet: Add variable INCLUDE_PAN_EDL [MT-1151] - ASA Parser - new format managed from FMC (Firepower Mgmt Console) [MT-1155] - CISCO. Firepower import fails [MT-1064] - Ext.util.Event.getFireInfo(): No method named "onBeforeLoadReports" [MT-1159] - ML - returning incorrect results – Time Frame Override cannot be cleared [MT-1160] - UI: Convert Basic Event Binding to View Controller Event Binding [MT-1161] - Ext.JSON.decode(): You are trying to decode an invalid JSON String: undefined [MT-1162] - CISCO. Parsing users is not taken \ for group\user [MT-1163] - ASA User-ID Mapping reslove missing "/" [MT-1164] - UI: Window Download doesn't worked [MT-1166] - CISCO. VPN – IKE crypto lifetime is not set correctly Improvement [MT-1156] - Scheduled log processing – add details to the status messages [MT-1158] - ML: Create advanced features to allow network import     Version 1.1.28 Date 04/07/2019 Bug [MT-1094] - IronSkillet templates - incorrect MGMT_IP in the XML config [MT-1134] - Edit Project: When asigned devices, devices grid does not reload all devices [MT-1142] - Checkpoint R80.10 parser - hanging on zone calculation for NAT rules. Method missing Improvement [MT-1145] - CSV Autoprocess. Reset last_execution time to allow re-execution [MT-1146] - Expedition Installer. Verify Expedition user exists   Version 1.1.27 Date 04/07/2019 Bug [MT-1047] - Rule Enrichment - Change the order when importing rules [MT-1130] - Checkpoint R80.10/.20 - not importing security or nat policies [MT-1139] - Checkpoint. R80 NAT service may load incorrectly [MT-1140] - Filters. Address groups with 1 member misses some matches New Feature [MT-1121] - Bulk Change. Add Zone to all rules (as include) [MT-1141] - Filters. Address objects not used in groups Improvement [MT-1132] - WebUI - Devices header wording change [MT-1136] - Load Applications.xml. Protect against recursive-loop dependencies [MT-1137] - Rule Enrichment. Improve performance by reducing number of queries   Version 1.1.26 Date 27/06/2019 Bug [MT-1118] - Search and Replace - 'Remove' option fails when the DG selection is set to 'All' [MT-1122] - ASA migration - add migration support for DM_INLINE service objects [MT-1124] - Periodic CSV Process. Stops if one firewall does not have logs to process [MT-1128] - Invalid policy names - length calculation needs to be adjusted for PAN-OS 8.x and 9.0 New Feature [MT-1120] - Service import - check for valid destination port ranges [MT-1129] - Policy merge - add the policy name of the merged policy into the description into the new policy Improvement [MT-1080] - Backup directory - limit to 20 snapshots [MT-1127] - VM Setup. Script to setup Expedition on clean Ubuntu 16.04 [MT-1131] - Sec Merge. Improve performance   Version 1.1.25 Date 20/06/2019 Bug [MT-1054] - Radius Server. Reports test connection errors as LDAP [MT-1066] - SRX migration - custom service timeouts not being migrated [MT-1111] - CSV Nat. Importing NAT rules misses to capture src and dst fields [MT-1112] - UI: console log when edit services [MT-1113] - CSV: delete the first columns mapping [MT-1115] - CSV Service Import. Dport not loaded correctly [MT-1116] - XML generation - removed LLDP profiles [MT-1117] - XML generation - adding 'merged' tag into the incorrect XPath   Version 1.1.24 Date 12/06/2019 Bug [MT-1087] - Web UI - multiple refreshes automatically after upgrade to 1.1.21 [MT-1091] - Interfaces: when edit lost IP Address [MT-1092] - XML generation - failing to generate XML file [MT-1095] - Interfaces: remove Link Settings from Vlan, Loopback and Tunnel [MT-1096] - Interfaces Log Card/Decrypt Mirror: Import/Edit/Export [MT-1098] - Interfaces: remove field Type from Vlan, Loopback and Tunnel [MT-1103] - JOBS Listing. Include STARTED tasks in the view of pending [MT-1104] - Spark Log. Create entry for RuleDistanceCalculator [MT-1109] - CSV Summary. Perform the summary on HA device as well Task [MT-1106] - Script New Installation. Located in /var/www/html/OS/installation Improvement [MT-1100] - HealthCheck Jobs. Verify all the jobs are correctly reported [MT-1101] - Device Reload. Force device reload on "reload", not on tab click [MT-1102] - Snippet Reload. Force snippet reload on "reload", not on tab click   Version 1.1.23 Date 2/06/2019 Bug [MT-1105] - GUI Logging loop. Control when backend does not report correctly a valid login.   Version 1.1.22 Date 30/05/2019 Bug [MT-1050] - CISCO. upd www not created correctly (reported by R. Ouaini) Improvement [MT-571] - SPARK: ML_NewRules Reduce time and memory consumption [MT-1006] - Devices - hide the API key's [MT-1060] - ASA migration - migrate service 'domain' as TCP/UDP 53 [MT-1074] - Interfaces: Add PagingToolbar [MT-1086] - Policies. Show again the "all" rules [MT-1089] - Discovery Button: Make it all clickable [MT-1093] - Spark CSV. Improve memory and disk usage for debug   Version 1.1.21 Date 27/05/2019 Bug [MT-1036] - Rule Enrichment - App-ID being included in imported rules with 'Application' unchecked [MT-1078] - CSV Import - Import of security policies not incrementing Rule ID's correctly Improvement [MT-1084] - CSV Autoprocess. Show current system time for autoprocess assistance [MT-1085] - CSV rights. Script to modify CSV log rights to emable www-data delete the files   Version 1.1.20 Date 24/05/2019 Bug [MT-1063] - XML Generation - Panorama Template - Interface mappings not migrating correctly [MT-1070] - Panorama: add on Interface Type: "Log Card", "Decrypt Mirror" [MT-1075] - Predefined Filter “Duplicated Name” Not Worked as Expected Improvement [MT-1005] - CSV Import - services add field for source port [MT-1071] - CSV Logs. Schedule log processing (autoprocessing) [MT-1081] - HealthCheck Summary to fast spot healthcheck issues [MT-1082] - HealthCheck. Verify Temp Data Structure rights [MT-1083] - Spark. Separate temp data structure from parquet paths   Version 1.1.19 Date 16/05/2019 Bug [MT-1001] - CSV import - do not allow Security policies to be imported into 'Shared' [MT-1063] - XML Generation - Panorama Template - Interface mappings not migrating correctly Improvement [MT-1068] - CSV Parquet. Split CSV files into buckets based on available RAM. Reduce chances for memoryoverhead error New Feature [MT-1069] - environtmentParameters. Verify that all required parameters are defined via a healthcheck   Version 1.1.18 Date 13/05/2019 Bug • [MT-884] - Zones: on version 8, add type "Tunnel" and "External" on Panorama • [MT-1039] - Zone names - max characters is 31 - Expedition recognizes only up to 15 • [MT-1046] - WebUI - Filter for Address --> Type needs to be corrected • [MT-1059] - Slow performance - when removing unused objects • [MT-1065] - Filters: duplicated Name & Value on AddressGroups Improvement • [MT-858] - Usability improvement feature: Add status icon for Project exports • [MT-1061] - Change "No rules configured" to "Select a vsys with rules" • [MT-1067] - CSV Parquet. Use available RAM     Version 1.1.17 Date 06/05/2019 Bug   [MT-403] - CISCO. The field devicegroup shows "default" instead of filename [MT-892] - User-ID entry causing XML generation to fail or XML to be malrofmed [MT-961] - ScreenOS - service configs with multiple ports and protocols with SRC settings not migrating correctly [MT-1048] - Dashboard - Disk Space message - updated Live Community link [MT-1051] - TAG "merged" is used by objects but not exported to the XML [MT-1052] - Edit Security Rules: add/edit tag change with id [MT-1056] - Policy count reporting error. Vsys "all" will not display security rules. [MT-1057] - WebUI - wording changes Improvement [MT-999] - Mark Checkpoint policies with a Warning when migrated from an action not set to allow or deny [MT-1012] - UI wording change - Search and Replace - change 'VSYS' to 'VSYS / DG'   Version 1.1.16 Date 30/04/2019 Bug • [MT-884] - Zones: on version 8, add type "Tunnel" and "External" on Panorama • [MT-892] - User-ID entry causing XML generation to fail or XML to be malrofmed • [MT-994] - Address merge - perform a precheck for Ghost objects. Do not let ghost objects to be merged • [MT-1004] - Virtual Router - Route sorting not working • [MT-1017] - Add LACP Port Priority on Interface when type is Aggregate Ethernet (reported by Luke) • [MT-1027] - ASA migration - failing to complete the migration • [MT-1029] - Add Tag Column on Grid Applications • [MT-1030] - PAN-OS. Panoram read-only. Dont create it if max id is 0 • [MT-1031] - XML generation - <import> - importing unneeded interfaces causing commit to fail • [MT-1032] - Checkpoint R80.20 - Address groups not being migrated • [MT-1033] - Interfaces: update interfaces on other tables • [MT-1042] - CSV. After read the content of a csv file go to PAGE1 by default. • [MT-1043] - CISCO. Support for address-group security in ACLs • [MT-1044] - Warning Logs from Address Groups   New Feature • [MT-759] - Add TAGS to merged objects (address and services) and policies (security and NAT) • [MT-849] - Add Tags to multiple address objects (multiedit) • [MT-1026] - CSV Import - add option to delete lines Improvement • [MT-844] - API Key. Make the request in background • [MT-864] - Export: Change to Job • [MT-1010] - NAT policy export - add column and values for 'Translation Type' • [MT-1013] - Add on Objects: selected item from right click on Menú options • [MT-1016] - WebUI change - App-ID adoption • [MT-1035] - Address. Improve performance to process address and address groups • [MT-1037] - IronSkillet. Add templates for version 9.0 • [MT-1038] - Change report name - M.LEARNING Traffic report • [MT-1045] - CSV. AutoMap Columns based on CSV Header     Version 1.1.15 Date 15/04/2019 Bug [MT-892] - User-ID entry causing XML generation to fail or XML to be malrofmed [MT-1007] - XML generation - inserting invalid tunnel interface configuration [MT-1008] - App-Override - Transform App to Service is generation an incorrect timeout [MT-1019] - Merge - cannot merge 'Log forwarding profile' [MT-1020] - Service Merge. Error while merging two services New Feature [MT-759] - Add TAGS to merged objects and policies Improvement [MT-1014] - Increase height of the window that shows the results of the merge   Version 1.1.14 Date 12/04/2019   Bug [MT-768] - Consolidate - do not mix and match rules with services and applications [MT-1000] - Expedition Exporting Configuration with "read-only" (reported by Luke)   Version 1.1.13 Date 10/04/2019 Bug [MT-757] - MERGE - issue found when setting unused object as primary for merge [MT-937] - Web UI - Remove the "Register as Regions" button [MT-942] - XML generation - orphan XML tag being added [MT-953] - Rule merge all results [MT-986] - WebUI - (Predefined) Nat noNAT not working correctly [MT-998] - Web UI - graphic not rendering correctly [MT-1009] - Expedition Cross Site Scripting in devices View (Description field) Task [MT-308] - Verify all scripts in /bin have the sessionControl.php Improvement [MT-975] - MULTI-EDIT - enable the 'Description' option [MT-995] - Ghost object - replace the "/" in the name after transforming [MT-996] - Wording change in UI   Version 1.1.11 Date 28/03/2019 Bug [MT-947] - SRX migration - NAT rules not migrating Destination NAT rules correctly [MT-958] - PROJECT. Prevent invalid names for Projects like "create" or "is" [MT-964] - Dashboard. Calculate Ghost when source is not provided [MT-966] - Dashboard. Invalid services do not consider groups with "any" inside [MT-967] - CISCO. Creating service groups with tcp-udp services includes any service [MT-968] - CISCO. Missing some implicit services due to being both tcp and udp [MT-969] - Export to Excel: Nat rules, remove id) from name [MT-972] - Save snapshot - not saving when the snapshot name has blank spaces New Feature [MT-917] - API Calls. Clear all API Calls. Improvement [MT-956] - Dashboard statistics - only calculate unused objects for the most recent imported configuration [MT-957] - Dashboard statistics - add a counter for rules and objects with warnings [MT-959] - Check Used Objects. Calculate objects only for the new source [MT-976] - API Output manager - expand the 'search' to include the 'XML Content' [MT-978] - Dashboard. Include address groups with invalid references   Version 1.1.10 Date 21/03/2019 Bug [MT-819] - SRX file migration failed - due to Invalid XML [MT-932] - SRX - NAT policies not migrating correctly [MT-939] - Service override settings need correction in the XML and API output [MT-940] - SRX - migration stalls at importing NAT policies [MT-949] - XML generation is Invalid - Dash in the description causing the failure New Feature [MT-200] - Convert Long structures to BigInt to support IPv6 [MT-941] - SRX - migration support for double NAT configurations [MT-946] - WebUI - add a global indicator for the Expedition agent status [MT-948] - CSV Logs. Show logs per days summary Task [MT-952] - Update to Sencha 4.2.5 Improvement [MT-501] - CHECKPOINT R80. Importing objects some are missing [MT-781] - Allow importing of new configurations to be displayed and edited [MT-871] - Add a message after merging configurations [MT-936] - Add a search for Device-Group and Template selections   Version 1.1.7 Date 28/02/2019 Bug    [MT-874] - ZONES: Delete a used zone is performed without a warning    [MT-879] - Saved Rule Name with the character "*"    [MT-880] - Filters doesn't search by the character "*"    [MT-885] - Application object import - commas are causing new lines to be created    [MT-886] - DEVICES page load timing out causing remote exception when hundreds    [MT-887] - XML generation failing due to VLAN configured object    [MT-888] - R80 import - Address group missing some members    [MT-890] - IronSkillet - base config not passing admin credentials    [MT-894] - Filter - not matching predefined keywords 'none'    [MT-897] - Import Project: error when are two or more directories on folder    [MT-898] - Checkpoint. Missing members in nested groups    [MT-901] - Zones - incorrect zone being deleted by mistake    [MT-902] - IronSkillet - 8.1 XML file not adding template    [MT-903] - IronSkillet - not copying the MGMT IP information    [MT-904] - IronSkillet - API Output manager is generating invalid API requests for deviceconfig    [MT-905] - Spelling correction - Best practices section    [MT-908] - XSS in Migration Tool    [MT-909] - Import/Export Applications ident-by-icmp-type Improvement     [MT-877] - /boot out of space Added as Check from the Dashboard.     [MT-891] - IronSkillet - Panorama config display enhancement     [MT-907] - Fixed some Text Typos   Version 1.1.6 Date 14/02/2019 Improvement    * [MT-828] - LogConnector: Provide information about used data sources    * [MT-876] - Change width “Description” column for all Excel export   Version 1.1.5 Bug     * [MT-866] - ScreenOS. Fails importing security rules with hidden chars     * [MT-872] - ScreenOS: SNMP service incorrectly loaded     * [MT-860] - Filters. “Starts with” does not filter correctly Improvement     * [MT-814] - Auto Zone Assigment: change title if nat or security policies     * [MT-815] - Autozone: Bidirectional NATs are not correctly applied     * [MT-863] - Allow reimporting a configuration with an existing name. Loaded with date suffix   Version 1.1.4 Date 02/05/2019 Bug [MT-767] - Consolidate - do not include 'Deny' rules to consolidate if other rules are set to accept [MT-811] - Cisco ASA migration - Auto Zone Assign not calculating the zones for Security rules correctly [MT-813] - ver 1.1 - XML generation failing - due to PBF rule [MT-820] - GlobalProtect configuration missing in Expedition tool [MT-823] - Policy Filter in Expedition with option NOT IN NETWORK [MT-826] - Services: override unexpected here. Discarding. [MT-827] - Rule Enrichment: doesn't import correctly application-default [MT-829] - Rule Enrichment: doesn't have save snapshot [MT-834] - Export/Output: Disable override doesnt generated correctly [MT-837] - Export/Output: services with protocol SCTP doesnt generated correctly [MT-842] - LDAP. Authentication not working correctly [MT-845] - Policy Filter with option NOT IN NETWORK doesn’t work [MT-857] - SRX parser - not adding nested service groups [MT-859] - Rule Enrichment: doesn't import correctly source/destination   New Feature Under LDAP servers a new field has been added (account prefix) Now Expedition calculates for all the rules if they are L7 or L4 only. [MT-698] - New Predefined Filter. L4 and L7 Rules [MT-850] - The Discovery window has been splitter in two windows one for ML and another one for Rule Enrichment The ML and RE now supports IPv6 addresses within the logs Expedition will verify if you have access to the logs folder for ML and RE Runtime feedback added while RE and ML is running from the view. [MT-812] - Update BPA Security Policies View with the new Fields [MT-833] - ML: RE: Added Unknown applications to the Analysis [MT-843] - UserRoles. Do not allow SuperUser to change own role Expedition can import the same configuration name into the same project by automatically renaming them with the date-time at the end of the filename.   Version 1.1.2 Date 28/12/2018 Bug [MT-813] - ver 1.1 - XML generation failing - due to PBF rule Improvement [MT-814] - Auto Zone Assigment: change  window title if its nat or security policies [MT-815] - Autozone: Bidirectional NATs are not correctly applied   Version 1.1.1 Date 19/12/2018 Improvement [MT-812] - Updated Best Practices. The Security Policies View. Updated the Grid Columns Bug IronSkillet. Version 1.1 didnt get all the components needed to run IronSkillet. Fixed in 1.1.1     Version 1.1 Date 14/12/2018 Bug [MT-407] - Filtering by Nat zone TO doesn't work [MT-597] - Output: Merge zones in the Template [MT-599] - Consolidation: Check for duplicated profiles [MT-602] - Bug with ML server export [MT-604] - Device image models are not rendered correctly. [MT-608] - Rule Enrichment: Add to Existing Rules [MT-622] - FW: Latest Version of Expedition doesn't delete Service Objects [MT-628] - Issue with Custom App-IDs in Expedition [MT-634] - Truncate Names Rules Names/Description v.8.0 [MT-636] - ASA Config: Any in group to service [MT-648] - Remote exception when filtering for unused address object groups [MT-651] - New bug detected in 1.0.101 (Email) Duplicated Name, Filter [MT-765] - Update name schedules/log forwarding/zones/monitor, selected ids from rules by source and vsys [MT-766] - Log Forwarding / Schedule: if it's removed need to be removed from rules too. [MT-800] - Tab Click on Policies does not render correctly [MT-808] - Export: output. Remove new policies QoS, PBF, etc. New Feature [MT-424] - Add Filter Target and Set Add, Remove, Update target etc [MT-600] - Add button Test on Servers [MT-603] - New windows for Test Connection LDAP and Radius [MT-618] - Address: Add Transform IPAddress to object [MT-779] - Add Other Rules: check version 7 Task [MT-792] - LDAP: remove admin from test window Improvement [MT-638] - Add Other Rules Import [MT-650] - Add Other Rules: calculate used objects [MT-728] - Unify the two menus of the objects (Address / Address Groups) [MT-729] - Unify the two menus of the objects (Services / Services Groups) [MT-734] - Settings - Servers - LDAP/RADIUS Added Best Practices version 3.6.3 Added IronSkillet under Import -> Palo Alto   Hotfix 1.0.109 Date 10/12/2018 Bug [MT-756] - PALOALTO. Some Url categories from PAN-DB are lost when Expedition imports a PAN-OS Configuration [MT-795] - App-ID PDF Report. Fields with ANY are rendered with the previous value. [MT-804] - Export: output, drag & drop shared response pages fails to merge with the Base Configuration [MT-805] - Export: output API Calls doesn't generate GlobalProtect IPSec Crypto [MT-806] - Export: output API Calls doesn't generate Tunnel Monitor from IPSec Tunnel Improvement [MT-475] - Reviewed support for VPN IPSec in PAN-OS version 8.1 [MT-797] - Data Analysis. Added support for Logs from PAN-OS 9.0.0 beta [MT-798] - Rule ML: Verify if parquet folders exist before execute the analysis [MT-799] - Rule ML: Define default input and output folders [MT-801] - STONESOFT: Load template NAT rules [MT-802] - STONESOFT: Multiple services in NAT rules not loaded   Hotfix 1.0.108 Date 30/11/2018 Bug [MT-744] - Reviewed Consolidation Issues: sometime the zones are lost. [MT-748] - Enable or Disable from menu: add/delete Target when is Panorama [MT-760] - Import Palo Alto: Monitor Profile empty action, interval and threshold [MT-763] - Filters by Tag: doesn't work "not contain" and "not equal" [MT-769] - External List: if is removed, Was not removed from rules. [MT-772] - CISCO: ASA migration enhancement request: service as null [MT-773] - Filters: doesnt work negated filters (not equal, not contains) [MT-774] - Add Prefix. Affects to predefined Objects like application-default [MT-775] - Export: output duplicated predefined objects to shared [MT-778] - Export: output API Output Manager doesnt load devices [MT-788] - Dynamic Address Groups, Add TAGs to export as Excel. [MT-789] - Known Applications: create rule: Icons Source/Destination are not rendered correctly [MT-790] - App-ID Reconciliation Reviewed. Task [MT-787] - LDAP: Test change method from GET to POST Improvement [MT-753] - Add options from Rule Action to Bulk Changes on Appoverride Rule's Menu [MT-754] - CSV Import. Static Routes. Rewording Gateway by NextHop [MT-755] - CSV Import. Static Routes. If interface is set and NextHop too add both [MT-783] - Query the summary logs for log analysis. App-ID now can query summary database instead the raw log.   Hotfix 1.0.106 Date 10/01/2018 Fixes [MT-677] - CHECKPOINT. Add Target to NAT Rules [MT-678] - CHECKPOINT. Read Headers for NAT as we do for Security [MT-683] - CHECKPOINT. Negated Services in Rule [MT-684] - Activate Rule Actions via rightclick (Nat) [MT-692] - Combine rules from Main Menu [MT-695] - Remapping Interfaces on a PAN-OS configuration added interface in source nat. [MT-708] - SRX. Interfaces not imported due to single quotes in comments [MT-709] - Objects. Address and Groups View. Tag is not shown correctly [MT-713] - Fix duplicated rule name with the maximum name length according to the version Improvements [MT-686] - Unify the two menus of the rules (Nat) [MT-688] - Add Option "Select All Rules" [MT-691] - Menu Nat rules: set "selection" or "all rules" from all options [MT-717] - STONESOFT. Added support for multiple policy jumps   Hotfix 1.0.105 Date 09/19/2018 Fixes [MT-263] - Activate ML/RE rules via rightclick without clicking firs with the left button. [MT-676] - MultiEdit changed parameters from GET to POST [MT-679] - Activate Set as Primary objects via rightclick  without clicking firs with the left button. [MT-680] - Activate Rule Actions via rightclick (Security)  without clicking firs with the left button. [MT-681] - CombineSecurity rules from Main Menu was not working properly [MT-682] - CISCO. The function addPrefixSuffix was removed. Added again to avoid import crash if IPSsec tunnels defined. [MT-685] - Activate Rule Actions via rightclick (Application Override)  without clicking firs with the left button. [MT-689] - STONESOFT. Some member groups where created as duplicated objects because the naming [MT-693] - STONESOFT. Address differenciate between IPv4 and IPv6 [MT-705] - Add "Case Sensitive" on Menu option: "Search&Replace" [MT-706] - Export: Source configuration: missing Applications Groups New Features [MT-360] - Improve Rule Search to include "by ID" in the search not just by name [MT-701] - Rule Menus: Added option "All Rules" to "Add Serial" to all the selection Improvements [MT-86] - Output: Drop Apps into Shared: AppGroups where not moved properly [MT-519] - Join the two menus of the rules (Security) [MT-613] - Add Filter: (Predefined) Rules with Users [MT-687] - Join the two menus of the rules (Application Override) [MT-700] - STONESOFT. Use Objects in Memory for speed up migrations [MT-704] - Search & Replace: add Id] on grid "Replace"   Hotfix 1.0.104 Date 09/03/2018 Fixes [MT-633] - Virtual Routes: edit static routes doesnt oder by column [MT-667] - Consolidations/Merge Nats [MT-668] - MERGE Objects. The Descriptions are appended even they are equal [MT-669] - Error JavaScript ServerProxy store Translation Type on Nat Editor [MT-672] - Remote exception when filtering for unused when clicked on Dashboard [MT-673] - Cloned Rule Nat [MT-674] - STONESOFT. Cidr from objects are not imported [MT-675] - STONESOFT. After GroupMember2IdAddress_improved new dummy objects were created New Functions [MT-577] - Project Import. Verify the size of the file is smaller than MAX [MT-670] - Filters Nat/App override Policies: Add filter with Target   Hotfix 1.0.103 Date 08/28/2018 Fixes [MT-654] - Tools: cloned rule exceeds the max lenght. [MT-661] - Merge by value. Descriptions were incorrectly merged between objects. [MT-663] - Missing options to calculate invalid services [MT-666] - Rule Enrichment is not importing discovered rules New Functions [MT-662] - SNIPPETS. Add new type SPYWARE   Hotfix 1.0.92 Date 06/22/2018 Fixes Output generation was broken if non utf characters or "&" were found in the description fields.  New Functions Stonesoft: Added support for refuse action to be mapped with reset-both instead of drop   Hotfix 1.0.91 Date 06/21/2018 Fixes Cisco Nats: Improved the support for object nats. New Functions Added Best Practices version 3.0.6 After the Update you have to run an script to update to python36       sudo bash /var/www/html/OS/BPA/updateBPA306.sh  

Expedition – The Glue Between IronSkillet and Best Practices Expedition was conceived to reduce the time and efforts a security admin needs to improve and optimize their Palo Alto Networks configurations. Following that effort, we have added, within Expedition, support not only to run a BPA analysis if not also be able to remediate some of the failed checks (all related to Device Config) and now integration with the project IronSkillet. https://github.com/PaloAltoNetworks/iron-skillet 

Access Expedition GUI Using Google Chrome with Certification Error   Symptoms Can't access Expedition GUI using Google chrome, error message ' NET::ERR_CERT_COMMON_NAME_INVALID'  displayed as below screenshot, and you are not able to proceed to the website.   Please note: It's best practice to not proceed to the site failed on certificate error only when self-signed cert is used in Expedition and you confirmed it's safe to proceed to the site.   View of Chrome Error - NET::ERR_CERT_COMMON_NAME_INVALID Diagnosis For Google Chrome 58 and later, only the subjectAlternativeName extension, not commonName, is used to match the domain name and website certificate. If the certificate doesn’t have the correct subjectAlternativeName extension, users get a NET::ERR_CERT_COMMON_NAME_INVALID error letting them know that the connection isn’t private  and will not provide you an option to proceed to the URL.   Please see the article for more details: https://support.google.com/chrome/a/answer/7391219?hl=en   Solution Perform the below steps to re-install the self-signed certification with subjectAltName in Expedition: SSH to Expedition cd to /tmp Modify req.conf by issue below command: $ sudo vi req.conf copy and past below section in req.conf, modify attributes in the file to match your organization ........................................................................................ [req] distinguished_name = req_distinguished_name x509_extensions = v3_req prompt = no [req_distinguished_name] C = US (   Replace this with your county name) ST = VA  (   Replace this with your state name) L = SomeCity  (   Replace this with your city name) O = MyCompany (   Replace this with your company name) OU = MyDivision (   Replace this with your organization name) CN = 192.168.44.131 (   Replace this IP with your Expedition IP ) [v3_req] keyUsage = keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1 = 192.168.44.131 ( Replace this IP with your Expedition IP ) DNS.2 =   company.com  DNS.3 =   company.net ........................................................................................       saves the changes with ESC :wq!   Issue below commands in order: $ sudo openssl genrsa -out server.key 3072 -config req.conf $ sudo openssl req -new -x509 -key server.key -sha256 -out certificate.pem -days 730 -config req.conf $ sudo cp server.key /etc/ssl/certs/ $ sudo cp certificate.pem /etc/ssl/certs/   Modify the default-ssl.conf by issue below command: $ sudo vi /etc/apache2/sites-enabled/default-ssl.conf  Find below two lines in the default-ssl.conf and replace the path  SSLCertificateFile   /etc/ssl/certs/ssl-cert-snakeoil.pem SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key    with    SSLCertificateFile   /etc/ssl/certs/certificate.pem SSLCertificateKeyFile /etc/ssl/certs/server.key   saves the changes with ESC :wq   Restart Apache by issue below command: $ sudo systemctl restart apache2   Try access the Expedition GUI again Google chrome should now present you an option under "Advanced"   to proceed to the URL. 

ABOUT Expedition is the fourth evolution of the Palo Alto Networks Migration Tool. The purpose of this tool is to help reduce the time and efforts of migrating a configuration from a supported vendor to Palo Alto Networks. By using Expedition (Migration Tool), everyone can convert a configuration from Checkpoint, Cisco, or any other vendor to a PAN-OS and give you more time to improve the results. Expedition (Migration Tool) 3 added some functionalities to allow our customers to enforce security policies based on App-ID and User-ID as well.   READ MORE    NOTE: Expedition is supported by the community as best effort. The Palo Alto Networks TAC does not provide support, so please post your questions in the community by clicking "Ask Questions" below.   Get the Expedition Installer   Expedition Installation This video provides a quick tutorial on installing Expedition on Ubuntu Server 16.04.   Get the Legacy Expedition OVA   Get the Legacy Expedition VM   Ask Questions   Get the Guides   Tutorial Videos  

Be the first to discover the new dynamic log connector functionality and learn about App-ID Adoption and the new Device Monitor...

Here are all the Documents related to Expedition use and adminsitrations   Hardening Expedition – Follow to secure your Instance. Admin Guide – Describes the Admin section and provides advise on how to configure and properly setup. User Guide  v1.1 (will be improved) Using Machine Learning – Create policies from logs (1st version)

Explore the Expedition Dashboard   Expedition Dashboard   There are 2 parts related to the VM Stats, one controls the stats for the local VM running the GUI and the ML Health in case is running on another VM shows the stats from the remote Expedition VM.   That means you can setup 2 Expedition VMs and use one for the GUI and another with more CPU and RAM to run the data analysis and machine learning. If this is your case just go to SETTINGS -> M. Learning and setup the IP address where your Expedition with more resources is running and click on SAVE.   The Task Manager must be always UP and controls all the backend jobs requested from the GUI like to retrieve contents from a device using the API keys.   Expedition comes with a self-check list to at least show you if there is something that can be improved in the system or if some dependencies or required functions are working properly or missing.   Close to the logo you can find the version and the released day plus what version of the Best Practices Assessment Tool is running.

What is Expedition?   Expedition is the fourth evolution of the Palo Alto Networks Migration Tool. The main purpose of this tool was help reducing the time and efforts to migrate a configuration from one of the supported vendors to Palo Alto Networks.   By using the Migration Tool, everyone can convert a configuration from Checkpoint or Cisco or any other vendor to a PAN-OS and give you more time to improve the results. Migration Tool 3 added some functionalities to allow our customers to enforce security policies based on App-ID and User-ID as well.   With Expedition, we have gone one step further, not only because we want to continue helping to facilitate the transition of a security policy from others vendors to PAN-OS, but we want to ensure the outcome is the best as possible. This is why we added a Machine Learning module that can help you generate new security policies based on real log traffic and the introduction of the Best Practices Assessment Tool to check the configuration complies with the Best Practices recommended by our security experts.   With all these huge improvements we expect the next time you use Expedition the journey to the excellence will be easier.   NOTE: Expedition is supported by the community as best effort   The Palo Alto Networks TAC does not provide support, so please post your questions in the community.   Go to: Expedition landing page on LIVEcommunity

This document describes the advantages of using Regions objects when importing the Rule Enrichment policy recommendations.

(DO NOT EDIT resolv.conf)   If needed, the steps to statically configure a DNS server to the Expedition server will be to edit the dns-nameserver in the /etc/network/interfaces file.    Editing resolv.conf is not reliable as any edits will be overwritten on reboot of the Expedition server.   expedition@Expedition:/etc/network$ sudo vi interfaces   Configured to use DHCP   # This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5).   source /etc/network/interfaces.d/*   # The loopback network interface auto lo iface lo inet loopback   # The primary network interface auto ens33 iface ens33 inet dhcp dns-nameservers  8.8.8.8  4.2.2.2   Configured with a static IP   # This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5).   source /etc/network/interfaces.d/*   # The loopback network interface auto lo iface lo inet loopback   # The primary network interface auto ens33 iface ens33 inet static        address 192.168.252.136        netmask 255.255.255.0        gateway 192.168.252.2        dns-nameservers      8.8.8.8 4.2.2.2

Please review the attached document for SHA256 hash of the Expedition OVA.  

This document describes how to enable and configure the new feature in update version 1.1.20 to enable the scheduling of log processing for the Machine Learning feature.

The attached document has been used as a lab guide to configure the machine learning in your environment.    Replace the VM and Expedition details using your configuration and traffic logs to start using machine learning to show how App-ID can be employed to reduce the attack surface of your security policies.

Generate the XML configuration by running this command from the CLI   show configuration | display xml | no-more   Before you import a Juniper SRX into Expedition, there are some manual checks we can do to verify the migration will work.   The configuration must start only with <configuration> tag, you have to replace everything before or inside that tag by only <configuration> The configuration must end with </configuration> any other text after it must be removed         Here's an example on how a SRX config should look when you edit:   <configuration> .... .... </configuration>   For integrity validation is a good practice try to open the XML file from FIREFOX browser becasue if something is breaking the XML integretity FIREFOX will notice to you which line has an invalid character. You must replace the invalid character before upload it to Expedition This is an example of wrong configuration. It seems someone created the file but stored with wrong jumps on it, so Firefox will complain about the format.        If we edit the file, we can see this at line 911 of the config file:   <pre-shared-key> <ascii-text>$9$4xxxxxxxxxxxx</asc ii-text> </pre-shared-key>    To fix this example, we have to remove the break line after </asc to:   <pre-shared-key> <ascii-text>$9$4xxxxxxxxxxxx</ascii-text> </pre-shared-key>  Fix all the problems before importing into Expedition.   Hope this helps.

Expedition comes with a built-in messaging queue system.   This mechanism allows it to prepare some tasks and send it to the queue. With this, we can run jobs internally without having to wait until the job is finished in the same page we are.   The first thing you will have to do when you enter in Expedition is check if the process is UP or DOWN, click on START in case is DOWN. If this is DOWN the Jobs will not be executed until it get's UP again. Dashboard  Some of the tasks relaying in the TASK MANAGER are: Download contents from Devices Auto-Zone Function Retrieve dynamic reports from firewalls for App-ID and User-ID adoption Machine Learning     Debug: If you want to see the output generated by the jobs running from the Queue you can see the content here:   tail -f /home/userSpace/panReadOrders.log    

There are many ways to replace Zones in your Rules but there is one that really makes a difference.   The idea in this example is replace the Zone called VPN-Didac by Untrust. So the approach we will take is filter by the Zone and see where this zone is used and then do the replace.   From within the Project navigate to Network and then click on Zones.         From there right-click on the Zone (point he mouse over the name) we want to replace, in our case VPN-Didac and select Add to filter.   This will create a new filter and we need to activate it by using drag and drop to drop it under ACTIVE folder and click on APPLY FILTER button.       Navigate to TOOLS and Search and Replace. Select from the left panel where the output from the filters are listed the Zone we want to replace and then Expedition will search in what groups or policies has been used.     In our example we will click on Security Policies and we will select all the rules where this zone was seen and we will add to Replace, the same will do with the Nat Policies shown as well. After that we will click on REPLACE.   From the REPLACE view and keeping all the elements selected choose from the combo called Replace by "Zones" and then from the next combo called "To" select the zone you want to be replaced by the one you searched.     Click on Replace All and check from the Rules the change was effectively done.       Done !  

Question Can I export my project to another Expedition instance? Answer Yes you can!   Export a Project:    Warning: Only Expedition Super-Users can Import and Export Projects.   Login to your Expedition Go to Projects Tab Select the project you want to export and click on Settings Projects View        4. Go to the Import/Export sub-Tab      5. Click on the Export button.       6. Click on Save   Import Export View   Import a Project:       1. Create a new Project     2. Click on Settings of the project     3.  Go to the Import/Export sub-Tab     4. From the Import fieldset click on Browse to select the project to import     5. Click on Save   Warning: In case the project already exists the content will be replaced by the new one, whatever it was in the project will be replaced with the new content.     The log connectors will be removed from the project because they reference devices that may not exists where you are importing the project.   Import Export View  

There is a time when you already started a project and then you need to import the configuration from one device you didn't created yet.   From the Expedition Dashboard, go to Devices and add the new device. After generate the keys and import the contents go to the Projects view Select your project and click on settings Go to Devices Select the firewall you want to bring to your project Click on the Arrow that points to the Right Click on Save   Project's Settings View   Now when you enter into your project and navigate to the Import tab you will see the device to be imported.   

In Expedition, there are many different ways to setup a filter. Let's start from the beginning.   Case A) Project Dashboard:      Project Dashboard   When you click on one of the counters from the PROJECT STATISTICS Expedition will set a filter and will jump into the object selected. If you click on services Duplicated counter this is the filter will take action plus you will be transported to the Services view Filter Window   Case B) Predefined Filters   From any objects view when we press right-click an advanced menu will be shown, one of the options its called predefined filters, just open the list and select the one you want to automatically create and apply the filter.   Right-click over one service     Each type of object can have their own predefined filters but usually they are common between them   Case C) Custom Filters   Click on Filters from the Objects or Policies view to get access to the Filter assistant Access to Filter Assistant     A new window will show up. From here we can create our custom filter   Scope: Where this filter will apply, The more number of objects you add to the scope will reduce the amount of fields common between them to be able to search by, like if you select as scope address and addressgroups you can search only by name, tag and description because those are the fields in common, if you only select address all the fields related to address can be used to search like ipaddress, cidr, etc... Field: the field we want use to filter Operator: It can be equal, or contains, etc What to search: Text we want to search on the selected field. to CREATE the filter click on the plus button Creating custom filter   To Apply the new filter we have to select the filter from AVAILABLE and DROP into ACTIVE folder Click on APPLY FILTER Edit Custom Filter   From the Objects and Policies views, you can see if there is any Active filter and Clear them all     Remember when creating a custom filter, first add to the available filters and then drop it into the ACTIVE to apply the filter.

Expedition comes with a framework to manage the Role-Based Access Control, this will help you to add users with different level of privileges.        1) Expedition User Roles:                 a) Super User: This Role allows the User to manage everything on Expedition              b) Admin: This Role allows the user to Create projects and devices but cannot change system settings or add new users              c) User: This Role allows the user only to enter on Expedition and see projects and devices where has been granted access.        View of adding a new user to Expedition          2) Project User Roles:             When a project is created by an Expedition Super-User or Admin, this can be edited by clicking on Settings   View of Expedition Project Settings           From the Settings window, we can add Expedition Users to the Project. Inside the Project, we have different Roles:           a) admin: This Role can change the Project Settings and modify all the content within it.         b) user: This Role can edit the project contents but it cannot change the project settings to add more devices or users to the project.          c) viewer: This Role is for read-only purposes. Doesn't have any privileges to change nothing inside the project or manage the project settings.    View of Edit Project panos to add Expedition users.       As an example, you can create a new Expedition user with Role (User) and attach this user to one Project as (admin), in this case the User be able to manage only the project and the content but it will be unable to add more projects, devices or users to Expedition.     Hope this helps to clarify how to assign Roles.  

Symptoms Sometimes you have the need to add the same Security Profile or Log forwarding Profile or even a TAG to a large amount of Security Policies. When the number of rules is really high the function MULTIEDIT can be sometimes SLOW. How can i perform BULK changes for common problems really FAST?   Diagnosis Solution With version 1.0.107, we introduced a new way to perform BULK CHANGES in a really super fast way.   From POLICIES, you can use right click or click on the TOP RIGHT menu button for Options     View of Security Policies Bulk Changes   Here you will find all the available options for BULK CHANGES. At the time to select one option you will have to select if want to apply the change to all the Rules or just the selected ones. The changes will be made immediately.    

Expedition offers local user authentication and external user authentication via LDAP and Radius servers.   In this example, we will illustrate how to configure external authentication via a Windows Active Directory server.     Settings in LDAP Server We have created a server under the domain sctc.domain.local, defined a group called "developers" and added a user "didac gil" with logon name "didacgil9".   In the figure, we can notice that users authenticate with the suffix "@sctc.domain.local". We will have to take account of this value for providing the correct settings in Expedition to complete the user authentication.   View of Active Directors Users and Computers, highlighting @sctc.domain.local in a user account.   Defining LDAP Server in Expedition In Expedition, we will first define the LDAP authentication server. Only Superusers have rights for server registration or modification. We have two different approaches for user authentication.   Approach 1. User needs to enter full logon name Define a server providing the desired server's name, the server's address and port, server type (Windows or Linux), Search DN parameters and SSL and/or TLS usage.   In our case, we our server responds at sctc.domain.local port:389 and we have named LDAP_approach1. The users that will use this server for authentication belong to the developers group, therefore we have provided the following Search DN: "CN=developers,DC=sctc,DC=domain,DC=local". Contact your Active Directory administrator to verify your correct Search DN parameters.     View of Approach 1 to Add New LDAP Server using the address sctc.domain.local.   After saving, we will test the server settings clicking on the diagnostics icon. We will be required to enter an existing user's credentials.    View of LDAP Test Connection   A feedback will be provided with the results of the connection.   Through this approach, users will have to provide their full account name for authentication. In our case, didacgil9@sctc.domain.local will be the user name account required to have a valid authentication.     Approach 2. Server specifies the user suffix In this case, we will facilitate the user's logon, providing the suffix already in the server settings. This way, a user will only have to write their account name "didacgil9". View of Approach 2 to Add New LDAP Server using the address sctc.domain.local.   Notice that using this approach, all users must share the same suffix in order to be able to validate their credentials.

  Expedition TechNote: CSV Import Guide: This document provides examples and descriptions on how to import configurations using the "Import CSV" option available in Expedition. There are many use cases to utilize the CSV import feature with one of the main use cases being used to migrate 3rd party firewall configurations that Expedition currently does not have a native configuration parser for.   Updated May 15, 2019

Hello Expedition Community, The process to install and deploy Expedition has been changed by offering an installable script that can be used to deploy onto your own instance of Ubuntu 16.04 LTS. Cloud and On-Prem Ready The changes in the Expedition installation provides greater flexibility allowing users to deploy Expedition on-prem onto their local hyper-visor or onto a cloud compute resource in AWS, Azure, and Google Cloud. The attached document describes the OS requirements (Ubuntu 16.0.4) and recommend compute resources.   Download and read the attached Expedition installer guide. To get started with your Expedition installation, download the Expedition installer script: https://conversionupdates.paloaltonetworks.com/expeditionInstaller.tgz   Additional Information Download and follow the use case examples in the available Expedition Admin Guide and Technotes: https://live.paloaltonetworks.com/t5/Expedition-Articles/Expedition-Documentation/ta-p/215619   Ask questions in the Expedition Community https://live.paloaltonetworks.com/t5/Expedition-Discussions/bd-p/ExpeditionDiscussions  

Expedition TechNote: Managing Service Objects – This document will describe how to optimize the services and services group objects.

Take a look to the new Greenfield security policy generation based on PanOS logs.

 A few feature added in the ver 1.1.9 release is the identification of "Ghost" objects which may require special handling based on the configuration file sources.   What are "Ghost" objects Ghost objects are temporary address objects (address objects only) that were learned from the migration of the Security and NAT policies. The ghost objects are displayed under OBJECTS > Address along with a new counter in the project dashboard.   The attached document provides background information on what causes ghost objects and how to mitigate them within a configuration.   This document will discuss the following topics: What are Ghost objects Handling of Ghost objects  

Some times we need to reduce the amount of Objects to be migrated or just for optimization and there is one technique that can help us to reduce objects.    In this case we will search if in our config exist any Address-Group with just one Member. If exist we will replace the Address-Group by the Member in any place we find it used. It can be used as part of another Address-Group or can be used as source or destination in any Policy.   Procedure:   Search for Address-Groups with one Member: Go to Objects and point your mouse on the Address-Group Panel and over one Address-Group right-click with your mouse and select Predefined Filter and select the (Predefined) Groups with one Member.   Select the Tab TOOLS. From the right Panel select SEARCH & REPLACE.  Expedition will show you where those Address-Groups where used. Select from Address-Groups and Policies where they were used and click on Add to Replace   Now click on the Tab called REPLACE, now for all the objects selected we will apply on the option Replace by the option Members and click on the Replace All button at the bottom of the page - right.      After the action completes we can go back to OBJECTS and check if those Address-Groups now are shown as unused. In case afirmative you can then safely remove them.       

Some times we need to reduce the amount of Objects to be migrated or just for optimization and there is one technique that can help us to reduce objects   Its common when we have used Expedition to migrate a configuration from CISCO or FORTINET to have address objects named as H-X.X.X.X or N-X.X.X.X-XX or even if the name was just an IP Address, but they were created as Address Object and count as Object. There is one function inside Expedition to convert them as IP Address that will be only Used on Rules as IP Address or IP Ranges hard-coded as Source or Destination on Rules. So they will not be used as Address Objects anymore.   This has pros and cons but if our Goal is reduce the amount of Address Objects this can help us.   Search from OBJECTS -> ADDRESS with right-click in one Address select the Predefined Filter called "Name is IP address". This will search the Address where the name is an IP Address.         We can add more filters to this process, Select the Filters Options and add all the Address where the name starts with H- for example, and the objects that starts with N- and the objects that starts with RANGE-, put the focus only on Address.         After Run SQL select the Address you want to transform to an IP Address and right-click with your mouse over one of the selected Address and select the option "Transform" -> "Object To IpAddress" and automatically all those objects will be renamed with the IP or Range Address (netmasks will be added as well in case are not /32) and will be marked internally as "dummy" objects, those objects will not be considered at the time to generate the XML or API Calls.       You can check before to transform them as IP Address if they are part of any group by going to TOOLS and SEARCH & REPLACE.