03-09-2021 08:07 AM - edited 03-09-2021 09:00 AM
I'm using expedition 1.1.93
When I target my any/any rule for app-id adoption, the adoption process finishes, but no app-ids are displayed. This occurs whether I request a slow retrieval or a fast retrieval.
The same rule(s) work fine with ML and RE (app-ids show up as expected).
Any ideas? I'm not even sure how to troubleshoot this. Any help is appreciated. Thanks!
03-09-2021 12:34 PM
A couple of things you can check:
1. Where is the security policy defined? If it's defined in DG1, the log connector you need to use is LC1; you should delete LC2 since you don't need it for app-id adoption.
2. Are there any traffic logs matching the security policy that you want to analyze for app-id? Is there an app-id shown in the traffic logs?
3. Make sure your Expedition is running the latest version, v1.1.92.
4. Try removing the Panorama from the device tab and re-adding it, re-retrieve the contents and create a new project, assign the Panorama to the project, and re-add the log connector.
03-09-2021 12:36 PM
If your security policy is defined in Panorama, you do not need an API key or connections to the firewalls at all. The only interaction is between Expedition and Panorama; please make sure the firewall logs are being forwarded to Panorama.
03-09-2021 12:57 PM - edited 03-09-2021 12:59 PM
Thanks @lychiang I appreciate your help!
1. Without getting too much into design, I have four NGFW devices. Each device pair (HA pair) has its own device group. There are 'permit any/any' rules within both device groups, and I'd like to analyze all of them for app-ID adoption. So it's fair to say that I'm attempting app-ID adoption for rules within multiple device groups. This is the reason why I set up two log connectors (one per device group).
2. Yes, there are traffic logs for the IP any/any rules, and app-IDs are 'seen' within the traffic logs.
3. I just updated to 1.1.92 this morning.
4. (Remove Panorama, re-add and re-create project) - I will try this tomorrow.
Logs are being shipped from the NGFW devices themselves to the Expedition server via 'scheduled log export'.
Thank you for answering my question about connecting via Panorama vs connecting via the devices themselves. Based on your answer, I am doing everything correctly as I can retrieve the connected devices and the connected device content via the 'top level' Panorama device.
My next step (tomorrow) is to delete the project, remove Panorama from the global devices, re-add Panorama, and re-create the project and log connector. I'm confused about this issue as the other features (ML and RE) are currently working fine within this project.
I'll post here tomorrow after I re-create everything. Thank you again for your help!
03-10-2021 10:56 AM
Today I deleted the project, deleted my panorama device, and deleted all parquet processed logs.
I re-added the Panorama instance, re-created the project, and recreated the log connectors.
After processing logs, I'm getting the exact same symptoms. ML and RE work fine; both display the expected apps for my PERMIT any/any rule. When I try to retrieve apps for APP-ID adoption (within my any/any rule), nothing shows up.
Is there a log that I can look at to see what's going on? Any debug or troubleshooting info would be helpful.