Best Practices Analysis Not Running

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Best Practices Analysis Not Running

L1 Bithead

I'm trying to run a BPA for one of my Panorama-managed devices. I got everything imported into the project, but the BPA never runs. The progress bar advances to "Done!" with no visible errors on the front-end, but Last Run stays at Never Analyzed. Checking the Apache error logs, it appears thta there's a missing executable (bpa-cli). Is this something we have to get separately?

1 accepted solution

Accepted Solutions

L7 Applicator

Hi, we found an issue in new installations where the bpa was not properly updated, Please update your Expedition to 1.0.85.1 and try it again. Thanks

View solution in original post

15 REPLIES 15

L7 Applicator

Hi, we found an issue in new installations where the bpa was not properly updated, Please update your Expedition to 1.0.85.1 and try it again. Thanks

Upgraded to 1.0.85.3 and the BPA is working now - thanks!. APT was/is complaining about the repo though.

 

Reading package lists... Done
E: The repository 'https://conversionupdates.paloaltonetworks.com expedition-updates/ Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

I was able to work around it by disabling the checks but that's not ideal.

 

sudo apt -o Acquire::AllowInsecureRepositories=true \
> -o Acquire::AllowDowngradeToInsecureRepositories=true \
> update

 

We have to build a new repository with a stronger certificate, its a matter of time, its coming. Thanks

Thanks for this ! This solutions worked like charm. Looking forward to those new repos !

L1 Bithead

Hi,

Im having this issue with a specific config file, with others is working OK.

Looking at error.log in apache a get this:

 

Traceback (most recent call last):

  File "/usr/local/bin/bpa-cli", line 11, in <module>

    sys.exit(main())

  File "/usr/local/lib/python3.5/dist-packages/best_practice_assessment_ngfw_pano/json/generate.py", line 274, in main

    xml_config = XMLConfig.read_xml(args.xml)

  File "/usr/local/lib/python3.5/dist-packages/best_practice_assessment_ngfw_pano/parser/xml_config.py", line 171, in read_xml

    return cls(tree, **kwargs)

  File "/usr/local/lib/python3.5/dist-packages/best_practice_assessment_ngfw_pano/parser/xml_config.py", line 26, in __init__

    self.version = float(next(iter(query.get_version(self.tree)), '0.0')[:3])

  File "src/lxml/xpath.pxi", line 432, in lxml.etree.XPath.__call__

  File "src/lxml/apihelpers.pxi", line 43, in lxml.etree._documentOrRaise

ValueError: Input object has no document: lxml.etree._ElementTree

 

Thanks for any help

Have you tried to upgrade to 1.0.88 and try it again?

Hi, 

 

I just upgraded to 1.0.88, but I'm still getting no results with this specific config.

 

Thanks for your help.

Just for verifying, the VM you have was downloaded from here at live or you got the copy from another source? If was a different source please download and try the version its hosted here at live.

I downloaded the VM from live. 

As I told you for other configurations I have tried it works ok, but there is a specific one that doesn't give results.

 

Thanks for your help,

It's working now with update 1.0.92 and the python update.

 

Thanks!

Any news about the new repo ?

 

Still having the following ssue in 2018 :

  

expedition@Expedition:~$ sudo apt-get update
...
Reading package lists... Done
W: The repository 'https://conversionupdates.paloaltonetworks.com expedition-updates/ Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
expedition@Expedition:~$

L0 Member

I'm not seeing any results in the BPA. I've tried with a Panorama XML as well as a running config from a connected device. The progress bar goes to "Done!" and I don't get any results.

 

Expedition version 1.0.103

BPA version is not showing anything

 

I've run apt-get update and install and still no luck.

Do you remember if after any expedition update you followed this instructions?

 

sudo bash /var/www/html/OS/BPA/updateBPA306.sh

Try to runnit from the cli if not.

L0 Member

I was able to get this running. I did the follwing:

 

expedition@Expedition:~$ sudo apt-get update

And I looked in the directory previously mentioned and found a zip:

expedition@Expedition:~$ cd /var/www/html/OS/BPA/
expedition@Expedition:/var/www/html/OS/BPA$ ls
best_practice_assessment_ngfw_pano-master.zip

So I unzipped it:

expedition@Expedition:/var/www/html/OS/BPA$ sudo unzip best_practice_assessment_ngfw_pano-master.zip 

Then cd to the directory and see the files:

expedition@Expedition:/var/www/html/OS/BPA$ cd best_practice_assessment_ngfw_pano-master/
expedition@Expedition:/var/www/html/OS/BPA/best_practice_assessment_ngfw_pano-master$ ls
best_practice_assessment_ngfw_pano  Dockerfile.test  pytest.ini  requirements.txt  test-requirements.txt
build.sh                            MANIFEST.in      README.md   setup.py          VERSION

I read the README file and followed the "Clone method". Which is to use the pip command to install.  I ran the following commands:

 

expedition@Expedition:/var/www/html/OS/BPA/best_practice_assessment_ngfw_pano-master$ 

cat README.md 
pip install -r requirements.txt
###  a message warned me that I needed to upgrade pip
sudo pip install --upgrade pip
sudo pip install -e .

I went to the web UI and hit refresh and BAM! It worked.

 

I assumed this feature would be enabled by default, but I installed this in Fusion on my laptop and in the customer's environment after converting it with the VMware converter - both installs had the issue of not displaying BPA results after running the analysis. 

 

I hope this helps.

 

Chris

  • 1 accepted solution
  • 20552 Views
  • 15 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!