Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
09-20-2018 08:45 AM
Hi,
I'm running Expedition 1.0.105 with BP rules version 3.2.0 and while the analysis in working some FW configs, I've got some other FW configs for which nothing happen. I'm, of course, able to import the config in the tool and browse it
but when I click on "Start Analysis", I see the progression bar but no result.
Is there any special place in which I could see logs and understand what's wrong?
09-21-2018 08:43 AM
I finally found the problem, the configuration extract comes from Panorama and is not including the Panorama profiles which means some part of the configuration was missing.
Two takeaways:
09-20-2018 08:58 AM
I found this in /var/log/apache2/error.log:
Traceback (most recent call last):
File "/usr/local/bin/bpa-cli", line 11, in <module>
sys.exit(main())
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/json/generate.py", line 279, in main
process_normal(xml_config, args)
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/json/generate.py", line 23, in process_normal
data = xml_config.bpa.json(flatten=args.flatten)
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/parser/xml_config.py", line 48, in bpa
self._bpa = BestPracticeAssessment(self)
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bpat.py", line 173, in __init__
template_device_split=False, xml_config=xml_config)
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/base.py", line 72, in get_all
records = [x.record for x in cls.get_objects(xml, panorama, **kwargs)]
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/base.py", line 72, in <listcomp>
records = [x.record for x in cls.get_objects(xml, panorama, **kwargs)]
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 313, in record
return {'configuration': configuration, 'bp_check': self.get_bp_checks()}
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/base.py", line 57, in get_bp_checks
check = getattr(self, name)
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 179, in certificate_profile_warn
bad_clients = [client.name for client in self.auth_clients if not client.using_radius_saml()]
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 179, in <listcomp>
bad_clients = [client.name for client in self.auth_clients if not client.using_radius_saml()]
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 48, in using_radius_saml
return self.get_obj('authentication_sequences', self.auth_prof).using_radius_saml()
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 29, in get_obj
f for f in self._xml_config().features.get(feature_type)
StopIteration
Error in sys.excepthook:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/apport_python_hook.py", line 63, in apport_excepthook
from apport.fileutils import likely_packaged, get_recent_crashes
File "/usr/lib/python3/dist-packages/apport/__init__.py", line 5, in <module>
from apport.report import Report
File "/usr/lib/python3/dist-packages/apport/report.py", line 30, in <module>
import apport.fileutils
File "/usr/lib/python3/dist-packages/apport/fileutils.py", line 23, in <module>
from apport.packaging_impl import impl as packaging
File "/usr/lib/python3/dist-packages/apport/packaging_impl.py", line 23, in <module>
import apt
File "/usr/lib/python3/dist-packages/apt/__init__.py", line 23, in <module>
import apt_pkg
ModuleNotFoundError: No module named 'apt_pkg'
Original exception was:
Traceback (most recent call last):
File "/usr/local/bin/bpa-cli", line 11, in <module>
sys.exit(main())
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/json/generate.py", line 279, in main
process_normal(xml_config, args)
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/json/generate.py", line 23, in process_normal
data = xml_config.bpa.json(flatten=args.flatten)
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/parser/xml_config.py", line 48, in bpa
self._bpa = BestPracticeAssessment(self)
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bpat.py", line 173, in __init__
template_device_split=False, xml_config=xml_config)
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/base.py", line 72, in get_all
records = [x.record for x in cls.get_objects(xml, panorama, **kwargs)]
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/base.py", line 72, in <listcomp>
records = [x.record for x in cls.get_objects(xml, panorama, **kwargs)]
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 313, in record
return {'configuration': configuration, 'bp_check': self.get_bp_checks()}
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/base.py", line 57, in get_bp_checks
check = getattr(self, name)
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 179, in certificate_profile_warn
bad_clients = [client.name for client in self.auth_clients if not client.using_radius_saml()]
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 179, in <listcomp>
bad_clients = [client.name for client in self.auth_clients if not client.using_radius_saml()]
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 48, in using_radius_saml
return self.get_obj('authentication_sequences', self.auth_prof).using_radius_saml()
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 29, in get_obj
f for f in self._xml_config().features.get(feature_type)
StopIteration
09-20-2018 09:33 AM
After a relink of Python to Python 3.6 instead of 2.7 and a reinstall of the apt_pkg package, it still not working with one of the two configuration file with these errors in the Apache error log file:
Traceback (most recent call last):
File "/usr/local/bin/bpa-cli", line 11, in <module>
sys.exit(main())
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/json/generate.py", line 279, in main
process_normal(xml_config, args)
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/json/generate.py", line 23, in process_normal
data = xml_config.bpa.json(flatten=args.flatten)
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/parser/xml_config.py", line 48, in bpa
self._bpa = BestPracticeAssessment(self)
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bpat.py", line 173, in __init__
template_device_split=False, xml_config=xml_config)
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/base.py", line 72, in get_all
records = [x.record for x in cls.get_objects(xml, panorama, **kwargs)]
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/base.py", line 72, in <listcomp>
records = [x.record for x in cls.get_objects(xml, panorama, **kwargs)]
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 313, in record
return {'configuration': configuration, 'bp_check': self.get_bp_checks()}
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/base.py", line 57, in get_bp_checks
check = getattr(self, name)
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 179, in certificate_profile_warn
bad_clients = [client.name for client in self.auth_clients if not client.using_radius_saml()]
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 179, in <listcomp>
bad_clients = [client.name for client in self.auth_clients if not client.using_radius_saml()]
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 48, in using_radius_saml
return self.get_obj('authentication_sequences', self.auth_prof).using_radius_saml()
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 29, in get_obj
f for f in self._xml_config().features.get(feature_type)
StopIteration
I really don't undertand why only one of the config files is triggering this.
09-21-2018 06:56 AM - edited 09-21-2018 06:57 AM
As the error log was referring to global_protect.py, I played with the GP part of the configuration and I found that the <client-auth> section of the <global-protect-portal> is the problem:
...
<global-protect-portal>
<entry name="Test">
<portal-config>
<client-auth>
<entry name="auth-any">
<os>Any</os>
<authentication-profile>LDAP-AP-customer</authentication-profile>
<authentication-message>Enter login credentials</authentication-message>
</entry>
</client-auth>
<ssl-tls-service-profile>Wildcard customer</ssl-tls-service-profile>
<local-address>
<ip-address-family>ipv4</ip-address-family>
...
If I remove the <client-auth> section, it's working again... while I tried some other firewall configs in which the <global-protect-portal> section is working correctly.
Would anyone have a crazy idea?
09-21-2018 08:43 AM
I finally found the problem, the configuration extract comes from Panorama and is not including the Panorama profiles which means some part of the configuration was missing.
Two takeaways:
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
