BPA working for some config but not for others

Hi,

I'm running Expedition 1.0.105 with BP rules version 3.2.0, and while the analysis is working for some FW configs, I've got some other FW configs for which nothing happens. I'm, of course, able to import the config into the tool and browse it

rules.png

but when I click on "Start Analysis", I see the progress bar but no result.

Is there any special place in which I could see logs and understand what's wrong?

Accepted Solutions

I finally found the problem: the configuration extract comes from Panorama and does not include the Panorama profiles, which means part of the configuration was missing.

Two takeaways:

  1. The Expedition error message could certainly be improved when a missing reference is found in the configuration.
  2. Keep in mind to extract the running-config from the firewall instead of the Panorama config. You could do that, for example, from the Panorama CLI with "scp export device-state device <device-serial> to username@host:path" and then import the running_config.xml into Expedition.

4 REPLIES

I found this in /var/log/apache2/error.log:

Traceback (most recent call last):
  File "/usr/local/bin/bpa-cli", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/json/generate.py", line 279, in main
    process_normal(xml_config, args)
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/json/generate.py", line 23, in process_normal
    data = xml_config.bpa.json(flatten=args.flatten)
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/parser/xml_config.py", line 48, in bpa
    self._bpa = BestPracticeAssessment(self)
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bpat.py", line 173, in __init__
    template_device_split=False, xml_config=xml_config)
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/base.py", line 72, in get_all
    records = [x.record for x in cls.get_objects(xml, panorama, **kwargs)]
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/base.py", line 72, in <listcomp>
    records = [x.record for x in cls.get_objects(xml, panorama, **kwargs)]
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 313, in record
    return {'configuration': configuration, 'bp_check': self.get_bp_checks()}
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/base.py", line 57, in get_bp_checks
    check = getattr(self, name)
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 179, in certificate_profile_warn
    bad_clients = [client.name for client in self.auth_clients if not client.using_radius_saml()]
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 179, in <listcomp>
    bad_clients = [client.name for client in self.auth_clients if not client.using_radius_saml()]
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 48, in using_radius_saml
    return self.get_obj('authentication_sequences', self.auth_prof).using_radius_saml()
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 29, in get_obj
    f for f in self._xml_config().features.get(feature_type)
StopIteration
Error in sys.excepthook:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/apport_python_hook.py", line 63, in apport_excepthook
    from apport.fileutils import likely_packaged, get_recent_crashes
  File "/usr/lib/python3/dist-packages/apport/__init__.py", line 5, in <module>
    from apport.report import Report
  File "/usr/lib/python3/dist-packages/apport/report.py", line 30, in <module>
    import apport.fileutils
  File "/usr/lib/python3/dist-packages/apport/fileutils.py", line 23, in <module>
    from apport.packaging_impl import impl as packaging
  File "/usr/lib/python3/dist-packages/apport/packaging_impl.py", line 23, in <module>
    import apt
  File "/usr/lib/python3/dist-packages/apt/__init__.py", line 23, in <module>
    import apt_pkg
ModuleNotFoundError: No module named 'apt_pkg'

Original exception was:
Traceback (most recent call last):
  File "/usr/local/bin/bpa-cli", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/json/generate.py", line 279, in main
    process_normal(xml_config, args)
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/json/generate.py", line 23, in process_normal
    data = xml_config.bpa.json(flatten=args.flatten)
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/parser/xml_config.py", line 48, in bpa
    self._bpa = BestPracticeAssessment(self)
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bpat.py", line 173, in __init__
    template_device_split=False, xml_config=xml_config)
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/base.py", line 72, in get_all
    records = [x.record for x in cls.get_objects(xml, panorama, **kwargs)]
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/base.py", line 72, in <listcomp>
    records = [x.record for x in cls.get_objects(xml, panorama, **kwargs)]
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 313, in record
    return {'configuration': configuration, 'bp_check': self.get_bp_checks()}
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/base.py", line 57, in get_bp_checks
    check = getattr(self, name)
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 179, in certificate_profile_warn
    bad_clients = [client.name for client in self.auth_clients if not client.using_radius_saml()]
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 179, in <listcomp>
    bad_clients = [client.name for client in self.auth_clients if not client.using_radius_saml()]
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 48, in using_radius_saml
    return self.get_obj('authentication_sequences', self.auth_prof).using_radius_saml()
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 29, in get_obj
    f for f in self._xml_config().features.get(feature_type)
StopIteration

After relinking Python to Python 3.6 instead of 2.7 and reinstalling the apt_pkg package, it is still not working with one of the two configuration files, with these errors in the Apache error log file:

Traceback (most recent call last):
  File "/usr/local/bin/bpa-cli", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/json/generate.py", line 279, in main
    process_normal(xml_config, args)
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/json/generate.py", line 23, in process_normal
    data = xml_config.bpa.json(flatten=args.flatten)
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/parser/xml_config.py", line 48, in bpa
    self._bpa = BestPracticeAssessment(self)
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bpat.py", line 173, in __init__
    template_device_split=False, xml_config=xml_config)
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/base.py", line 72, in get_all
    records = [x.record for x in cls.get_objects(xml, panorama, **kwargs)]
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/base.py", line 72, in <listcomp>
    records = [x.record for x in cls.get_objects(xml, panorama, **kwargs)]
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 313, in record
    return {'configuration': configuration, 'bp_check': self.get_bp_checks()}
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/base.py", line 57, in get_bp_checks
    check = getattr(self, name)
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 179, in certificate_profile_warn
    bad_clients = [client.name for client in self.auth_clients if not client.using_radius_saml()]
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 179, in <listcomp>
    bad_clients = [client.name for client in self.auth_clients if not client.using_radius_saml()]
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 48, in using_radius_saml
    return self.get_obj('authentication_sequences', self.auth_prof).using_radius_saml()
  File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 29, in get_obj
    f for f in self._xml_config().features.get(feature_type)
StopIteration

I really don't understand why only one of the config files is triggering this.

As the error log was referring to global_protect.py, I played with the GP part of the configuration and I found that the <client-auth> section of the <global-protect-portal> is the problem:

...

<global-protect-portal>
              <entry name="Test">
                <portal-config>
                  <client-auth>
                    <entry name="auth-any">
                      <os>Any</os>
                      <authentication-profile>LDAP-AP-customer</authentication-profile>
                      <authentication-message>Enter login credentials</authentication-message>
                    </entry>
                  </client-auth>
                  <ssl-tls-service-profile>Wildcard customer</ssl-tls-service-profile>
                  <local-address>
                    <ip-address-family>ipv4</ip-address-family>

...

If I remove the <client-auth> section, it's working again... while I tried some other firewall configs in which the <global-protect-portal> section is working correctly.

Would anyone have a crazy idea?
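As an added example (not code from this thread, and not Expedition's or the BPA tool's own code), here is a small pre-import check for exactly the kind of dangling reference this thread turns on: a <client-auth> entry whose <authentication-profile> names a profile or sequence that the exported XML never defines. The sample config is constructed, modelled on the excerpt above; the element paths follow the usual PAN-OS layout but are an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <client-auth> excerpt in the thread, not a real export.
# "LDAP-AP-customer" is referenced by the portal but defined nowhere in this file, which is
# what a firewall config extracted without its Panorama-pushed profiles looks like.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
  <vsys><entry name="vsys1">
    <authentication-profile><entry name="Local-AP"/></authentication-profile>
    <authentication-sequence><entry name="Seq-1"/></authentication-sequence>
  </entry></vsys>
  <network><global-protect><global-protect-portal>
    <entry name="Test"><portal-config><client-auth>
      <entry name="auth-any"><os>Any</os>
        <authentication-profile>LDAP-AP-customer</authentication-profile></entry>
      <entry name="auth-seq"><os>Any</os>
        <authentication-profile>Seq-1</authentication-profile></entry>
    </client-auth></portal-config></entry>
  </global-protect-portal></global-protect></network>
</entry></devices></config>"""

def defined_auth_names(root):
    """Names of every authentication profile and sequence the config actually defines.
    Only container elements with <entry> children count; the same tag used as a
    reference inside <client-auth> carries text, not entries, so it is skipped."""
    names = set()
    for tag in ("authentication-profile", "authentication-sequence"):
        for container in root.iter(tag):
            names.update(e.get("name") for e in container.findall("entry"))
    return names

def portal_auth_references(root):
    """(portal, client-auth rule, referenced name) for each GlobalProtect portal rule."""
    refs = []
    for portals in root.iter("global-protect-portal"):
        for portal in portals.findall("entry"):
            for rule in portal.findall("portal-config/client-auth/entry"):
                ref = rule.findtext("authentication-profile")
                if ref:
                    refs.append((portal.get("name"), rule.get("name"), ref))
    return refs

def dangling_references(xml_text):
    """References whose target is missing: the lookup in get_obj() in the traceback
    above raised StopIteration because no object matched the referenced name."""
    root = ET.fromstring(xml_text)
    defined = defined_auth_names(root)
    return [r for r in portal_auth_references(root) if r[2] not in defined]

if __name__ == "__main__":
    for portal, rule, ref in dangling_references(SAMPLE_CONFIG):
        print(f"portal {portal!r}, client-auth {rule!r}: profile {ref!r} is not defined")
```

Running it against the sample reports the "auth-any" rule and its missing "LDAP-AP-customer" profile, which is the reference to resolve (by exporting the device-state from the firewall, as in the accepted solution) before starting the analysis.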
