BPA working for some config but not for others

brrenaud · ‎09-20-2018

Hi,

I'm running Expedition 1.0.105 with BP rules version 3.2.0 and while the analysis in working some FW configs, I've got some other FW configs for which nothing happen. I'm, of course, able to import the config in the tool and browse it

but when I click on "Start Analysis", I see the progression bar but no result.

Is there any special place in which I could see logs and understand what's wrong?

brrenaud · ‎09-21-2018

I finally found the problem, the configuration extract comes from Panorama and is not including the Panorama profiles which means some part of the configuration was missing.

Two takeaways:

Expedition error message could certainly by improved when a missing reference is found in the configuration.
Keep in mind to extract the running-config on the firewall instead of the Panorama config. You could do that for example by using from Panorama CLI "scp export device-state device <device-serial> to username@host:path" and then, import the running_config.xml in Expedition.

View solution in original post

brrenaud · ‎09-20-2018

I found this in /var/log/apache2/error.log:

Traceback (most recent call last):
File "/usr/local/bin/bpa-cli", line 11, in <module>
    sys.exit(main())
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/json/generate.py", line 279, in main
    process_normal(xml_config, args)
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/json/generate.py", line 23, in process_normal
    data = xml_config.bpa.json(flatten=args.flatten)
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/parser/xml_config.py", line 48, in bpa
    self._bpa = BestPracticeAssessment(self)
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bpat.py", line 173, in __init__
    template_device_split=False, xml_config=xml_config)
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/base.py", line 72, in get_all
    records = [x.record for x in cls.get_objects(xml, panorama, **kwargs)]
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/base.py", line 72, in <listcomp>
    records = [x.record for x in cls.get_objects(xml, panorama, **kwargs)]
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 313, in record
    return {'configuration': configuration, 'bp_check': self.get_bp_checks()}
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/base.py", line 57, in get_bp_checks
    check = getattr(self, name)
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 179, in certificate_profile_warn
    bad_clients = [client.name for client in self.auth_clients if not client.using_radius_saml()]
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 179, in <listcomp>
    bad_clients = [client.name for client in self.auth_clients if not client.using_radius_saml()]
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 48, in using_radius_saml
    return self.get_obj('authentication_sequences', self.auth_prof).using_radius_saml()
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 29, in get_obj
    f for f in self._xml_config().features.get(feature_type)
StopIteration
Error in sys.excepthook:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/apport_python_hook.py", line 63, in apport_excepthook
    from apport.fileutils import likely_packaged, get_recent_crashes
File "/usr/lib/python3/dist-packages/apport/__init__.py", line 5, in <module>
    from apport.report import Report
File "/usr/lib/python3/dist-packages/apport/report.py", line 30, in <module>
    import apport.fileutils
File "/usr/lib/python3/dist-packages/apport/fileutils.py", line 23, in <module>
    from apport.packaging_impl import impl as packaging
File "/usr/lib/python3/dist-packages/apport/packaging_impl.py", line 23, in <module>
    import apt
File "/usr/lib/python3/dist-packages/apt/__init__.py", line 23, in <module>
    import apt_pkg
ModuleNotFoundError: No module named 'apt_pkg'

Original exception was:
Traceback (most recent call last):
File "/usr/local/bin/bpa-cli", line 11, in <module>
    sys.exit(main())
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/json/generate.py", line 279, in main
    process_normal(xml_config, args)
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/json/generate.py", line 23, in process_normal
    data = xml_config.bpa.json(flatten=args.flatten)
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/parser/xml_config.py", line 48, in bpa
    self._bpa = BestPracticeAssessment(self)
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bpat.py", line 173, in __init__
    template_device_split=False, xml_config=xml_config)
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/base.py", line 72, in get_all
    records = [x.record for x in cls.get_objects(xml, panorama, **kwargs)]
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/base.py", line 72, in <listcomp>
    records = [x.record for x in cls.get_objects(xml, panorama, **kwargs)]
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 313, in record
    return {'configuration': configuration, 'bp_check': self.get_bp_checks()}
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/base.py", line 57, in get_bp_checks
    check = getattr(self, name)
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 179, in certificate_profile_warn
    bad_clients = [client.name for client in self.auth_clients if not client.using_radius_saml()]
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 179, in <listcomp>
    bad_clients = [client.name for client in self.auth_clients if not client.using_radius_saml()]
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 48, in using_radius_saml
    return self.get_obj('authentication_sequences', self.auth_prof).using_radius_saml()
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 29, in get_obj
    f for f in self._xml_config().features.get(feature_type)
StopIteration

brrenaud · ‎09-20-2018

After a relink of Python to Python 3.6 instead of 2.7 and a reinstall of the apt_pkg package, it still not working with one of the two configuration file with these errors in the Apache error log file:

Traceback (most recent call last):
File "/usr/local/bin/bpa-cli", line 11, in <module>
    sys.exit(main())
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/json/generate.py", line 279, in main
    process_normal(xml_config, args)
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/json/generate.py", line 23, in process_normal
    data = xml_config.bpa.json(flatten=args.flatten)
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/parser/xml_config.py", line 48, in bpa
    self._bpa = BestPracticeAssessment(self)
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bpat.py", line 173, in __init__
    template_device_split=False, xml_config=xml_config)
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/base.py", line 72, in get_all
    records = [x.record for x in cls.get_objects(xml, panorama, **kwargs)]
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/base.py", line 72, in <listcomp>
    records = [x.record for x in cls.get_objects(xml, panorama, **kwargs)]
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 313, in record
    return {'configuration': configuration, 'bp_check': self.get_bp_checks()}
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/base.py", line 57, in get_bp_checks
    check = getattr(self, name)
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 179, in certificate_profile_warn
    bad_clients = [client.name for client in self.auth_clients if not client.using_radius_saml()]
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 179, in <listcomp>
    bad_clients = [client.name for client in self.auth_clients if not client.using_radius_saml()]
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 48, in using_radius_saml
    return self.get_obj('authentication_sequences', self.auth_prof).using_radius_saml()
File "/usr/local/lib/python3.6/dist-packages/best_practice_assessment_ngfw_pano/best_practice_assessment/bp_checks/network/global_protect.py", line 29, in get_obj
    f for f in self._xml_config().features.get(feature_type)
StopIteration

I really don't undertand why only one of the config files is triggering this.

brrenaud · ‎09-21-2018

As the error log was referring to global_protect.py, I played with the GP part of the configuration and I found that the <client-auth> section of the <global-protect-portal> is the problem:

...

<global-protect-portal>
              <entry name="Test">
                <portal-config>
                  <client-auth>
                    <entry name="auth-any">
                      <os>Any</os>
                      <authentication-profile>LDAP-AP-customer</authentication-profile>
                      <authentication-message>Enter login credentials</authentication-message>
                    </entry>
                  </client-auth>
                  <ssl-tls-service-profile>Wildcard customer</ssl-tls-service-profile>
                  <local-address>
                    <ip-address-family>ipv4</ip-address-family>

...

If I remove the <client-auth> section, it's working again... while I tried some other firewall configs in which the <global-protect-portal> section is working correctly.

Would anyone have a crazy idea?

brrenaud · ‎09-21-2018

I finally found the problem, the configuration extract comes from Panorama and is not including the Panorama profiles which means some part of the configuration was missing.

Two takeaways:

Expedition error message could certainly by improved when a missing reference is found in the configuration.
Keep in mind to extract the running-config on the firewall instead of the Panorama config. You could do that for example by using from Panorama CLI "scp export device-state device <device-serial> to username@host:path" and then, import the running_config.xml in Expedition.

Unlock your full community experience!

BPA working for some config but not for others

BPA working for some config but not for others

Show your appreciation!