Create Maschinelearning Report with exported Logfiles

L2 Linker

Dear Community Group

I have a problem with the Expedition machine learning report.

I had a PA at the customer's site for a PoC and created gigabytes of logs, because the customer has no idea what's going on.

Then I set up Expedition, uploaded all the logs to Expedition and started the ML process. This worked fine after removing all IPv6 addresses from the logfiles.

But now I'm not able to create a report without configuring a Log Collector. My problem: this PA is now at a different customer and is not available from Expedition anymore.

Is there a possibility to create a report from all my collected logfiles? Why do I need to upload all the logfiles when I can't use them?

Please explain it to me.

Many thanks

Gernot

L5 Sessionator

Hi ederg,

 

I think there is a misunderstanding about the Log Connector. The Log Connector is defined to specify from which firewalls and vsys we would like to learn. This will identify which logs we are going to process.

Expedition could have 100 firewalls and logs from them all. Once their log files have been processed, the data is converted into parquet (for multiprocessing and ML execution).

 

In each Expedition project, you may define which firewalls are involved. It could be multiple FWs. For instance, you are migrating 3 PA220 firewalls to a PA7000.

When doing the LogConnector, you would define that you want to learn from the traffic logs that those PA220 have reported. Notice that this won't make connections to the PA220, but identify which log entries we are going to use.

 

NOTE: To be able to generate the LogConnector correctly, we do need to retrieve the config from the device. This is the only connection we are required to do to the FW, in order to download the running or candidate config.

Many thanks for your response.

I added the device to the project, but I uploaded the config from an XML file. I enabled ML on all my policies and when activating the discovery it says "No Device in this logConnector". So I have no idea how to get to the analysis result without a logConnector.

[Attachment: 2019-01-10 09_35_55-Expedition Project.png]

To be able to do the ML parts, you need to load the config from the Firewall (via a connection, not via the XML). As mentioned in the NOTE that I wrote above, that is the only moment where you will have to establish a connection to the FW.

 

This is required to make a proper mapping between the rules, the firewall Serial number (which doesn't come in the config XML), and the virtual system that we want to consider for learning.
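The two replies above describe what the Log Connector actually does: it selects log entries by firewall serial number and vsys, and the serial has to come from a connection to the device because it is not present in the config XML. The script below is an added example (not Expedition's code, and not written by either poster) that applies the same selection to an exported traffic-log CSV, so you can check before uploading which devices an export covers and how many entries a given serial/vsys pair would contribute. The column names and the sample log lines are constructed for the example and do not reproduce the exact PAN-OS export layout; the IPv6 filter mirrors the workaround the original poster mentioned.

```python
"""Pre-check exported traffic logs against a Log Connector-style selection.

Added example, not Expedition's code. Assumptions (labelled): the CSV header
names below are constructed for illustration, not the exact PAN-OS export
format, and the serial numbers are made up.
"""
import csv
import io
import ipaddress

# Constructed sample export (header names and values are illustrative only).
SAMPLE_LOG = """\
receive_time,serial,type,vsys,src,dst,dport,rule,action
2019/01/10 09:00:01,001801000001,TRAFFIC,vsys1,10.1.1.5,93.184.216.34,443,allow-web,allow
2019/01/10 09:00:02,001801000001,TRAFFIC,vsys2,10.2.0.8,10.9.9.9,22,ssh-mgmt,allow
2019/01/10 09:00:03,001801000002,TRAFFIC,vsys1,10.5.5.5,8.8.8.8,53,dns-out,allow
2019/01/10 09:00:04,001801000001,TRAFFIC,vsys1,2001:db8::10,2001:db8::1,80,allow-web,allow
2019/01/10 09:00:05,001801000001,TRAFFIC,vsys1,10.1.1.7,93.184.216.34,443,allow-web,deny
"""


def is_ipv6(addr):
    """True if addr parses as an IPv6 address; anything unparsable is not IPv6."""
    try:
        return ipaddress.ip_address(addr).version == 6
    except ValueError:
        return False


def devices_in_export(csv_text):
    """Return the set of (serial, vsys) pairs present in the export.

    Useful before defining a Log Connector: the serial must match the one
    learned from the connected device, not a value typed from memory.
    """
    return {(row["serial"], row["vsys"]) for row in csv.DictReader(io.StringIO(csv_text))}


def select_entries(csv_text, serial, vsys, drop_ipv6=True):
    """Keep only entries reported by the given serial/vsys, as a Log Connector would.

    Returns (selected_rows, stats). With drop_ipv6=True, entries whose source or
    destination is an IPv6 address are discarded, like the poster's workaround.
    """
    stats = {"total": 0, "other_device": 0, "ipv6_dropped": 0, "selected": 0}
    selected = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        stats["total"] += 1
        if row["serial"] != serial or row["vsys"] != vsys:
            stats["other_device"] += 1
            continue
        if drop_ipv6 and (is_ipv6(row["src"]) or is_ipv6(row["dst"])):
            stats["ipv6_dropped"] += 1
            continue
        selected.append(row)
        stats["selected"] += 1
    return selected, stats


def rule_hits(rows):
    """Count selected entries per rule name: the per-rule grouping learning starts from."""
    counts = {}
    for row in rows:
        counts[row["rule"]] = counts.get(row["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    print(sorted(devices_in_export(SAMPLE_LOG)))
    rows, stats = select_entries(SAMPLE_LOG, "001801000001", "vsys1")
    print(stats)
    print(rule_hits(rows))
```

Run it against your own export after replacing the constructed CSV and column names; if `devices_in_export` does not list the serial/vsys pair you expect, no Log Connector built for that pair will select any entries, which is the situation the "No Device in this logConnector" message points at.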

Hi dgildelaig 

You are my hero!

Yesterday we got the PA back from the customer. Now I added it in my lab, so that it is reachable from Expedition, restored the previous config, created a new project and ML is running!

Many thanks

[Attachment: 2019-01-10 11_18_26-expedition@Expedition_ ~.png]

Great!

 

Please, if you can mark the post as solved, this may help others to get to the correct answer if they face the same challenge, which most probably will happen to others.
