01-09-2019 03:03 AM
Dear Community Group
I have a problem with the Expedition machine learning report.
I had a PA at the customer side for a PoC and created gigabytes of logs, because the customer has no idea what's going on.
Then I set up Expedition, uploaded all the logs to Expedition and started the ML process. This worked fine after removing all IPv6 addresses from the logfiles.
But now I'm not able to create a report without configuring a Log-Collector. My problem: this PA is now at a different customer and is not available from Expedition anymore.
Is there a possibility to create a report from all my collected logfiles? Why do I need to upload all the logfiles when I can't use them?
Please explain it to me.
Many thanks
Gernot
01-09-2019 03:20 AM
Hi ederg,
I think there is a misunderstanding about the Log-Connector. The Log-Connector is defined to specify which firewalls and vsys we would like to learn from. This will identify which logs we are going to process.
Expedition could have 100 firewalls and logs from them all. Once their log files have been processed, the data is converted into parquet (for multiprocessing and ML execution).
In each Expedition project, you may define which firewalls are involved. It could be multiple FWs. For instance, you are migrating 3 firewalls PA220 to a PA7000.
When doing the LogConnector, you would define that you want to learn from the traffic logs that those PA220 have reported. Notice that this won't make connections to the PA220, but identify which are the log entries that we are going to use.
NOTE: To be able to generate the LogConnector correctly, we do need to retrieve the config from the device. This is the only connection we are required to do to the FW, in order to download the running or candidate config.
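An added example (my own Python, not Expedition's code) of the selection the LogConnector is described as performing above: it keeps only the log rows that belong to the chosen (serial, vsys) pairs and, as the original poster had to do before the ML run, drops rows carrying IPv6 addresses. The CSV layout and column names are an assumption constructed for this example, not Expedition's parquet schema.

```python
import csv
import io
import ipaddress

# Constructed sample in a PAN-OS-like traffic-log CSV layout. The column
# names (serial, vsys, src, dst, ...) are assumed for this example only.
SAMPLE_LOG = """serial,vsys,src,dst,dport,action,rule
001234567890,vsys1,10.1.1.5,8.8.8.8,53,allow,dns-out
001234567890,vsys1,2001:db8::10,2001:db8::1,443,allow,web-out
001234567890,vsys2,10.2.2.7,93.184.216.34,443,allow,web-out
009876543210,vsys1,10.9.9.9,10.1.1.5,22,deny,block-ssh
"""


def is_ipv6(value):
    """True if value parses as an IPv6 address; the poster had to strip these."""
    try:
        return ipaddress.ip_address(value).version == 6
    except ValueError:
        return False


def select_log_rows(csv_text, connector, drop_ipv6=True):
    """Keep rows whose (serial, vsys) pair is in `connector`.

    This mirrors what the LogConnector is described as doing: it identifies
    which already-uploaded log entries to learn from and never contacts the
    firewall. The serial cannot come from the config XML, which is why the
    device config has to be pulled over a live connection once.
    """
    kept = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if (row["serial"], row["vsys"]) not in connector:
            continue
        if drop_ipv6 and (is_ipv6(row["src"]) or is_ipv6(row["dst"])):
            continue
        kept.append(row)
    return kept


def rules_seen(rows):
    """Sorted names of the rules the selected traffic actually hit."""
    return sorted({r["rule"] for r in rows})
```

With `drop_ipv6=False` the IPv6 row from vsys1 is retained, which is the input shape the poster reported the ML process could not handle.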
01-10-2019 12:43 AM
Many Thanks for your response.
I added the device to the project but I uploaded the config from an XML file. I enabled ML on all my policies and when activating the discovery it says "No Device in this logConnector". So I have no idea how to get to the analysis result without a logConnector.
01-10-2019 12:58 AM
To be able to do the ML parts, you need to load the config from the Firewall (via a connection, not via the XML). As mentioned in the NOTE that I wrote above, that is the only moment where you will have to establish a connection to the FW.
This is required to make a proper mapping between the rules, the firewall Serial number (which doesn't come in the config XML), and the virtual system that we want to consider for learning.
01-10-2019 02:24 AM
Hi dgildelaig
You are my hero!
Yesterday we got the PA back from the customer, now I added it in my lab, so that it is reachable from Expedition, restored the previous config, created a new project and ML is running!
Many Thanks
01-10-2019 02:26 AM
Great!
Please, if you can mark the post as solved, this may help others to get to the correct answer if they face the same challenge, which most probably will happen to others.