03-15-2020 12:10 PM - edited 03-15-2020 12:13 PM
I'm trying to configure M. Learning in Expedition so that we can analyze the traffic passing through specific any/any rules.
We use Panorama to manage the security policy on each of the individual firewalls. Is this an issue when trying to use Machine Learning? Here is the issue I'm running into.
I've set up Scheduled Log Exports on each of the individual firewalls to export their logs to Expedition.
In Expedition, if I add the individual firewall in the Devices tab, I can see the CSV file and process it in its M. Learning tab. But if I create a project with that firewall, I cannot see any of the policy to do a traffic analysis, or much of anything else. My assumption is that this is because all that information is being managed at the Panorama level.
However, if I add the Panorama in the Devices tab, retrieve the specific firewall device and retrieve its configuration, I cannot then process the exported log in the M. Learning tab. I see the files, but everything is grayed out and it has a header that says "Process CSV logs can only be executed from FW devices." But when I add the Panorama to a project, I can see the entire security policy and everything else.
Does ML only work in environments where the firewalls aren't centrally managed by Panorama?
03-15-2020 12:24 PM
ML works for your environment. You will process logs by going to the firewall. When you want to analyze the rules, you will retrieve the config from Panorama, since all your security policy is in Panorama, so you will add Panorama to your project and import the config. Next, you will need to add Panorama as a log connector by going to Plugin. After all that, you can then go to Security Policy and select the device group where the rules are located, then right-click Machine Learning, add the selected rule to Machine Learning, then click on the Machine Learning green tab at the bottom to start Machine Learning.
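The step that matters for the original question is the last one: Expedition's Machine Learning reads the exported traffic logs and reports what each selected rule actually carried, so that a broad any/any rule can be narrowed to the zones, applications and ports really in use. The script below is an added illustration of that kind of analysis, not Expedition's code and not a substitute for it. It assumes a constructed CSV whose column names are a small subset of a PAN-OS traffic log export (the real export has many more columns; the parser keys on header names, so extra columns are ignored), and the function and field names are the example's own.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in the shape of a traffic log CSV export. The column
# names are an assumed subset of what a PAN-OS export carries; a real export
# has many more columns, and the parser below keys on header names only.
SAMPLE_LOG = """\
Rule,Source Zone,Destination Zone,Source address,Destination address,Application,Destination Port,Action
allow-any-any,trust,untrust,10.1.1.10,93.184.216.34,web-browsing,443,allow
allow-any-any,trust,untrust,10.1.1.11,93.184.216.34,ssl,443,allow
allow-any-any,trust,dmz,10.1.1.10,10.2.0.5,ssh,22,allow
allow-any-any,trust,untrust,10.1.1.12,93.184.216.34,web-browsing,443,allow
dns-only,trust,untrust,10.1.1.10,8.8.8.8,dns,53,allow
allow-any-any,trust,untrust,10.1.1.10,198.51.100.7,bittorrent,6881,allow
interzone-default,dmz,trust,10.2.0.5,10.1.1.10,unknown-tcp,4444,deny
"""

REQUIRED_COLUMNS = {"Rule", "Source Zone", "Destination Zone",
                    "Application", "Destination Port", "Action"}


def summarize_rule_usage(csv_text, rules=None):
    """Aggregate what each rule actually allowed: zone pairs, apps, ports.

    rules: optional set of rule names to restrict the summary to (for
    example the any/any rules under review). Only 'allow' sessions count,
    because denied traffic says nothing about what a permissive rule needs
    to permit.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = REQUIRED_COLUMNS - set(reader.fieldnames or [])
    if missing:
        # An export from the wrong log type (or a truncated one) is caught
        # here instead of producing an empty, misleading summary.
        raise ValueError(f"export lacks expected columns: {sorted(missing)}")

    summary = defaultdict(lambda: {"hits": 0, "zone_pairs": set(),
                                   "apps": Counter(), "ports": set()})
    for row in reader:
        rule = row["Rule"]
        if rules is not None and rule not in rules:
            continue
        if row["Action"].strip().lower() != "allow":
            continue
        entry = summary[rule]
        entry["hits"] += 1
        entry["zone_pairs"].add((row["Source Zone"], row["Destination Zone"]))
        entry["apps"][row["Application"]] += 1
        entry["ports"].add(row["Destination Port"])
    return dict(summary)


def propose_narrowing(summary, rule):
    """Turn the observed usage of one rule into a candidate narrowed rule.

    Returns the distinct applications, zone pairs and destination ports
    seen, so a reviewer can decide whether the any/any rule can be replaced
    by one scoped to them. Applications seen only once are flagged for a
    second look rather than silently kept: one session is weak evidence
    that the application belongs in the rule.
    """
    entry = summary[rule]
    rare = sorted(app for app, n in entry["apps"].items() if n == 1)
    return {
        "applications": sorted(entry["apps"]),
        "zone_pairs": sorted(entry["zone_pairs"]),
        "destination_ports": sorted(entry["ports"], key=int),
        "review_rare_apps": rare,
        "sessions": entry["hits"],
    }


if __name__ == "__main__":
    usage = summarize_rule_usage(SAMPLE_LOG, rules={"allow-any-any"})
    for rule_name in usage:
        print(rule_name, propose_narrowing(usage, rule_name))
```

On the sample, the any/any rule collapses to two zone pairs, three ports and four applications, with the single-session ones (bittorrent, ssh, ssl) listed for review rather than copied straight into a replacement rule. In practice the log window has to be long enough to cover periodic traffic, which is why the thread's "No Data" result after only a short export is worth checking before concluding the connector is misconfigured.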
03-15-2020 02:17 PM
By green button I'm assuming you mean "Discovery". Then I click Machine Learning. What am I supposed to do after that? Nothing is listed, and if I click Analyze Data it appears to get stuck on Initializing and crashes Expedition. Also, is "No connector selected" in the picture below normal?
03-15-2020 03:03 PM
It seems like it did not see any log connector. When you add the log connector under Plugin, you will need to select the corresponding device group.
03-15-2020 04:19 PM
Ah, I didn't realize you had to pick an active log connector, as I had several. I picked the right one and it ran, but it has No Data even though I know there is traffic data available via Panorama.