Issues configuring M. Learning while using Panorama for traffic analysis

L5 Sessionator

If you desire to use ML or RE, we do need to have logs in Expedition.

ML and RE do a data analytics process on the traffic logs that can't be performed on Panorama or FWs, as they are much more complex than generating reports on the devices.

Therefore, we need to export the traffic logs into Expedition so we can perform the analysis.

The steps that Lynn showed are required to execute ML or RE. Also, it is very important that the configuration you bring into your project comes from a Device you have declared in Expedition, and not by directly providing an XML to the project. This is necessary because this way we can know the relationship between the security rules you want to analyze (that are declared in a device config) and the traffic logs that the device has provided.

Notice that the "device" is the link between traffic logs and security rules; therefore we need to import the configuration from the Device.

L2 Linker

@lychiang @dgildelaig 

The problem appears to lie in the dynamic between using individual firewalls & panorama.

You can only do HALF of the workflows depending on if you import individual firewalls vs panorama.

You can ONLY do the first half of the workflow if you import individual firewalls.

You can ONLY do the second half of the workflow if you import panorama.

But you cannot do it ALL using either method. Meaning you would have to break everything down daily as you get new logs.

In the device tab, if you import just the individual firewalls...

Expedition Issue6.png

You can do the following:

  • Go into the individual firewall's M.Learning tab and the Process table is ENABLED.
  • You can process the CSV logs.
    Expedition Issue7.png

You can NOT do the following:

  • You can NOT see any of the security policy once a project is created using the individual firewalls. This means you cannot do M. Learning traffic analysis.
    Expedition Issue8.png

Now if you import Panorama in the device tab:

Importing Panorama *absorbs* those individual firewalls. As you can see, the individual firewalls are gone and only Panorama remains in the device tab.

Expedition Issue3.png

Now things are reversed.

You can NOT do the following:

  • Go into the individual firewall's M.Learning tab and the Process table is DISABLED and grayed out.
  • You can no longer process the CSV logs. This means we can no longer process new csv logs that will come in.
    Expedition Issue2.png

You can do the following:

  • Now when you create a project you can now see the security policy, mark rules for M. Learning, and analyze that traffic.
    Expedition Issue4.png
    Expedition Issue5.png

This obviously is not a workflow that is practical. If I were to need to do traffic analysis daily, I would basically have to break everything down and re-implement everything again. I'd have to do the following daily.

  1. Delete Panorama from the device tab (because I can no longer process new CSV logs).
  2. Add each individual firewall to the device tab.
  3. Do the first half of the workflow (now I can process new CSV logs).
  4. Add Panorama (now those individual firewalls are gone and are absorbed into Panorama, taking away the ability to process new CSV logs).
  5. Do the second half of the workflow.

Now, unless there is still something wrong with the way I'm implementing this, I think there is a bug. The problem really lies in the disabling of the ability to process CSV logs for individual firewalls when you are using Panorama.

Expedition Issue.png

If "Process CSV logs can only be executed from FW devices." and the grayed-out CSV logs were to be removed when using Panorama, it should solve everything.

L5 Sessionator

From the Panorama device, you can provide a Path for all the firewalls managed by that Panorama.

If you select to see all the Firewalls, not only the directly connected devices (do it by clicking on the three-lines icon in the Devices view), you would see all the Firewalls, and you can even select them and Autoprocess the logs, so you do not need to get into them daily.

Later on, in your project, you can import the Panorama config and define in your log connector the Device Group and the devices within that DG for the ML and RE.

L2 Linker

Can you provide a screenshot of what you are referring to? I'm not following.

L4 Transporter

Okay,

Instead of adding the firewall directly to Devices, can you add only Panorama as a device, go to the Panorama device, and click on the orange button "Retrieve Connected Devices"?

Screen Shot 2020-03-19 at 8.44.36 AM.png

When you want to process logs, you will then click on the icon in the right upper corner to "show all devices", and you should see your firewalls; then go into the firewall to process the ML logs.

Screen Shot 2020-03-19 at 8.48.31 AM.png

So you do not need to add the firewall directly to the devices; just add Panorama and retrieve the connected devices, then process the logs in the connected firewall that you got those logs from. Make sure the traffic log matches the serial # of the firewall.

After ML log is processed then you can add a new project and continue the steps I mentioned in the previous post.  

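The post above stresses that a traffic-log CSV must belong to the firewall you process it under. The following is an added example (not code from the thread or from Expedition) that checks this before a CSV is handed to a device: it assumes the PAN-OS-style export header with a "Serial #" column and uses constructed sample rows and serial numbers.

```python
import csv
import io
from collections import Counter

# Constructed sample of a traffic-log CSV export, trimmed to a few columns.
# The column name "Serial #" is an assumption about the export header;
# the serial numbers and addresses are made up for this example.
SAMPLE_CSV = """Domain,Receive Time,Serial #,Type,Source address,Destination address,Rule
1,2020/03/19 08:44:36,001801000001,TRAFFIC,10.0.0.5,10.0.1.10,allow-any
1,2020/03/19 08:44:37,001801000001,TRAFFIC,10.0.0.6,10.0.1.11,allow-any
1,2020/03/19 08:44:38,001801000002,TRAFFIC,10.0.0.7,10.0.1.12,allow-any
"""


def serial_counts(csv_text, serial_column="Serial #"):
    """Count traffic-log rows per firewall serial number found in the CSV."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if serial_column not in (reader.fieldnames or []):
        raise ValueError(f"column {serial_column!r} not found in CSV header")
    return Counter(row[serial_column].strip() for row in reader)


def check_log_serial(csv_text, device_serial, serial_column="Serial #"):
    """Report whether every row belongs to the device the CSV will be processed under.

    Returns the number of matching rows, a dict of foreign serials with their
    row counts, and an overall ok flag (at least one match and no foreign rows).
    """
    counts = serial_counts(csv_text, serial_column)
    matched = counts.get(device_serial, 0)
    foreign = {s: n for s, n in counts.items() if s != device_serial}
    return {"matched": matched, "foreign": foreign, "ok": matched > 0 and not foreign}


if __name__ == "__main__":
    # Sample contains rows from a second firewall, so the check flags it.
    print(check_log_serial(SAMPLE_CSV, "001801000001"))
```

Run it against the real export before processing; a non-empty "foreign" dict means the file mixes logs from more than one firewall and should be split per device.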
L2 Linker

Yes, that is what I have outlined. That is not possible.

If I go the route of going through Panorama, by adding Panorama as the device in the Device tab, then Retrieve Contents, Retrieve Connected Devices, Retrieve Contents, the result is a grayed-out M. Learning and the message states "Process CSV logs can only be executed from FW devices."

Expedition Issue.png

L4 Transporter

Which device did you click to get to this page? You will need to click on the firewall, not the Panorama. So the important step is to click on "Show all devices" in the right upper corner first; then you will be able to see the connected firewalls.

L5 Sessionator

You may have a Panorama in your Device list.

panorama_device.png

If you edit it, you can retrieve the connected devices.

panorama_devices_connected_Devices.png

And you can also specify the default path where all the managed devices will leave their traffic logs.

panorama_device_ML.png

If you click on the All Devices icon, you will see that the managed devices are also known in Expedition, and actually you should be able to see that you can edit them; you can see they inherited the path, and you can also mark them for Autoprocessing.

all_devices.png

The specific time when the autoprocessing needs to be performed is in the Settings->MLearning section.

ml_settings_autoprocess.png

Later on, you would have to bring your Panorama into a project and import its configuration.

2020-03-19_16-58-26.png

This way, you can create a Log Connector that uses the Panorama Security Rules and can also access the traffic logs from the managed devices, if you select the correct Device Group.

2020-03-19_16-57-27.png

L2 Linker

Adding Panorama and then that button to show the individual firewalls was the last piece of the puzzle, I believe. Thank you!!!!

I tested going through the M. Learning of a few any-any rules and I'm seeing good results. There is only one abnormality, but I will create a different thread for that.

Thank you!
