ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.
If you desire to use ML or RE, we do need to have logs in Expedition.
ML and RE do a data analytics process on the traffic logs that can't be performed on Panorama or FWs, as they are much more complex than generating reports on the devices.
Therefore, we need to export the traffic logs into Expedition so we can perform the analysis.
The steps that Lynn showed are required to execute ML or RE. Also, it is very important that the configuration you bring into your project comes from a Device you have declared in Expedition, and not by directly providing an XML to the project. This is necessary because this way we can know the relationship between the security rules you want to analyze (that are declared in a device config) and the traffic logs that the device has provided.
Notice that the "device" is the link between traffic logs and security rules, therefore we need to import the configuration from the Device
The problem appears to lie in the dynamic between using individual firewalls & panorama.
You can only do HALF of the workflows depending on if you import individual firewalls vs panorama.
You can ONLY do the first half of the workflow if you import individual firewalls.
You can ONLY do the second half of the workflow if you import panorama.
But you cannot do it ALL using either method. Meaning you would have to break everything down daily as you get new logs.
In the device tab. If you import just the individual firewalls...
You can do the following:
You can NOT do the following:
Now if you import Panorama In the device tab
Importing Panorama *absorbs* those individual firewalls. As you can see, the individual firewalls are gone and only panorama remains in the device tab.
Now things are reversed.
You can NOT do the following:
You can do the following:
This obviously is not a workflow that is practical. If I were to need to do traffic analysis daily I would basically have to break everything down and re-implement everything again. I'd have to do the following daily.
Now unless there is still something wrong with the way I'm implementing this I think there is a bug. The problem really lies in the disabling of the ability to process CSV Logs to individual firewalls when you are using Panorama.
If "Process CSV logs can only be executed from FW devices." and the grayed out CSV logs were to be removed when using Panorama it should solve everything.
From the Panorama device, you can provide a Path for all the firewalls managed by that Panorama.
If you select to see all the Firewalls, not only the directly connected devices (do it clicking on the three lines icon on the Devices view) you would see all the Firewalls, and you can even select and Autooprocess on the logs, so you do not need to get into them daily.
Later on, in your project, you can import the Panorama config and define in your log connector the Device Group and the devices within that DG for the ML and RE.
Instead of add firewall directly to devices, can you only add Panorama as devices, and go to Panorama Device , Click on orange button "Retrieve Connected Devices "
When you want to process logs , you will then click on the icon on the right upper corner to "show all devices" , and you should see your firewalls , then goin to the firewall to process the ML logs.
So you do not need to add firewall directly to the devices, just add panorama and retrieved the connected devices, then process the logs in the connected firewall that you got those logs from, make sure the traffic log matched the serial# of the firewall.
After ML log is processed then you can add a new project and continue the steps I mentioned in the previous post.
Yes, that is what I have outlined. That is not possible.
If I go the route where I go through Panorama via adding Panorama as the device in the Device Tab, Retrieve Contents, Retrieve Connected Devices, Retrieve Contents, and the result is a grayed out M. Learning and the message states "Process CSV logs can only be executed from FW devices."
Which device you click to get to this page , you will need to click on the firewall not the panorama . so important steps is to click on the "Show all devices " on the right upper corner first , then you will able to see connected firewalls.
You may have a Panorama in your Device list.
If you edit it, you can retrieve the connected devices
And you can also specify where will be the default path where all the managed devices will leave their traffic logs.
If you click on the All Devices icon, you will see that the managed devices are also known in Expedition., and actually, you should be able to see that you can edit them, you can see they inherited the path and you can also mark them for Autoprocessing.
The specific time when the autoprocessing needs to be performed is in the Settings->MLearning section.
Later on, you would have to bring your Panorama into a project and import its configuration.
This way, you can create a Log Connector that uses the Panorama Security Rules, and also can access the traffic logs from the managed devices if you select correctly the correct Device Group.
Adding Panorama then that button to show the individual firewalls the last piece of the puzzle I believe. Thank you!!!!
I tested going through the M. Learning of a few any any rules and I'm seeing good results. There is only one abnormality but I will create a different thread for that.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!