Issues configuring M. Learning while using Panorama for traffic analysis


L2 Linker


I'm trying to configure M. Learning in Expedition so that we can analyze the traffic passing through specific any any rules. 


We use Panorama to manage the security policy on each of the individual firewalls. Is this an issue when trying to use Machine Learning? Here is the issue I'm running into.


I've set up Scheduled Log Exports on each of the individual firewalls to export their logs to Expedition.


In Expedition if I add the individual firewall in the Devices tab I can see the csv file and process it in its M.Learning tab. But if I create a project with that firewall I cannot see any of the policy to do a traffic analysis or much of anything else. My assumption is because all that information is being managed at the Panorama level.


However, if I add the Panorama in the Devices tab, retrieve the specific firewall device, and retrieve its configuration, I cannot then process the exported log in the M. Learning tab. I see the files, but everything is grayed out and it has a header that says "Process CSV logs can only be executed from FW devices." But when I add the Panorama to a project I can see the entire security policy and everything else.


Does ML only work in environments where the firewalls aren't centrally managed by Panorama?


Yes, that is what I have outlined. That is not possible.


If I go the route where I go through Panorama via adding Panorama as the device in the Device Tab, Retrieve Contents, Retrieve Connected Devices, Retrieve Contents, and the result is a grayed out M. Learning and the message states "Process CSV logs can only be executed from FW devices."


Which device did you click to get to this page? You will need to click on the firewall, not the Panorama. So the important step is to click on "Show all devices" in the upper right corner first; then you will be able to see the connected firewalls.

You may have a Panorama in your Device list.



If you edit it, you can retrieve the connected devices



And you can also specify the default path where all the managed devices will leave their traffic logs.



If you click on the All Devices icon, you will see that the managed devices are also known in Expedition, and you should actually be able to see that you can edit them; you can see they inherited the path, and you can also mark them for Autoprocessing.



The specific time when the autoprocessing needs to be performed is in the Settings->MLearning section.



Later on, you would have to bring your Panorama into a project and import its configuration.




This way, you can create a Log Connector that uses the Panorama Security Rules and can also access the traffic logs from the managed devices if you select the correct Device Group.


Adding Panorama, then that button to show the individual firewalls, was the last piece of the puzzle, I believe. Thank you!!!!


I tested going through the M. Learning of a few any any rules and I'm seeing good results. There is only one abnormality but I will create a different thread for that.


Thank you!
