This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
Issues configuring M. Learning while using Panorama for traffic analysis
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Tools
- Expedition
- Expedition Discussions
- Issues configuring M. Learning while using Panorama for traffic analysis
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Issues configuring M. Learning while using Panorama for traffic analysis
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-15-2020 12:10 PM - edited 03-15-2020 12:13 PM
Hello,
I'm trying to configure M. Learning in Expedition so that we can analyze the traffic passing through specific any any rules.
We use Panorama to manage the security policy on each of the individual firewalls. Is this an issue when trying to use Machine Learning? Here is the issue I'm running into.
I've setup Scheduled Log Exports on each of the individual firewalls to export their logs to Expedition.
In Expedition if I add the individual firewall in the Devices tab I can see the csv file and process it in its M.Learning tab. But if I create a project with that firewall I cannot see any of the policy to do a traffic analysis or much of anything else. My assumption is because all that information is being managed at the Panorama level.
However. If I add the panorama in the Devices tab and retrieve the specific firewall device and retrieve its configuration, I cannot then process the exported log in the M. Learning tab. I see the files but everything is grayed out and it has a header that says "Process CSV logs can only be executed from FW devices." But when I add the Panorama to a project I can see the entire security policy and everything else.
Does ML only work in environments where the firewalls aren't centrally managed by Panorama?
18 REPLIES 18
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-15-2020 05:01 PM
Look like from your screenshot you select timeframe was June 2019 , you will make sure the time field of the traffic log you export from firewall to expedition matching the time you specify in the log connector .
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-15-2020 05:39 PM
It's the same as my log connector. I was just making sure I went back far so that I could get as many logs as possible. You said, "traffic log you export from firewall", however. Did I miss that step? I didn't do any exports, I was under the impression the log connector was all I needed when using panorama. I scheduled the log export to the individual firewalls but that didn't work when using Panorama.
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-15-2020 06:34 PM
You could follow the steps in this doc https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/ExpeditionArticles/157/1/Expedit...
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-17-2020 11:24 AM
I followed that document and it puts me in my original situation.
If I use the individual firewall I have the ability to process the scheduled log exports that are sent to Expedition. But when you start a project and go into the policy the policy is empty.
If I use panorama I lose the ability to process the scheduled log exports as it is all grayed out for the individual firewall. But when I start a project I do have the policy but no mater what log connector I use no rules show up when I click Discovery.
I've followed the following guides with no luck.
Expedition Migration and Security Assessment Quick Start 1.1.0
Expedition New Feature: Scheduled Log Processing 1.1.21
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-17-2020 12:38 PM
Hi BOkay,
Please verify below :
1. Make sure firewall logs you want to process is located at the path you specified in the M Learning setting, example, here we use /PALogs
2. Once you see the files show up in the folder, you will click on Process to process the firewall logs first.
3. After all the logs are processed then you will create a new project, and add panorama in the settings of the project like below:
4. Go into project, go to plugin , add panorama as log connector , make sure you select the corresponding device group and the firewalls that you processed the logs in step 1, select the timeframe for you traffic logs
5. Then goin to policy , continue the ML steps as mentioned in the ML doc.
If you still need assistance, please write e-mail to fwmigrate@paloaltonetworks.com
Thanks!
Related Content
- Expeditions stopped accepting Syslog in Expedition Discussions
- Issues with ML with Logs Forward from Panorama in Expedition Discussions
- Expedition Errors while getting content from Panorama and firewall configuration and finally failed with no content in Expedition Discussions
- Unable to export Panorama configuration in Expedition Discussions
- Unable to upload Panorama 10.1.0 configuration into Expedition in Expedition Discussions
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks