Issues configuring M. Learning while using Panorama for traffic analysis

Hello,

I'm trying to configure M. Learning in Expedition so that we can analyze the traffic passing through specific any/any rules.

We use Panorama to manage the security policy on each of the individual firewalls. Is this an issue when trying to use Machine Learning? Here is the issue I'm running into.

I've set up Scheduled Log Exports on each of the individual firewalls to export their logs to Expedition.

In Expedition, if I add the individual firewall in the Devices tab I can see the CSV file and process it in its M. Learning tab. But if I create a project with that firewall I cannot see any of the policy to do a traffic analysis, or much of anything else. My assumption is that this is because all that information is being managed at the Panorama level.

However, if I add the Panorama in the Devices tab, retrieve the specific firewall device and retrieve its configuration, I cannot then process the exported log in the M. Learning tab. I see the files, but everything is grayed out and it has a header that says "Process CSV logs can only be executed from FW devices." But when I add the Panorama to a project I can see the entire security policy and everything else.

Does ML only work in environments where the firewalls aren't centrally managed by Panorama?

It looks like from your screenshot the timeframe you selected was June 2019. Make sure the time field of the traffic logs you export from the firewall to Expedition matches the time you specify in the log connector.
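A quick way to check the point raised in this reply before retrying Discovery: read the exported traffic CSV and compare its earliest and latest timestamps with the timeframe configured on the log connector. This is an added example, not code from Expedition or the poster; it assumes the export has a header row with a "Receive Time" column in PAN-OS "YYYY/MM/DD HH:MM:SS" format, and the sample rows are constructed.

```python
"""Check that an exported traffic CSV overlaps the log connector timeframe."""
import csv
import io
from datetime import datetime

TIME_FMT = "%Y/%m/%d %H:%M:%S"      # PAN-OS log timestamp layout
TIME_COLUMN = "Receive Time"        # assumed header name in the export

# Constructed sample export: three rows spanning two days in March 2020.
SAMPLE_CSV = """Receive Time,Serial #,Type,Rule
2020/03/16 09:15:02,PLACEHOLDER-SERIAL,TRAFFIC,any-any-lan
2020/03/16 23:59:58,PLACEHOLDER-SERIAL,TRAFFIC,any-any-lan
2020/03/17 08:02:11,PLACEHOLDER-SERIAL,TRAFFIC,web-out
"""


def log_time_range(csv_text):
    """Return (earliest, latest) Receive Time in the CSV, or None if no rows."""
    times = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = row.get(TIME_COLUMN)
        if not value:
            continue                      # skip rows missing the time field
        times.append(datetime.strptime(value.strip(), TIME_FMT))
    if not times:
        return None
    return min(times), max(times)


def overlaps_connector(csv_text, start, end):
    """True if at least one log line falls inside the connector's [start, end] window."""
    rng = log_time_range(csv_text)
    if rng is None:
        return False
    earliest, latest = rng
    return earliest <= end and latest >= start


if __name__ == "__main__":
    window = (datetime(2019, 6, 1), datetime(2019, 6, 30, 23, 59, 59))
    print("log range:", log_time_range(SAMPLE_CSV))
    print("overlaps June 2019 window:", overlaps_connector(SAMPLE_CSV, *window))
```

If the script reports no overlap, Discovery will show no rules regardless of how the connector is otherwise configured, so widen the connector timeframe or export the right period.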
It's the same as my log connector. I was just making sure I went back far enough so that I could get as many logs as possible. You said "traffic log you export from firewall", however. Did I miss that step? I didn't do any exports; I was under the impression the log connector was all I needed when using Panorama. I scheduled the log export on the individual firewalls, but that didn't work when using Panorama.

I followed that document and it puts me in my original situation.

If I use the individual firewall, I have the ability to process the scheduled log exports that are sent to Expedition. But when you start a project and go into the policy, the policy is empty.

If I use Panorama, I lose the ability to process the scheduled log exports, as it is all grayed out for the individual firewall. But when I start a project I do have the policy, but no matter what log connector I use no rules show up when I click Discovery.

I've followed the following guides with no luck.

Expedition Migration and Security Assessment Quick Start 1.1.0

Expedition New Feature: Scheduled Log Processing 1.1.21


Hi BOkay,

Please verify the following:

1. Make sure the firewall logs you want to process are located at the path you specified in the M. Learning settings; for example, here we use /PALogs

[Screenshot: Screen Shot 2020-03-17 at 12.01.52 PM.png]

2. Once you see the files show up in the folder, click on Process to process the firewall logs first.

3. After all the logs are processed, create a new project and add Panorama in the settings of the project like below:

[Screenshot: Screen Shot 2020-03-17 at 12.08.09 PM.png]

4. Go into the project, go to Plugin, add Panorama as the log connector, make sure you select the corresponding device group and the firewalls whose logs you processed in step 1, and select the timeframe for your traffic logs.

[Screenshot: Screen Shot 2020-03-17 at 12.31.55 PM.png]

5. Then go into Policy and continue the ML steps as mentioned in the ML doc.

If you still need assistance, please write an e-mail to fwmigrate@paloaltonetworks.com

Thanks!
