01-31-2023 03:04 AM
I am doing ML in Expedition for the first time. The setup is, all FWs managed by single Panorama, logs forward from FWs to panorama. I have setup panorama collector to forward the firewall logs to Expedition via syslog.
I have followed the online "Log Analysis Features of Expedition" and am getting stuck at Module 9 Machine learning. When I click the "Discovery" button -> Machine Learning, the window pops up, but the connectors list just has "Loading..." listed rather than the Panorama or device serial number. If I just ignore this and click "Analyze Data", it seems to quickly go to the completed stage with no information in the Learning results.
I have tried Firefox and Chrome just in case this is a browser issue, with basically the same results. Obviously the guide works on the basis of logs being sent direct from the firewall, but I assume there is no reason I can't send the logs from Panorama?
Thanks for any help
02-01-2023 08:46 AM
@ChrisHammock Yes, those seem to be the correct settings. You could try selecting only ITE-FW-01 in the log connector and see if it makes any difference. If it is still not working, please send an email to fwmigrate@paloaltonetworks.com
01-31-2023 03:51 AM
Additional information, below is a screenshot, note the connector status.
I have also attempted to use Rule Enrichment on the same rules; although the window does not contain a collector, when I click "Analyze Data" I still get "completed" with no results.
Could the issue be because the Device Group that contains the rules in Panorama is not the same device group the firewalls are a member of, but a parent of that device group? I assume not, as everything else in Expedition seems to understand this.
01-31-2023 09:59 AM
Hi @ChrisHammock For the log connector, you will need to make sure the serial# of the firewall device you selected under the Panorama device group matches the serial# of the firewall logs you processed in the earlier steps. And when you enable the ML, you will need to enable it on the device group where the policy is located.
02-01-2023 01:31 AM - edited 02-01-2023 01:35 AM
Thanks for the response. I am sure specifics are important, so please see below the processed logs window; the device serial is underneath the window in black, not sure if it's visible in the screenshot.
This matches what is in the CSV logs in the PALogs folder, header below:
2023-01-26T16:21:36+00:00 RH-MGT-01.CustomerName.net 1,2023/01/26 16:21:36,012001053440,TRAFFIC,end,2305,2023/01/26 16:15:17
Let me know if you need me to confirm settings anywhere else.
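The check described in the earlier reply (the serial in the processed logs must match the serial of the device selected in the log connector) can be done offline against the raw syslog files before running Discovery. The script below is an added example and is not part of the thread or of Expedition; it parses lines in the shape of the header quoted above (syslog timestamp and hostname, then the PAN-OS CSV record, whose third field is the device serial) and reports which devices in a hypothetical device group have logs and which do not. The second sample line, the device names and the second serial are constructed placeholders.

```python
import csv
import io

# Constructed sample lines in the shape of the header quoted in the thread:
# "<syslog timestamp> <hostname> <PAN-OS CSV record>". The first serial is
# the one shown in the thread; the second line is a constructed variant.
SAMPLE_LINES = [
    "2023-01-26T16:21:36+00:00 RH-MGT-01.CustomerName.net "
    "1,2023/01/26 16:21:36,012001053440,TRAFFIC,end,2305,2023/01/26 16:15:17",
    "2023-01-26T16:21:37+00:00 RH-MGT-01.CustomerName.net "
    "1,2023/01/26 16:21:37,012001053440,TRAFFIC,start,2305,2023/01/26 16:15:18",
    "garbage line that should be skipped",
]

# Hypothetical device group as configured in the log connector: serial -> name.
# "012099999999" / "ITE-FW-02" stand in for a passive HA peer that never
# generates traffic logs; they are constructed, not taken from the thread.
DEVICE_GROUP = {
    "012001053440": "ITE-FW-01",
    "012099999999": "ITE-FW-02",
}


def parse_serial(line):
    """Return (serial, log_type) from one forwarded PAN-OS log line.

    The syslog prefix is two whitespace-separated tokens (timestamp, host);
    the remainder is a CSV record whose fields begin with
    FUTURE_USE, receive time, serial number, type, subtype.
    Returns None for lines that do not fit that shape.
    """
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return None
    row = next(csv.reader(io.StringIO(parts[2])), [])
    if len(row) < 4 or not row[2].strip():
        return None
    return row[2].strip(), row[3].strip()


def serials_in_logs(lines):
    """Collect the distinct device serials that actually appear in the logs."""
    found = set()
    for line in lines:
        parsed = parse_serial(line)
        if parsed is not None:
            found.add(parsed[0])
    return found


def check_connector(device_group, lines):
    """Compare the device group against the serials present in the logs.

    Devices without a single log line (e.g. a passive HA member) will give
    the ML analysis nothing to learn from and are the first thing to
    deselect in the log connector; serials that appear in the logs but
    are not in the device group point at a device group / log source
    mismatch.
    """
    seen = serials_in_logs(lines)
    with_logs = sorted(n for s, n in device_group.items() if s in seen)
    without_logs = sorted(n for s, n in device_group.items() if s not in seen)
    unknown = sorted(seen - set(device_group))
    return {
        "with_logs": with_logs,
        "without_logs": without_logs,
        "unknown_serials": unknown,
    }


if __name__ == "__main__":
    report = check_connector(DEVICE_GROUP, SAMPLE_LINES)
    for key, names in report.items():
        print(f"{key}: {', '.join(names) if names else '(none)'}")
```

Run it against the real PALogs CSV files (one line per record) with the serials from the Panorama device group; any device listed under "without_logs" is a candidate to remove from the connector, which is what resolved the thread.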
02-01-2023 04:37 AM
Thought this might be of use also.
02-01-2023 09:04 AM
Thanks @lychiang, that seemed to be the problem. If I remove the passive device, the connector window still just says "Loading..." as per the screenshot, but the analyze actually provides results.