Issues with ML with Logs Forward from Panorama

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Issues with ML with Logs Forward from Panorama

L2 Linker

I am doing ML in Expedition for the first time.  The setup is, all FWs managed by single Panorama, logs forward from FWs to panorama.  I have setup panorama collector to forward the firewall logs to Expedition via syslog.


I have followed the online "Log Analysis Features of Expedition" and am getting stuck at Module 9 Machine learning.  When I click the "Discovery" button -> Machine Learning.  The window pops up but the connectors just has a Loading... listed rather than the panorama or device serial number.  If I just ignore this and click analyze data it seems to quickly go to the completed stage with no information in the Learning results.


I have tried Firefox and Chrome just in case this is a browser issue with basically the same results.  Obvioulsy the guide works on the basis of logs being sent direct from the firewall but I assume there is no reason I can't send the logs from panorama?


Thanks for any help

1 accepted solution

Accepted Solutions

@ChrisHammock Yes, those seems to be correct setting,  you could try only select ITE-FW-01 in the log connector see if it makes any difference.  If it still not working , please send an email to


View solution in original post


L2 Linker

Additional information, below is a screenshot, note the connector status.



I have also attempted to use Rule Enrichment on the same rules, although the window does not contain a collector, when I click "Analyze Data" I still get completed with no results.


Could the issue be because the Device Group that contains the rules in panorama is not the same device group the firewalls are a member of, it is a parent of that device group.  I assume not as everything else in Expedition seems to understand this.

Hi @ChrisHammock For log connector, you will need to make sure the serial# of the firewall device you selected under panorama device group match the serial# of the firewall logs you had processed in the early steps. And when you enable the ML , you will need to enable it on the device group where the policy located

Thanks for the response, I am sure specifics are important, please see below the processed logs window, the device serial is underneath the window in black, not sure if its visible in the screenshot




this matches what is in the csv logs in the PALogs folder header below


2023-01-26T16:21:36+00:00 1,2023/01/26 16:21:36,012001053440,TRAFFIC,end,2305,2023/01/26 16:15:17


Let me know if you need me to confirm settings anywhere else.

Thought this might be of use also




@ChrisHammock Yes, those seems to be correct setting,  you could try only select ITE-FW-01 in the log connector see if it makes any difference.  If it still not working , please send an email to


Thanks @lychiang that seemed to be the problem, if I remove the passive device, the connectors windows still just says "Loading..." as per the screenshot but the anayze actually provides results.

  • 1 accepted solution
  • 6 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!