Issues with ML with Logs Forward from Panorama

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Issues with ML with Logs Forward from Panorama

L2 Linker

I am doing ML in Expedition for the first time.  The setup is, all FWs managed by single Panorama, logs forward from FWs to panorama.  I have setup panorama collector to forward the firewall logs to Expedition via syslog.

 

I have followed the online "Log Analysis Features of Expedition" and am getting stuck at Module 9 Machine learning.  When I click the "Discovery" button -> Machine Learning.  The window pops up but the connectors just has a Loading... listed rather than the panorama or device serial number.  If I just ignore this and click analyze data it seems to quickly go to the completed stage with no information in the Learning results.

 

I have tried Firefox and Chrome just in case this is a browser issue with basically the same results.  Obvioulsy the guide works on the basis of logs being sent direct from the firewall but I assume there is no reason I can't send the logs from panorama?

 

Thanks for any help

1 accepted solution

Accepted Solutions

@ChrisHammock Yes, those seems to be correct setting,  you could try only select ITE-FW-01 in the log connector see if it makes any difference.  If it still not working , please send an email to fwmigrate@paloaltonetworks.com

 

View solution in original post

6 REPLIES 6

L2 Linker

Additional information, below is a screenshot, note the connector status.

 

ChrisHammock_0-1675165544605.png

I have also attempted to use Rule Enrichment on the same rules, although the window does not contain a collector, when I click "Analyze Data" I still get completed with no results.

 

Could the issue be because the Device Group that contains the rules in panorama is not the same device group the firewalls are a member of, it is a parent of that device group.  I assume not as everything else in Expedition seems to understand this.

Hi @ChrisHammock For log connector, you will need to make sure the serial# of the firewall device you selected under panorama device group match the serial# of the firewall logs you had processed in the early steps. And when you enable the ML , you will need to enable it on the device group where the policy located

Thanks for the response, I am sure specifics are important, please see below the processed logs window, the device serial is underneath the window in black, not sure if its visible in the screenshot

 

ChrisHammock_1-1675244074551.png

 

this matches what is in the csv logs in the PALogs folder header below

 

2023-01-26T16:21:36+00:00 RH-MGT-01.CustomerName.net 1,2023/01/26 16:21:36,012001053440,TRAFFIC,end,2305,2023/01/26 16:15:17

 

Let me know if you need me to confirm settings anywhere else.

Thought this might be of use also

 

ChrisHammock_0-1675255002482.png

 

@ChrisHammock Yes, those seems to be correct setting,  you could try only select ITE-FW-01 in the log connector see if it makes any difference.  If it still not working , please send an email to fwmigrate@paloaltonetworks.com

 

Thanks @lychiang that seemed to be the problem, if I remove the passive device, the connectors windows still just says "Loading..." as per the screenshot but the anayze actually provides results.

  • 1 accepted solution
  • 2952 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!