M. Learning Traffic Analysis appears to be picking up traffic that contradicts the rule.


L2 Linker

I've successfully set up Expedition to consume logs and provide M. Learning traffic analysis for any-any rules.

I've done 6 any-any rules so far, and all but one look correct.

 

The following any-any rule has a source zone of Trans100_inside and a destination zone of Trans100_outside.

[Image: Expedition Issue9.png]

Yet the traffic analysis shows traffic going both ways, which shouldn't be possible, since it would violate this rule.

[Image: Expedition Issue10.png]

 

Any thoughts on the issue here?


L4 Transporter

Hello,

 

Are you sure this traffic is not being initiated from the inside of your network, utilizing the stateful firewall aspects of the Palo Alto firewall?

L5 Sessionator

I may have two possible answers, actually three:

- Are you sure that is the only rule you have selected for ML? All the rules you select for ML are considered (actually, their traffic) for the suggestion of security rules.

- Did the rule change during the period of time you have selected to analyze? If, in the past, you had the inbound traffic also allowed in that rule, we may be learning from traffic that hit the rule in the past.

- There is something wrong in the implementation, but the specifics would be really strange, as the source, dst, From and To fields cannot transfer values to each other in the Spark process. They are taken as different fields in the DataSet (some internal terminology, but my point is that it would be really strange to mix data among fields).

- Are you sure that is the only rule you have selected for ML? All the rules you select for ML are considered (actually, their traffic) for the suggestion of security rules.

Positive. I'm actually taking over a project where this was done months ago with these results. I was rerunning all these traffic analyses myself because I saw the discrepancy in the previous work and assumed they were done incorrectly, but it appears they were done correctly, since I am getting the same results.

 

- Did the rule change during the period of time you have selected to analyze? If, in the past, you had the inbound traffic also allowed in that rule, we may be learning from traffic that hit the rule in the past.

I would highly doubt it, for a couple of reasons. These any-any rules were created in haste because of a migration project, so I doubt they were modified, considering how open they already are. Also, this current project is the first effort to address these any-any rules since they were implemented. So if any modification was going to take place, it would be to create new, more secure rules above it in the policy instead of modifying the rule. If you have an easy method to see whether that rule has been changed, I'll give it a try.

 

- There is something wrong in the implementation, but the specifics would be really strange, as the source, dst, From and To fields cannot transfer values to each other in the Spark process. They are taken as different fields in the DataSet (some internal terminology, but my point is that it would be really strange to mix data among fields).

Implementation of Expedition or of the policy/firewalls? If you mean Expedition, we got the same results on an older version months ago. That version of Expedition was not maintained and eventually became unusable. I just recently rebuilt it from scratch and have it on the latest version. I got the same results as the analysis that was run months ago on the older version of Expedition before the rebuild.

I would suggest doing a Zoom session with us.

Please contact us at fwmigrate@paloaltonetworks.com so we can check within the traffic logs whether there is anything that makes us suspect the reasons for those rule suggestions.
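Before handing the logs over, the check the replies describe can be done offline against the same traffic-log export Expedition consumed: group the rows logged against the rule by (from zone, to zone) and list any rows whose zone pair contradicts the rule's definition, tagging those that predate a suspected rule change. The script below is an added example written for this thread, not Expedition's own code or a Palo Alto Networks tool; the CSV column names, the rule name "allow-any-any-6", the timestamps and the addresses are constructed assumptions. One point it relies on is that a PAN-OS traffic log records each session once, with the zones of the side that initiated it, so a row with Source Zone Trans100_outside logged under this rule is an outside-initiated session, not the return half of an inside-initiated one.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of a PAN-OS traffic log CSV export.
# Column names, rule names, times and addresses are assumptions for this
# example; they are not data from the thread.
SAMPLE_LOG = """Receive Time,Rule,Source Zone,Destination Zone,Source address,Destination address,Application,Action
2023/03/01 10:00:01,allow-any-any-6,Trans100_inside,Trans100_outside,10.100.1.10,203.0.113.20,web-browsing,allow
2023/03/01 10:05:12,allow-any-any-6,Trans100_inside,Trans100_outside,10.100.1.11,203.0.113.21,ssl,allow
2023/03/01 10:07:45,allow-any-any-6,Trans100_outside,Trans100_inside,203.0.113.50,10.100.1.10,ssh,allow
2023/02/10 09:00:00,allow-any-any-6,Trans100_outside,Trans100_inside,203.0.113.51,10.100.1.12,ssh,allow
2023/03/01 10:09:00,allow-any-any-5,Trans100_outside,Trans100_inside,203.0.113.60,10.100.1.13,dns,allow
"""

TIME_FMT = "%Y/%m/%d %H:%M:%S"


def parse_traffic_log(text):
    """Parse a CSV traffic-log export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def zone_pairs_by_rule(rows):
    """Return {rule: {(from_zone, to_zone): session_count}}.

    A rule whose definition allows only inside->outside but which shows an
    outside->inside pair here is exactly the discrepancy the thread describes.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for r in rows:
        counts[r["Rule"]][(r["Source Zone"], r["Destination Zone"])] += 1
    return {rule: dict(pairs) for rule, pairs in counts.items()}


def contradicting_rows(rows, rule, from_zone, to_zone, rule_changed_at=None):
    """Rows logged against `rule` whose zones differ from (from_zone, to_zone).

    PAN-OS logs one row per session, with the initiator's zones, so a row in the
    opposite direction is an opposite-direction session, not return traffic.
    If `rule_changed_at` (a timestamp string in TIME_FMT, an assumed input) is
    given, each hit records whether it predates that change, which separates
    "learned from old traffic" from "the rule still matches this direction".
    """
    change_ts = datetime.strptime(rule_changed_at, TIME_FMT) if rule_changed_at else None
    hits = []
    for r in rows:
        if r["Rule"] != rule:
            continue
        pair = (r["Source Zone"], r["Destination Zone"])
        if pair == (from_zone, to_zone):
            continue
        ts = datetime.strptime(r["Receive Time"], TIME_FMT)
        hits.append({
            "time": r["Receive Time"],
            "zones": pair,
            "src": r["Source address"],
            "dst": r["Destination address"],
            "app": r["Application"],
            "before_rule_change": bool(change_ts and ts < change_ts),
        })
    return hits


if __name__ == "__main__":
    rows = parse_traffic_log(SAMPLE_LOG)
    for rule, pairs in zone_pairs_by_rule(rows).items():
        print(rule, pairs)
    for h in contradicting_rows(rows, "allow-any-any-6", "Trans100_inside",
                                "Trans100_outside", rule_changed_at="2023/02/15 00:00:00"):
        print("contradicts rule:", h)
```

If the contradicting rows all carry `before_rule_change: True`, the learning period simply reaches back past a policy change and the fix is to narrow the analysis window; if rows after the change still show the opposite zone pair, the live policy (or a session logged under a different rule ID than expected) is what needs to be examined, which is the log-level check the last reply proposes.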

 
