03-19-2020 01:51 PM
I've successfully set up Expedition to consume logs and provide M. Learning traffic analysis for any any rules.
I've done 6 any any rules so far and all but one look correct.
The following any any rule has a source zone of Trans100_inside and destination zone of Trans100_outside.
Yet, the traffic analysis shows traffic going both ways, which shouldn't be possible since it would violate this rule.
Any thoughts on the issue here?
03-19-2020 03:09 PM
I may have two possible answers, actually three:
- Are you sure that is the only rule you have selected for ML? All the rules you select for ML are considered (actually their traffic) for the suggestion of security rules
- Did the rule change during the period of time you have selected to analyze? If, in the past, you had the inbound traffic also allowed in that rule, we may be learning from traffic that in the past hit the rule
- There is something wrong in the implementation, but the specifics would be really strange, as the source, dst, From and To fields cannot transfer values to each other in the Spark process. They are taken as different fields in the DataSet (some internal terminology, but my point is that it would be really strange to mix data among fields)
03-20-2020 05:51 AM - edited 03-20-2020 07:14 AM
- Are you sure that is the only rule you have selected for ML? All the rules you select for ML are considered (actually their traffic) for the suggestion of security rules
Positive. I'm actually taking over a project where this was done months ago with these results. I was rerunning all these traffic analyses myself because I saw the discrepancy in the previous work and assumed they were done incorrectly, but it appears they were done correctly since I am getting the same results.
- Did the rule change during the period of time you have selected to analyze? If, in the past, you had the inbound traffic also allowed in that rule, we may be learning from traffic that in the past hit the rule
I would highly doubt it for a couple of reasons. These any any rules were created in haste because of a migration project, so I doubt they were modified considering how open it is already. Also, this current project is the first effort to address these any any rules since they were implemented. So if any modification was going to take place it would be to create new, more secure rules above it in policy instead of modifying the rule. If you have an easy method to see if that rule has been changed I'll give it a try.
- There is something wrong in the implementation, but the specifics would be really strange, as the source, dst, From and To fields cannot transfer values to each other in the Spark process. They are taken as different fields in the DataSet (some internal terminology, but my point is that it would be really strange to mix data among fields)
Implementation of Expedition or the policy/firewalls? If you mean Expedition, we got the same results on an older version months ago. That version of Expedition was not maintained and eventually became unusable. I just recently rebuilt it from scratch and have it on the latest version. I got the same results as the analysis that was run months ago on the older version of Expedition before the rebuild.
03-21-2020 07:49 AM
I would suggest doing a Zoom session with us.
Please contact us at fwmigrate@paloaltonetworks.com to check within the traffic logs whether there is anything that makes us suspect the reasons for those rule suggestions.
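The check proposed in the last reply, going through the traffic logs for rows attributed to the rule that do not fit its from/to zones, as an added Python example (not Expedition's or Palo Alto Networks' own code). The zone names are the ones from the thread; the rule name, the column subset and the log rows are constructed, and the column names follow the PAN-OS traffic-log CSV export.

```python
# Added example (not Expedition code): audit the traffic-log rows attributed
# to a zone-restricted rule. Columns follow the PAN-OS traffic-log CSV export;
# the rule name and sample rows are constructed for illustration.
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample: a minimal subset of PAN-OS traffic-log columns.
SAMPLE_LOGS = """\
Receive Time,Rule,Source Zone,Destination Zone,Source address,Destination address,Action
2020/01/05 10:00:01,Trans100-any-any,Trans100_inside,Trans100_outside,10.100.1.10,203.0.113.5,allow
2020/01/05 10:00:07,Trans100-any-any,Trans100_inside,Trans100_outside,10.100.1.11,203.0.113.9,allow
2020/01/05 10:01:30,Trans100-any-any,Trans100_outside,Trans100_inside,203.0.113.5,10.100.1.10,allow
2020/02/14 08:12:44,Trans100-any-any,Trans100_inside,Trans100_outside,10.100.1.12,198.51.100.7,allow
2020/02/14 08:13:02,Other-rule,Trans100_outside,Trans100_inside,198.51.100.7,10.100.1.12,allow
"""

def audit_rule_hits(csv_text, rule_name, from_zones, to_zones):
    """Split the rows logged against rule_name into hits that fit its current
    from/to zones and hits that cannot. Rows that cannot fit point at either a
    rule change during the analysed period or another selected rule feeding
    traffic into the ML suggestion."""
    fmt = "%Y/%m/%d %H:%M:%S"
    consistent, inconsistent = 0, []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Rule"] != rule_name:
            continue  # other rules are irrelevant to this rule's audit
        if row["Source Zone"] in from_zones and row["Destination Zone"] in to_zones:
            consistent += 1
        else:
            inconsistent.append(row)
    directions = Counter((r["Source Zone"], r["Destination Zone"]) for r in inconsistent)
    times = sorted(datetime.strptime(r["Receive Time"], fmt) for r in inconsistent)
    return {
        "consistent": consistent,
        "inconsistent": len(inconsistent),
        "unexpected_directions": dict(directions),
        # First/last offending timestamps, to compare against the rule's
        # config-audit history when testing the "rule changed" hypothesis.
        "inconsistent_window": (times[0], times[-1]) if times else None,
    }

if __name__ == "__main__":
    report = audit_rule_hits(SAMPLE_LOGS, "Trans100-any-any",
                             {"Trans100_inside"}, {"Trans100_outside"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a real CSV export of the analysed period instead of SAMPLE_LOGS; a non-empty inconsistent window that ends at a fixed date is the signature of a rule that was tightened part-way through the period.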