06-07-2022 06:14 AM
Hi,
I have defined collectors in my project enable M learning for a rule, when I hit discovery i am unable to select a connector it seems to be stuck on Loading.
See attacked screenshot. I already tried rebooting the machine, restarting processes, remove/re-create the collectors.
RAM/CPU DISK usage all are ok.
Any help on this would be appreciated.
06-07-2022 08:45 AM
Hi @zGomez Have you add log connector by going to "Plug-In" , click on the "+" sign to add a log connector, depends on the config , if it's panorama config, you will add panorama device and select the device group where you want to enable for M. Learning. Please refer to the guide below:
Also , if you prefer tutorial videos, you can watch the tutorial video via below link:
https://www.youtube.com/playlist?list=PLD6FJ8WNiIqXAfspousboWn6AllrOWVMi
06-08-2022 02:38 AM
Hi Lychiang,
Yes i did define collectors under the Plug-In.
If you do not define a collector you get an error message no collector selected. Now it seems to be hanging on something.
It worked before. I am processing more logs don't now if this can be related.
But the logs are all in processed status.
06-09-2022 07:42 AM
Hi Lychiang,
You have an idea on how to troubleshoot this?
06-09-2022 08:11 AM
@zGomez What version of the expedition you are running ? Also is the serial # of the firewall in the traffic log you processed match the serial # of the firewall you selected in the log connector. Is there live connectivity to Panorama ?
06-09-2022 11:41 PM
Hi Lychian,
I am using version 1.2.19. The serial number matches the log connector. I have added panorama using the API key so there is a live connectivity.
06-10-2022 09:19 AM
Could you try to upgrade to the latest version v1.2.22 , we have some fixed related retrieving config from panorama device in this release
06-12-2022 11:40 PM
Hi Lychiang,
Tnx already! Unfortunately it did not fix the problem.
06-13-2022 09:26 AM
@zGomez Please check serial# listed in your traffic log , and in the log connector, only selected the one firewall that matching the serial# , I seen you selected two firewalls.
07-27-2022 12:57 PM
Is this still an active Bug/Issue? I am updated to latest I think and am running into the same problem. I can analyze logs fine but then can't import or do basically anything on the right side of the ML Discovery window
07-27-2022 01:00 PM
07-28-2022 08:16 AM
OK, I messed with it for a bit and determined that if your Device Group has more than one device assigned to it then it breaks the Machine Learning function. I don't understand why this is a limitation. If you have Global rules that apply to multiple devices, and in my case I have one Global ruleset and no rules in the device groups the devices are assigned, then you can analyze the logs and it will do a great job of that but trying to import the rules or do anything else it will break. I have 20 devices below my Global in individual Device Groups and if I create a connector with 20 devices using my global, it will do everything but allow me to import rules into that devicegroup. Everything else works without this limitation, Rule Enrichment AppID adoption etc. @lychiang Can you let us know if there is a way around this or why this is the design?
07-29-2022 07:58 AM
I believe I have a workaround. So I am able to do Log analysis with multiple devices in a Connector assigned Device Group, I just can't change any of the settings for Analyze Data dropdown in advance. It already has basically everything by default so that's fine. And you just ignore the Loading Serial/Vsys thing and click Analyze Data. Analysis completes fine with this Connector and I get my nice rules by App. Then what I did was create a Dynamic Connector which doesn't do anything for ML,but I enable that connector anyway. However, it keeps my previously created ML policies and opens the door to do all of the Imports. I was able to then execute what I wanted in Import. Hope this helps if you're stuck and maybe helps Dev team.
07-29-2022 08:15 AM
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
