I have firewalls managed by Panorama that I want to do some ML and RE on traffic logs. Right now I have this setup for 2 firewalls using the log export feature on the firewalls. Each firewall exports traffic logs to a different folder on my Expedition server. In Expedition I have added my Panorama and from the devices tab, I show all devices to see the firewalls managed by Panorama. Within the firewalls, I have setup the appropriate folder on the M. Learning tab and all of that works as expected.
My issue is when I go to the Panorama object under Devices and click on the M. Learning tab, I see all the logs from the 2 firewalls but under the "Device" column, it shows a totally different firewall that has nothing to do with this other than the fact it's also managed by Panorama. When I try to do any ML or RE for the firewalls that are sending logs, it fails, I assume because Panorama thinks those logs are for the other firewall.
Has anyone seen this before or know how to fix it?
It is kinda hard to understand the issue here, but usually the serial number is the separate firewall identifier we use to isolate the log files. Can you provide screenshots of what you are saying? If you're unable to do that please email us at email@example.com
Also please include your version of expedition I know we had some problems with ML on 1.1.104 so if you're running that version of expedition please upgrade to the latest version.
Thanks for replying and my apologies if the original posts were confusing. I did reach out to that email address over the weekend and am waiting to hear back.
Hopefully this is a better explanation of the issue...
The firewalls are set to export traffic logs to the expedition server which works fine. Before Expedition processes the logs, if I look at the ML.Learning tab for Panorama, I see the logs there and the device column matches up to the correct device, but when the logs get processed, the device name changes to a totally different firewall. If I try to run ML or RE on any of the firewalls that have had logs processed, it just sits on initializing forever so it seems as if because after processing of logs, the logs are "assigned" to a different firewall.
Attached are a couple of screenshots although I had to scrub out full names. One shows a log file for a firewall with DC-MDF1-FW01 in the name and the device column is correct. This is before that log file is processed. The next screenshot shows after processing and you can see that the device column now shows a totally different firewall.
Instead of going Devices>Panorama>M.Learning , go Devices>Panorama>expand list>[FW in question]
Not sure if you're doing this already but your screenshots show Panorama instead of FWs themselves. I'm not sure how the GUI is supposed to work where Panorama is managing firewalls in this regard, but in my experience with ML and Panorama, I go this route to configure the log ingestion processing for ML on each FW. Config for rules comes via syncing it from Devices>Panorama as normal.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!