01-23-2019 05:09 AM
Under a device in Expedition there is a tab called Real-time updates. It seems to be a syslog receiver for changes.
Can someone confirm how to use this feature?
01-23-2019 08:20 AM - edited 01-23-2019 08:22 AM
This feature is not complete, unfortunately.
What does this feature do?
Let me explain what it is meant to do when complete:
Notice that the controls to keep the projects in sync with the policies are very complex. We need to identify which objects are changing, which rules are being modified or moved, etc., and to know how that would affect the current changes that you may have in the Expedition project.
Let's take one example:
Imagine you decided to delete an address object in the Expedition project, because you are doing some cleaning (you decided that using a range instead of multiple IP addresses as a source would increase the readability of the config).
However, somebody in the PA decided to modify the address object and convert it into a subrange.
What should Expedition do in such a case? Create the address object again? Verify that the new object is still redundant given the changes in your project? Raise a warning because you may overwrite some "interesting" changes in your PA?
In which state is this feature now?
We have been covering quite a large subset of these changes, and only for Security Rules and NAT Rules (including address, services, apps, etc.), but there are several features that we have not covered, such as network settings.
For this reason, this feature has not been promoted and we may retake its implementation for PANOS 9.0, where we expect to be able to track the changes better.
What does it require to activate it?
Take a look at the rsyslog file in /var/www/html/OS/rsyslog/rsyslog.conf
You will see that this rsyslog config has logic to identify different types of Config and System syslog actions, and executes some database inserts to report the config modifications seen. It requires the module mmnormalize to know how to read the syslog messages, which are defined in /var/www/html/OS/rsyslog/palo_alto_networks.rb
However, we will have to extend those schemas to support PANOS 9.0 when we retake this task, as we were doing this implementation during PANOS 7.1.
I want to help
Suggestions or coding hands will be welcome to help complete this feature. 😉
You can contact us at fwmigrate at paloaltonetworks dot com or directly to me at dgildelaig at paloaltonetworks dot com
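The conflict case described in the reply above, as an added Python example that is not Expedition's code or part of the original post: it reads CONFIG syslog lines and flags device-side changes to objects that have a pending edit in the project. The field positions, the path layout, the PENDING table and the sample lines are assumptions constructed for illustration.

```python
import csv

# Assumed positions of the fields used here in a comma-separated CONFIG log line;
# adjust to the syslog format your firewall actually sends.
F_TYPE, F_CMD, F_ADMIN, F_PATH = 3, 9, 10, 13

# Constructed sample lines (not captured from a real device).
SAMPLE_LOGS = [
    "1,2019/01/23 08:01:10,001234567890,CONFIG,0,0,2019/01/23 08:01:10,10.0.0.5,vsys1,edit,alice,Web,Succeeded,vsys vsys1 address srv-web-01",
    "1,2019/01/23 08:02:44,001234567890,CONFIG,0,0,2019/01/23 08:02:44,10.0.0.5,vsys1,set,bob,CLI,Succeeded,vsys vsys1 rulebase security rules allow-dns",
    "1,2019/01/23 08:03:02,001234567890,SYSTEM,general,0,2019/01/23 08:03:02,,general,informational,0,0,0,commit job finished",
]

# Hypothetical pending edits in the project: (object kind, name) -> planned action.
PENDING = {("address", "srv-web-01"): "delete", ("address", "srv-db-02"): "delete"}

KINDS = ("address-group", "address", "service-group", "service", "rules")

def parse_config_event(line):
    """Return a dict for a CONFIG line, or None for other log types or short lines."""
    fields = next(csv.reader([line]))
    if len(fields) <= F_PATH or fields[F_TYPE] != "CONFIG":
        return None
    tokens = fields[F_PATH].split()
    for i, tok in enumerate(tokens[:-1]):
        if tok in KINDS:
            return {"cmd": fields[F_CMD], "admin": fields[F_ADMIN],
                    "kind": tok, "name": tokens[i + 1]}
    return None  # a config area this example does not track (e.g. network)

def find_conflicts(lines, pending):
    """List device-side changes that touch an object with a pending project edit."""
    conflicts = []
    for line in lines:
        ev = parse_config_event(line)
        if ev and (ev["kind"], ev["name"]) in pending:
            conflicts.append({**ev, "pending": pending[(ev["kind"], ev["name"])]})
    return conflicts

if __name__ == "__main__":
    for c in find_conflicts(SAMPLE_LOGS, PENDING):
        print(f"WARNING: {c['admin']} ran '{c['cmd']}' on {c['kind']} {c['name']}; "
              f"project has a pending '{c['pending']}'")
```
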
03-02-2021 02:23 AM
Hi, is there an update on whether this is available on 9.x of PAN-OS or available now with the latest release of Expedition?