Trouble doing ML on security policy from panorama?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Trouble doing ML on security policy from panorama?

L1 Bithead

Can you use the ML and rule enhancements on security policy that is located in panorama.  Im struggling a bit to get it to work.  I set my project up to use panorama and then brought in the firewalls.  There is not a schedule log export function to panorama to csv so I am exporting from firewall.  I tried fwd syslog but the tool did not recognize the files.  I get deferent results if i point my log connecter to panorama or the firewall.  I get no devices in this connector If I point it at the firewall I   If point the connector at the firewall I get No rules selected for learning.

 

Here are some screenshots. Thanks for you help in advance: I did the lab at ignite and am really excited about this tool,  I'm a partner and plan on demoing it at one of our customer events in a couple of weeks.  I would really like to do it on panorama and a larger firewall.

 

 

 

firewallconn.pngfirewalloutput.pngpanoramaOutput.pngpanoramaconn.png

8 REPLIES 8

L2 Linker

What version of Expedition are you using?  I had the same issue, but it resolved itself when I upgraded to 1.0.99.

Im running 1.0.99.1 . I did get syslog working,  I had to rename my log files to csv,  I can now run ML and RE but there is no ouput after it is done. 

Yes, it is possible, but a couple of things which may get tricky:

 

  1. As we are going to work from a policy located in the Panorama device, we need to import the Panorama config. 
  2. The config should come from a device registered in Expedition. Uploading the Panorama XML config is not supported yet.
  3. We need to have connectivity to Panorama JUST to retrieve the connected devices. In order to know which serials we are going to learn from (the managed devices) we need to have them registered
  4. We will do the log connector using Panorama as a source, selecting the desired DG and selecting the desired fw-vsys's.
  5. The rules we flag for learning, SHOULD be from the Panorama source.

I hope this helps. If not, we could have a Zoom session to check it in detail.

Yes, it is possible, but a couple of things which may get tricky:

 

  1. As we are going to work from a policy located in the Panorama device, we need to import the Panorama config. 
  2. The config should come from a device registered in Expedition. Uploading the Panorama XML config is not supported yet.
  3. We need to have connectivity to Panorama JUST to retrieve the connected devices. In order to know which serials we are going to learn from (the managed devices) we need to have them registered
  4. We will do the log connector using Panorama as a source, selecting the desired DG and selecting the desired fw-vsys's.
  5. The rules we flag for learning, SHOULD be from the Panorama source.

I hope this helps. If not, we could have a Zoom session to check it in detail (fwmigrate at paloaltonetworks dot com).

I get the same as described above and I'm running 1.0.101

Hi Esfeld, could you tell me how to upgrade the Tool ? I could not find a reference in the Admin/User Guides and "sudo apt-get update && apt-get upgrade" does not seem to work.

Thanks.

 

Regards,

Thomas

Those are the correct commands to run for it to get the updates.  Make sure it is allowed through your firewall.

sudo apt-get update
sudo apt-get install expedition-beta
  • 5801 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!