I am working in an environment in which all Palo Alto FWs are centrally managed by a Panorama instance. All traffic logs are sent to the Panorama.
If I follow the ML (Loggings Analysis) Guide, it is proposed to set a Scheduled Log Export from each individual FW towards the Expedition ML Server.
But what is the correct approach in case we are using a centralized Panorama instance which is already receiving all these traffic logs? Should I still configure each individual firewall with an Scheduled Log Export towards the Expedition server?
Solved! Go to Solution.
thanks for your answer.
I could solve the issue this week. I will post it here for documentation. It turns out csv traffic logs cannot be exported from the Panorama.
Even if you can configure a Scheduled Log Export centrally from the Panorama, this actually pushes the Scheduled Export to all FW devices and you still have to connect to all individual devices and click on their "SCP Test" button to exchange keys between FW-Expedition. This is because the exports are happening from the FWs and not from the Panorama.
Hi Azuniga and thanks for answering.
Your proposition is actually what I did some days ago but it does not seem to work.
I can schedule the export on the Panorama instance. The scp "ping" works fine copying a dummy file named ssh-export-test-txt. However, later when the export should happen, it does not and the destination folder on the Expedition server remains empty.
The Destination folder has following rights:
Seen this before? Could it be a bug?
Thanks for any help/hint
I checked my file permissions on my personal VM and noticed I have permissions of 755, I am wondering if your file permissions were changed? I see that yours is 750 so it might not matter if the permissions are altered unless expedition writes to the file as other. Would you mind changing that and confirming your machine learning file path is set to /data, it should be under settings > m. learning.
If you are still having issues please feel free to email us at fwmigrate (at) paloaltonetworks.com
If you can see that the ssh-export-test-txt test file gets generated in the /logs folder in your Expedition, this means that you have the settings in Expedition allowing the logs to be sent.
If so, and you still do not get logs sent, it could be:
a) did you commit the configuration in your FW to do the schedule log export?
b) do you have traffic hitting rules in your firewall? (actually, I think you should get still traffic log files, but those would be empty in Expedition)
c) are you actually seeing the traffic logs in the /logs folder? In such case, remember that you will be able to process the files in Expedition if you have imported the firewalls that own those traffic log files. Get into your Panorama device (in Expedition) and click on retrieve connected devices.
thanks for your answer.
An alternative is to use Expedition as a Syslog server and receive the traffic-logs on-realtime.
You may find some information about how to setup Expedition to activate the syslog server features in this forum
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!