Expedition Articles
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Featured Article
Context In cases where a configuration file of a significant size needs to be uploaded and Expedition is unable to process it, it becomes necessary to modify the setup of the Apache-PHP component. Requirements CLI and sudo access Solution Open a terminal to the VM Execute the below command sudo vi /etc/php/7.0/apache2/php.ini Look for the attribute upload_max_filesize Change the value to (i.e) upload_max_filesize = 300M Look for the attribute post_max_size Change the value to (i.e) post_max_size = 300M Save the changes (press esc :wq!) Restart the apache service sudo service apache2 restart Try it again, you should be able to upload files up to 300MB  
View full article
Here are all the Documents related to Expedition use and administrations   Installation Guide - Instructions to install Expedition 1 on an Ubuntu 20.04 Server and Transferring Projects between Expeditions Hardening Expedition – Follow to secure your Instance. Admin Guide – Describes the Admin section and provides advice on how to configure and properly setup. User Guide  v1.1 (will be improved) Log Analysis Feature Guide - (APP-ID Adoption, Rule Enrichment, and Machine Learning features)
View full article
Updated April 23, 2024: adding new repository to get erlang > 25+ packages Symptoms Expedition is vulnerable to CVE-2022-37026, below are the Detail about the vulnerability : In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS.   Diagnosis Issue below command in Expedition CLI: $apt list --installed | grep erlang  the result will show erlang package is v22.x which is vulnerable to the CVE   Solution Summary: Run below commands in Expedition CLI to add new repositories and upgrade the two packages to the stated version:   rabbitmq-server: 3.11.4-1 erlang: 25.0.4   ------------------------------------------------------------------------------------- // execute below commands as root sudo -su root // stop mysql service so Expedition is not available service mysql stop // remove any potential version installed apt-get remove rabbitmq-server && apt-get purge rabbitmq-server apt-get remove erlang && apt-get purge erlang apt autoremove // disable the legacy repository for erlang > 25+ packages echo "#deb https://packages.erlang-solutions.com/ubuntu focal contrib" | sudo tee /etc/apt/sources.list.d/erlang-solution.list echo "#deb [trusted=yes] http://www.rabbitmq.com/debian/ testing main" | sudo tee /etc/apt/sources.list.d/rabbitmq.list // update the apt list apt update // add the new repository storing erlang > 25+ packages add-apt-repository -y ppa:rabbitmq/rabbitmq-erlang-25 // update the apt list apt update // add the rabbitmq repository $curl -s https://packagecloud.io/install/repositories/rabbitmq/rabbitmq-server/script.deb.sh | sudo bash // update the apt list apt update // fix any broken dependency  sudo apt --fix-broken install // install the rabbitmq-server $apt-get install rabbitmq-server=3.11.4-1 // remove any unneeded package $apt autoremove $apt purge // start the mysql service to make Expedition available $service mysql start   Verify the two packages are updated with the required version with below commands:   $apt list --installed | grep erlang  $apt list --installed | grep rabbitmq-server      
View full article
Expedition supports migration sections of the below Vendor's configuration to PAN-OS configuration **The list of tested Vendor OS version, version not listed here needs further validations *** The UserID CN chain is extracted from the original configuration and integrated into the migrated security rule. However, the device configuration must be manually performed on the device itself.   Table1: Expedition supports converting 3rd Party vendors config sections (Updated on 2024/01/01) Note: Table will be updated when new support added   Vendor Supported Vendor OS** Global Address Object Address Objects Address Group Objects Service Objects Service Group Objects User ID Security Policy NAT Policy Network Interface (L3 only) Routing(Static Routes Only) VPN Checkpoint R75,R77 ✔ ✔ ✔ ✔ ✔ ✔  *** ✔ ✔ ✔ ✔     > R80 ✔ ✔ ✔ ✔ ✔ ✔  *** ✔ ✔ ✔ ✔   Cisco ASA 9.0, 9.1,9.6,8.2,8.4, ✔ ✔ ✔ ✔ ✔   ✔ ✔ ✔ ✔ ✔   FirePower [only in ASA syntax] ✔ ✔ ✔ ✔ ✔   ✔ ✔ ✔ ✔   Fortinet Fortigate 4.0, 5.0,6.0 ✔ ✔ ✔ ✔ ✔   ✔ ✔ ✔ ✔   IBM XGS 5.1   ✔ ✔ ✔ ✔   ✔ ✔ ✔ ✔   Juniper All Netscreen Firewalls (ScreenOS) ✔ ✔ ✔ ✔ ✔   ✔ ✔ ✔ ✔     Junos 11.4, 12.1, 12.3 ✔ ✔ ✔ ✔ ✔   ✔ ✔ ✔ ✔   Forcepoint Sidewinder   ✔ ✔ ✔ ✔   ✔   ✔ ✔     Stonesoft   ✔ ✔ ✔ ✔   ✔ ✔ ✔ ✔  
View full article
Dear Expedition2 Beta Users, We are very excited to announce release of the machine learning features in Expedition2 Beta to have parity with Expedition1. For details, please look for document named 'Machine Learning Feature Announcement' in the Expedition2 Beta shared drive.  Users not yet on beta can expect updates on General Availability in the coming weeks.   Thanks, Expedition Team  
View full article
Expedition Community,  We request your feedback on the Expedition tool. This will help us to gain insight into your utilization of Expedition and understanding the aspects that are most important to you. Please invest a quick 2 minutes to share your thoughts by completing this short survey: https://forms.gle/8AWGJTj7HX5ecqqL7    Appreciate your feedback, Expedition Team
View full article
Advisory: Guidance for Apache HTTP Server 2.4 vulnerabilities (11/06/2023)   CVE-2021-44790   Affected version: Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.57.   Update 2.4.58 released 2023-10-19 Affects <=2.4.57   Diagnosis Execute below command to check the version of Apache HTTP Server 2.4:   sudo apt list --installed | grep apache   If the output showing version less than 2.4.58, you will need to perform the steps to upgrade the apache2 libraries. Solution Prerequisites: Your Expedition VM should have connectivity to http://ppa.launchpad.net and subdomains. ONLY required to do the libraries upgrade.   In Expedition CLI execute below commands:   Update the package repository: sudo apt-add-repository ppa:ondrej/apache2 Install deb lib packages: sudo apt-get install apache2 Check packages are installed sudo apt list --installed | grep apache Expected output: apache2-bin/focal,now 2.4.58-1+ubuntu20.04.1+deb.sury.org+1 amd64 [installed,automatic] apache2-data/focal,now 2.4.58-1+ubuntu20.04.1+deb.sury.org+1 all [installed,automatic] apache2-utils/focal,now 2.4.58-1+ubuntu20.04.1+deb.sury.org+1 amd64 [installed,automatic] apache2/focal,now 2.4.58-1+ubuntu20.04.1+deb.sury.org+1 amd64 [installed] libapache2-mod-php7.0/now 7.0.33-57+ubuntu20.04.1+deb.sury.org+1 amd64 [installed,upgradable to: 7.0.33-68+ubuntu20.04.1+deb.sury.org+2]​ Make /tmp folder writable for apache2 service Open file to edit: sudo vi /lib/systemd/system/apache2. service Change setting PrivateTmp from true to false (PrivateTmp=false) Save file and restart below services: sudo systemctl daemon-reload; sudo systemctl restart apache2
View full article
Dear valued customers,   We are excited to introduce the beta release of Expedition 2, a cutting-edge tool designed to facilitate firewall migration from various vendors and manage Palo Alto Networks firewalls/Panoramas configuration via API. Developed with a focus on automation, rich capabilities, and streamlined network management tasks, Expedition 2 aims to significantly enhance your network administration experience.   Expedition 2 offers numerous benefits, including automating firewall migration, simplifying security policy management, and enabling bulk operations across multiple devices.   While we are confident in Expedition 2's robust features and its ability to make network management more efficient, we acknowledge that this is a beta release. As such, there may be bugs and issues we need to resolve before the official launch. We encourage you to test the beta version of Expedition 2 and share your valuable feedback, which will help us improve the tool before its GA launch.   Please note that access to the beta version is restricted, and we kindly request you to fill out the online form available at the link below to receive access to the beta files: Note: Updating google form link https://forms.gle/wHukcW8QAvXXyxgXA The form will request some information from you, which will help us understand your requirements and expectations better. Once we receive your response, we will provide you with the necessary access to the beta files. We believe that your feedback will help us improve our product and make it more user-friendly. We encourage you to test the beta version thoroughly and provide us with your honest feedback. If you encounter any issues or have any questions, please do not hesitate to contact us at fwmigrate@paloaltonetworks.com . **UPDATE: Tuesday 17th October 2023 ** In collaboration with the Expedition Team, Migration Factory team has committed to redesigning all the converters present in the Expedition tool with the goal of pushing their capabilities further and increasing maintainability. The team also develops the part of PANser, a parser for PAN-OS configuration files that is designed to be flexible and extensible, making it a valuable tool for a wide range of use cases. By using PANser as an external parser on your Expedition2 environment, you can enhance the number and variety of 3rd party parsers. Please fulfil and follow instructions on the below form to download the PANser docker image: https://forms.gle/zXGWh9cNgNaHSFBW6   We appreciate your time and consideration and look forward to hearing from you soon.   Best regards, Expedition Team
View full article
UseCase   In the ML or RE case, where Expedition is configured as syslog server , and you are forwarding traffic logs from Panorama to Expedition,  by default, the logs will be saved using Panorama_IP . The solution below provides steps on how to  split the logs per serial# of the firewall.   Solution   Split the logs per FW/Serial number by following below steps:   Step 1. Edit your rsyslog.conf file   Replace below line: $template DynaTrafficLog,"/PALogs/%FROMHOST-IP%/%HOSTNAME%traffic%$YEAR%%$MONTH%%$DAY%_last_calendar_day.csv" to below ones: set $!SERIAL = field($msg,",",2); $template DynaTrafficLog,"/PALogs/%FROMHOST-IP%/%$!SERIAL%/%$!SERIAL%%HOSTNAME%_traffic%$YEAR%%$MONTH%%$DAY%_last_calendar_day.csv"   The intention of the above configuration is to create a folder with your Panorama IP and subfolders for each FW/Serial number.   Step 2. Restart the syslog service Issue below command: service rsyslog restart   For your reference, next Expedition releases will include a set of rsyslog configuration example files on the path /var/www/html/OS/rsyslog folder .  
View full article
Advisory: Guidance for OpenSSL Vulnerability Disclosures (02/07/23) CVE-2022-4304 CVE-2022-4450 CVE-2023-0215 CVE-2023-0286   Affected version: Impacts all versions of OpenSSL 1.1.1 (installed default version on Ubuntu 20 is 1.1.1f-1ubuntu2.16)   Diagnosis Execute below two commands to check the version of openssl and libssl1.1:   apt list --installed | grep openssl/focal-updates apt list --installed | grep libssl1.1 if the output showing version less than 1.1.1f-1ubuntu2.17 amd64 , you will need to perform the steps to upgrade the openssl and libssl1.1   Solution In Expedition CLI execute below commands:   Update the package index: sudo apt-get update Install deb lib packages: sudo apt-get install openssl sudo apt-get install libssl1.1 Check packages are installed apt list --installed | grep openssl/focal-updates Expected output: openssl/focal-updates,focal-security,now 1.1.1f-1ubuntu2.17 amd64 [installed] apt list --installed | grep libssl1.1 Expected output: libssl1.1/focal-updates,focal-security,now 1.1.1f-1ubuntu2.17 amd64 [installed,automatic]
View full article
We are aware of the issue with Ubuntu VM on MAC with M1 chipset. Expedition installation script will fail due to dependency packages not being installed as these have not been compiled for the M1 architecture.  We will study possible alternatives for the future releases. 
View full article
Symptoms While executing a migration you get one of bellow message errors on the /tmp/error file:  Got a packet bigger than 'max_allowed_packet' bytes Error while sending QUERY|STATISTICS packet Also the migration process could be stacked at some point for a long period of time. Diagnosis MySQL is not supporting to create the among of objects defined on your config so you need to give more resources to MySQL. Solution Resize the max allowed packets property on Mysql. 1) Locate your max_allowed_packet mysql configuration (for instance inside: /etc/mysql/mariadb.conf.d/50-server.cnf). 2) Edit the mysql config file and increase the MB for the property max_allowed_packet (for instance: max_allowed_packet = 100M). 3) Restart mysql (for instance: service mysql restart).  4) Execute the migration in a new clean Expedition project.
View full article
Symptoms After a fresh installation of Expedition, error message like below shows :   Diagnosis When Execute the following command in Expedition CLI as suggested :     sudo sh /var/www/html/OS/BPA/updateBPA306.sh   Script did not finished running and encountered error message below:   × python setup.py bdist_wheel did not run successfully. │ exit code: 1 ╰─> [175 lines of output] running bdist_wheel running build running build_py creating build creating build/lib.linux-x86_64-3.8 creating build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageSequence.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/EpsImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/PcxImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/PdfImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/TarIO.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/IcoImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/GifImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageShow.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/PpmImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageDraw.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageTransform.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ExifTags.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/PdfParser.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImagePath.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/TgaImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/MpoImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/BlpImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/WmfImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/PSDraw.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/GimpGradientFile.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/GbrImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/PcdImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/SunImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageOps.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/DcxImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageEnhance.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/Jpeg2KImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/Hdf5StubImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/GimpPaletteFile.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageMath.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImagePalette.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/FontFile.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageFilter.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageCms.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/CurImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageQt.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/features.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/FliImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageMode.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/_util.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/PsdImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/McIdasImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImtImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/JpegPresets.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageGrab.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/JpegImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/TiffTags.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/SpiderImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/IcnsImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/WebPImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageChops.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/_tkinter_finder.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageFile.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageColor.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/GdImageFile.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/PngImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/BufrStubImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/FtexImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/_version.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageStat.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/Image.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/MspImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/PalmImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/PaletteFile.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/MicImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ContainerIO.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/TiffImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/XVThumbImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/_binary.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/FitsStubImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/BmpImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/PixarImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/IptcImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageFont.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/OleFileIO.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/SgiImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/PyAccess.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/BdfFontFile.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageWin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/XbmImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/__init__.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/WalImageFile.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/XpmImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/PcfFontFile.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageTk.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/FpxImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/MpegImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageMorph.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/GribStubImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/DdsImagePlugin.py -> build/lib.linux-x86_64-3.8/PIL copying src/PIL/ImageDraw2.py -> build/lib.linux-x86_64-3.8/PIL running egg_info writing src/Pillow.egg-info/PKG-INFO writing dependency_links to src/Pillow.egg-info/dependency_links.txt writing top-level names to src/Pillow.egg-info/top_level.txt reading manifest file 'src/Pillow.egg-info/SOURCES.txt' reading manifest template 'MANIFEST.in' warning: no files found matching '*.c' warning: no files found matching '*.h' warning: no files found matching '*.sh' no previously-included directories found matching 'docs/_static' warning: no previously-included files found matching '.appveyor.yml' warning: no previously-included files found matching '.coveragerc' warning: no previously-included files found matching '.codecov.yml' warning: no previously-included files found matching '.editorconfig' warning: no previously-included files found matching '.landscape.yaml' warning: no previously-included files found matching '.readthedocs.yml' warning: no previously-included files found matching '.travis' warning: no previously-included files found matching '.travis/*' warning: no previously-included files found matching 'tox.ini' warning: no previously-included files matching '.git*' found anywhere in d istribution warning: no previously-included files matching '*.pyc' found anywhere in d istribution warning: no previously-included files matching '*.so' found anywhere in di stribution writing manifest file 'src/Pillow.egg-info/SOURCES.txt' running build_ext The headers or library files could not be found for jpeg, a required dependency when compiling Pillow from source. Please see the install instructions at: https://pillow.readthedocs.io/en/latest/installation.html Traceback (most recent call last): File "/tmp/pip-install-nbk4y0xj/pillow_f525a19fbf1d4101aeddc513ddad3999/ setup.py", line 765, in <module> setup(name=NAME, File "/usr/lib/python3/dist-packages/setuptools/__init__.py", line 144, in setup return distutils.core.setup(**attrs) File "/usr/lib/python3.8/distutils/core.py", line 148, in setup dist.run_commands() File "/usr/lib/python3.8/distutils/dist.py", line 966, in run_commands self.run_command(cmd) File "/usr/lib/python3.8/distutils/dist.py", line 985, in run_command cmd_obj.run() File "/usr/lib/python3/dist-packages/wheel/bdist_wheel.py", line 223, in run self.run_command('build') File "/usr/lib/python3.8/distutils/cmd.py", line 313, in run_command self.distribution.run_command(command) File "/usr/lib/python3.8/distutils/dist.py", line 985, in run_command cmd_obj.run() File "/usr/lib/python3.8/distutils/command/build.py", line 135, in run self.run_command(cmd_name) File "/usr/lib/python3.8/distutils/cmd.py", line 313, in run_command self.distribution.run_command(command) File "/usr/lib/python3.8/distutils/dist.py", line 985, in run_command cmd_obj.run() File "/usr/lib/python3.8/distutils/command/build_ext.py", line 340, in r un self.build_extensions() File "/tmp/pip-install-nbk4y0xj/pillow_f525a19fbf1d4101aeddc513ddad3999/ setup.py", line 612, in build_extensions raise RequiredDependencyException(f) __main__.RequiredDependencyException: jpeg During handling of the above exception, another exception occurred: Traceback (most recent call last): File "<string>", line 2, in <module> File "<pip-setuptools-caller>", line 34, in <module> File "/tmp/pip-install-nbk4y0xj/pillow_f525a19fbf1d4101aeddc513ddad3999/ setup.py", line 812, in <module> raise RequiredDependencyException(msg) __main__.RequiredDependencyException: The headers or library files could not be found for jpeg, a required dependency when compiling Pillow from source. Please see the install instructions at: https://pillow.readthedocs.io/en/latest/installation.html [end of output] Solution The error caused by libjpeg-dev package is missing , solution is to install the missing package before re-run the script, issue below commands first: sudo apt-get install libjpeg-dev Then re-run the script: sudo sh /var/www/html/OS/BPA/updateBPA306.sh   Script will be completed without error , and you can verify the error message in dashboard is remediated.  
View full article
Symptoms After upgrade Expedition from 1.1.x to 1.2.x , Radius authentication stop working  Diagnosis Module php7.0-radius is missing  Solution Please follow below steps :  1) Check if php7.0-radius installed on your VM:  php -m  2) If it’s not installed , run below command to install radius php7.0 sudo apt-get install php7.0-radius 3) Remove packages not needed. sudo apt autoremove 4) Check again if php7.0-radius is installed on the VM  php -m 5) Confirm php CLI is 7.0 php -version 6) Restart apache2 sudo apache2ctl restart
View full article
Your Expedition VM might be vulnerable to the CVE-2021-4034, here is the Info regarding the vulnerability:   Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged ones. It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission). Please refer to the website for detail info : https://ubuntu.com/security/cve-2021-4034 To Patch your Ubuntu system, please follow below steps:   1. Adding below line to the /etc/apt/sources.list : deb http://security.ubuntu.com/ubuntu focal-security main 2. Run below commands to update the policy-1 package: $sudo apt-get update $sudo apt-get install policykit-1 3. Verify the policykit-1 package has been updated to v. 0.105-26ubuntu1.2 as shown in below screen:     Those who can’t patch immediately should use below command to remove the SUID-bit from pkexec:   $chmod 0755 /usr/bin/pkexec  
View full article
Question I am running out of the HD space in Expedition server , need to add more HD space. Answer Please refer below article for the instructions on adding a new drive and mount the drive to be used by Expedition: https://help.ubuntu.com/community/InstallingANewHardDrive
View full article
Question   I am getting below errors when issue $sudo apt-get update to update expedition to the latest package, how do I fix it ?   Err:14 https://conversionupdates.paloaltonetworks.com expedition-updates/ Packages Could not open file /var/lib/apt/lists/partial/conversionupdates.paloaltonetworks.com_expedition-updates_Packages.gz - open (13: Permission denied) Fetched 114 kB in 1s (57.0 kB/s) Reading package lists... Done W: The repository 'https://conversionupdates.paloaltonetworks.com expedition-updates/ Release' does not have a Release file. N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use. N: See apt-secure(8) manpage for repository creation and user configuration details. E: Failed to fetch https://conversionupdates.paloaltonetworks.com/expedition-updates/Packages Could not open file /var/lib/apt/lists/partial/conversionupdates.paloaltonetworks.com_expedition-updates_Packages.gz - open (13: Permission denied) E: Some index files failed to download. They have been ignored, or old ones used instead.   Answer   Run below command: sudo rm /var/lib/ap t/lists/partial/* Then run below commands for updating Expedition to the latest version: sudo apt-get update sudo apt-get install expedition-beta  
View full article
Hello!   We know you are all concerned on having the Expedition tool on an old not-supported Ubuntu. You had requested several times to increase support for newer versions of the OS, and we have finally reached to the point we can present Expedition on Ubuntu 20.04 LTS.   We have updated our Expedition installer and some internal modules (Spark codes, database structures and webserver backend) to be able to support the tool installation on the current Ubuntu 20.04 LTS. The installation process is very similar as it used to be, but to help you in the task, we have written an Instructions document with multiple images that will certainly guide you.   And, on top of all this, we are providing a Transfer Assistant that will help you transferring all your Expedition projects, devices, user credentials, traffic logs, etc. from your old Expedition to a new one.   You will find the Installation document in our Expedition Documents section: https://live.paloaltonetworks.com/t5/expedition-articles/expedition-documentation/ta-p/215619   Let's start a new Expedition together!
View full article
  Palo Alto Networks, August 2, 2021   Dear Expedition Users,   During the years, we have evidenced a sustained and increased usage of the Expedition 1.0 tool, earlier known as the Migration Tool. As many of you know, we want to increase the number of functionalities in our tools, to enhance existing functionalities and to improve their quality.   To achieve these improvements, we have decided to join efforts with Professional Services. A dedicated team in Professional Services will take ownership of the code used for configuration translations from third party vendors to PANOS.   This strategy will improve the migrations that we have been offering during the years with the Expedition tool,  increasing the resources in the team dedicated to the translations,  improving the quality assurance with fewer bugs, having a closer the relationship with the Professional Services consultants that consume the translation functionalities on a daily basis,  increasing the number of Use Cases that are supported and decreasing the response time to support new functionalities , making the migrations in your projects more pleasant and efficient.   As a consequence, we have taken the decision to postpone the launch of Expedition 2.0 until April 2022, to guarantee the quality of the release and to extend the functionalities that the tool will provide. During this period, Expedition 1.0 will continue to be supported by the Expedition team, and we are working on updating our code and installation process to make it available for Ubuntu Server 20.04.   We would like to remark that Expedition 2.0 will continue being offered free of charge, as well as the translations from third party vendors to PANOS.   The Expedition Team  
View full article
Here you can find details about the Expedition Migration Tool Agreement.  
View full article
With the new version of Checkpoint Smartcenter R80, the way to obtain the rules has changed.    Exporting Configuration   To export the configuration from a Checkpoint R80 we are gonna need to download a tool from the Checkpoint's Github. We want to be sure we download latest version of the tool since the one it comes installed in your SmartCenter usually is old and may contain bugs.   So first open your preferred web browser and go to:   https://github.com/CheckPointSW/ShowPolicyPackage/releases   Check the latest, at the moment of updating this post latest version was 2.0.6, so in order to download it we have to click on the file named: web_api_show_package-jar-with-dependencies.jar   https://github.com/CheckPointSW/ShowPolicyPackage/releases/download/V2.0.6/web_api_show_package-jar-with-dependencies.jar   After download the file you have to UPLOAD it to your SmartCenter Server where Checkpoint R80 management is running. Use your SCP preferred tool to do it.   Please read the README.md file shown in https://github.com/CheckPointSW/ShowPolicyPackage to understand how to run the downloaded file properly, pay special attention to the Examples   Before you run the command verify the Checkpoint API is running otherwise this tool will fail to execute. Please read this if you don' t know how to enable/verify if your API is UP and Running   Now you can RUN the tool from CLI as EXPERT   java -jar web_api_show_package-jar-with-dependencies.jar -v   The output from that command will let you know what Packages are available to export   Last command we have to run is the following where PACKAGE_NAME is the name you have chosen from the previous command and in case you are in a MULTI-DOMAIN environment specify the DOMAIN_NAME too (-d is OPTIONAL):    java -jar web_api_show_package-jar-with-dependencies.jar -k <PACKAGE NAME> -d <DOMAIN NAME>   This will create a new tgz file which you will use as is to import into Expedition Importation page.   Exporting Routing and interfaces   From the Firewall CLI, you can run the following:   netstat -nr > routes.txt   With all this information, we can go to Expedition, Create a new Project, enter the Project, and go to IMPORT > CHECKPOINT > VERSION R80.   Assign a name to your configuration such as "MyInternetGW" Select the tgz file and attache it to the proper input Select the routes.txt for the routes Click UPLOAD   References: Checkpoint Website article about the show package tool    
View full article
Symptoms When Importing either PAN-OS configuration or 3rd party vendor configuration, the import progress bar stuck in the middle without throwing any errors.    Diagnosis All migrations in Expedition 1 leave traces for debugging in the error file located in /tmp/error. Below we present an example of an error that could be reported on a migration:    In this specific case, the migration parser could not complete due to a limit amount of RAM allowed to be used in the migration process (Allowed memory size of 4GB exhausted) Solution Fortunately, this is RAM limit simple to handle. In your Expedition WEBUI, go to "Settings" -> "CUSTOM PARAMS", increase the allowed RAM ("PARSER_max_execution_memory") to a larger value without exceeding your VM RAM. If you have 16G RAM in your expedition VM, you could change the value up to "16G"  as shown in the below screenshot below. Notice that in most of the cases, your configuration won't be as large that becomes necessary to allocate such a large amount of "Allowed RAM". For most scenarios, 4GB should be enough, therefore try allocating 6GB or 8GB until your migration can be completed.    
View full article
Expedition – The Glue Between IronSkillet and Best Practices Expedition was conceived to reduce the time and efforts a security admin needs to improve and optimize their Palo Alto Networks configurations. Following that effort, we have added, within Expedition, support not only to run a BPA analysis if not also be able to remediate some of the failed checks (all related to Device Config) and now integration with the project IronSkillet. https://github.com/PaloAltoNetworks/iron-skillet 
View full article
Access Expedition GUI Using Google Chrome with Certification Error   Symptoms Can't access Expedition GUI using Google chrome, error message 'NET::ERR_CERT_COMMON_NAME_INVALID' displayed as below screenshot, and you are not able to proceed to the website.  Please note: It's best practice to not proceed to the site failed on certificate error only when self-signed cert is used in Expedition and you confirmed it's safe to proceed to the site.   View of Chrome Error - NET::ERR_CERT_COMMON_NAME_INVALID Diagnosis For Google Chrome 58 and later, only the subjectAlternativeName extension, not commonName, is used to match the domain name and website certificate. If the certificate doesn’t have the correct subjectAlternativeName extension, users get a NET::ERR_CERT_COMMON_NAME_INVALID error letting them know that the connection isn’t private and will not provide you an option to proceed to the URL.   Please see the article for more details: https://support.google.com/chrome/a/answer/7391219?hl=en   Solution Perform the below steps to re-install the self-signed certification with subjectAltName in Expedition: SSH to Expedition cd to /tmp Modify req.conf by issue below command: $ sudo vi req.conf copy and past below section in req.conf, modify attributes in the file to match your organization ........................................................................................ [req] distinguished_name = req_distinguished_name x509_extensions = v3_req prompt = no [req_distinguished_name] C = US ( Replace this with your county name) ST = VA  ( Replace this with your state name) L = SomeCity  ( Replace this with your city name) O = MyCompany ( Replace this with your company name) OU = MyDivision ( Replace this with your organization name) CN = 192.168.44.131 ( Replace this IP with your Expedition IP ) [v3_req] keyUsage = keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1 = 192.168.44.131 ( Replace this IP with your Expedition IP ) DNS.2 = company.com  DNS.3 = company.net ........................................................................................       saves the changes with ESC :wq!   Issue below commands in order: $ sudo openssl genrsa -out server.key 3072 -config req.conf $ sudo openssl req -new -x509 -key server.key -sha256 -out certificate.pem -days 730 -config req.conf $ sudo cp server.key /etc/ssl/certs/ $ sudo cp certificate.pem /etc/ssl/certs/   Modify the default-ssl.conf by issue below command: $ sudo vi /etc/apache2/sites-enabled/default-ssl.conf  Find below two lines in the default-ssl.conf and replace the path  SSLCertificateFile   /etc/ssl/certs/ssl-cert-snakeoil.pem SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key    with    SSLCertificateFile   /etc/ssl/certs/certificate.pem SSLCertificateKeyFile /etc/ssl/certs/server.key   saves the changes with ESC :wq   Restart Apache by issue below command: $ sudo systemctl restart apache2   Try access the Expedition GUI again Google chrome should now present you an option under "Advanced" to proceed to the URL. 
View full article
ABOUT Expedition is the fourth evolution of the Palo Alto Networks Migration Tool. The purpose of this tool is to help reduce the time and efforts of migrating a configuration from a supported vendor to Palo Alto Networks. By using Expedition (Migration Tool), everyone can convert a configuration from Checkpoint, Cisco, or any other vendor to a PAN-OS and give you more time to improve the results. Expedition (Migration Tool) 3 added some functionalities to allow our customers to enforce security policies based on App-ID and User-ID as well. READ MORE    NOTE: Expedition is supported by the community as best effort. The Palo Alto Networks TAC does not provide support, so please post your questions in the community by clicking "Ask Questions" below.   Get the Expedition Installer   Expedition Installation This video provides a quick tutorial on installing Expedition on Ubuntu Server 16.04.   Get the Legacy Expedition OVA   Get the Legacy Expedition VM   Ask Questions   Get the Guides   Tutorial Videos  
View full article
Be the first to discover the new dynamic log connector functionality and learn about App-ID Adoption and the new Device Monitor...
View full article
Explore the Expedition Dashboard   Expedition Dashboard   There are 2 parts related to the VM Stats, one controls the stats for the local VM running the GUI and the ML Health in case is running on another VM shows the stats from the remote Expedition VM.   That means you can setup 2 Expedition VMs and use one for the GUI and another with more CPU and RAM to run the data analysis and machine learning. If this is your case just go to SETTINGS -> M. Learning and setup the IP address where your Expedition with more resources is running and click on SAVE.   The Task Manager must be always UP and controls all the backend jobs requested from the GUI like to retrieve contents from a device using the API keys.   Expedition comes with a self-check list to at least show you if there is something that can be improved in the system or if some dependencies or required functions are working properly or missing.   Close to the logo you can find the version and the released day plus what version of the Best Practices Assessment Tool is running.
View full article
What is Expedition?   Expedition is the fourth evolution of the Palo Alto Networks Migration Tool. The main purpose of this tool was help reducing the time and efforts to migrate a configuration from one of the supported vendors to Palo Alto Networks.   By using the Migration Tool, everyone can convert a configuration from Checkpoint or Cisco or any other vendor to a PAN-OS and give you more time to improve the results. Migration Tool 3 added some functionalities to allow our customers to enforce security policies based on App-ID and User-ID as well.   With Expedition, we have gone one step further, not only because we want to continue helping to facilitate the transition of a security policy from others vendors to PAN-OS, but we want to ensure the outcome is the best as possible. This is why we added a Machine Learning module that can help you generate new security policies based on real log traffic and the introduction of the Best Practices Assessment Tool to check the configuration complies with the Best Practices recommended by our security experts.   With all these huge improvements we expect the next time you use Expedition the journey to the excellence will be easier.   NOTE: Expedition is supported by the community as best effort   The Palo Alto Networks TAC does not provide support, so please post your questions in the community.   Go to: Expedition landing page on LIVEcommunity
View full article
This document describes the advantages of using Regions objects when importing the Rule Enrichment policy recommendations.
View full article
(DO NOT EDIT resolv.conf)   If needed, the steps to statically configure a DNS server to the Expedition server will be to edit the dns-nameserver in the /etc/network/interfaces file.    Editing resolv.conf is not reliable as any edits will be overwritten on reboot of the Expedition server.   expedition@Expedition:/etc/network$ sudo vi interfaces   Configured to use DHCP   # This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5).   source /etc/network/interfaces.d/*   # The loopback network interface auto lo iface lo inet loopback   # The primary network interface auto ens33 iface ens33 inet dhcp dns-nameservers  8.8.8.8  4.2.2.2   Configured with a static IP   # This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5).   source /etc/network/interfaces.d/*   # The loopback network interface auto lo iface lo inet loopback   # The primary network interface auto ens33 iface ens33 inet static        address 192.168.252.136        netmask 255.255.255.0        gateway 192.168.252.2        dns-nameservers      8.8.8.8 4.2.2.2
View full article
  • 53 Posts
  • 265 Subscriptions
Customer Advisories

Your security posture is important to us. If you’re a Palo Alto Networks customer, be sure to login to see the latest critical announcements and updates in our Customer Advisories area.

Learn how to subscribe to and receive email notifications here.

Listen to PANCast

PANCast is a Palo Alto Networks podcast that provides actionable insights to customers, helping you maximize your investment while improving your cybersecurity posture.

Top Contributors
Top Liked Posts in LIVEcommunity Article
Top Liked Authors