Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
© 2019 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our
trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned
herein may be trademarks of their respective companies.
• Execute the following commands to verify that the mysqli.reconnect value is set to On in both php.ini files, and
restart Apache if you had to change it.
expedition@Expedition:/datastore$ grep mysqli.reconnect /etc/php/7.0/apache2/php.ini
mysqli.reconnect = On
expedition@Expedition:/datastore$ grep mysqli.reconnect /etc/php/7.0/cli/php.ini
mysqli.reconnect = On
expedition@Expedition:/datastore$ sudo service apache2 restart
• Syslog forwarding from firewall. Firewall can be configured to forward the traffic log to a syslog
server. This method is the one that will be used in our example. The configuration steps for
syslog forwarding for a firewall managed by Panorama are described below.
− From Panorama, under Templates > Device, select the template that is relevant to your
firewall.
• Go to Device Group > Objects > Log Forwarding. Select the device group that is relevant to
your firewall in the Device Group drop-down box and click Add at the bottom.
• Enter a Name for the Log Forwarding Profile Match List (for example, ALL-TRAFFIC-EXPEDITION).
• Under the Syslog section, click Add, and select the Syslog Server Profile you previously created.
• Click OK.
• Click on the security rule(s) you need to analyze and go to Actions. Click the Log Forwarding
drop-down box and select the log forwarding profile you created previously.
• Click OK.
• Click Commit and select Commit and Push. Click the Commit And Push button.
• Create a folder to store the logs received from firewalls and give it the appropriate permissions
using the following commands:
admin@expedition$sudo mkdir -p /PALogs/syslog
admin@expedition$sudo chown www-data /PALogs/syslog
admin@expedition$sudo chmod u=rwx,g=rwx,o=rwx /PALogs/syslog
• Create a syslog-ng configuration file to forward the firewall logs to our newly created folder.
admin@expedition$sudo nano /etc/syslog-ng/conf.d/firewalls.conf
##################################################
# Listen for syslog on UDP/514: the first network() source binds IPv6
# (ip-protocol(6)), the second binds IPv4 (the default).
source s_udp {
    network (
        ip-protocol(6)
        transport("udp")
        port(514)
    );
    network (
        transport("udp")
        port(514)
    );
};
##################################################
# One CSV file per sending firewall and per day; $HOST is the sender
# address or hostname as seen by syslog-ng.
destination d_host-specific {
    file("/PALogs/syslog/$HOST-$YEAR-$MONTH-$DAY.csv");
};
# Wire the UDP source to the per-host file destination.
log {
    source(s_udp);
    destination(d_host-specific);
};
Step 6 – Make sure incoming syslog traffic is allowed on the Expedition instance.
• Log into the Expedition instance using SSH, and enter the following command:
admin@expedition$sudo firewall-cmd --permanent --zone=public --add-port 514/udp
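The steps above (the php.ini check, the /PALogs/syslog folder, the syslog-ng configuration and the UDP/514 port) are easy to get subtly wrong, for example a commented-out `;mysqli.reconnect` line or a folder created before `chown`. The following pre-flight script is an added example, not part of the Palo Alto Networks document; it uses the paths the document gives as defaults and lets you pass different ones as arguments. The firewalld check assumes `firewall-cmd --list-ports` is available, as the document's Step 6 implies.

```shell
#!/bin/sh
# Pre-flight checks for the Expedition syslog collector setup (example code,
# not from the Expedition project). Each check returns 0 on success.

# Return 0 if the php.ini at $1 has an active (uncommented) "mysqli.reconnect = On".
check_mysqli_reconnect() {
    ini="$1"
    [ -r "$ini" ] || return 1
    # Lines starting with ';' are comments in php.ini; tolerate spaces around '='.
    grep -Eiq '^[[:space:]]*mysqli\.reconnect[[:space:]]*=[[:space:]]*On[[:space:]]*$' "$ini"
}

# Return 0 if $1 is a directory owned by $2 (default www-data) with owner rwx bits,
# so that Apache (www-data) can write the received logs there.
check_log_dir() {
    dir="$1"
    owner="${2:-www-data}"
    [ -d "$dir" ] || return 1
    actual_owner=$(ls -ld "$dir" | awk '{print $3}')
    [ "$actual_owner" = "$owner" ] || return 1
    # Owner permission triplet is characters 2-4 of the ls -ld mode string.
    perms=$(ls -ld "$dir" | cut -c2-4)
    [ "$perms" = "rwx" ]
}

# Return 0 if the syslog-ng conf at $1 listens on UDP/514 and writes under $2.
check_syslogng_conf() {
    conf="$1"
    logdir="${2:-/PALogs/syslog}"
    [ -r "$conf" ] || return 1
    grep -q 'transport("udp")' "$conf" || return 1
    grep -q 'port(514)' "$conf" || return 1
    grep -q "file(\"$logdir/" "$conf"
}

# Return 0 if firewalld reports 514/udp open in the public zone (Step 6).
check_syslog_port_open() {
    firewall-cmd --zone=public --list-ports 2>/dev/null | tr ' ' '\n' | grep -qx '514/udp'
}

# Run every check against the document's default paths and report failures.
run_all_checks() {
    rc=0
    for ini in /etc/php/7.0/apache2/php.ini /etc/php/7.0/cli/php.ini; do
        check_mysqli_reconnect "$ini" || { echo "FAIL: mysqli.reconnect is not On in $ini"; rc=1; }
    done
    check_log_dir /PALogs/syslog || { echo "FAIL: /PALogs/syslog missing, not owned by www-data, or not writable"; rc=1; }
    check_syslogng_conf /etc/syslog-ng/conf.d/firewalls.conf \
        || { echo "FAIL: firewalls.conf does not listen on UDP/514 or does not write to /PALogs/syslog"; rc=1; }
    check_syslog_port_open || { echo "FAIL: 514/udp is not open in firewalld zone public"; rc=1; }
    return $rc
}
```

Run `run_all_checks` as root on the Expedition host after completing the steps; a clean run prints nothing and exits 0. Note that the document's `chmod u=rwx,g=rwx,o=rwx` makes the folder world-writable, so anything on the host can append to or replace the collected CSVs; the check above only enforces the owner bits that Apache actually needs.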
• Log into the Expedition instance using SSH to create the datastore folder and assign ownership
and permissions.
admin@expedition$sudo mkdir /datastore
• From the Expedition GUI, go to DEVICES and click the + button on the top right to add the
Panorama device.
• The Panorama device should now appear in the list of IMPORTED DEVICES. Double-click the
device itself to open its configuration dialog box.
• In the Username and Password text boxes, type the credentials that will be used to access the
device and click Add. An API key will be generated automatically.
• Go to PANORAMA DEVICES and click Retrieve Connected Devices. After all devices
managed by Panorama have been retrieved, click Save. The managed devices should now
appear in the list of imported devices along with Panorama.
• Click Process Files. After a few seconds, a link should appear at the bottom of the dialog box. Clicking
it opens a new browser tab showing the status of the processing by the Spark engine. Keep
refreshing the tab until it displays an error, which indicates that processing is complete. Click Save.
Step 8 – Create a new Expedition project.
• From Expedition GUI, go to PROJECTS and click the + sign at the right to create a new project.
In the dialog box, type a Name for the project and select Greenfield ML as the purpose of the
project. Click Create Project.
• Double-click your project, then click on the IMPORT tab. Your devices should appear in the
DEVICES tab in the bottom pane. Select the Panorama device and click the Import Device button at
the bottom right. Device import starts, and after a few moments, the Global Summary page
under the Dashboard tab should appear.
• After the processing is complete, a list of learned security rules should appear in the Learning
Results pane. Before importing the rules into the project, you might want to review them. By clicking
on the arrow next to each column, you get a list of options that allow you to display the rules in the
way that makes them easiest for you to review. In our case, we want to group the rules by application
to review them. Additionally, the rules can be exported to an Excel file and shared for additional
review.
• In the list of API commands, locate the one specific to the new security rule we want to add (ID 15
in our case) and double-click it. Make sure that the selected device is the Panorama device in the
bottom drop-down box and click Send API Call. After a few moments, a “command succeeded”
message should appear.