Panorama M600 PANOS v11.2.4-h2
Firewall PA-3260 PANOS v10.1.7
Expedition VM v1.2.102

Let me preface this with: I need the logs from Panorama (30 days) because the local Firewall does not store that many days' worth... and syslog isn't an option. If I export from the Firewall, Expedition supports and processes the file successfully. If I export from Panorama, Expedition reports 'unsupported'.
As an attempt to circumvent Expedition, I compared the two .csv files and changed Panorama to match:
- remove (5) Panorama columns (not in the Firewall .csv):
  - AI Traffic
  - AI Forward Error
  - flow_type
  - cluster_name
  - K8S Cluster ID
- delete data in column 'XFF address' to match the Firewall
- change 'Domain' column data from '0' to '1'
- change 'Config Version' column from '0' to '2561' to match the Firewall

** This allowed Expedition to recognize the file and start the processing; however, it still fails to fully complete the processing.

Is this an Expedition bug? Is there another way around the issue? Is there something I'm missing in the Panorama .csv file that I can change to allow Expedition to process it successfully? How does Expedition distinguish a file from Panorama versus a file from the Firewall?

I've attached a sample of the Panorama exported firewall traffic logs .csv file for review (in .ZIP).
** Some information skewed and/or renamed in the file to make the data generic.

Any assistance and direction is helpful and appreciated! Thank you.
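The manual column edits listed in the post, scripted over a Panorama traffic-log export, as an added example that is not part of the original post and not Expedition's or Palo Alto Networks' code. The column names come from the post; the sample rows are constructed, and `header_diff` shows the first check worth running when Expedition rejects a file: which header columns differ between the two exports.

```python
import csv
import io

# Columns the post reports only in the Panorama export (absent from the firewall .csv)
PANORAMA_ONLY_COLUMNS = {"AI Traffic", "AI Forward Error", "flow_type",
                         "cluster_name", "K8S Cluster ID"}

def header_diff(panorama_csv, firewall_csv):
    """Return (only_in_panorama, only_in_firewall) header names, in file order."""
    p_hdr = next(csv.reader(io.StringIO(panorama_csv)))
    f_hdr = next(csv.reader(io.StringIO(firewall_csv)))
    return ([c for c in p_hdr if c not in f_hdr], [c for c in f_hdr if c not in p_hdr])

def convert_row(row):
    """Apply the post's manual edits to one Panorama row (a dict from DictReader)."""
    out = {k: v for k, v in row.items() if k not in PANORAMA_ONLY_COLUMNS}
    if "XFF address" in out:               # firewall export carries no XFF data
        out["XFF address"] = ""
    if out.get("Domain") == "0":           # post: Domain '0' -> '1'
        out["Domain"] = "1"
    if out.get("Config Version") == "0":   # post: Config Version '0' -> '2561'
        out["Config Version"] = "2561"
    return out

def convert_panorama_csv(panorama_csv):
    """Rewrite a whole Panorama traffic-log export into firewall-style CSV text."""
    reader = csv.DictReader(io.StringIO(panorama_csv))
    fields = [c for c in reader.fieldnames if c not in PANORAMA_ONLY_COLUMNS]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow(convert_row(row))
    return buf.getvalue()

# Constructed sample rows (not from the attached file); column set trimmed for brevity
PANORAMA_SAMPLE = (
    "Domain,Receive Time,Source address,XFF address,Config Version,"
    "AI Traffic,AI Forward Error,flow_type,cluster_name,K8S Cluster ID\n"
    "0,2024/01/01 00:00:01,10.0.0.5,203.0.113.9,0,0,0,,,\n"
    "0,2024/01/01 00:00:02,10.0.0.6,,0,0,0,,,\n"
)
FIREWALL_SAMPLE = (
    "Domain,Receive Time,Source address,XFF address,Config Version\n"
    "1,2024/01/01 00:00:01,10.0.0.5,,2561\n"
)

if __name__ == "__main__":
    print(header_diff(PANORAMA_SAMPLE, FIREWALL_SAMPLE))
    print(convert_panorama_csv(PANORAMA_SAMPLE))
```

Run `header_diff` on the real exports first; a column set that still differs after the conversion is the likeliest reason Expedition treats the file as a different format.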