What are the AIOps plugin FAQ's?
10042
Created On 06/01/22 21:27 PM - Last Modified 06/20/23 18:54 PM
Question
What are the AIOps plugin Frequently Asked Questions?
Environment
AIOps Plugin for Panorama
Answer
Q: What is the AIOps plugin for Panorama?
A: It is the plugin required in order to use the Proactive BPA (Best Practice Assessment) service. This plugin will be responsible for extracting the Panorama candidate configuration and uploading to the cloud service for analysis during the commit/validate job. The plugin will either allow commit or block commit based on the verdict it receives from the cloud service. The commit on Panorama will have to get a green light from AIOps plugin for successful commit.
Q: What is required to get ready?
A: All items below. (For more info see AIOps Plugin for Panorama )
- Panorama running PAN-OS 10.2.1 or newer
- AIOps plugin installed
- Panorama needs to have Premium license of AIOps associated with a customer account/AIOps instance.
- Premium AIOps instance
- Device certificate installed on Panorama (Install the Panorama Device Certificate )
- Existing Device Telemetry feature is enabled (Enable Device Telemetry )
- A Security Rule to allow traffic to the upstreaming device on the network (see next question for more info)
Q: What traffic needs to be allowed in upstreaming devices.
A: If your traffic passes through network equipment you will need to allow the FQDN to ensure communication. See link below for the list of FQDN's to allow which includes Domains to Access AIOps for NGFW and App-IDs and Domains to Send Telemetry.
Q: Does Telemetry data (uploaded by existing Telemetry feature) affect the verdict seen in the AIOps plugin feature?
A: No. Only configuration used for commit on Panorama is analyzed as a data source.
Q: Is there a list of BPA (Best Practice Assessment) violations?
A: Yes. From the AIOps for NGFW App click Instance Settings > Security Checks there is a list of BPA.
Q: Will a BPA violation cause a commit block by default?
A: No, by default, any BPA violations are reported as "alert" in AIOps instance.
In order to block commit, you need to change plugin action to "fail commit" in Settings > Security Checks in the AIOps section.
Note: In case of commit block, only blocked BPAs and their details are shown in the commit message. No other detail for "alert" BPA will be shown in commit message. Additionally, any alerts on the blocked config will not show in AIOps in case of commit block.
Q: How can I disable the proactive BPA commit-block feature?
A: You can disable the feature by running the command request plugin aiops commit-block disable from the Panorama CLI
Note: This command will not only disable the “commit-block”, it also does not send the config to the cloud service and no further action on the plugin feature.
Q: Can we see the status of cloud connection and plugin state?
A: Yes, from the Panorama CLI run "show plugins aiops status"