topic Re: PAN-OS 7.1 change to query interpretation in General Topics

PAN-OS 7.1 change to query interpretation

djr — Thu, 01 Dec 2016 12:44:21 GMT

I have a report which has been working fine for ages then it has just stopped, possibly when we upgraded from 6.1.14 to 7.1.6

The report has just stopped returning any data, so I looked into the query string and found that one element of the query seems to be causing the problem

The original query was:

((filename contains DVD) or (filename contains dvd) or (filename contains 1080p)) and not (filename contains .swf) and (user.dst neq '')

But it works if I take the dot off the swf file extension so this works:

((filename contains DVD) or (filename contains dvd) or (filename contains 1080p)) and not (filename contains swf) and (user.dst neq '')

So that means that between v6.1 and 7.1 the dot has become significant. I tried a couple of ways to "escape" it, but neither worked, so is there a way to allow a dot in the query string?

Re: PAN-OS 7.1 change to query interpretation

BPry — Thu, 01 Dec 2016 13:49:22 GMT

The filetype has dropped the '.' on the name. So you'll see 'pdf' in the logs instead of '.pdf'

Re: PAN-OS 7.1 change to query interpretation

djr — Thu, 01 Dec 2016 15:08:42 GMT

I dropped the dot in the filetype to make the report work again - that's what I am posting about. If you include the dot, the report finds no matches. However it used to work fine in V6.1 with the dot included. Without it, the query will match any filename with swf in it rather than only those with ".swf". Still not perfect but more likely to be an extension than without the dot.

That's why I asked if there is a way to allow a dot in the query string now that V7.1 behaves differently

Re: PAN-OS 7.1 change to query interpretation

BPry — Thu, 01 Dec 2016 15:49:01 GMT

Just generate the report with the query (filetype eq swf) and it will include only the swf file type instead of searching for swf across the whole filename

Re: PAN-OS 7.1 change to query interpretation

djr — Thu, 01 Dec 2016 16:02:32 GMT

Except there is no filetype variable available in the query builder?

Re: PAN-OS 7.1 change to query interpretation

BPry — Thu, 01 Dec 2016 19:05:35 GMT

Where are you trying to generate this report and what database are you running the query against?

Re: PAN-OS 7.1 change to query interpretation

djr — Mon, 05 Dec 2016 15:44:26 GMT

It's a custom report in Panorama, using the Panorama Data Filtering log. As I said, it is querying the whole filename including the suffix, it is just that the query will no longer allow me to use the "." character in the query.

Re: PAN-OS 7.1 change to query interpretation

BPry — Mon, 05 Dec 2016 16:01:01 GMT

That makes sense, filetype is only available in wildfire which is where I thought you were searching for this info. The (filename contains .swf) query works perfectly fine on a standalone PA-200 and PA-3020 that I tested it on.

Potentially this is an issue due to running it through Panorama? Can you try to run the query on just one of the devices you are trying to target and see if it works properly?

Re: PAN-OS 7.1 change to query interpretation

djr — Wed, 14 Dec 2016 17:10:52 GMT

I raised it with support and they have confirmed it's a bug so it will be fixed in a future patch release.

Thanks