topic Re: IP Wildcard in custom report? in General Topics

IP Wildcard in custom report?

RobinClayton — Fri, 16 Feb 2018 12:17:45 GMT

I have a custom report, I need to exclude 40 Instances of

192.168.x.100 to dest port (1234 or 1235)

is there a short way to do this or am I faced with 40 repeating lines like this....

( addr.src notin 192.168.10.100 and ((port.dst neq 1234) or (port.dst neq 1235)))

and

( addr.src notin 192.168.10.100 and ((port.dst neq 1234) or (port.dst neq 1235)))

and

( addr.src notin 192.168.10.100 and ((port.dst neq 1234) or (port.dst neq 1235)))

and

Re: IP Wildcard in custom report?

RobinClayton — Fri, 16 Feb 2018 13:05:03 GMT

Wow this is proving to be frustrating...

Although I can run myu LARGE query , I can't save it as there is a 2048 Character limit..

I tried by host name "Branch Office * "

But the * wildcard does nothing....

Re: IP Wildcard in custom report?

BPry — Fri, 16 Feb 2018 15:38:06 GMT

You can't use wildcard in query, therefor you can't utilize it within the custom report.

Re: IP Wildcard in custom report?

RobinClayton — Fri, 16 Feb 2018 15:41:30 GMT

Any idea how I can excluded the 40 entries from the report then?

Cheers

Rob

Re: IP Wildcard in custom report?

BPry — Fri, 16 Feb 2018 15:43:54 GMT

@RobinClayton,

It looks like your trying to obfuscate your actual query, which I can understand, but you've done it to the degree that you'll need to let on a little bit more on what you are actually trying to do.

What actually changes in your query? The src IP, the negated ports, from what you have displayed your query doesn't make much sense.

Re: IP Wildcard in custom report?

RobinClayton — Fri, 16 Feb 2018 15:51:43 GMT

Was an error in my obfuscation, the third octet changes

( addr.src notin 192.168.10.100 and ((port.dst neq 1234) or (port.dst neq 1235)))

and

( addr.src notin 192.168.11.100 and ((port.dst neq 1234) or (port.dst neq 1235)))

and

( addr.src notin 192.168.12.100 and ((port.dst neq 1234) or (port.dst neq 1235)))

and

Re: IP Wildcard in custom report?

RobinClayton — Mon, 19 Feb 2018 14:25:59 GMT

anyone think of a solution??

Thanks

Robin

Re: IP Wildcard in custom report?

clonesheep — Mon, 19 Feb 2018 15:02:05 GMT

Use a host range? something like a.a.a.a /CIDR

( addr.src notin 192.168.0.0/16 and ((port.dst neq 1234) or (port.dst neq 1235))

then you have all 192.168.0.0 to 192.168.255.255 or set this to "192.168.10.100 - 192.168.20.100"

Look here.. https://live.paloaltonetworks.com/t5/Featured-Articles/Basics-of-Traffic-Monitor-Filtering/ta-p/65244

or do I get it wrong?

Re: IP Wildcard in custom report?

BPry — Mon, 19 Feb 2018 15:41:31 GMT

I don't think the solution that @clonesheep mentioned is going to work here because you vary the third octet. You could do the entire range and just negate the specific destination ports that you don't want in the report; but I'm guessing that if that was an option you would have already done so.

If you don't care about the logs for this traffic at all, for example if it's AD traffic you are trying to ignore, you could push out a security policy that didn't actually have any logging enabled. That way you wouldn't have to worry about the logs at all, you could run the reports as needed, and if you have an issue you could simply update the policy to enable logging again. Maybe that would be a solution?

Re: IP Wildcard in custom report?

RobinClayton — Mon, 19 Feb 2018 16:02:42 GMT

Think I have it now, I am not sure if the logic was just wrong somewhere or if the parsing is not quite what I was expecting.

Anyway i changed where the "not s " were

and made the whole match "and not" instead of "not"

That's sorted it, not very elegant but works, not sure how many characters it takes up and what the maximum would be. Certainly it's not going to be great if we need more exclusions for other items.

(action neq allow)
and
(zone.src eq TRUST)
and
(zone.dst eq UNTRUST)
and not
((( addr.src in 10.100.20.123 )
or( addr.src in 10.100.21.123 )
or( addr.src in 10.100.22.123 )
or( addr.src in 10.100.23.123 )
or( addr.src in 10.100.24.123 )
or( addr.src in 10.100.25.123 )
or( addr.src in 10.100.26.123 )
or( addr.src in 10.100.27.123 )
or( addr.src in 10.100.28.123 )
or( addr.src in 10.100.29.123 )
or( addr.src in 10.100.30.123 )
or( addr.src in 10.100.31.123 )
or( addr.src in 10.100.32.123 )
or( addr.src in 10.100.33.123 )
or( addr.src in 10.100.34.123 )
or( addr.src in 10.100.35.123 )
or( addr.src in 10.100.36.123 )
or( addr.src in 10.100.37.123 )
or( addr.src in 10.100.38.123 )
or( addr.src in 10.100.39.123 )
or( addr.src in 10.100.40.123 )
or( addr.src in 10.100.41.123 )
or( addr.src in 10.100.42.123 )
or( addr.src in 10.100.43.123 )
or( addr.src in 10.100.44.123 )
or( addr.src in 10.100.45.123 )
or( addr.src in 10.100.46.123 )
or( addr.src in 10.100.47.123 )
or( addr.src in 10.100.48.123 )
or( addr.src in 10.100.49.123 )
or( addr.src in 10.100.50.123 )
or( addr.src in 10.100.51.123 )
or( addr.src in 10.100.52.123 )
or( addr.src in 10.100.53.123 )
or( addr.src in 10.100.54.123 )
or( addr.src in 10.100.55.123 )
or( addr.src in 10.100.56.123 )
) and ((port.dst eq 8800)
or (port.dst eq 12366)))