Wondering if there's a way to filter the results from ML to only show results for destination IPs in the 10.0.0.0/8 range? I'm building out a greenfield rulebase and would prefer to ignore any suggested rules for external networks at this stage.
I tried the below but it doesn't seem to work.
In your project, in the M.Learning tab, you can set your enabled networks to only include internal stuff that you want to make rules for. Once you have analyzed the enabled networks, doing m.learning on any policies should only reflect that new IP space.
Replied too fast just now!
I typically go slowly when building filters and sorting the machine learning results in greenfield. Personally I like to add application column, group by dst-address or src-address, then sort on that field. Can use default view that groups by app to show some higher-risk apps like rdp or ssh and start breaking rules out like that, but I usually end up grouping by IP since customer has inventory that they are working from and we go down that list to make sure we cover everything. My case is assuming 5000+ hosts in the environment, so the recommendations get noisy.
Once you're grouping by IP, can easily add filter there. FWIW, the filters aren't amazing (10.10.10.10 will match 10.10.10.100 too), but they help a ton if you can layer the filters on results.
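The substring caveat in the reply above, shown next to network-aware matching. This is an added example, not code from the thread or from the tool; it assumes the results are available outside the tool as rows with `src`, `dst` and `app` columns, and both the column names and the sample rows are constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample rows; the column names are an assumption, not the tool's format.
SAMPLE = """src,dst,app
10.1.2.3,10.10.10.10,ssh
10.1.2.4,10.10.10.100,ms-rdp
10.1.2.3,8.8.8.8,dns
192.168.5.9,110.0.0.7,web-browsing
10.1.2.5,10.10.10.10,ms-rdp
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")

def load(text=SAMPLE):
    return list(csv.DictReader(io.StringIO(text)))

def substring_filter(rows, needle):
    # Text matching: "10.10.10.10" also hits 10.10.10.100,
    # and "10.0.0." also hits the external address 110.0.0.7.
    return [r for r in rows if needle in r["dst"]]

def network_filter(rows, network=INTERNAL):
    # Parse each destination and test membership in the network instead.
    keep = []
    for r in rows:
        try:
            addr = ipaddress.ip_address(r["dst"].strip())
        except ValueError:
            continue  # not an IP literal (for example an FQDN); skip it
        if addr in network:
            keep.append(r)
    return keep

def group_by_dst(rows):
    # Group the applications seen per destination, ordered numerically by address.
    groups = defaultdict(set)
    for r in rows:
        groups[r["dst"]].add(r["app"])
    ordered = sorted(groups, key=ipaddress.ip_address)
    return {dst: sorted(groups[dst]) for dst in ordered}

if __name__ == "__main__":
    for dst, apps in group_by_dst(network_filter(load())).items():
        print(dst, ", ".join(apps))
```

Passing a /32 network to `network_filter` gives the exact-host match that the text filter cannot.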