I'm interested in blocking inbound traffic from known TOR exit nodes. I have the EDL but want to see what the impact of this policy will be before enabling it, so I'd like to search the traffic logs or run a custom report using the EDL like an address group. Our 7050 (9.0.9h-1) doesn't like the EDL as a search term. Is there a way to do this?
You can grab the addresses reported in the EDL from the firewall via CLI or SSH and script checking logs against them individually easily enough. By itself the logs don't have any knowledge of the EDLs and the search function will only search for address or address-group objects, it completely ignores EDLs.
This is primarily due to the sheer size supported by the EDLs. You wouldn't want the firewall to search through thousands of addresses when you attempt to pull search results.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!