05-02-2011 08:16 AM
I want to create a custom report to identify all users that are not identified by the PALO-ALTO.
I can do that with the traffic log with the filter: not (user.src neq '') (I do a negate on "user is present").
I can see the unknown users in real time in the CLI with: show user ip-user-mapping | match unknow
But with the custom report filter it is not possible to use "negate", and the blank space doesn't work.
I can just use (=, in, is present, not in, !=) for the source user column.
And I don't know how to see which IPs match no user during a period.
PS: when I create a report with destination hostname I see the hostname correctly, but when I do an export I see the IP address, not the hostname!
05-11-2011 08:58 PM
Currently there is no way from the WebUI to add a custom rule with a search value of NO user. I would send a feature request to your SE.
There is, however, a workaround for this. The "is present" search string creates a value which you can change in the XML manually.
If you export your XML and search for the rule name you will see this: <query>user.src neq ''</query>. You can change the neq to eq and reimport the config, which will change the rule to user = <blank value>, and it will search for users without a username.
Hope this helps.
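The manual edit described in the reply above, scripted so that only the named report is touched instead of every "is present" query in the file. This is an added example, not part of the original thread and not Palo Alto code; the sample XML layout, the report names and the second query are constructed, and only the <query>user.src neq ''</query> text comes from the thread.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample standing in for an exported config. Only the first
# <query> text is from the thread; the surrounding layout is assumed.
SAMPLE_CONFIG = """<config>
  <reports>
    <entry name="unknown-users">
      <query>user.src neq ''</query>
    </entry>
    <entry name="known-users-web">
      <query>(user.src neq '') and (app eq web-browsing)</query>
    </entry>
  </reports>
</config>"""

# The clause the WebUI writes for "is present" on the source user column.
IS_PRESENT = re.compile(r"user\.src\s+neq\s+''")


def flip_to_blank_user(config_xml, report_name):
    """Rewrite user.src neq '' to user.src eq '' inside one named report.

    Returns (new_xml, number_of_clauses_changed). Reports with a different
    name are left untouched, unlike a global search and replace.
    """
    root = ET.fromstring(config_xml)
    changed = 0
    for entry in root.iter("entry"):
        if entry.get("name") != report_name:
            continue
        for query in entry.iter("query"):
            new_text, n = IS_PRESENT.subn("user.src eq ''", query.text or "")
            if n:
                query.text = new_text
                changed += n
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    new_xml, count = flip_to_blank_user(SAMPLE_CONFIG, "unknown-users")
    if count == 0:
        raise SystemExit("report not found or no 'is present' clause; nothing changed")
    print(new_xml)
```

A return count of 0 means the report name did not match or the query had no "is present" clause, so the file should not be reimported.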