02-16-2018 04:17 AM
I have a custom report, I need to exclude 40 Instances of
192.168.x.100 to dest port (1234 or 1235)
is there a short way to do this or am I faced with 40 repeating lines like this....
( addr.src notin 192.168.10.100 and ((port.dst neq 1234) or (port.dst neq 1235)))
and
( addr.src notin 192.168.10.100 and ((port.dst neq 1234) or (port.dst neq 1235)))
and
( addr.src notin 192.168.10.100 and ((port.dst neq 1234) or (port.dst neq 1235)))
and
02-16-2018 05:05 AM
Wow this is proving to be frustrating...
Although I can run my LARGE query, I can't save it as there is a 2048 character limit..
I tried by host name "Branch Office * "
But the * wildcard does nothing....
02-16-2018 07:38 AM
You can't use a wildcard in a query, therefore you can't utilize it within the custom report.
02-16-2018 07:41 AM
Any idea how I can excluded the 40 entries from the report then?
Cheers
Rob
02-16-2018 07:43 AM
It looks like you're trying to obfuscate your actual query, which I can understand, but you've done it to the degree that you'll need to let on a little bit more about what you are actually trying to do.
What actually changes in your query? The src IP, the negated ports, from what you have displayed your query doesn't make much sense.
02-16-2018 07:51 AM
Was an error in my obfuscation, the third octet changes
( addr.src notin 192.168.10.100 and ((port.dst neq 1234) or (port.dst neq 1235)))
and
( addr.src notin 192.168.11.100 and ((port.dst neq 1234) or (port.dst neq 1235)))
and
( addr.src notin 192.168.12.100 and ((port.dst neq 1234) or (port.dst neq 1235)))
and
02-19-2018 06:25 AM
anyone think of a solution??
Thanks
Robin
02-19-2018 07:02 AM
Use a host range? something like a.a.a.a /CIDR
( addr.src notin 192.168.0.0/16 and ((port.dst neq 1234) or (port.dst neq 1235))
then you have all 192.168.0.0 to 192.168.255.255 or set this to "192.168.10.100 - 192.168.20.100"
Look here.. https://live.paloaltonetworks.com/t5/Featured-Articles/Basics-of-Traffic-Monitor-Filtering/ta-p/6524...
or do I get it wrong?
02-19-2018 07:41 AM
I don't think the solution that @clonesheep mentioned is going to work here because you vary the third octet. You could do the entire range and just negate the specific destination ports that you don't want in the report; but I'm guessing that if that was an option you would have already done so.
If you don't care about the logs for this traffic at all, for example if it's AD traffic you are trying to ignore, you could push out a security policy that didn't actually have any logging enabled. That way you wouldn't have to worry about the logs at all, you could run the reports as needed, and if you have an issue you could simply update the policy to enable logging again. Maybe that would be a solution?
02-19-2018 08:02 AM
Think I have it now, I am not sure if the logic was just wrong somewhere or if the parsing is not quite what I was expecting.
Anyway I changed where the "not"s were
and made the whole match "and not" instead of "not"
That's sorted it, not very elegant but works, not sure how many characters it takes up and what the maximum would be. Certainly it's not going to be great if we need more exclusions for other items.
(action neq allow)
and
(zone.src eq TRUST)
and
(zone.dst eq UNTRUST)
and not
((( addr.src in 10.100.20.123 )
or( addr.src in 10.100.21.123 )
or( addr.src in 10.100.22.123 )
or( addr.src in 10.100.23.123 )
or( addr.src in 10.100.24.123 )
or( addr.src in 10.100.25.123 )
or( addr.src in 10.100.26.123 )
or( addr.src in 10.100.27.123 )
or( addr.src in 10.100.28.123 )
or( addr.src in 10.100.29.123 )
or( addr.src in 10.100.30.123 )
or( addr.src in 10.100.31.123 )
or( addr.src in 10.100.32.123 )
or( addr.src in 10.100.33.123 )
or( addr.src in 10.100.34.123 )
or( addr.src in 10.100.35.123 )
or( addr.src in 10.100.36.123 )
or( addr.src in 10.100.37.123 )
or( addr.src in 10.100.38.123 )
or( addr.src in 10.100.39.123 )
or( addr.src in 10.100.40.123 )
or( addr.src in 10.100.41.123 )
or( addr.src in 10.100.42.123 )
or( addr.src in 10.100.43.123 )
or( addr.src in 10.100.44.123 )
or( addr.src in 10.100.45.123 )
or( addr.src in 10.100.46.123 )
or( addr.src in 10.100.47.123 )
or( addr.src in 10.100.48.123 )
or( addr.src in 10.100.49.123 )
or( addr.src in 10.100.50.123 )
or( addr.src in 10.100.51.123 )
or( addr.src in 10.100.52.123 )
or( addr.src in 10.100.53.123 )
or( addr.src in 10.100.54.123 )
or( addr.src in 10.100.55.123 )
or( addr.src in 10.100.56.123 )
) and ((port.dst eq 8800)
or (port.dst eq 12366)))
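As an added example (not from the thread and not Palo Alto Networks' own code), the Python below builds the "and not" exclusion clause from a list of hosts and ports so the repeated lines do not have to be typed by hand, checks the assembled query against the 2048-character save limit reported earlier in the thread, and evaluates both formulations from the thread against a few constructed sessions. The comparison shows the reason the first version misbehaved: `(port.dst neq 1234) or (port.dst neq 1235)` is true for every port, so that form excludes all traffic from the listed hosts rather than only traffic to the two ports. The host list, ports and session records are constructed for the example; the filter keywords follow the syntax shown in the posts.

```python
"""Build and sanity-check a log-filter exclusion clause.

Added example, not code from the thread. The filter string follows the
syntax shown in the posts (addr.src in X, port.dst eq N, and/or/not); the
two keep_* functions model the thread's two formulations in plain Python
so they can be compared on constructed sample sessions.
"""
from ipaddress import ip_address

# Constructed values mirroring the final post: 10.100.20.123 .. 10.100.56.123
EXCLUDED_HOSTS = [f"10.100.{octet}.123" for octet in range(20, 57)]
EXCLUDED_PORTS = [8800, 12366]
BASE_TERMS = ["action neq allow", "zone.src eq TRUST", "zone.dst eq UNTRUST"]
SAVE_LIMIT = 2048  # character limit the thread reports for saved custom reports


def build_exclusion(hosts, ports):
    """Return the 'and not (...)' clause that excludes flows from any listed
    host to any listed port, in the structure of the thread's final query."""
    for h in hosts:
        ip_address(h)  # raises ValueError on a typo in the generated list
    host_terms = " or ".join(f"( addr.src in {h} )" for h in hosts)
    port_terms = " or ".join(f"(port.dst eq {p})" for p in ports)
    return f"and not (({host_terms}) and ({port_terms}))"


def build_report_filter(base_terms, hosts, ports):
    """Join the positive match terms with 'and', then append the exclusion."""
    base = "\nand\n".join(f"({t})" for t in base_terms)
    return base + "\n" + build_exclusion(hosts, ports)


def fits_save_limit(query, limit=SAVE_LIMIT):
    """True if the assembled query can be saved under the reported limit."""
    return len(query) <= limit


def keep_original(session, hosts, ports):
    """First-post formulation, ANDed over every host:
    (addr.src notin h and ((port.dst neq p1) or (port.dst neq p2))).
    With two distinct ports the port clause is always true, so this drops
    every session from a listed host whatever its destination port."""
    return all(
        session["src"] != h and any(session["port"] != p for p in ports)
        for h in hosts
    )


def keep_final(session, hosts, ports):
    """Final-post formulation: and not ((src in hosts) and (port in ports))."""
    return not (session["src"] in set(hosts) and session["port"] in set(ports))


# Constructed sessions: only indices 0 and 3 should be excluded.
SAMPLE_SESSIONS = [
    {"src": "10.100.20.123", "port": 8800},   # listed host, listed port
    {"src": "10.100.20.123", "port": 443},    # listed host, other port
    {"src": "10.100.99.5",   "port": 8800},   # other host, listed port
    {"src": "10.100.56.123", "port": 12366},  # listed host, listed port
]


def compare(sessions=SAMPLE_SESSIONS, hosts=EXCLUDED_HOSTS, ports=EXCLUDED_PORTS):
    """Return (indices kept by the original form, indices kept by the final form)."""
    orig = [i for i, s in enumerate(sessions) if keep_original(s, hosts, ports)]
    final = [i for i, s in enumerate(sessions) if keep_final(s, hosts, ports)]
    return orig, final


if __name__ == "__main__":
    query = build_report_filter(BASE_TERMS, EXCLUDED_HOSTS, EXCLUDED_PORTS)
    print(query)
    print(f"{len(query)} characters, fits save limit: {fits_save_limit(query)}")
    print("kept by original / final formulation:", compare())
```

Generating the clause from a list also makes the next round of exclusions a one-line change, and the length check tells you before pasting whether the report can still be saved.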