03-31-2011 06:44 AM
I was wondering if wildcards are supported in the reporting interface of Panorama?
Actually, I would like to run a very specific query on the traffic log. In the normal traffic log we see all the traffic of all our users.
I would like to report on the traffic patterns of a certain kind of domain user. Therefore, I need to be able to single them out.
IP addresses or IP ranges are not a working scenario. So I was wondering if I could use wildcards in any kind of report or query on Panorama.
We are running PAN-OS 3.1.6.
03-31-2011 07:17 AM
Hi There,
You can use subnets - (addr in 192.168.1.0/24)
Or you can search on AD Domain Groups: (user in 'impressive\domain users')
Thanks
James
04-04-2011 05:36 AM
James,
Thanks for your answer.
The AD domain group is not working for us (although it could have been a solution).
We have different types of users in one and the same AD group, and I want to isolate a particular group of users in that domain group.
Let me give you an example:
In AD Domain Group 'impressive\domain users' we have three types of users with a predefined format for their user-IDs:
AB000001
AB000002
...
...
...
AB099999
TR000001
TR000002
...
...
...
TR099999
ZD0000001
ZD0000002
...
...
...
ZD0999999
The user-IDs which start with ZD have more digits than the user-IDs with "AB" and "TR". Our AD organisation is historical, and making changes to the AD for reporting reasons is not feasible.
I would be interested to see if there is a significant difference in behaviour between the three groups. So I would like to make one report for each user group:
'impressive\domain users\AB*' (where * would be a wildcard disregarding the number of digits or characters)
'impressive\domain users\TR*' (where * would be a wildcard disregarding the number of digits or characters)
'impressive\domain users\ZD*' (where * would be a wildcard disregarding the number of digits or characters)
OR
'impressive\domain users\AB??????' (where ? would be a wildcard for one character)
'impressive\domain users\TR??????' (where ? would be a wildcard for one character)
'impressive\domain users\ZD???????' (where ? would be a wildcard for one character)
I'm not sure it's doable, taking into account that we have 10,000+ users going through our device and that we currently have 700 GB of logging data on the Panorama server.
Wildcards would be the most flexible and easiest solution. We also do not correlate group data with users in Panorama. We have a lot of groups and users, and the PA agent takes a lot of time to read the group memberships.
04-04-2011 09:52 AM
Hi There,
You may need to contact your local sales team to file a feature request.
Many Thanks
James
04-05-2011 09:16 AM
You could experiment with adding monitoring-specific groups in your AD and using these in the filters ...
e.g.: add groups monitoringAB, monitoringTR and monitoringZD, add the users to them and then filter for impressive\monitoringAB
regards
Tom
08-23-2023 01:43 AM
Hello,
I know this thread is pretty old, but is there a solution yet? An AD group is not a solution, it is a workaround for a specific use case, which will not work in my case.
Regex is/should be a pretty good standard for filtering stuff.
Best Regards
Phil
08-27-2023 12:29 AM
Hi @Dat_Phil
No, not yet. In PAN-OS/Panorama you only have the existing filter possibilities, but no wildcard or regex. If you really need that, unfortunately there is no other way than using a third-party solution like Splunk to filter for exactly what you need.
Or you can tell us more about your specific use case - maybe someone knows a solution to it without buying additional software or using additional tools.
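Since the thread concludes that the PAN-OS/Panorama log filter has no wildcard or regex support, the practical alternative short of a SIEM is to export the traffic log to CSV from Panorama and do the pattern matching outside the box. The script below is an added example, not code from the original posts or from Palo Alto Networks: it buckets sessions by the user-ID formats described in the thread (AB + 6 digits, TR + 6 digits, ZD + 7 digits) using a regex per group, and treats anything else, including a ZD account with the wrong number of digits or an empty Source User, as unclassified. The column names "Source User", "Bytes" and "Application" are assumed to match a PAN-OS traffic CSV export; check the header of your own export and adjust. The embedded log rows are constructed sample data.

```python
import csv
import io
import re
from collections import Counter, defaultdict
from typing import Optional

# User-ID formats from the thread: AB/TR are 2 letters + 6 digits, ZD is 2 letters + 7 digits.
# fullmatch is used so that e.g. ZD000001 (only 6 digits) is NOT counted as a ZD account.
GROUP_PATTERNS = {
    "AB": re.compile(r"AB\d{6}"),
    "TR": re.compile(r"TR\d{6}"),
    "ZD": re.compile(r"ZD\d{7}"),
}

# Assumed PAN-OS/Panorama traffic-log CSV column names; verify against your export header.
USER_COL = "Source User"
BYTES_COL = "Bytes"
APP_COL = "Application"

# Constructed sample rows in the shape of a Panorama traffic-log CSV export (not real data).
SAMPLE_CSV = """Receive Time,Source User,Source address,Destination address,Application,Bytes
2023/08/27 10:00:01,impressive\\AB000001,10.1.1.10,93.184.216.34,web-browsing,15230
2023/08/27 10:00:02,impressive\\TR000042,10.1.2.20,142.250.74.46,ssl,88210
2023/08/27 10:00:03,impressive\\ZD0000007,10.1.3.30,40.97.160.2,ms-exchange,4096
2023/08/27 10:00:04,impressive\\ab099999,10.1.1.11,93.184.216.34,web-browsing,2048
2023/08/27 10:00:05,impressive\\ZD000001,10.1.3.31,8.8.8.8,dns,512
2023/08/27 10:00:06,,10.1.9.9,8.8.8.8,dns,128
2023/08/27 10:00:07,impressive\\svc-backup,10.1.9.10,10.1.9.11,ssh,1000000
"""


def classify_user(source_user: str) -> Optional[str]:
    """Map a 'domain\\account' (or bare account) value to a group name, or None."""
    if not source_user:
        return None
    # PAN-OS prefixes the User-ID with the domain ('impressive\'); keep only the account part.
    account = source_user.rsplit("\\", 1)[-1]
    # Account names are matched case-insensitively (assumption: AD sAMAccountNames are).
    for name, pattern in GROUP_PATTERNS.items():
        if pattern.fullmatch(account.upper()):
            return name
    return None


def summarize(csv_text: str) -> dict:
    """Per-group session count, byte total and application mix from exported CSV text."""
    stats = defaultdict(lambda: {"sessions": 0, "bytes": 0, "apps": Counter()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        group = classify_user(row.get(USER_COL, "")) or "UNCLASSIFIED"
        entry = stats[group]
        entry["sessions"] += 1
        try:
            entry["bytes"] += int(row.get(BYTES_COL) or 0)
        except ValueError:
            pass  # tolerate a malformed Bytes cell rather than abort the whole report
        entry["apps"][row.get(APP_COL, "")] += 1
    return dict(stats)


def report(stats: dict) -> str:
    """Render one line per group: sessions, bytes and top applications."""
    lines = []
    for group in sorted(stats):
        entry = stats[group]
        top_apps = ", ".join(f"{app}:{n}" for app, n in entry["apps"].most_common(3))
        lines.append(f"{group:13s} sessions={entry['sessions']:<5d} bytes={entry['bytes']:<10d} apps={top_apps}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Replace SAMPLE_CSV with open("traffic.csv").read() for a real Panorama export.
    print(report(summarize(SAMPLE_CSV)))
```

Reviewing the UNCLASSIFIED bucket is the useful check here: it is where service accounts, unmapped sessions and accounts that only look like one of the patterns (the six-digit ZD000001 above) end up, which is exactly what a `ZD*` wildcard filter would have silently swept in.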