Using wildcards in a query on the traffic log and in custom reports


I was wondering if wildcards are supported on the reporting interface of the Panorama?

Actually I would like to run a very specific query on the traffic log. In the normal traffic log we see all the traffic of all our users.

I would like to report on the traffic patterns based on a certain kind of domain users. Therefore I need to be able to single them out.

IP addresses or IP ranges are not a working scenario. So I was wondering if I could use wildcards in any kind of reports and queries on Panorama.

We are running PANOS-3.1.6.


Hi There,

You can use subnets - (addr in 192.168.1.0/24)

Or you can search on AD Domain Groups: (user in 'impressive\domain users')

Thanks

James

James,

Thanks for your answer.

The AD domain group is not working for us (although it could have been a solution).

We have different types of users in one and the same AD-group, and I want to isolate a particular group of users in that domain group.

Let me give you an example:

In AD Domain Group 'impressive\domain users' we have three types of users with a predefined format for their user-IDs:

AB000001
AB000002
...
AB099999

TR000001
TR000002
...
TR099999

ZD0000001
ZD0000002
...
ZD0999999

The user-IDs which start with ZD have more digits than the user-IDs with "AB" and "TR". Our AD organisation is historical and making changes to the AD for reporting reasons is not feasible.

I would be interested to see if there is a significant difference in behaviour for the three groups. So I would like to make one report for each user group:

'impressive\domain users\AB*    (where * would be a wildcard disregarding the number of digits or characters)

'impressive\domain users\TR*    (where * would be a wildcard disregarding the number of digits or characters)

'impressive\domain users\ZD*    (where * would be a wildcard disregarding the number of digits or characters)

OR

'impressive\domain users\AB??????    (where ? would be a wildcard for one character)

'impressive\domain users\TR??????    (where ? would be a wildcard for one character)

'impressive\domain users\ZD???????    (where ? would be a wildcard for one character)

I'm not sure it's doable, taking into account that we have 10.000+ users going through our device and that we currently have 700Gb of logging data on the Panorama-server.

Wildcards would be the most flexible and easiest solution. We also do not correlate group data with users in Panorama. We have a lot of groups and users and the PA agent takes a lot of time to read the group memberships.

Hi There,

You may need to contact your local sales team to file a feature request.

Many Thanks

James

You could experiment with adding monitoring-specific groups on your AD and using these in the filters ...

E.g.: add groups monitoringAB, monitoringTR and monitoringZD, add the users in there and then filter for impressive\monitoringAB

Regards

Tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hello,

I know this thread is pretty old, but is there a solution yet? An AD group is no solution; it is a workaround for a specific use case, which will not work in my case.

Regex is/should be a pretty good standard for filtering stuff.

Best Regards

Phil

Hi @Dat_Phil 

No, not yet. In PAN-OS/Panorama you only have the existing filter possibilities, but not wildcard or regex. If you really need that, unfortunately there is no other way than using a third-party solution like Splunk to filter for exactly what you need.

Or you can tell us more about your specific use case - maybe someone knows a solution to it without buying additional software or using additional tools.
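The offline route the last reply points to (export the traffic log and filter it in another tool) can be done with a short script. As an added example, not from the thread or from Palo Alto Networks, this Python reads a constructed CSV in a reduced traffic-log layout and groups sessions by the AB/TR/ZD user-ID patterns from the question; the column names and the `impressive\` domain prefix are assumptions, and the patterns are anchored so a six-digit ZD ID or a service account does not land in a group by accident.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in a reduced PAN-OS traffic-log CSV layout (real exports carry
# many more columns; only the ones used here are kept). Column names are assumed.
SAMPLE_CSV = """receive_time,src,dst,srcuser,app,bytes
2024/01/10 09:00:01,10.0.1.5,93.184.216.34,impressive\\AB000001,web-browsing,1200
2024/01/10 09:00:02,10.0.1.6,93.184.216.34,impressive\\TR000002,ssl,5400
2024/01/10 09:00:03,10.0.1.7,93.184.216.34,impressive\\ZD0000003,ssl,800
2024/01/10 09:00:04,10.0.1.5,93.184.216.34,impressive\\AB099999,dns,90
2024/01/10 09:00:05,10.0.2.9,93.184.216.34,impressive\\svc-backup,ssh,20000
2024/01/10 09:00:06,10.0.1.8,93.184.216.34,impressive\\ab000002,web-browsing,300
"""

# Anchored patterns: AB/TR take exactly six digits, ZD exactly seven (as in the thread).
# IGNORECASE because User-ID may report Windows account names in either case.
USER_GROUPS = {
    "AB": re.compile(r"^impressive\\AB\d{6}$", re.IGNORECASE),
    "TR": re.compile(r"^impressive\\TR\d{6}$", re.IGNORECASE),
    "ZD": re.compile(r"^impressive\\ZD\d{7}$", re.IGNORECASE),
}


def classify_user(srcuser):
    """Return the group label for a srcuser value, or None if no pattern matches."""
    for label, pattern in USER_GROUPS.items():
        if pattern.match(srcuser):
            return label
    return None


def report_by_group(csv_text):
    """Aggregate sessions, bytes and an app breakdown per user group; collect unmatched users."""
    report = defaultdict(lambda: {"sessions": 0, "bytes": 0, "apps": defaultdict(int)})
    unmatched = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        label = classify_user(row["srcuser"])
        if label is None:
            unmatched.append(row["srcuser"])  # kept so nothing silently disappears
            continue
        entry = report[label]
        entry["sessions"] += 1
        entry["bytes"] += int(row["bytes"])
        entry["apps"][row["app"]] += 1
    return report, unmatched


if __name__ == "__main__":
    groups, skipped = report_by_group(SAMPLE_CSV)
    for label in sorted(groups):
        print(label, groups[label]["sessions"], "sessions", groups[label]["bytes"], "bytes", dict(groups[label]["apps"]))
    print("unmatched users:", skipped)
```

Against a real export, replace SAMPLE_CSV with the file contents and check the unmatched list first: it shows every account the three patterns would drop from the report.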
