Panorama Log Collector Forwarding Traffic Strings

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Panorama Log Collector Forwarding Traffic Strings

L2 Linker

Hi All,

 

Currently we have Panorama set up to forward all logs to an external log collection service. Due to the cost we would like to reduce the traffic logs that we are forwarding.

 

The traffic logs we wish to exclude from being forwarded are the below:

 

DNS traffic to 10.0.0.0/8

DNS traffic to 8.8.8.8

DNS traffic to 8.8.4.4

 

Ping traffic from 10.29.100.1

Ping traffic from 10.29.100.2

Ping traffic from 10.29.100.3

 

Kerberos traffic to 10.0.0.0/8

 

I have tried using the below string (and many variations) however it either doesn't filter out the above or only filters shows the above!

I think my issue is a case of not putting the () in the correct places?

 

( app eq dns ) and ( addr.dst notin 10.0.0.0/8 ) and ( addr.dst notin 8.8.8.8 ) and ( addr.dst notin 8.8.4.4 ) and (( app eq ping ) and ( addr.src notin 10.29.100.1 ) or ( addr.src notin 10.29.100.2 ) or ( addr.src notin 10.10.29.100.3 )) and (((app eq kerberos) and ( addr.dst notin 10.0.0.0/8 )))

 

Thanks for any assistance

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Thank you for reply @ElliotM

 

for dns log part, I tested it in my Panorama and I got desired result, so I am not sure what the issue is. For other part, I changed syntax. Could you test below string?

 

!(( app eq dns ) and (( addr.dst in 10.0.0.0/8) or ( addr.dst in 8.8.8.8) or ( addr.dst in 8.8.4.4))) and !(( app eq ping ) and (( addr.src eq 10.29.100.1) or ( addr.src eq 10.29.100.2) or ( addr.src eq 10.10.29.100.3))) and !(( app eq kerberos ) and ( addr.dst eq 10.0.0.0/8))

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

View solution in original post

4 REPLIES 4

Cyber Elite
Cyber Elite

Hello @ElliotM 

 

thanks for the post.

 

Could you check whether this string works for your filter?

 

!(( app eq dns ) and (( addr.dst in 10.0.0.0/8) or ( addr.dst in 8.8.8.8) or ( addr.dst in 8.8.4.4))) and !(( app eq ping ) and (( addr.src notin 10.29.100.1) or ( addr.src notin 10.29.100.2) or ( addr.src notin 10.10.29.100.3))) and !(( app eq kerberos ) and ( addr.dst notin 10.0.0.0/8))

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Hi @PavelK ,

 

Thanks for replying however it doesn't seem to work as expected.

 

I don't see ANY dns traffic to other destinations and i am also still seeing kerberos traffic.

 

Cyber Elite
Cyber Elite

Thank you for reply @ElliotM

 

for dns log part, I tested it in my Panorama and I got desired result, so I am not sure what the issue is. For other part, I changed syntax. Could you test below string?

 

!(( app eq dns ) and (( addr.dst in 10.0.0.0/8) or ( addr.dst in 8.8.8.8) or ( addr.dst in 8.8.4.4))) and !(( app eq ping ) and (( addr.src eq 10.29.100.1) or ( addr.src eq 10.29.100.2) or ( addr.src eq 10.10.29.100.3))) and !(( app eq kerberos ) and ( addr.dst eq 10.0.0.0/8))

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Hi @PavelK

This is working as expected from what i can see, thanks for the help.

  • 1 accepted solution
  • 2517 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!