06-16-2022 03:29 AM
Hi All,
Currently we have Panorama set up to forward all logs to an external log collection service. Due to the cost we would like to reduce the traffic logs that we are forwarding.
The traffic logs we wish to exclude from being forwarded are the below:
DNS traffic to 10.0.0.0/8
DNS traffic to 8.8.8.8
DNS traffic to 8.8.4.4
Ping traffic from 10.29.100.1
Ping traffic from 10.29.100.2
Ping traffic from 10.29.100.3
Kerberos traffic to 10.0.0.0/8
I have tried using the string below (and many variations); however, it either doesn't filter out the above or only shows the above!
I think my issue is a case of not putting the () in the correct places?
( app eq dns ) and ( addr.dst notin 10.0.0.0/8 ) and ( addr.dst notin 8.8.8.8 ) and ( addr.dst notin 8.8.4.4 ) and (( app eq ping ) and ( addr.src notin 10.29.100.1 ) or ( addr.src notin 10.29.100.2 ) or ( addr.src notin 10.10.29.100.3 )) and (((app eq kerberos) and ( addr.dst notin 10.0.0.0/8 )))
Thanks for any assistance
06-16-2022 05:54 AM
Hello @ElliotM
Thanks for the post.
Could you check whether this string works for your filter?
!(( app eq dns ) and (( addr.dst in 10.0.0.0/8) or ( addr.dst in 8.8.8.8) or ( addr.dst in 8.8.4.4))) and !(( app eq ping ) and (( addr.src notin 10.29.100.1) or ( addr.src notin 10.29.100.2) or ( addr.src notin 10.10.29.100.3))) and !(( app eq kerberos ) and ( addr.dst notin 10.0.0.0/8))
Kind Regards
Pavel
06-20-2022 06:31 AM
Hi @PavelK ,
Thanks for replying however it doesn't seem to work as expected.
I don't see ANY DNS traffic to other destinations, and I am also still seeing Kerberos traffic.
06-20-2022 04:03 PM - edited 06-21-2022 04:50 AM
Thank you for the reply @ElliotM.
For the DNS log part, I tested it in my Panorama and got the desired result, so I am not sure what the issue is. For the other part, I changed the syntax. Could you test the string below?
!(( app eq dns ) and (( addr.dst in 10.0.0.0/8) or ( addr.dst in 8.8.8.8) or ( addr.dst in 8.8.4.4))) and !(( app eq ping ) and (( addr.src eq 10.29.100.1) or ( addr.src eq 10.29.100.2) or ( addr.src eq 10.10.29.100.3))) and !(( app eq kerberos ) and ( addr.dst eq 10.0.0.0/8))
Kind Regards
Pavel
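As an added illustration (not code from the thread), the following Python model runs the first suggested filter and the accepted one over a few constructed traffic records. It assumes an address test is plain membership (a bare IP treated as a /32) and uses 10.29.100.3 for the third ping host as listed in the question; it shows why "notin" inside a negated group drops every ping and inverts the Kerberos condition.

```python
import ipaddress

# Constructed sample traffic records (not from the thread): app, source, destination.
LOGS = [
    {"app": "dns", "src": "10.1.1.5", "dst": "10.2.2.2"},
    {"app": "dns", "src": "10.1.1.5", "dst": "8.8.8.8"},
    {"app": "dns", "src": "10.1.1.5", "dst": "1.1.1.1"},
    {"app": "ping", "src": "10.29.100.1", "dst": "10.5.5.5"},
    {"app": "ping", "src": "10.29.100.9", "dst": "10.5.5.5"},
    {"app": "kerberos", "src": "10.1.1.5", "dst": "10.3.3.3"},
    {"app": "kerberos", "src": "10.1.1.5", "dst": "203.0.113.10"},
]

def addr_in(addr, prefix):
    """Assumed model of the filter's address match: a bare IP is treated as a /32."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)

def any_in(addr, prefixes):
    return any(addr_in(addr, p) for p in prefixes)

DNS_DST = ["10.0.0.0/8", "8.8.8.8", "8.8.4.4"]
PING_SRC = ["10.29.100.1", "10.29.100.2", "10.29.100.3"]

def first_suggestion(rec):
    """The first reply: 'notin' tests inside the negated ping and kerberos groups."""
    app, src, dst = rec["app"], rec["src"], rec["dst"]
    dns_excl = app == "dns" and any_in(dst, DNS_DST)
    # An 'or' of three 'notin' tests is true for every source, so every ping is dropped.
    ping_excl = app == "ping" and any(not addr_in(src, p) for p in PING_SRC)
    # This drops kerberos NOT destined for 10/8, the opposite of the intent.
    kerb_excl = app == "kerberos" and not addr_in(dst, "10.0.0.0/8")
    return not dns_excl and not ping_excl and not kerb_excl

def accepted_solution(rec):
    """The accepted reply: positive matches inside each negated group."""
    app, src, dst = rec["app"], rec["src"], rec["dst"]
    dns_excl = app == "dns" and any_in(dst, DNS_DST)
    ping_excl = app == "ping" and any_in(src, PING_SRC)
    kerb_excl = app == "kerberos" and addr_in(dst, "10.0.0.0/8")
    return not dns_excl and not ping_excl and not kerb_excl

def forwarded(filter_fn, logs=LOGS):
    """Return (app, src, dst) of the records the filter still lets through to the collector."""
    return [(r["app"], r["src"], r["dst"]) for r in logs if filter_fn(r)]
```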
06-21-2022 03:31 AM
Hi @PavelK
This is working as expected from what I can see, thanks for the help.