RQL - Get if there is an IP other than certain IPs in the rule and port 22 is open

L1 Bithead

Hi All, 

 

I am looking for some support for the RQL.

 

I am trying to detect if any firewall rule on GCP allows SSH port 22 traffic from any source except the PSM IP addresses. I developed some queries, but they are not able to catch every scenario. I am trying to develop a query that checks for an exact match with the IP addresses that I've written. I need your comments on this use case. Thank you!

 

Example Query :

config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-firewall-rules-list' AND json.rule = disabled is false and direction equals INGRESS and sourceRanges[*] is not member of (IP Addresses separated with comma) and allowed[?any(ports is member of (22) or ports contains _Port.inRange(22,22) and (ports does not exist and (IPProtocol contains tcp)))] exists
 
Kind Regards
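
The check described in the post, written out as an added Python example (not part of the original post, and not RQL): it evaluates firewall rules exported as JSON and reports every enabled ingress rule that opens tcp/22 to a source range outside the allowlist, covering port ranges, rules with no ports listed, and mixed source lists. The allowlist addresses and sample rules are constructed placeholders; the field names are the ones used in the query above.

```python
import ipaddress

# Assumption: constructed placeholder addresses standing in for the PSM IPs.
ALLOWED_SOURCES = ["203.0.113.10/32", "203.0.113.11/32"]

def allows_tcp_port(entry, port=22):
    """True if one 'allowed' entry of a firewall rule covers tcp/<port>."""
    if str(entry.get("IPProtocol", "")).lower() not in ("tcp", "6", "all"):
        return False
    ports = entry.get("ports")
    if not ports:                      # no ports listed means every port
        return True
    for spec in ports:                 # "22" or a range such as "20-25"
        low, _, high = spec.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False

def source_is_allowlisted(cidr, allowlist=ALLOWED_SOURCES):
    """True only if the whole source range sits inside an allowlisted network."""
    net = ipaddress.ip_network(cidr, strict=False)
    for item in allowlist:
        allowed = ipaddress.ip_network(item, strict=False)
        if net.version == allowed.version and net.subnet_of(allowed):
            return True
    return False

def offending_rules(rules, port=22):
    """Map rule name -> non-allowlisted source ranges, for enabled ingress rules."""
    findings = {}
    for rule in rules:
        if rule.get("disabled") or rule.get("direction") != "INGRESS":
            continue
        if not any(allows_tcp_port(a, port) for a in rule.get("allowed", [])):
            continue
        bad = [s for s in rule.get("sourceRanges", []) if not source_is_allowlisted(s)]
        if bad:
            findings[rule["name"]] = bad
    return findings

def _rule(name, sources, allowed, disabled=False):  # helper for the constructed samples
    return {"name": name, "direction": "INGRESS", "disabled": disabled,
            "sourceRanges": sources, "allowed": allowed}

SAMPLE_RULES = [  # constructed sample data, not real rules
    _rule("psm-only", ["203.0.113.10/32"], [{"IPProtocol": "tcp", "ports": ["22"]}]),
    _rule("mixed-sources", ["203.0.113.10/32", "198.51.100.0/24"], [{"IPProtocol": "tcp", "ports": ["20-25"]}]),
    _rule("all-ports", ["0.0.0.0/0"], [{"IPProtocol": "tcp"}]),
    _rule("disabled-open", ["0.0.0.0/0"], [{"IPProtocol": "tcp", "ports": ["22"]}], disabled=True),
    _rule("https-only", ["0.0.0.0/0"], [{"IPProtocol": "tcp", "ports": ["443"]}]),
]
print(offending_rules(SAMPLE_RULES))
```

Rules that select sources by tag or service account rather than `sourceRanges` are not flagged by this example and need a separate check.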