FSM Traffic Monitor Search Expressions for AND
I know if I enable regular expressions I can use | as an OR (i.e. DENY|udp, which shows all lines that contain deny or udp). How do I do an AND? So I want to see all the entries that are Deny and contain udp (logic to me is DENY&udp, but this doesn't seem to work).
dcc
Comments
give this a try: (?=.deny)(?=.udp)
No - that didn't work. And I even tried switching it to (?=.deny)(?=.tcp) to double check.
sorry, that didn't post correctly
(?=.*deny)(?=.*udp)
Ah - that's much better. Thanks Matt! I sure wish there were more details on this in the documentation. I even went and watched the section in the current Fireware 12.7 network essentials training video this morning and it's not even mentioned.
dcc
I tried this on one of my devices ... it works, but wow, it is so slow when the firebox has a lot of logging. In my case FSM nearly halts and is using 50% CPU when I enable regular expressions.
Yup - I saw the exact same results on my M370
Thank you, MattS!
Gregg Hill
"deny.+udp" seems to stop the 50% CPU utilization and FSM having fits, yet still accomplishes the results I'm looking for. As was just explained to me by the WG sales engineer responsible for our Partner account:
We do not have the "AND" operator, but I usually do a search with the "anything" string between the two expressions I am looking for. The period (.) is the wildcard and the * or the + are the repetition indicators, so if you are looking for "deny" and "udp", I go with the following expression "deny.+udp".
We use these regular expressions in Fireware OS and it is the same thing in FSM. Here is the doc: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/proxies/general/regular_expressions_c.html
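The three patterns discussed in this thread behave differently, and the difference is easy to miss when you only look at whether a search "works". The following is an added example, not code from the thread or from WatchGuard: it runs the first (non-working) attempt, Matt's lookahead pattern, and the sales engineer's "deny.+udp" pattern over a handful of constructed log lines using Python's `re` module. It assumes the FSM search engine, like Python, supports lookaheads and that the search is case-insensitive (the thread mixes DENY and deny); the log lines and their field layout are made up for illustration.

```python
import re

# Constructed sample lines, loosely shaped like Firebox traffic-log entries.
# Neither the addresses nor the policy names come from the thread.
SAMPLE_LOG = [
    "10:00:01 Deny 10.0.0.5 8.8.8.8 53/udp Unhandled External Packet-00",
    "10:00:02 Allow 10.0.0.7 93.184.216.34 443/tcp HTTPS-proxy-00",
    "10:00:03 Deny 10.0.0.9 203.0.113.4 445/tcp Unhandled External Packet-00",
    "10:00:04 udp packet from 10.0.0.11 was Deny by policy Blocked-Ports",
    "10:00:05 Allow 10.0.0.12 1.1.1.1 53/udp DNS-00",
]

# The first attempt from the thread. "." matches exactly ONE character, so
# both lookaheads demand that "deny" and "udp" start at the same offset,
# which no line can satisfy.
BROKEN_FIRST_TRY = re.compile(r"(?=.deny)(?=.udp)", re.IGNORECASE)

# Matt's corrected pattern. Each lookahead scans the rest of the line, so
# "deny" and "udp" may appear in either order, anywhere in the line.
LOOKAHEAD_AND = re.compile(r"(?=.*deny)(?=.*udp)", re.IGNORECASE)

# The sales engineer's pattern. Single left-to-right pass, but it only
# matches when "deny" comes BEFORE "udp" with at least one character between.
ORDERED_AND = re.compile(r"deny.+udp", re.IGNORECASE)


def grep(pattern, lines):
    """Return the lines the compiled pattern matches, like an FSM filter would."""
    return [line for line in lines if pattern.search(line)]


def compare(lines=SAMPLE_LOG):
    """Number of matching lines for each of the three patterns."""
    return {
        "broken_first_try": len(grep(BROKEN_FIRST_TRY, lines)),
        "lookahead_and": len(grep(LOOKAHEAD_AND, lines)),
        "ordered_and": len(grep(ORDERED_AND, lines)),
    }


if __name__ == "__main__":
    for name, pattern in (
        ("(?=.deny)(?=.udp)", BROKEN_FIRST_TRY),
        ("(?=.*deny)(?=.*udp)", LOOKAHEAD_AND),
        ("deny.+udp", ORDERED_AND),
    ):
        print(f"--- {name}")
        for line in grep(pattern, SAMPLE_LOG):
            print("   ", line)
```

On these sample lines the lookahead form finds both lines that contain deny and udp (including the one where udp appears first), while "deny.+udp" finds only the line where deny precedes udp. That is the trade-off behind the CPU observation in the thread: two lookaheads each rescan the remainder of every line, whereas the ordered form is a single pass, at the cost of silently missing entries whose fields are in the other order. If the field you search for always comes first in the log format, the ordered form is the cheaper choice.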