Firebox system manager regular expression filtering
In the latest releases of FSM, currently 12.5, if we search for a specific IP address, like 192.168.1.1, FSM will not only show this value in the search, but also values like 192.168.1.11, 192.168.1.125, 192.168.1.1xxxxxxxxxx.
Disabling "regular expression filtering" in FSM does not change this behaviour. Looks like a bug, as this used to work.
/Robert
Comments
Add space character at the end of your search string
Of course - why did I not think of that!
I tried a lot of other things.
FYI - this search result has been happening for a very long time.
I posted the same solution on 11/16/2016 12:49:17 PM on the old boards (now going away) to someone who was running XTM 515 WSM / FSM 11.10.5
Or you can use WebUI.
Adrian from Australia
You and the damn Web UI !!!
Adrian from Australia
When I went to OZ a number of years back, I do not recall that on the forms I needed to sign - any question related to bringing in a can of red (or any other color) paint
In the web UI Traffic Monitor, it does the exact same thing. Searching for "192.168.16.1" shows anything with that string in it, including 192.168.16.11, 192.168.16.101, etc. Adding a space so it's "192.168.16.1 " being searched fixes it in the web UI as well.
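To make the behaviour described above concrete, here is an added example (not from the thread or from WatchGuard) that runs a plain substring filter over a few constructed log lines, shows why the trailing-space trick works, shows the one case it misses (the address at the very end of a line), and shows a token-boundary regex that handles both.

```python
import re

# Constructed sample lines in a Traffic Monitor-like layout; not real firewall output.
LOG_LINES = [
    "Allow 192.168.16.1 10.0.0.5 http/tcp 51234 80 1-Trusted 0-External",
    "Allow 192.168.16.11 10.0.0.5 http/tcp 51235 80 1-Trusted 0-External",
    "Deny 192.168.16.101 10.0.0.7 dns/udp 40000 53 1-Trusted 0-External",
    "Allow 10.0.0.9 192.168.16.1",  # address is the last token: nothing follows it
]


def substring_filter(lines, needle):
    """Plain substring match: the filtering behaviour the thread complains about.
    Searching "192.168.16.1" also returns 192.168.16.11 and 192.168.16.101,
    and searching "192.168.16.1 " (trailing space) skips a line where the
    address is the last thing on the line."""
    return [line for line in lines if needle in line]


def exact_ip_filter(lines, ip):
    """Match the address only as a whole token: it may not be preceded or
    followed by another digit or dot, so 192.168.16.1 does not hit
    192.168.16.11 but does hit an address sitting at the end of a line."""
    pattern = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    return [line for line in lines if pattern.search(line)]


if __name__ == "__main__":
    for needle in ("192.168.16.1", "192.168.16.1 "):
        print(f"substring {needle!r}: {len(substring_filter(LOG_LINES, needle))} lines")
    print(f"exact token match: {len(exact_ip_filter(LOG_LINES, '192.168.16.1'))} lines")
```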
Adrian, where is the option to "show log field names" like we have in the desktop program for Traffic Monitor?
Gregg Hill
Why would you want to do that? Experienced admins know the field name and they are in different colours..
Adrian from Australia
Definitely question 7 - most people miss that one and end up on TV in the show "Border Security" - in handcuffs... See https://en.wikipedia.org/wiki/Border_Security:_Australia%27s_Front_Line
Adrian from Australia
I have been doing WatchGuard firewalls for ten years and still like to see the field names.
1) It's one less thing to have to remember at 2:00AM when working after a long day.
2) Searching for something, say a search for port 80, can be done better when field names are visible. In FSM Traffic Monitor, I can search for "dst_port=80 " and it will show only those port 80 results going out. I can flip it to show only incoming port 80 by changing to ""dst_port=80 " as the search. Without field names in the web UI, I cannot do that same search. I can search for "80 " and get tons of results for any line containing "80" in it, and that includes lines with destination ports that are NOT port 80.
3) The text in FSM traffic monitor is FAR clearer than the same text in the web UI, and I can see more of it in FSM.
So, to answer the actual question, where is the option to "show log field names" like we have in the desktop program for Traffic Monitor? Am I missing it, or is it just another shortcoming of the web UI?
Gregg
Gregg Hill
If I want to search port 80 going out I just type http/tcp.. If I want to see the ones coming in, I type "xxx.xxx.xxx.xxx http/tcp" where the xxx represents my external IP address..
Not a shortcoming, just not necessary..
Adrian from Australia
With the Web UI, in Traffic Monitor, all one can see is what is in memory.
With FSM, one can set up to show up to 25,000 log entries. To get to this limit, FSM does need to be connected to the firewall for a fair period of time.
I find this to be a useful feature for me.
Doesn't "If I want to search port 80 going out I just type http/tcp" show both inbound and outbound?
I knew that I should not have used port 80 as an example! What do you do for more obscure ports?
Gregg Hill
1010/tcp is another example... For port 1010.. It works the same way..
Adrian from Australia
And does that show both inbound and outbound? My way shows only what I want to see.
Gregg Hill