FSM Traffic Monitor Search Expressions for AND

I know if I enable regular expressions I can use | as an OR (i.e. DENY|udp, which shows all lines that contains deny or udp). How do I do an AND? So I want to see all the entries that are Deny and contains udp (logic to me is DENY&udp, but this doesn't seem to work).

dcc

Comments

  • give this a try: (?=.deny)(?=.udp)

  • No - that didn't work. And I even tried switching it to (?=.deny)(?=.tcp) to double check.

  • sorry, that didn't post correctly (?=.*deny)(?=.*udp)

  • Ah - that's much better. Thanks Matt! I sure wish there was more details on this in the documentation. I even went and watched the section in the current Fireware 12.7 network essentials training video this morning and it's not even mentioned.

    dcc

  • I tried this on one of my devices ... it works but wow it is so slow when the firebox has a lot of logging. In my case FSM nearly halts and is using 50% cpu usage when I enable regular expressions.

  • Yup - I saw the exact same results on my M370

  • Thank you, MattS!

    Gregg Hill

  • "deny.+udp" seems to stop the 50% CPU utilization and FSM having fits, yet still accomplishes the results I'm looking for. As was just explained to me by the WG sales engineer responsible for our Partner account:

    We do not have the “AND” operator but I usually do a search with the “anything” string between the 2 expression I am looking for. The period (.) is the wildcard and the * or the + are the repetition indicators, so if you are looking for “deny” and “udp”, I go with the following expression “deny.+udp”.

    We use these regular expression in Fireware OS and it is the same thing in FSM. Here is the doc: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/proxies/general/regular_expressions_c.html
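The two working answers in this thread, the lookahead form `(?=.*deny)(?=.*udp)` and the ordered form `deny.+udp`, are not equivalent, and the first attempt `(?=.deny)(?=.udp)` fails for a reason worth seeing. The script below is an added illustration written for this page, not code from WatchGuard or from any poster; it runs the same patterns in Python's `re` over a handful of constructed Traffic Monitor-style lines (the field layout is made up, and case-insensitive matching is assumed since FSM's behaviour on that point is not stated here). It shows that `|` is OR, that the double lookahead is a true AND regardless of word order, that `deny.+udp` only matches when "deny" appears before "udp" on the line, and that `(?=.deny)(?=.udp)` can never match because both lookaheads are anchored at the same position.

```python
import re

# Constructed sample lines in a Traffic Monitor-like layout (not real Firebox
# output; the field layout is an assumption for illustration only).
SAMPLE_LINES = [
    "Deny 10.0.1.5 8.8.8.8 53/udp 52134 53 Trusted External blocked",        # deny, then udp
    "Allow 10.0.1.7 10.0.2.1 443/tcp 40022 443 Trusted Optional",            # neither
    "Deny 10.0.1.9 10.0.2.1 22/tcp 51000 22 Trusted Optional",               # deny only
    "Allow 10.0.1.5 1.1.1.1 53/udp 52135 53 Trusted External",               # udp only
    "Flood from 172.16.1.4 port 123/udp handled by Deny policy",             # udp BEFORE deny
]

# Assumption: the FSM search is case-insensitive, so "deny" matches "Deny".
FLAGS = re.IGNORECASE


def grep(pattern, lines=SAMPLE_LINES):
    """Return the indices of lines where `pattern` matches anywhere (re.search)."""
    rx = re.compile(pattern, FLAGS)
    return [i for i, line in enumerate(lines) if rx.search(line)]


def or_search(a, b):
    """'a|b': line contains a OR b (the behaviour the question already knew)."""
    return grep(f"{a}|{b}")


def and_lookahead(a, b):
    """'(?=.*a)(?=.*b)': both lookaheads run from the same position, and '.*'
    lets each scan the rest of the line, so this is AND in either order."""
    return grep(f"(?=.*{a})(?=.*{b})")


def and_ordered(a, b):
    """'a.+b': the sales engineer's cheaper form. Only matches when a comes
    first, with at least one character between a and b."""
    return grep(f"{a}.+{b}")


def broken_lookahead(a, b):
    """'(?=.a)(?=.b)': the first attempt. A single '.' means 'exactly one
    character then a' AND 'exactly one character then b' at the same spot,
    which no line can satisfy, so it matches nothing."""
    return grep(f"(?=.{a})(?=.{b})")


if __name__ == "__main__":
    for name, fn in [("OR", or_search), ("AND lookahead", and_lookahead),
                     ("AND ordered", and_ordered), ("broken lookahead", broken_lookahead)]:
        print(f"{name:17s} deny/udp -> lines {fn('deny', 'udp')}")
```

The difference also explains the CPU observation in the thread in general regex-engine terms: with `deny.+udp` the engine only has to scan forward from each occurrence of "deny", whereas each `(?=.*...)` lookahead re-scans the remainder of the line at every candidate start position. The trade-off is that `deny.+udp` silently misses lines where "udp" precedes "deny", so if that ordering can occur in your logs, either search both orders or accept the slower lookahead form.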
