Firebox system manager regular expression filtering

In the latest releases of FSM, currently 12.5, if we search for a specific IP address, like 192.168.1.1, FSM will not only show these values in the search, but also values like 192.168.1.11, 192.168.1.125, 192.168.1.1xxxxxxxxxx.

Disabling "regular expression filtering" in FSM does not change this behaviour. Looks like a bug, as this used to work.

/Robert

Comments

  • Add space character at the end of your search string

  • Of course - why did I not think of that!
    I tried a lot of other things :/

  • FYI - this search result has been happening for a very long time.
    I posted the same solution on 11/16/2016 12:49:17 PM on the old boards (now going away) to someone who was running XTM 515 WSM / FSM 11.10.5

  • Or you can use WebUI. :)

    Adrian from Australia

  • You and the damn Web UI !!!

  • B)

    Adrian from Australia

  • When I went to OZ a number of years back, I do not recall that on the forms I needed to sign - any question related to bringing in a can of red (or any other color) paint

  • @xxup said:
    Or you can use WebUI. :)

    In the web UI Traffic Monitor, it does the exact same thing. Searching for "192.168.16.1" shows anything with that string in it, including 192.168.16.11, 192.168.16.101, etc. Adding a space so it's "192.168.16.1 " being searched fixes it in the web UI as well.

    Adrian, where is the option to "show log field names" like we have in the desktop program for Traffic Monitor?

    Gregg Hill

  • @GreggHill said:

    Adrian, where is the option to "show log field names" like we have in the desktop program for Traffic Monitor?

    Why would you want to do that? Experienced admins know the field name and they are in different colours.. :)

    Adrian from Australia

  • edited July 2019

    @Bruce_Briggs said:
    When I went to OZ a number of years back, I do not recall that on the forms I needed to sign - any question related to bringing in a can of red (or any other color) paint

    Definitely question 7 - most people miss that one and end up on TV in the show "Border Security" - in handcuffs... :) See https://en.wikipedia.org/wiki/Border_Security:_Australia%27s_Front_Line

    Adrian from Australia

  • @xxup said:

    @GreggHill said:

    Adrian, where is the option to "show log field names" like we have in the desktop program for Traffic Monitor?

    Why would you want to do that? Experienced admins know the field name and they are in different colours.. :)

    I have been doing WatchGuard firewalls for ten years and still like to see the field names.

    1) It's one less thing to have to remember at 2:00AM when working after a long day.

    2) Searching for something, say a search for port 80, can be done better when field names are visible. In FSM Traffic Monitor, I can search for "dst_port=80 " and it will show only those port 80 results going out. I can flip it to show only incoming port 80 by changing to "dst_port=80 " as the search. Without field names in the web UI, I cannot do that same search. I can search for "80 " and get tons of results for any line containing "80" in it, and that includes lines with destination ports that are NOT port 80.

    3) The text in FSM traffic monitor is FAR clearer than the same text in the web UI, and I can see more of it in FSM.

    So, to answer the actual question, where is the option to "show log field names" like we have in the desktop program for Traffic Monitor? Am I missing it, or is it just another shortcoming of the web UI?

    Gregg

    Gregg Hill
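The substring behaviour and the field-name search discussed in the comments above can be reproduced on exported log text. This is an added example, not part of the thread and not WatchGuard code; the log lines are constructed for illustration and the function names are hypothetical.

```python
import re

# Constructed sample lines for illustration; not real Firebox log output.
LINES = [
    "Allow 192.168.1.1 10.0.0.5 http/tcp src_port=51000 dst_port=80 msg=ok",
    "Allow 192.168.1.11 10.0.0.5 http/tcp src_port=51001 dst_port=80 msg=ok",
    "Deny 192.168.1.125 10.0.0.9 8080/tcp src_port=80 dst_port=8080 msg=blocked",
    "Allow 10.0.0.7 192.168.1.1",                       # IP ends the line
    "Allow 10.0.0.8 src_ip=192.168.1.1, dst_port=443",  # IP followed by a comma
]


def substring_filter(lines, needle):
    """Plain 'contains' search, the behaviour described in the thread."""
    return [i for i, line in enumerate(lines) if needle in line]


def exact_ip_filter(lines, ip):
    """Match ip only as a whole address, whatever delimiter surrounds it."""
    pattern = re.compile(
        r"(?<![0-9.])" + re.escape(ip) + r"(?![0-9])(?!\.[0-9])"
    )
    return [i for i, line in enumerate(lines) if pattern.search(line)]


def field_filter(lines, field, value):
    """Match an exact field=value token: dst_port=80 but not dst_port=8080."""
    pattern = re.compile(
        r"(?<!\w)" + re.escape(field) + "=" + re.escape(value) + r"(?![\w.])"
    )
    return [i for i, line in enumerate(lines) if pattern.search(line)]


if __name__ == "__main__":
    ip = "192.168.1.1"
    print("substring      :", substring_filter(LINES, ip))
    print("trailing space :", substring_filter(LINES, ip + " "))
    print("exact address  :", exact_ip_filter(LINES, ip))
    print("bare '80 '     :", substring_filter(LINES, "80 "))
    print("dst_port=80    :", field_filter(LINES, "dst_port", "80"))
```

On these constructed lines the trailing-space search drops the over-matches but also misses the address when it ends a line or is followed by punctuation, which the boundary-aware pattern still catches.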

  • edited July 2019

    If I want to search port 80 going out I just type http/tcp.. If I want to see the ones coming in, I type "xxx.xxx.xxx.xxx http/tcp" where the xxx represents my external IP address..

    Not a shortcoming, just not necessary..

    Adrian from Australia

  • With the Web UI, in Traffic Monitor, all one can see is what is in memory.

    With FSM, one can set up to show up to 25,000 log entries. To get to this limit, FSM does need to be connected to the firewall for a fair period of time.
    I find this to be a useful feature for me.

  • @xxup said:
    If I want to search port 80 going out I just type http/tcp.. If I want to see the ones coming in, I type "xxx.xxx.xxx.xxx http/tcp" where the xxx represents my external IP address..

    Not a shortcoming, just not necessary..

    Doesn't "If I want to search port 80 going out I just type http/tcp" show both inbound and outbound?

    I knew that I should not have used port 80 as an example! What do you do for more obscure ports?

    Gregg Hill

  • 1010/tcp is another example... For port 1010.. It works the same way..

    Adrian from Australia

  • @xxup said:
    1010/tcp is another example... For port 1010.. It works the same way..

    And does that show both inbound and outbound? My way shows only what I want to see.

    Gregg Hill
