topic possible to filter logs by geo location policy in Firewall and Security Management

possible to filter logs by geo location policy

nflnetwork29 — Fri, 11 Mar 2022 16:25:13 GMT

can i create log filter that only shows traffic blocked "dropped" because of Geo-location inbound enforcement?

Log server is R81.10

Re: possible to filter logs by geo location policy

CE_SE — Fri, 11 Mar 2022 17:28:44 GMT

You can simply use the search field for the specific country your looking for if you're tracking that specific rule.

Re: possible to filter logs by geo location policy

the_rock — Fri, 11 Mar 2022 18:37:34 GMT

You can do something like this in log search:

src_country: "Israel"

You can apply same logic to dst country

dst_country: "China"

Re: possible to filter logs by geo location policy

nflnetwork29 — Fri, 11 Mar 2022 21:15:56 GMT

hmmm not working for me

Re: possible to filter logs by geo location policy

the_rock — Fri, 11 Mar 2022 21:21:06 GMT

Not sure what to tell you then...I just did 3 filters on customer's environment and did below:

src_country: "Canada"

dst_country: "Canada"

dst_country: "China"

All 3 worked fine...can you attach a screenshot?

Re: possible to filter logs by geo location policy

CE_SE — Fri, 11 Mar 2022 21:26:43 GMT

I agree using the above search method is successful.

Re: possible to filter logs by geo location policy

the_rock — Sat, 12 Mar 2022 02:51:15 GMT

Well, works the same way, with or without the quotes : - )

Re: possible to filter logs by geo location policy

Amir_Senn — Sat, 12 Mar 2022 14:15:33 GMT

If you're using the new Geo Policy (In Access Control policy) I suggest you filter by rule name.

If you're not using the new Geo Policy I suggest to move to the new. It's better and future features would be available for it.

Here's how:

1) Go to Access Control policy

2) Add a new rule and in the source/destination you can click on the "+" , Import -> Updateable Objects... (see attached picture).

3) In the object, search for "GEO Locations", and further select the countries you wish to use in the rule. You can use multiple countries per rule.

4) Define action and in the track put the desired log level.

5) Install policy.

Re: possible to filter logs by geo location policy

Paul_Hagyard — Wed, 11 Oct 2023 00:00:49 GMT

Hi,

Given that many people will be using updatable objects rather than the old geo-policy, being unable to search logs directly by country seems to be quite a limitation. The suggestion of adding additional rules to allow filter based on rule UID is not a great workaround for (most) environment where change control is required for a rule.

"I need to add a rule because the product does not permit viewing logs by country"... If it's possible to display the flag in the log view then surely it must be possible to extend this to a search field. This shouldn't need a RFE, it should be included already.

Paul

Re: possible to filter logs by geo location policy

the_rock — Wed, 11 Oct 2023 01:12:30 GMT

You dont need to add any rules to search by country, works fine by using src_country and dst_country filters as examples we gave in the post.

Andy

Re: possible to filter logs by geo location policy

Paul_Hagyard — Wed, 11 Oct 2023 01:39:34 GMT

I'm using R81.20 JHF 26 SC/GW and it's not working. If I filter on src_country:"New Zealand" all I see is my Mobile Access logs - despite there being numerous firewall blade logs from New Zealand sources. I even have NZ as an updatable object in a rule.

Again, the log viewer can show a flag, I shouldn't need to import updatable objects to filter in the log viewer.

Re: possible to filter logs by geo location policy

the_rock — Wed, 11 Oct 2023 01:43:09 GMT

Thats very odd, because I mever had the issue even back in R81.10. I agree with your assesment that you should not need to import updatable object to do the filter. Are you able to send a screenshot of the filter?

Andy

Re: possible to filter logs by geo location policy

Paul_Hagyard — Thu, 12 Oct 2023 01:29:12 GMT

Current logs on the firewall blade showing traffic from Australia:

Attempt to filter by country shows no logs:

I went for Aussie as it removes the chance of some issue with spaces in the country name. I've tried without the quotes, with single quotes... nada

If I remove the filter on blade and change to src_country:"New Zealand" then I can see my VPN RAS connections from yesterday:

Re: possible to filter logs by geo location policy

the_rock — Thu, 12 Oct 2023 01:35:22 GMT

I just found that one of our customers had this issue last year and it was solved by running cloudguard stop and cloudguard start on the mgmt server. Not saying it will work for you, but worth a try. If not, I would maybe reach out to TAC to see what they advise. Also, does not hurt to reboot the mgmt server either, as it does not cause any traffic issues.

Andy

Re: possible to filter logs by geo location policy

Paul_Hagyard — Thu, 12 Oct 2023 02:31:26 GMT

That sounds like the service desk: "have you tried turning it off and on again?" 🙂 Does appear to work as often for infrastructure as endpoints...

No change restarting the CloudGuard controller or cpstop/cpstart. TAC request would require having a customer wanting me to spend more of their time on this!

Exporting to CSV from SmartView includes columns src_uo_name and dst_uo_name (source/destination updatable object name"), so if you have the updatable objects defined (and probably active in a rule) you could use SmartView - but hardly convenient. You seemingly can't filter on these columns (src_uo_name etc) in SmartConsole either.

Re: possible to filter logs by geo location policy

the_rock — Thu, 12 Oct 2023 02:39:44 GMT

Sorry mate, not sure what else to suggest. I had never had this problem myself, so if those things we discussed did not work, then only other logical options I see are either TAC case or see if someone else on here might have a better suggestions.

Cheers,

Andy