topic Re: Log query R80.10 in Firewall and Security Management

Log query R80.10

resu — Thu, 19 Sep 2019 19:48:35 GMT

I would like to run a query (something like NOT action:drop) on a list of unique IP addresses. I've looked through documentation and tried IP's with a space between, with "AND" (no quote marks) between. Neither worked.
Any advice is appreciated.

Re: Log query R80.10

Gomboragchaa — Fri, 20 Sep 2019 01:08:29 GMT

When you use queries with more than one criteria value, an AND is implied automatically, so there is no need to add it. Enter OR or other boolean operators if needed.

http://downloads.checkpoint.com/dc/download.htm?ID=65843

Re: Log query R80.10

Dror_Aharony — Sun, 22 Sep 2019 09:21:22 GMT

Hi resu,

Can you please share the exact queries that fail to find your desired results and exact R80.10 JHF-version?

Re: Log query R80.10

resu — Tue, 24 Sep 2019 22:23:01 GMT

Version: R80.10
Build: SmartConsole 991140013

I would like to query a list of unique IP addresses. So two (possible) queries might look like this (separated by a space, since the AND is implicit):

Query 1:

IP1 IP2 IP3

Query 2:

IP2 IP2 IP3 NOT action:drop

Re: Log query R80.10

Dror_Aharony — Wed, 25 Sep 2019 08:40:14 GMT

if both these queries fail (even without the NOT), only free-text IPs, then it's already fixed in the latest JHF.

for R80.10 only, you need to write either a src or dst. as a complete IP free-text wasn't supported.

Also, I think what you're looking for is an OR, not an AND here. (as you'll probably never have 3 unique IPs in the same log).

example: (src:X OR dst:X) OR (src:Y OR dst:Y)

then you can add: AND action:Drop.

Best to install the latest JHF anyway.

Re: Log query R80.10

resu — Tue, 17 Mar 2020 19:55:04 GMT

Apologies. I may have misunderstood how you define "log".

Does "log" mean a single line item of traffic? I was thinking of that as an "entry" or "record" but am happy to be corrected.

If "log" means a collection of rows of traffic events, then I would say that I see multiple IP's in a log all the time.

I'm using R80.30

Re: Log query R80.10

Dror_Aharony — Mon, 30 Mar 2020 09:45:05 GMT

Log = single line of traffic.

Unique IP of either src/dst (usually).

try OR instead of AND (implicit AND) & let me know if this works out for you.

src:(X OR Y OR Z) NOT action:Drop.

src:X OR src:Y OR src:Z NOT action:Drop.

Re: Log query R80.10

resu — Mon, 30 Mar 2020 15:24:23 GMT

Apologies, didn't see other post. Thanks very much, this is it.