resu
Ivory

Log query R80.10

I would like to run a query (something like NOT action:drop) on a list of unique IP addresses. I've looked through documentation and tried IPs with a space between, with "AND" (no quote marks) between. Neither worked.
Any advice is appreciated.

4 Replies

Re: Log query R80.10

When you use queries with more than one criteria value, an AND is implied automatically, so there is no need to add it. Enter OR or other boolean operators if needed.

http://downloads.checkpoint.com/dc/download.htm?ID=65843
Employee+

Re: Log query R80.10

Hi resu,

Can you please share the exact queries that fail to find your desired results and the exact R80.10 JHF version?

resu
Ivory

Re: Log query R80.10

Version: R80.10
Build: SmartConsole 991140013

I would like to query a list of unique IP addresses. So two (possible) queries might look like this (separated by a space, since the AND is implicit):

Query 1:

IP1 IP2 IP3

Query 2:

IP2 IP2 IP3 NOT action:drop


Employee+

Re: Log query R80.10

If both these queries fail (even without the NOT), only free-text IPs, then it's already fixed in the latest JHF.

For R80.10 only, you need to write either a src or dst, as a complete IP free-text wasn't supported.

Also, I think what you're looking for is an OR, not an AND here (as you'll probably never have 3 unique IPs in the same log).

Example: (src:X OR dst:X) OR (src:Y OR dst:Y)

Then you can add: AND action:Drop.

Best to install the latest JHF anyway.
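The query shape suggested in the last reply, generated from a list of addresses. This is an added example, not part of the thread or Check Point code. The function name `build_ip_query`, the sample addresses, and the parentheses placed around the whole OR group before the trailing filter are assumptions.

```python
import ipaddress


def build_ip_query(ips, extra_filter=None):
    """Build a log query matching any listed IPv4 address as src or dst.

    ips          -- iterable of strings (e.g. lines read from a file)
    extra_filter -- optional field filter typed as on the page, e.g. "action:Drop"
    """
    unique = []
    for raw in ips:
        text = raw.strip()
        if not text or text.startswith("#"):
            continue  # skip blank lines and comments in an address list
        # Raises ValueError for hostnames, CIDR ranges or malformed addresses,
        # so a bad entry never ends up in the query as free text.
        ip = str(ipaddress.IPv4Address(text))
        if ip not in unique:
            unique.append(ip)  # keep first-seen order, drop duplicates
    if not unique:
        raise ValueError("no IP addresses given")

    # One (src:X OR dst:X) clause per address, joined with OR: a single log
    # entry will not contain every address, so AND would match nothing.
    query = " OR ".join(f"(src:{ip} OR dst:{ip})" for ip in unique)

    if extra_filter:
        # Assumption: group the OR clauses so the filter applies to all of them.
        query = f"({query}) AND {extra_filter}"
    return query


if __name__ == "__main__":
    # Constructed sample input (documentation address ranges).
    sample = ["192.0.2.10", "198.51.100.7", " 192.0.2.10 ", "# old host", ""]
    print(build_ip_query(sample))
    print(build_ip_query(sample, "action:Drop"))
```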