Daniel_Westlund
Collaborator

Unable to filter out Network Access Rule Number in logs

I'm trying to migrate a customer into using an inline policy. To do this, I've added the inline rules, and kept the Application layer there as well to catch what I missed. Now I need to remove the Application layer. To do that, I click on a rule, look at the logs for the rule, and filter on the column Access Rule Number in order to see if I missed any inline rules.

accept-log1.jpg

The problem is that for drops, which are the most important, the Access Rule Number column doesn't show the Network Rule, but the Application Rule.

drop-log1.jpg

I know this info (the Network rule) is there because if I drill down into the log, I see it in the Matched Rules tab.

drop-log-match-rules.JPG

But, there are millions of logs so rather than look into each one, I'd like a way to filter them out like I filter the accepts by Access Rule Number in the first screenshot. I've looked at the columns available in the profiles and don't see anything that would give me the Network Rule the traffic is using when it gets dropped on the Application Rule.  If I don't add an inline drop for the relevant rules, like 144 above, then users can get out to blocked sites.  If I keep the Application layer in place, then the Inline rules are not making the policy more efficient.  Any ideas how I can find the rules that I need to add the block rule on inline?

2 Replies
Dror_Aharony
Employee Alumnus

Hi Daniel (Nickel),

You can easily filter out the FW layer rules by using either NOT <rule_name> or NOT rule:<no.>

Using the rule_name is better, as it's more specific, assuming you have unique names for your rules.

‘Current Rule Box’ (of relevant APPI rule) NOT <rule_name_in_free_text>

example: ‘Current Rule Box’ NOT "FW Accept rule 1"

This way, you can just open 1 log for each such rule. Check the matching FW rule name in the Matched Rules tab, easily filter all these rules' logs out, and continue to the next rule.
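The same "open one log per rule, note its FW-layer match, filter that rule out, repeat" loop applied to an exported batch of log records, as an added illustration that is not code from this thread or from Check Point. The record layout (a top-level rule for the Application layer hit plus a `matched_rules` list with one entry per layer) is an assumption modelled on the Matched Rules tab, and the sample records are constructed.

```python
from collections import Counter

# Constructed sample records. As in the screenshots, the top-level rule is the
# Application layer rule that dropped the traffic, while matched_rules carries
# the Network layer rule the traffic traversed first. Field names are assumed.
SAMPLE_LOGS = [
    {"action": "Drop", "rule": "17", "rule_name": "Block Gambling",
     "matched_rules": [
         {"layer": "Network", "rule": "144", "rule_name": "Corp users to Internet"},
         {"layer": "Application", "rule": "17", "rule_name": "Block Gambling"}]},
    {"action": "Drop", "rule": "17", "rule_name": "Block Gambling",
     "matched_rules": [
         {"layer": "Network", "rule": "144", "rule_name": "Corp users to Internet"},
         {"layer": "Application", "rule": "17", "rule_name": "Block Gambling"}]},
    {"action": "Drop", "rule": "21", "rule_name": "Block Streaming",
     "matched_rules": [
         {"layer": "Network", "rule": "150", "rule_name": "Guests to Internet"},
         {"layer": "Application", "rule": "21", "rule_name": "Block Streaming"}]},
    {"action": "Accept", "rule": "144", "rule_name": "Corp users to Internet",
     "matched_rules": [
         {"layer": "Network", "rule": "144", "rule_name": "Corp users to Internet"}]},
]


def network_rule_of(log):
    """Return (rule number, rule name) of the Network layer match, or None."""
    for match in log.get("matched_rules", []):
        if match.get("layer") == "Network":
            return (match["rule"], match["rule_name"])
    return None


def drops_by_network_rule(logs, exclude_names=()):
    """Count Application-layer drops per Network-layer rule they passed through.

    exclude_names plays the role of the NOT <rule_name> filter in the reply:
    once a network rule has its inline drop, leave its logs out and look at
    what remains. The result tells you which network rules still need one.
    """
    counts = Counter()
    for log in logs:
        if log.get("action") != "Drop":
            continue
        net_rule = network_rule_of(log)
        if net_rule is None or net_rule[1] in exclude_names:
            continue
        counts[net_rule] += 1
    return counts
```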

Daniel_Westlund
Collaborator

Great call on this.  I couldn't get it to work with rule name, but it worked on rule number for me.  Thanks for the help.
