Gerard_van_Lee1
Participant

viewing LOG - filter on NAT rule #

Hi,

I'm using the Logs & Monitor of Domain Management Server (R80.10) on a VS (R77.30).

I'm looking for the field name of "Xlate (NAT) Source IP" to use in the query in Logs & Monitor.

(Already tried filtering using the "Copy Rule UID" of the NAT rule and using it with fieldname rule_uid.)

The drop down list of "other fields"

I hope there's a complete list of field names somewhere. 

Thanks in advance.

Kind regards,

Gerard van Leeuwen

16 Replies
Joshua_Hatter
Employee

While on the logs page, you can right-click the grey column header and then select 'Edit Profile'. From there you can search for various columns to add; search for Xlate and you should find what you are looking for. Trying to add screenshots but having trouble.

0 Kudos
Gerard_van_Lee1
Participant

I already did add the columns Xlate*. That works well.

But I like to use it as a filter.

0 Kudos
Joshua_Hatter
Employee

Typically you can click on the column headers and add a filter from there. The option is grayed out for me so I think it is a bad sign. I've asked some other resources, maybe Tomer Sole can have a suggestion.

0 Kudos
XBensemhoun
Employee

Where could we see indexed fields, Joshua Hatter?

Information Security enthusiast, CISSP, CCSP
0 Kudos
Joshua_Hatter
Employee

Outside the API my management expertise is limited. My best guess is anything in the "Add a search field:" section once you click in the filter bar. Hoping Tomer or someone else can add some feedback. Russell Seifert

Russell_Seifert
Employee

Hi,

xlatesrc = Xlate (NAT) Source IP
xlatedst = Xlate (NAT) Destination IP
xlatesport = Xlate (NAT) Source Port
xlatedport = Xlate (NAT) Destination Port

Example in filter:

xlatesport:33028

xlatedst:10.1.0.0

0 Kudos
XBensemhoun
Employee

Only available starting R80*?

(on R77.30 SmartLog)

Information Security enthusiast, CISSP, CCSP
0 Kudos
Russell_Seifert
Employee

Correct. The NAT fields were not indexed to be searchable on R77.30 and lower due to performance reasons.

0 Kudos
Gerard_van_Lee1
Participant

I'm sorry Russell. xlatesrc:172.20.0.4 does not work and I'm 100% sure there's such traffic.

I'm aiming the filter for NAT rule number.

The gateways are R77.30 now. Ok I have to wait for this option until those are updated.

venkata_marutur
Contributor

Hello All,

I am running R80.10 SMS and R77.30 Gateways (both running the latest Jumbos). I am also having the same issue: I added the xlate src IP field to my columns by editing the profile, but searching xlatesrc: public IP does not work. But just entering the public IP in the search without any filters does seem to work at times, but not all times.

So, must my GWs be on R80+ for this xlate-based indexing to work, or is it just the SMS that needs to be on R80+?

Thanks.

0 Kudos
PhoneBoy
Admin

This is a management/logging feature, the version of gateway is not that relevant.

0 Kudos
venkata_marutur
Contributor

So, any thoughts on why the issue still exists in R80+ SMS?

Hope this helps other users as well.

Thanks.

0 Kudos
PhoneBoy
Admin

Sounds like an indexing issue, in which case it's probably worth opening a ticket with the TAC to investigate.

0 Kudos
Raj_Khatri
Advisor

Has anyone figured out how to filter SmartLog for NAT Rule Number? When filtering for Access Rule Number it uses "rule:" in the query syntax. However, for NAT Rule Number it uses just the rule number in the query syntax, which returns no results.

You are able to filter from SmartView Tracker though. This is on R80.10 management.

Raj_Khatri
Advisor

So after working with TAC, it appears that the NAT Rule Numbers are not indexed. The only workaround is to open an individual log file and use the following query - nat_rulenum: 123

An RFE has been submitted for this request.

biskit
Advisor

This still seems to be a problem on R81.10. I can't figure out a way to apply a filter on the NAT IP.

I hide tons of traffic behind my LAN interface IP 192.168.1.1. And of course behind the public interface IP for web access.

If I try xlatesrc:192.168.1.1 I get zero hits. Same if I use the public hide IP.

If I filter on just 192.168.1.1 then I get millions of hits for all sorts besides just the NAT. So it's useless.

There must be a way to filter logs on the NAT fields? 🙄

0 Kudos
