evlad
Participant

Can't query and find IPv6 addresses in Log on R80.40

Hi everybody!
The point is: I cannot find the expected IPv6 addresses when I query the Log on the Internet FW. (Maybe I don't use the right syntax for IPv6 querying?)
I'm sure that IPv6 support is enabled. I know that some IPv6 clients successfully get access from the web to our published sites.
For example, I get access through the Firewall from my own devices:

2a02:6680:1130:ea41:8cf7:8421:bf19:dc1a 
2a10:8003:5c3d:0:b62e:99ff:fecf:5f48

As you can see, both IPs have the "2a" prefix. I try to find in the log all possible IPv6 addresses beginning with 2a.
When I'm looking for src:2a00::0/8 in my query I get nothing; when I'm looking for 2a00::0/8 the FW returns something very strange -
You can see it in the attached screenshot. I cannot understand how the records returned by the query relate to the requested 2a00::0/8 address range.

0 Kudos
1 Solution

Accepted Solutions
Tobias_Moritz
Advisor

I've tried it in an IPv6 enabled (and using) environment here and it works just fine.

When using src:2a00::/8 (or, like in your example, the longer syntax src:2a00::0/8), I get only logs with packets from those sources.

Version: SMS R80.40 JHF T120 and Smart Console R80.40 Build 994000424

That you get unwanted results when omitting the field name (and querying just for 2a00::0/8) is quite normal, because this is some kind of full text search. Not sure how it works exactly.


0 Kudos
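
An added example (not part of the original posts and not Check Point code): an offline check, on constructed key=value records, of which sources fall inside 2a00::/8, next to a naive substring search for comparison. The record format and function names are assumptions, and the substring search is a generic illustration, not a model of SmartConsole's free-text search.

```python
import ipaddress

# Constructed sample records (not real firewall output). The first two
# sources are the client addresses quoted in the question.
SAMPLE_LOGS = [
    "src=2a02:6680:1130:ea41:8cf7:8421:bf19:dc1a dst=2001:db8::10 service=443",
    "src=2a10:8003:5c3d:0:b62e:99ff:fecf:5f48 dst=2001:db8::10 service=443",
    "src=2001:db8:2a00::7 dst=2001:db8::10 service=80",
    "src=198.51.100.23 dst=203.0.113.5 service=443",
    "src=2001:db8::99 dst=2a00::5 service=443",
]


def parse(line):
    """Split an assumed 'key=value key=value' record into a dict."""
    return dict(pair.split("=", 1) for pair in line.split())


def field_match(lines, field, cidr):
    """Return records whose `field` is an address inside `cidr`."""
    net = ipaddress.ip_network(cidr, strict=False)
    hits = []
    for line in lines:
        try:
            addr = ipaddress.ip_address(parse(line).get(field, ""))
        except ValueError:
            continue  # field missing or not an IP address
        # Compare only within the same address family (IPv4 vs IPv6).
        if addr.version == net.version and addr in net:
            hits.append(line)
    return hits


def text_match(lines, needle):
    """Naive substring search over the whole record, for comparison."""
    return [line for line in lines if needle in line]


if __name__ == "__main__":
    print("src in 2a00::/8:")
    for rec in field_match(SAMPLE_LOGS, "src", "2a00::/8"):
        print("  ", rec)
    print("substring '2a00' anywhere:")
    for rec in text_match(SAMPLE_LOGS, "2a00"):
        print("  ", rec)
```

The prefix match returns both client addresses because 2a00::/8 fixes only the first eight bits (0x2a); the substring search misses them and returns records where "2a00" appears in a later group or in the destination.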
evlad
Participant

Hi! You are absolutely right, Tobias, about omitting the field name. And I've marked your answer as the solution. Thank you!

But now I see my main mistake: I am trying to find something in the log that cannot be there. The fact is that although the firewall supports IPv6, all our server resources are published in IPv4. Clients simply cannot contact us with IPv6 addresses, because IPv6 and IPv4 are incompatible. They are required to do some sort of NAT64 conversion of their original address to an IPv4 address. I don’t know where and how, most likely at the ISP.
This is a particular problem for customer support for clients who encounter errors on our site. Clients tell us their IP, but we cannot find them in the log, because their IPv6 address has been changed to IPv4.
But this is another (and more common) issue.

Regards,
Evgeni

0 Kudos