nflnetwork29
Advisor

possible to filter logs by geo location policy

Can I create a log filter that only shows traffic blocked ("dropped") because of Geo-location inbound enforcement?

Log server is R81.10 

15 Replies
CE_SE
Employee Alumnus

You can simply use the search field for the specific country you're looking for if you're tracking that specific rule.

the_rock
Legend

You can do something like this in log search:

src_country: "Israel"

You can apply the same logic to the dst country:

dst_country: "China"

nflnetwork29
Advisor

hmmm not working for me 

the_rock
Legend

Not sure what to tell you then... I just did 3 filters on a customer's environment and did the below:

src_country: "Canada"

dst_country: "Canada"

dst_country: "China"

All 3 worked fine...can you attach a screenshot?

CE_SE
Employee Alumnus

I agree using the above search method is successful. 

the_rock
Legend

Well, works the same way, with or without the quotes : - )

Amir_Senn
Employee

If you're using the new Geo Policy (in the Access Control policy), I suggest you filter by rule name.

If you're not using the new Geo Policy, I suggest moving to the new one. It's better, and future features will be available for it.

Here's how:

1) Go to Access Control policy

2) Add a new rule, and in the source/destination you can click on the "+", then Import -> Updatable Objects... (see attached picture).

3) In the object, search for "GEO Locations", and further select the countries you wish to use in the rule. You can use multiple countries per rule.

4) Define action and in the track put the desired log level.

5) Install policy.

Kind regards, Amir Senn
Paul_Hagyard
Advisor

Hi,

Given that many people will be using updatable objects rather than the old geo-policy, being unable to search logs directly by country seems to be quite a limitation. The suggestion of adding additional rules to allow filtering based on rule UID is not a great workaround for (most) environments where change control is required for a rule.

"I need to add a rule because the product does not permit viewing logs by country"... If it's possible to display the flag in the log view, then surely it must be possible to extend this to a search field. This shouldn't need an RFE; it should be included already.

Paul

the_rock
Legend

You don't need to add any rules to search by country; it works fine using the src_country and dst_country filters, as in the examples we gave in the post.

Andy

Paul_Hagyard
Advisor

I'm using R81.20 JHF 26 SC/GW and it's not working. If I filter on src_country:"New Zealand" all I see is my Mobile Access logs - despite there being numerous firewall blade logs from New Zealand sources. I even have NZ as an updatable object in a rule.

Again, the log viewer can show a flag, I shouldn't need to import updatable objects to filter in the log viewer.

the_rock
Legend

That's very odd, because I never had the issue even back in R81.10. I agree with your assessment that you should not need to import an updatable object to do the filter. Are you able to send a screenshot of the filter?

Andy

Paul_Hagyard
Advisor

Current logs on the firewall blade showing traffic from Australia:

Log_filter_by_country_1.png

Attempt to filter by country shows no logs:

Log_filter_by_country_2.png

I went for Aussie as it removes the chance of some issue with spaces in the country name. I've tried without the quotes, with single quotes... nada

If I remove the filter on blade and change to src_country:"New Zealand" then I can see my VPN RAS connections from yesterday:

Log_filter_by_country_3.png

the_rock
Legend

I just found that one of our customers had this issue last year and it was solved by running cloudguard stop and cloudguard start on the mgmt server. Not saying it will work for you, but worth a try. If not, I would maybe reach out to TAC to see what they advise. Also, it does not hurt to reboot the mgmt server either, as it does not cause any traffic issues.

Andy

Paul_Hagyard
Advisor

That sounds like the service desk: "have you tried turning it off and on again?" 🙂 It does appear to work as often for infrastructure as for endpoints...

No change restarting the CloudGuard controller or cpstop/cpstart. TAC request would require having a customer wanting me to spend more of their time on this!

Exporting to CSV from SmartView includes the columns src_uo_name and dst_uo_name (source/destination updatable object name), so if you have the updatable objects defined (and probably active in a rule) you could use SmartView - but hardly convenient. You seemingly can't filter on these columns (src_uo_name etc.) in SmartConsole either.

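The CSV-export workaround above can be scripted offline. The following is an added example (not from the thread or from Check Point) that reads a constructed SmartView-style export and keeps only drops from a given country, matching either the src_country field the thread filters on or the src_uo_name column that only appears in the export. Only the src_uo_name/dst_uo_name column names come from the post; the other column names, the rule names and all sample rows are assumed/constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample of a SmartView CSV export. Column names other than
# src_uo_name / dst_uo_name are assumed, not taken from a real export.
SAMPLE_CSV = """time,action,blade,rule_name,src,src_country,src_uo_name,dst,dst_uo_name
2024-01-01 10:00:00,Drop,Firewall,Geo Block Inbound,203.0.113.5,Australia,Australia,198.51.100.1,
2024-01-01 10:00:01,Accept,Firewall,Web Inbound,203.0.113.6,Australia,Australia,198.51.100.1,
2024-01-01 10:00:02,Drop,Firewall,Cleanup rule,192.0.2.7,New Zealand,New Zealand,198.51.100.1,
2024-01-01 10:00:03,Drop,Firewall,Geo Block Inbound,192.0.2.8,,New Zealand,198.51.100.1,
2024-01-01 10:00:04,Accept,Mobile Access,RAS,192.0.2.9,New Zealand,,198.51.100.2,
"""


def geo_dropped(csv_text, country, rule_name=None):
    """Return the exported rows that were dropped and originate from `country`.

    A row matches when either src_country or src_uo_name equals the country
    (case-insensitive), so rows where the geo field is empty but the updatable
    object resolved still count. Optionally restrict to one rule name, which
    mirrors the "filter by rule name" suggestion earlier in the thread.
    """
    wanted = country.strip().lower()
    matches = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["action"].strip().lower() != "drop":
            continue
        fields = (row["src_country"].strip().lower(), row["src_uo_name"].strip().lower())
        if wanted not in fields:
            continue
        if rule_name is not None and row["rule_name"] != rule_name:
            continue
        matches.append(row)
    return matches


def drops_by_rule(csv_text, country):
    """Count the dropped rows from `country` per rule name, to see which
    rule (geo enforcement or cleanup) is actually doing the blocking."""
    return Counter(row["rule_name"] for row in geo_dropped(csv_text, country))


if __name__ == "__main__":
    for row in geo_dropped(SAMPLE_CSV, "New Zealand"):
        print(row["time"], row["src"], row["rule_name"])
    print(drops_by_rule(SAMPLE_CSV, "New Zealand"))
```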
the_rock
Legend

Sorry mate, not sure what else to suggest. I have never had this problem myself, so if the things we discussed did not work, then the only other logical options I see are either a TAC case or seeing if someone else on here might have better suggestions.

Cheers,

Andy
