hmmm not working for me 

Not sure what to tell you then...I just did 3 filters on customer's environment and did below:

src_country: "Canada"

dst_country: "Canada"

dst_country: "China"

All 3 worked fine...can you attach a screenshot?

I agree using the above search method is successful. 

Well, works the same way, with or without the quotes : - )

Hi,

Given that many people will be using updatable objects rather than the old geo-policy, being unable to search logs directly by country seems to be quite a limitation. The suggestion of adding additional rules to allow filter based on rule UID is not a great workaround for (most) environment where change control is required for a rule.

"I need to add a rule because the product does not permit viewing logs by country"... If it's possible to display the flag in the log view then surely it must be possible to extend this to a search field. This shouldn't need a RFE, it should be included already.

Paul

You dont need to add any rules to search by country, works fine by using src_country and dst_country filters as examples we gave in the post.

Andy

I'm using R81.20 JHF 26 SC/GW and it's not working. If I filter on src_country:"New Zealand" all I see is my Mobile Access logs - despite there being numerous firewall blade logs from New Zealand sources. I even have NZ as an updatable object in a rule.

Again, the log viewer can show a flag, I shouldn't need to import updatable objects to filter in the log viewer.

Thats very odd, because I mever had the issue even back in R81.10. I agree with your assesment that you should not need to import updatable object to do the filter. Are you able to send a screenshot of the filter?

Andy

Current logs on the firewall blade showing traffic from Australia:

Attempt to filter by country shows no logs:

I went for Aussie as it removes the chance of some issue with spaces in the country name. I've tried without the quotes, with single quotes... nada

If I remove the filter on blade and change to src_country:"New Zealand" then I can see my VPN RAS connections from yesterday:

I just found that one of our customers had this issue last year and it was solved by running cloudguard stop and cloudguard start on the mgmt server. Not saying it will work for you, but worth a try. If not, I would maybe reach out to TAC to see what they advise. Also, does not hurt to reboot the mgmt server either, as it does not cause any traffic issues.

Andy

That sounds like the service desk: "have you tried turning it off and on again?" 🙂   Does appear to work as often for infrastructure as endpoints...

No change restarting the CloudGuard controller or cpstop/cpstart. TAC request would require having a customer wanting me to spend more of their time on this!

Exporting to CSV from SmartView includes columns src_uo_name and dst_uo_name (source/destination updatable object name"), so if you have the updatable objects defined (and probably active in a rule) you could use SmartView - but hardly convenient. You seemingly can't filter on these columns (src_uo_name etc) in SmartConsole either.

Sorry mate, not sure what else to suggest. I had never had this problem myself, so if those things we discussed did not work, then only other logical options I see are either TAC case or see if someone else on here might have a better suggestions.

Cheers,

Andy