TechLibrary

Navigation

Table of Contents

Guide That Contains This Content

[+] Expand All

[-] Collapse All

Understanding Advanced Filter Options

The filter manager provides advanced filtering options. You can filter values for any field in the log.

To use advanced filter options:

Click the plus sign (+) next to the Filter By option.

Table 1 shows the advanced filter options and includes a description, and examples of each. Table 2 shows the operators supported on the IP address column fields.

Table 1: Advanced Filter Options

Filter Options	Description	Example
Filter String	The options available are: IP—Specifies the IP address. Name—Specifies the string name. The string name can include uppercase or lowercase letters (a-z) or (A-Z), numbers 0-9, underscores (_), single quotes (’), double quotes (“), hyphens, or (+) indicating that the preceding options can occur one or more times. Expression—Specifies the key operator value.	IP—1.2.3.4, 1.2.3.5 Name—Joseph Lagrange. Expression—dstip = 1.2.3.4 and srcip = 1.2.3.5.
Term Operator	The options available are: AND—Specifies that two filter strings must be combined. OR—Specifies that either of the two filters strings can be used.	AND—Firewall = Deny and srcip = 1.2.3.4. OR—Firewall = Deny or srcip = 1.2.3.4.
Key	The options available are: SrcIP—Specifies the source IP address. Note: You can type either src or srcip to indicate source address. DstIP—Specifies the destination IP address. SrcPort—Specifies the source port address. DstPort—Specifies the destination port address. LogSource—Specifies the source from which the logs are generated. Application—Specifies the type of application. AttackName—Specifies the attack name. AttackSeverity—Specifies the attack severity. DstIPV6—Specifies the destination IPv6. DstZone—Specifies the destination zone. EventCategory—Specifies the event category. EventName—Specifies the event name. LogID—Specifies the log ID. NatDstIP—Specifies theNAT destination IP. NatSrcIP—Specifies theNAT source IP. NatDstPort—Specifies the NAT destination port. NatSrcPort—Specifies the NAT source port. NestedApp—Specifies the nested application. PolicyName—Specifies the policy name. Reason—Specifies the reason. RuleName—Specifies the rule name. Service—Specifies the service. SrcIPV6—Specifies thesource IPv6 address. SrcZone—Specifies the source zone. UserName—Specifies the user name.	SrcIP—SrcIP equals 1.3.4.5,1.3.4.6,1.3.4.26 . In this example, multiple IP addresses or values are to be matched. A comma indicates the logical or operator. DstIP—DstIP equals 192.167.2.1 SrcPort—SrcPort equals 1.3.4.5,1.3.4.6,1.3.4.26 DstPort—DstPort equals 23,35,67 LogSource—logsource srx Application—application = aol,http,yahoo and srcip = 2.3.4.5 AttackName—AttackName equals 'No TCP flag! AttackSeverity—AttackSeverity equals INFO DstIPV6—DstIPV6 equals 2000::1 DstZone—DstZone equals Exploit EventCategory—EventCategory equals IPS EventName—EventName equals IDP_APPDDOS_APP_STATE_EVENT LogID—LogID equals 5392090 NatDstIP—NatDstIP equals 172.19.51.235 NatSrcIP—NatSrcIP equals 1.1.1.1 NatDstPort—NatDstPort equals 1025 NatSrcPort—NatSrcPort equals 56752 NestedApp—NestedApp equals INCONCLUSIVE PolicyName—PolicyName equals AppDDOS Reason—Reason equals policy deny RuleName—RuleName equals DDOS Service—Service equals HTTP SrcIPV6—HTTPSrcIPV6 equals 2000::2 SrcZone—SrcZone equals trust UserName—UserName equals matt
Operator	The options available are: = — Specifies that the key is equal to the value provided. !=—Specifies that the key is not equal to the value provided. >—Specifies that the key is greater than the value provided. <—Specifies that the key is less than the value provided. <=—Specifies that the key is less than or equal to the value provided. >=—Specifies that the key is greater than or equal to the value provided. startswith—Specifies that the key starts with the value provided. endswith—Specifies that the ends with the value provided. exists—Specifies that the key exists. notexists—Specifies that the key does not exist.	= —srcip = 1.2.3.4 !=—DstZone != 1.2.3.4 >—LogSource > 1.2.3.4 <—LogSource < 1.2.3.4 <=— LogSource <= 1.2.3.4 >=—LogSource >= 1.2.3.4 startswith—EventName startswith KMD endswith—EventName endswith PHASE exists—EventName exists notexists—EventName notexists
Value	The options available are: IP—Specifies the IP address. String—Specifies the event names, event categories, or any user-defined strings.	IP—10.204.49.43, 10.203.49.5 String—Joseph Lagrange.

Table 2: Operators Supported on the IP Address Column fields

Column Name	Usable Operators	Unusable Operators
Src IP	equals, notequals, exists, notexists, =, !=	startswith, endswith, contains, <, <=, >, >=
Dst IP	equals, notequals, exists, notexists, =, !=	startswith, endswith, contains, <, <=, >, >=
Src IPv6	equals, notequals, exists, notexists, =, !=	startswith, endswith, contains, <, <=, >, >=
Dst IPv6	equals, notequals, exists, notexists, =, !=	startswith, endswith, contains, <, <=, >, >=
NAT Src IP	equals, notequals, exists, notexists, =, !=	startswith, endswith, contains, <, <=, >, >=
NAT Dst IP	equals, notequals, exists, notexists, =, !=	startswith, endswith, contains, <, <=, >, >=
Log Source	equals, notequals, exists, notexists, =, !=	startswith, endswith, contains, <, <=, >, >=
Src Port	equals, notequals, exists, notexists, =, !=, <, <=, >, >=	startswith, endswith, contains
Dst Port	equals, notequals, exists, notexists, =, !=, <, <=, >, >=	startswith, endswith, contains
NAT Src Port	equals, notequals, exists, notexists, =, !=, <, <=, >, >=	startswith, endswith, contains
NAT Dst Port	equals, notequals, exists, notexists, =, !=, <, <=, >, >=	startswith, endswith, contains
Log ID	equals, notequals, exists, notexists, =, !=, <, <=, >, >=	startswith, endswith, contains

Note: While creating the filters, if you use invalid or unsupported operators (as described in the table), the result displayed will be ignore the invalid filter condition.

TechLibrary

Related Documentation

Understanding Advanced Filter Options

Related Documentation

Published: 2014-04-30