
    Understanding Advanced Filter Options

    The filter manager provides advanced filtering options. You can filter values for any field in the log.

    To use advanced filter options:

    • Click the plus sign (+) next to the Filter By option.

    Table 1 describes each advanced filter option and gives examples of it. Table 2 lists, for the IP address, port, and log ID column fields, which operators (including the word forms equals and notequals) are supported and which are not.

    Table 1: Advanced Filter Options

    Each row gives the filter option, its description, and examples.

    Filter String

    Description:

    • IP—Specifies an IP address.
    • Name—Specifies a string name. The string can contain uppercase or lowercase letters (a-z, A-Z), digits (0-9), underscores (_), single quotes ('), double quotes ("), and hyphens (-); a plus sign (+) after such a set means that the preceding characters can occur one or more times.
    • Expression—Specifies a condition of the form key operator value.

    Examples:

    • IP—1.2.3.4, 1.2.3.5
    • Name—Joseph Lagrange
    • Expression—dstip = 1.2.3.4 and srcip = 1.2.3.5

    Term Operator

    Description:

    • AND—Combines two filter strings; a log matches only if both strings match.
    • OR—Combines two filter strings; a log matches if either string matches.

    Examples:

    • AND—Firewall = Deny and srcip = 1.2.3.4
    • OR—Firewall = Deny or srcip = 1.2.3.4

    Key

    Description:

    • SrcIP—Specifies the source IP address.

      Note: You can type either src or srcip to indicate source address.

    • DstIP—Specifies the destination IP address.
    • SrcPort—Specifies the source port address.
    • DstPort—Specifies the destination port address.
    • LogSource—Specifies the source from which the logs are generated.
    • Application—Specifies the type of application.
    • AttackName—Specifies the attack name.
    • AttackSeverity—Specifies the attack severity.
    • DstIPV6—Specifies the destination IPv6.
    • DstZone—Specifies the destination zone.
    • EventCategory—Specifies the event category.
    • EventName—Specifies the event name.
    • LogID—Specifies the log ID.
    • NatDstIP—Specifies the NAT destination IP address.
    • NatSrcIP—Specifies the NAT source IP address.
    • NatDstPort—Specifies the NAT destination port.
    • NatSrcPort—Specifies the NAT source port.
    • NestedApp—Specifies the nested application.
    • PolicyName—Specifies the policy name.
    • Reason—Specifies the reason.
    • RuleName—Specifies the rule name.
    • Service—Specifies the service.
    • SrcIPV6—Specifies the source IPv6 address.
    • SrcZone—Specifies the source zone.
    • UserName—Specifies the user name.
    Examples:

    • SrcIP—SrcIP equals 1.3.4.5,1.3.4.6,1.3.4.26

      In this example, any one of several IP addresses can match. A comma between values acts as a logical OR.

    • DstIP—DstIP equals 192.167.2.1
    • SrcPort—SrcPort equals 1024,1025,1026
    • DstPort—DstPort equals 23,35,67
    • LogSource—LogSource equals srx
    • Application—application = aol,http,yahoo and srcip = 2.3.4.5
    • AttackName—AttackName equals 'No TCP flag!'
    • AttackSeverity—AttackSeverity equals INFO
    • DstIPV6—DstIPV6 equals 2000::1
    • DstZone—DstZone equals Exploit
    • EventCategory—EventCategory equals IPS
    • EventName—EventName equals IDP_APPDDOS_APP_STATE_EVENT
    • LogID—LogID equals 5392090
    • NatDstIP—NatDstIP equals 172.19.51.235
    • NatSrcIP—NatSrcIP equals 1.1.1.1
    • NatDstPort—NatDstPort equals 1025
    • NatSrcPort—NatSrcPort equals 56752
    • NestedApp—NestedApp equals INCONCLUSIVE
    • PolicyName—PolicyName equals AppDDOS
    • Reason—Reason equals policy deny
    • RuleName—RuleName equals DDOS
    • Service—Service equals HTTP
    • SrcIPV6—SrcIPV6 equals 2000::2
    • SrcZone—SrcZone equals trust
    • UserName—UserName equals matt

    Operator

    Description:

    • = —Specifies that the key is equal to the value provided.
    • !=—Specifies that the key is not equal to the value provided.
    • >—Specifies that the key is greater than the value provided.
    • <—Specifies that the key is less than the value provided.
    • <=—Specifies that the key is less than or equal to the value provided.
    • >=—Specifies that the key is greater than or equal to the value provided.
    • startswith—Specifies that the key starts with the value provided.
    • endswith—Specifies that the key ends with the value provided.
    • exists—Specifies that the key exists.
    • notexists—Specifies that the key does not exist.

    The word forms equals and notequals are accepted in place of = and !=. The ordering operators (<, <=, >, >=) apply only to port and log ID fields, not to IP address or log source fields; see Table 2.

    Examples:

    • = —srcip = 1.2.3.4
    • !=—dstip != 1.2.3.4
    • >—DstPort > 1024
    • <—DstPort < 1024
    • <=—DstPort <= 1024
    • >=—DstPort >= 1024
    • startswith—EventName startswith KMD
    • endswith—EventName endswith PHASE
    • exists—EventName exists
    • notexists—EventName notexists

    Value

    Description:

    • IP—Specifies an IP address.
    • String—Specifies an event name, an event category, or any user-defined string.

    Examples:

    • IP—10.204.49.43, 10.203.49.5
    • String—Joseph Lagrange

    Table 2: Operators Supported on the IP Address, Port, and Log ID Column Fields

    Column Name    Usable Operators                                            Unusable Operators
    Src IP         equals, notequals, exists, notexists, =, !=                 startswith, endswith, contains, <, <=, >, >=
    Dst IP         equals, notequals, exists, notexists, =, !=                 startswith, endswith, contains, <, <=, >, >=
    Src IPv6       equals, notequals, exists, notexists, =, !=                 startswith, endswith, contains, <, <=, >, >=
    Dst IPv6       equals, notequals, exists, notexists, =, !=                 startswith, endswith, contains, <, <=, >, >=
    NAT Src IP     equals, notequals, exists, notexists, =, !=                 startswith, endswith, contains, <, <=, >, >=
    NAT Dst IP     equals, notequals, exists, notexists, =, !=                 startswith, endswith, contains, <, <=, >, >=
    Log Source     equals, notequals, exists, notexists, =, !=                 startswith, endswith, contains, <, <=, >, >=
    Src Port       equals, notequals, exists, notexists, =, !=, <, <=, >, >=   startswith, endswith, contains
    Dst Port       equals, notequals, exists, notexists, =, !=, <, <=, >, >=   startswith, endswith, contains
    NAT Src Port   equals, notequals, exists, notexists, =, !=, <, <=, >, >=   startswith, endswith, contains
    NAT Dst Port   equals, notequals, exists, notexists, =, !=, <, <=, >, >=   startswith, endswith, contains
    Log ID         equals, notequals, exists, notexists, =, !=, <, <=, >, >=   startswith, endswith, contains

    Note: If a filter condition uses an operator that is invalid or unsupported for its column (see Table 2), that condition is ignored and the remaining conditions determine the result. The logs displayed are then less restricted than the filter you typed, so check each condition against Table 2 before relying on the result.
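    The expression syntax of Table 1, the per-column operator rules of Table 2, and the ignore-on-invalid-operator behaviour from the note, as a small evaluator in Python. This is an added example, not code from this page or from the product: it parses key operator value terms joined by and/or, drops conditions Table 2 does not permit (reporting them as warnings), and runs the result over a few constructed log records. Assumptions: columns Table 2 does not list (EventName, Reason, and so on) accept the equality and string operators, as the EventName examples suggest; and/or are evaluated left to right with equal precedence; string matching is exact and case-sensitive; the src alias for srcip is the page's; SAMPLE_LOGS is constructed data.

```python
import ipaddress
import re

# Operator support per column, transcribed from Table 2 (word forms and symbols).
EQUALITY_OPS = {"equals", "notequals", "exists", "notexists", "=", "!="}
ORDER_OPS = {"<", "<=", ">", ">="}
STRING_OPS = {"startswith", "endswith", "contains"}
IP_KEYS = {"srcip", "dstip", "srcipv6", "dstipv6", "natsrcip", "natdstip"}
NUMERIC_KEYS = {"srcport", "dstport", "natsrcport", "natdstport", "logid"}
EQUALITY_ONLY_KEYS = IP_KEYS | {"logsource"}  # Table 2 groups Log Source with the IP columns
KEY_ALIASES = {"src": "srcip"}                # the page allows "src" for "srcip"

# One term: key, operator, optional value (rest of the string, so "policy deny" works).
_TERM = re.compile(
    r"^\s*(?P<key>[A-Za-z0-9_]+)\s*(?P<op>!=|<=|>=|=|<|>|(?:notequals|equals|notexists|"
    r"exists|startswith|endswith|contains)(?![A-Za-z0-9_]))(?P<value>.*)$", re.IGNORECASE)


def allowed_ops(key):
    """Operators Table 2 permits on a column; columns it does not list are
    assumed (assumption) to take the equality and string operators."""
    if key in EQUALITY_ONLY_KEYS:
        return EQUALITY_OPS
    if key in NUMERIC_KEYS:
        return EQUALITY_OPS | ORDER_OPS
    return EQUALITY_OPS | STRING_OPS


def _coerce(key, raw):
    """Turn a filter value or a log field into a comparable object (IP, int, or str)."""
    if key in IP_KEYS:
        return ipaddress.ip_address(str(raw))
    return int(raw) if key in NUMERIC_KEYS else str(raw)


def compile_filter(expr):
    """Parse 'key op value [and|or key op value ...]' into (terms, warnings).
    A term Table 2 does not permit on its column, or with a bad value, is dropped
    and reported: the note's 'invalid filter condition is ignored' behaviour."""
    parts = re.split(r"\s+(and|or)\s+", expr.strip(), flags=re.IGNORECASE)
    terms, warnings = [], []
    for i in range(0, len(parts), 2):
        conn = parts[i - 1].lower() if i else None
        m = _TERM.match(parts[i])
        if not m:
            warnings.append(f"unparseable term ignored: {parts[i]!r}")
            continue
        key = KEY_ALIASES.get(m["key"].lower(), m["key"].lower())
        op, raw = m["op"].lower(), m["value"].strip()
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
            raw_values = [raw[1:-1]]  # quoted value keeps its spaces and commas
        else:
            raw_values = [v.strip() for v in raw.split(",") if v.strip()]  # comma = OR
        try:
            if op not in allowed_ops(key):
                raise ValueError(f"{op!r} is not supported on {key}")
            values = [_coerce(key, v) for v in raw_values]
        except ValueError as err:
            warnings.append(f"condition ignored ({err}): {parts[i].strip()!r}")
            continue
        terms.append((conn, key, op, values))
    return terms, warnings


def _match(record, key, op, values):
    if op in ("exists", "notexists"):
        return (key in record) == (op == "exists")
    if key not in record:
        return False
    actual = _coerce(key, record[key])
    if op in ("!=", "notequals"):
        return all(actual != w for w in values)
    checks = {"=": lambda w: actual == w, "equals": lambda w: actual == w,
              "<": lambda w: actual < w, "<=": lambda w: actual <= w,
              ">": lambda w: actual > w, ">=": lambda w: actual >= w,
              "startswith": lambda w: actual.startswith(w),
              "endswith": lambda w: actual.endswith(w), "contains": lambda w: w in actual}
    return any(checks[op](w) for w in values)  # a comma list matches if any value does


def evaluate(terms, record):
    """Left to right; 'and' and 'or' are given equal precedence (assumption)."""
    result = None
    for conn, key, op, values in terms:
        hit = _match(record, key, op, values)
        result = hit if result is None else (result and hit if conn == "and" else result or hit)
    return True if result is None else result  # nothing left to filter on: every log matches


def filter_logs(expr, records):
    """Return (matching records, warnings about ignored conditions)."""
    terms, warnings = compile_filter(expr)
    return [r for r in records if evaluate(terms, r)], warnings


# Constructed sample records (field names lower-cased, as the evaluator expects).
SAMPLE_LOGS = [
    {"srcip": "1.2.3.4", "dstip": "192.167.2.1", "dstport": 23, "srczone": "trust",
     "eventname": "RT_FLOW_SESSION_DENY", "reason": "policy deny"},
    {"srcip": "1.3.4.26", "dstip": "10.0.0.9", "dstport": 443, "srczone": "trust",
     "eventname": "RT_FLOW_SESSION_CREATE"},
    {"srcip": "2.3.4.5", "dstipv6": "2000::1", "dstport": 8080, "attackseverity": "INFO",
     "eventname": "IDP_ATTACK_LOG_EVENT", "attackname": "No TCP flag!"},
]
```

    Running filter_logs("SrcIP > 1.2.3.4 and dstport = 23", SAMPLE_LOGS) returns one warning and only the dstport match, and filter_logs("srcip startswith 1.", SAMPLE_LOGS) returns every record with a warning: that is the failure mode the note describes, where an unsupported operator silently widens the result set instead of producing an error. The warnings list is what a practitioner would surface before trusting a filtered view.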

    Published: 2014-04-30