Skip to main content
AlexRG
AlexRG
New Member
August 24, 2017
Solved

Event Handlers Not Working as Expected in 5.6.0

  • August 24, 2017
  • 3 replies
  • 10354 views

My filters are:

Level [Equal To] Notice

Destination IP [Not Equal To] serverIP_A

Text filter:

srcintf=port30 and service~RDP and action=start

 

The log:

itime=2017-08-24 13:12:44 sentbyte=0 rcvdbyte=0 srccountry=Reserved app=UDP_RDP date=2017-08-24 dstip=serverIP_B duration=0 vd=VD1 group=IT service=UDP_RDP proto=17 user=ME dstcountry=Reserved policytype=policy poluuid=45840192-88ea-51e7-b403-e3009408d646 devid=FG000000 dstport=3389 type=traffic dtime=2017-08-24 13:12:43 devname=FG00 time=13:12:43 sessionid=884716921 itime_t=1503594764 policyid=111 srcintf=port30 srcip=10.0.21.101 sentpkt=0 level=notice appcat=unscanned srcport=55887 logid=0000000015 subtype=forward trandisp=noop action=start dstintf=VLAN_6

 

I'm not getting any hits from that filter.

    Best answer by sgao_FTNT

    Hi Alex,

    Please check which type log and category you select, I tried in the lab with "Traffic" log and "Others" category, with similar filter setting, it works.

     

    3 replies

    sgao_FTNT
    Staff
    sgao_FTNTAnswer
    Staff
    August 24, 2017

    Hi Alex,

    Please check which type log and category you select, I tried in the lab with "Traffic" log and "Others" category, with similar filter setting, it works.

     

    AlexRG
    AlexRGAuthor
    New Member
    August 24, 2017

    Bah. Don't know how I missed that. Thanks!

     

    I'm was also having trouble with the keyword filter. I had a filter working fine in previous versions and it suddenly stopped.

     

    The settings are:

    [ul]
  • Type: Web Filter
  • Group by: Category
  • Level [Equal To] Notice
  • keyword~'some text' or keyword~'some other text' or keyword~'some more text'[/ul]

     

    I even just tried firing on msg="Search phrase detected" but got nothing.

    • sgao_FTNT
    Staff
    sgao_FTNT
    Staff
    August 24, 2017

    not sure how you configured for web filter handler. Here is my test example in lab, please attach a screenshot if still have issue, then I can check it in lab.

     

    AlexRG
    AlexRGAuthor
    New Member
    August 24, 2017

    Handler settings attached.

     

    The log:

     

    itime=2017-08-24 15:07:05 sentbyte=0 rcvdbyte=0 agent=Chrome/60.0.3112.101 date=2017-08-24 dstip=13.107.21.200 vd=VD1 group=IT service=HTTP proto=6 eventtype=content hostname=www.bing.com dstintf=port12 msg=Search phrase detected devid=FG000000 dstport=80 type=utm dtime=2017-08-24 15:07:04 profile=PROD_WEB direction=outgoing referralurl=http://www.bing.com/ devname=FG sessionid=885360102 itime_t=1503601625 user=ME srcintf=port32 reqtype=referral srcip=10.0.21.101 keyword=who fixed the event handler level=notice url=/search?q=who+fixed+the+event+handler&qs=n&form=QBLH&sp=-1&pq=who+fixed+the+event+handler&sc=0-25&sk=&cvid=90841C2E9796453D8C64907C4D3770C0 srcport=54561 logid=0314012293 subtype=webfilter time=15:07:04 action=passthrough policyid=4

     

    sgao_FTNT
    Staff
    sgao_FTNT
    Staff
    August 24, 2017

    Alex,

    The issue is caused by field "catdesc" is not present in the log, which is defined in handler <Group By>, change Group By to URL, then it works.

    Shawn

    AlexRG
    AlexRGAuthor
    New Member
    August 24, 2017

    Yep. That was it. Thanks again!

    Terms & ConditionsAccessibility statement