dieter
New Contributor

filter on subnet in event handler

Something like

srcip==192.168.0.0/16

doesn't seem to be working in a generic text filter.

Is it at all possible any way?

1 Solution
kylezhang_FTNT

For generic text filter, please try this:

srcip ~ 192\.168\.[0-9]+\.[0-9]+

dieter

Thanks

Didn't realize this uses regexp syntax. Manuals really don't mention anything...

chall_FTNT

Good point. We have just made a note to update the section on Generic Text Filter to mention that it uses regex syntax.

Chris Hall
Fortinet Technical Support
rwpatterson

kylezhang wrote:

For generic text filter, please try this:

srcip ~ 192\.168\.[0-9]+\.[0-9]+

I would actually use

srcip ~ 192\.168\.[0-9]{1,3}\.[0-9]{1,3}

The difference is the original would accept one or more characters in the last two octets where the latter will accept between one and three in each. Just a bit more control but less chance for false positives.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
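
The two patterns from this thread, checked against real subnet membership, as an added example that is not part of any post above and is not Fortinet code. It goes beyond the /16 case by generating a per-octet pattern for any IPv4 prefix. Assumptions: Python's `re` stands in for the product's regex engine (lookaround support there is not confirmed on this page), `~` is treated as an unanchored search, the bounded quantifier is written `{1,3}`, the function names are hypothetical, and the sample values are constructed.

```python
import ipaddress
import re

# Patterns from the thread; "bounded" uses the {1,3} quantifier form.
THREAD_PATTERNS = {
    "plus": r"192\.168\.[0-9]+\.[0-9]+",
    "bounded": r"192\.168\.[0-9]{1,3}\.[0-9]{1,3}",
}
ANY_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"

def octet_range(lo, hi):
    """Regex fragment for the decimal octets lo..hi (hypothetical helper)."""
    if (lo, hi) == (0, 255):
        return ANY_OCTET
    if lo == hi:
        return str(lo)
    return "(?:" + "|".join(str(n) for n in range(lo, hi + 1)) + ")"

def cidr_to_regex(cidr):
    """Build a pattern matching only the IPv4 addresses inside cidr."""
    net = ipaddress.IPv4Network(cidr)
    pairs = zip(net.network_address.packed, net.broadcast_address.packed)
    body = r"\.".join(octet_range(lo, hi) for lo, hi in pairs)
    # Lookarounds stop a match from starting or ending inside a longer number.
    return r"(?<![0-9.])" + body + r"(?![0-9.])"

def in_subnet(value, cidr):
    """Ground truth: parse the value and test real subnet membership."""
    try:
        return ipaddress.IPv4Address(value) in ipaddress.IPv4Network(cidr)
    except ValueError:
        return False

def compare(values, cidr, patterns):
    """Return {value: (truth, {pattern_name: matched})} via unanchored search."""
    return {
        v: (in_subnet(v, cidr),
            {name: bool(re.search(p, v)) for name, p in patterns.items()})
        for v in values
    }

# Constructed field values, not taken from a real log.
SAMPLES = ["192.168.1.10", "192.168.255.255", "192.169.0.1",
           "1192.168.1.1", "192.168.1.2345", "192.168.1234.5"]

if __name__ == "__main__":
    patterns = dict(THREAD_PATTERNS, generated=cidr_to_regex("192.168.0.0/16"))
    for value, (truth, hits) in compare(SAMPLES, "192.168.0.0/16", patterns).items():
        print(f"{value:16} in_subnet={truth!s:5} {hits}")
```

For well-formed addresses all three patterns agree with the /16; they diverge only on malformed values, and only the generated form handles prefixes that do not fall on an octet boundary.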
