Dear All,
In FortiAnalyzer I created a simple custom report. I should filter this report by several source IPs, but the filter section doesn't allow using the same "log field" more than once.
How can I create a filter that uses a bunch of IP addresses?
Thank you very much
Hello!
To filter for multiple source IP addresses, you can use the FortiAnalyzer filter and select the "Address" filter type. This way you can add multiple IP addresses and filter for them at the same time.
Follow these steps to create the filter:
Open the report in FortiAnalyzer.
Click on "Filter".
Select "Address" as the filter type.
Click the "Add" button.
Enter the IP addresses you want to filter by.
Click "Apply" to apply the filter.
You can also create a custom filter that provides the same functionality. Here is an example of a custom filter to filter by multiple IP addresses:
srcip=192.168.1.1-192.168.1.10
This filter will search for all protocols with a source IP address between 192.168.1.1 and 192.168.1.10.
Hope this helps!
Created on 04-17-2023 11:35 PM Edited on 04-17-2023 11:38 PM
Thank you for the reply!
Your suggestion doesn't seem to work; the report shows all IPs that come from my dataset. (I also tried separating the IPs with commas and with spaces.)
I created a custom report in FortiAnalyzer, then Edit report > Settings > Filter section. In this filter section I would like to give more srcips.
The other problem is that the IPs are not in a continuous range; they are individual /32 addresses.
I tried to give an ('ip1','ip2',...) list in the dataset as well, but it also doesn't work. :(
Dataset query:
SELECT srcip, dstip, dstport
FROM $log
WHERE $filter AND srcip IN ('ip1','ip2','ip3','ip4')
GROUP BY srcip, dstip, dstport
ORDER BY srcip, dstip
LIMIT 10000
Do you think it is correct?
Thank you
Any suggestions, please?
The SQL query works at last. That was my fault: in the chart there was a top 10 limitation. (I also changed srcip to ipstr(srcip) in the WHERE clause.)
The original question still remains: how can I filter multiple individual IP addresses in the filter section of the report settings?
Thank you
hey,
try syntax ->
...
WHERE
$filter AND ipstr(`srcip`) IN ('192.168.0.96','192.168.0.5')
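The two replies above only show the finished WHERE clause. Because a FortiAnalyzer dataset query is assembled as plain text (there are no bind parameters), a list of addresses pasted into it should be validated before it is interpolated, so that a stray quote or a non-IP string from a ticket or spreadsheet cannot change the query. The following is an added example, not code from the thread or from Fortinet: a small Python helper that accepts individual host addresses (bare or written with a /32 suffix, as the poster described), rejects anything that is not a single host, de-duplicates, and emits the dataset query in the shape the thread converged on (ipstr(`srcip`) IN (...), the same SELECT/GROUP BY/ORDER BY columns and LIMIT 10000). The function and sample addresses are constructed for illustration; ipstr() is assumed to be available in the dataset SQL exactly as the last reply shows.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample input: two addresses from the thread, one written with a /32
# suffix, one with stray whitespace, plus one duplicate. Not real report data.
SAMPLE_IPS = ["192.168.0.96", "192.168.0.5/32", " 192.168.0.5 ", "10.0.0.7"]


def normalize_hosts(ips: Iterable[str]) -> List[str]:
    """Validate each entry as a single host address and return the canonical
    text form, first-seen order, duplicates removed.

    ipaddress.ip_network() raises ValueError for anything that is not an IP
    literal (names, ranges like a.b.c.d-e.f.g.h, quotes, SQL fragments), so
    only well-formed addresses can reach the query string. Entries that are
    real networks (e.g. /24) are rejected explicitly, because the IN list only
    matches exact host strings returned by ipstr().
    """
    seen: List[str] = []
    for raw in ips:
        net = ipaddress.ip_network(raw.strip(), strict=True)  # "a.b.c.d" or "a.b.c.d/32"
        if net.num_addresses != 1:
            raise ValueError(f"not a single host address: {raw!r}")
        host = str(net.network_address)
        if host not in seen:
            seen.append(host)
    return seen


def build_dataset_query(ips: Iterable[str], limit: int = 10000) -> str:
    """Return the FortiAnalyzer dataset SQL for the given source addresses.

    $log and $filter are FortiAnalyzer's own placeholders; the column list,
    grouping and LIMIT follow the query posted in the thread.
    """
    hosts = normalize_hosts(ips)
    if not hosts:
        raise ValueError("need at least one source address")
    in_list = ", ".join(f"'{h}'" for h in hosts)  # safe: every h is a validated IP literal
    return (
        "SELECT srcip, dstip, dstport\n"
        "FROM $log\n"
        f"WHERE $filter AND ipstr(`srcip`) IN ({in_list})\n"
        "GROUP BY srcip, dstip, dstport\n"
        "ORDER BY srcip, dstip\n"
        f"LIMIT {int(limit)}"
    )


if __name__ == "__main__":
    print(build_dataset_query(SAMPLE_IPS))
```

Run it to print the query, then paste the output into the dataset editor. Keep in mind the poster's own finding: the chart bound to the dataset can still truncate results with its own top-N setting, so an address list that "does not filter" may simply be hidden behind that limit.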
Copyright 2024 Fortinet, Inc. All Rights Reserved.