Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Skytech1
New Contributor III

Handlers with generic filters on FAZ to exclude network

Hi community!

 

I've been using the FAZ handlers and they've been a great help. I am trying to exclude the notifications for a specific network, so according to documentation it has to be inserted with Regex in Generic 

https://docs.fortinet.com/document/fortianalyzer/7.4.2/administration-guide/157132/using-the-generic...

 

For example this one works fine without adding the following sintax: and !(srcip~"10.39.14\.[1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]") 

 

Screenshot 2024-02-09 at 15.07.29.png

 

I was trying to exlude network any notification from a host within this network: 10.39.14.0/24 

Bolded text is what comes in the handler, the rest is added by me

 

(catdesc=='Malicious Websites' or catdesc=='Phishing' or catdesc=='Spam URLs' or catdesc=='Newly Observed Domain' or catdesc=='Newly Registered Domain' or catdesc~'Dynamic DNS' or catdesc=='Proxy Avoidance') and !(srcip~"10.39.14\.[1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]")

 

However after the change I stopped receiving the notifications...is it possible to do it??

 

Thanks

 

Andres

1 Solution
smkml
Staff
Staff

Hi @Skytech1 ,

 

Since you need to exclude network 10.39.14.0/24 , you may try this expression: srcip!~"10.39.14\.[0-9]+"

 

You may refer this KB:

https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-Exclude-or-include-a-source-or-destina...

 

View solution in original post

9 REPLIES 9
Anthony_E
Community Manager
Community Manager

Hello Andres,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager
Community Manager

Hello Andres,

 

Did you already have a look at this document?:

https://docs.fortinet.com/document/fortianalyzer/7.2.0/administration-guide/910266/adding-exclusion-...

 

Could you please tell me if it is helping?

 

Regards,

Anthony-Fortinet Community Team.
Skytech1
New Contributor III

Hi Anthony,

 

Thanks for the follow up!, yeap, that helps as long as you insert a specific IP Address, example 10.39.14.7, tried before and it works, but if wanted to exclude a whole network 10.39.14.0/24 I understand that has to be managed on generic text filters with regex...because i've tried with exclusion pre-filters with 10.39.14.0/24 or 10.39.14.* but none of those work there.

 

Thanks,

 

Andres

ebilcari

Have you tried with Subnets?

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Skytech1
New Contributor III

Hi @ebilcari 

 

Yeap...but it doesn't work with subnets, my understanding is that the log comes with the specific IP address, therefore the regex has to be with the IP

 

Thanks!

 

Anthony_E
Community Manager
Community Manager

Hello Skytech,

 

Oh ok.

I will try to find an expert to reply to your question :)! It will be more accurate!

 

Regards,

Anthony-Fortinet Community Team.
smkml
Staff
Staff

Hi @Skytech1 ,

 

Since you need to exclude network 10.39.14.0/24 , you may try this expression: srcip!~"10.39.14\.[0-9]+"

 

You may refer this KB:

https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-Exclude-or-include-a-source-or-destina...

 

Skytech1
New Contributor III

Hy @smkml that did the trick!! thanks a lot!

vraev
Staff
Staff

Hi,

Just one example:

To meet the requirement to not to trigger the event handler when (dst ip == 10.1.13.33 or when hostname == proxy-safebrowsing.googleapis.com".)
the prefilter can be (dst ip != 10.1.13.33 and hostname != proxy-safebrowsing.googleapis.com"). This will look for logs other than the specified dstip and hostname.

V.R.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors