Skytech1
New Contributor III

Handlers with generic filters on FAZ to exclude network

Hi community!

 

I've been using the FAZ handlers and they've been a great help. I am trying to exclude the notifications for a specific network, so according to the documentation it has to be inserted as a regex in Generic:

https://docs.fortinet.com/document/fortianalyzer/7.4.2/administration-guide/157132/using-the-generic...

 

For example, this one works fine without adding the following syntax: and !(srcip~"10.39.14\.[1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]")

 


 

I was trying to exclude any notification from a host within this network: 10.39.14.0/24

Bolded text is what comes in the handler; the rest is added by me:

 

(catdesc=='Malicious Websites' or catdesc=='Phishing' or catdesc=='Spam URLs' or catdesc=='Newly Observed Domain' or catdesc=='Newly Registered Domain' or catdesc~'Dynamic DNS' or catdesc=='Proxy Avoidance') and !(srcip~"10.39.14\.[1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]")

 

However, after the change I stopped receiving the notifications... is it possible to do it?

 

Thanks

 

Andres

Anthony_E
Community Manager

Hello Andres,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello Andres,

 

Did you already have a look at this document?

https://docs.fortinet.com/document/fortianalyzer/7.2.0/administration-guide/910266/adding-exclusion-...

 

Could you please tell me if it is helping?

 

Regards,

Anthony-Fortinet Community Team.
Skytech1
New Contributor III

Hi Anthony,

 

Thanks for the follow-up! Yep, that helps as long as you insert a specific IP address, for example 10.39.14.7 (tried it before and it works), but if I wanted to exclude a whole network, 10.39.14.0/24, I understand that it has to be managed in the generic text filters with regex, because I've tried the exclusion pre-filters with 10.39.14.0/24 or 10.39.14.* but none of those work there.

 

Thanks,

 

Andres

ebilcari

Have you tried with Subnets?

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Skytech1
New Contributor III

Hi @ebilcari 

 

Yep... but it doesn't work with subnets. My understanding is that the log comes with the specific IP address, therefore the regex has to be with the IP.

 

Thanks!

 

Anthony_E
Community Manager

Hello Skytech,

 

Oh ok.

I will try to find an expert to reply to your question :)! It will be more accurate!

 

Regards,

Anthony-Fortinet Community Team.
smkml
Staff

Hi @Skytech1 ,

 

Since you need to exclude network 10.39.14.0/24, you may try this expression: srcip!~"10.39.14\.[0-9]+"

 

You may refer to this KB:

https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-Exclude-or-include-a-source-or-destina...

 

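As an added illustration that is not part of the thread or any Fortinet material, the following Python models the generic filter's `~` regex match as an unanchored search over constructed srcip values, showing why the ungrouped alternation in the original question suppressed nearly every event while the accepted expression excludes only the intended /24. The sample IPs and the anchored GROUPED_PATTERN variant are assumptions for the demonstration.

```python
import re

# Constructed sample srcip values (not taken from the thread), chosen so that
# the three filter expressions below behave differently.
SAMPLE_SRCIPS = [
    "10.39.14.7",    # inside 10.39.14.0/24, should be excluded
    "10.39.14.250",  # inside 10.39.14.0/24, should be excluded
    "10.39.15.100",  # neighbouring subnet, should still alert
    "10.0.0.1",      # should still alert
    "192.168.1.1",   # should still alert
    "110.39.14.5",   # contains "10.39.14.5" as a substring, should still alert
    "8.8.8.8",       # should still alert
]

# Pattern from the original question. The alternation is NOT grouped, so only the
# first alternative carries the 10.39.14. prefix; the other four match bare digit
# runs such as "19" in 192.168.1.1, which is why almost every event disappeared.
ORIGINAL_PATTERN = r"10.39.14\.[1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]"

# Pattern from the accepted answer (used with !~, modelled here as "not excluded").
ACCEPTED_PATTERN = r"10.39.14\.[0-9]+"

# Grouped and anchored variant (assumption: the filter engine accepts parentheses
# and ^/$ anchors). It also rejects the substring false positive on 110.39.14.5.
GROUPED_PATTERN = r"^10\.39\.14\.([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])$"


def srcip_excluded(pattern: str, srcip: str) -> bool:
    """Model srcip~"pattern": an unanchored regex search on the log field value."""
    return re.search(pattern, srcip) is not None


def alerts_kept(pattern: str, srcips=SAMPLE_SRCIPS) -> list:
    """Return the srcip values that would still trigger the handler under
    `... and !(srcip~"pattern")` (equivalently srcip!~"pattern")."""
    return [ip for ip in srcips if not srcip_excluded(pattern, ip)]


if __name__ == "__main__":
    for name, pattern in [("original", ORIGINAL_PATTERN),
                          ("accepted", ACCEPTED_PATTERN),
                          ("grouped", GROUPED_PATTERN)]:
        print(f"{name:9s} still alerts on: {alerts_kept(pattern)}")
```

With the original pattern only 8.8.8.8 survives the filter, because it is the only sample without two adjacent digits; the accepted pattern keeps every address outside 10.39.14.0/24 except the substring case, which the anchored variant also handles.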
Skytech1
New Contributor III

Hi @smkml, that did the trick!! Thanks a lot!

vraev
Staff

Hi,

Just one example:

To meet the requirement not to trigger the event handler when (dst ip == 10.1.13.33 or hostname == "proxy-safebrowsing.googleapis.com"),
the prefilter can be (dst ip != 10.1.13.33 and hostname != "proxy-safebrowsing.googleapis.com"). This will look for logs other than the specified dstip and hostname.

V.R.