enoryq
New Contributor II

Using 'Address Group' as a filter for reporting

Hello all,

I am trying to generate my scheduled reports using the filter "Address Group" (addrgrp).
However, I am seeing unrealistic data on all charts that I use.

If I use "addrgrp" it provides me with data from everything, not specific to the group provided.


My question: Is it possible to generate reports using an Address Group UUID as the filter?

FortiGate: 2600F (HA)
Firmware version: v7.0.8 build 0418
Mode: NAT
Vfaz version: v7.2.1-build1215 220809 (GA)
Vfaz mode: Analyzer

Note that I am specifically looking to use the address group and not subnet(s).

Thank you for your time, and please let me know what info I've missed.
Kind Regards

gfleming
Staff

I don't believe this is possible. An address group is a logical grouping of address objects on the FortiGate. Traffic and security logs generated by the FortiGate will only include IP and/or domain name of specific entries contained within the address group but will not make reference to the address group. Therefore I don't see how FAZ would be able to utilize the address group in filtering logs.

Cheers,
Graham
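
An added example, not part of the thread or Fortinet's code: because the logs carry only IPs, group-level filtering has to resolve group membership outside the log. The group name, its member subnets and the log lines below are constructed, and the lines assume the FortiGate key=value layout with the `srcip`, `policyid` and `sentbyte` fields.

```python
import ipaddress
import shlex
from collections import defaultdict

# Hypothetical address group flattened to its member subnets (constructed values).
ADDRESS_GROUPS = {"grp-branch-offices": ["10.10.0.0/16", "192.0.2.0/24"]}

# Constructed log lines in FortiGate key=value style; not real traffic.
SAMPLE_LOGS = [
    'type="traffic" srcip=10.10.4.7 dstip=198.51.100.9 policyid=12 sentbyte=1200',
    'type="traffic" srcip=172.16.5.5 dstip=198.51.100.9 policyid=12 sentbyte=900',
    'type="traffic" srcip=192.0.2.44 dstip=203.0.113.20 policyid=15 sentbyte=300',
    'type="traffic" srcip=10.10.4.7 dstip=203.0.113.20 policyid=15 sentbyte=800',
    'type="traffic" srcip=N/A dstip=203.0.113.20 policyid=15 sentbyte=50',
]

def parse_line(line):
    """Split one key=value log line into a dict, honouring quoted values."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def in_group(ip_text, networks):
    """True if ip_text parses as an address inside any member subnet."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # missing or malformed address never matches
    return any(ip in net for net in networks)

def filter_by_group(lines, group, field="srcip"):
    """Return parsed records whose `field` falls inside the named group."""
    networks = [ipaddress.ip_network(c) for c in ADDRESS_GROUPS[group]]
    records = (parse_line(line) for line in lines)
    return [r for r in records if in_group(r.get(field, ""), networks)]

def bytes_per_source(records):
    """Sum sentbyte per source IP for the matched records."""
    totals = defaultdict(int)
    for r in records:
        totals[r["srcip"]] += int(r.get("sentbyte", 0))
    return dict(totals)

if __name__ == "__main__":
    matched = filter_by_group(SAMPLE_LOGS, "grp-branch-offices")
    print(bytes_per_source(matched))
```
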
enoryq
New Contributor II

Thank you for the response, that makes sense.

Do you know if there is a way to group subnets in the filter?
Or what the limitation would be to include multiple subnets in one 'Source IP' filter?

Note that I have been trying to run the reports on multiple Policy IDs instead (is there also a limit?), and what exactly is the difference between: policyid | policy_id | poluuid?
I see different results when running each one as a filter, so I thought using the Address Group would fix this problem for me. (Screenshot below for comparison.)

[Screenshot: Policy ID options.png]

Thank you in advance for your assistance,
Kind Regards 

gfleming
Staff

I have no idea how you are getting policy_id as an option. I only have policyid.

Either way, let's try this from FortiView first and see if you get different results there.

Can you go to FortiView->Traffic->Top Sources and put your filters in and compare there?

Cheers,
Graham