FortiAnalyzer
tsimeonov_FTNT
Article Id 285177
Description This article describes how to use a POSIX regular expression in a generic text filter to include or exclude a source or destination subnet.
Scope FortiAnalyzer.
Solution

A generic filter can be used to exclude or include subnets as a source and/or destination address.
In generic filters, FortiAnalyzer supports POSIX Extended Regular Expression Syntax.

In this example, the goal is to exclude the following source IP ranges: 10.0.0.0/8, 192.168.0.0/16, and 172.20.0.0 through 172.21.255.255 (first octet 172, second octet 20 or 21, third and fourth octets 0 to 255).


POSIX syntax can be used to represent the subnets and ranges as follows:


  • 10.0.0.0/8 as 10\.[0-9]+\.[0-9]+\.[0-9]+
  • 192.168.0.0/16 as 192\.168\.[0-9]+\.[0-9]+
  • 172.20.0.0 - 172.21.255.255 as 172\.2[0-1]\.[0-9]+\.[0-9]+

In the above:

  • The backslash '\' escapes the period so that it matches a literal '.' instead of any character.
  • [0-9] means any single digit between 0 and 9, and the plus '+' repeats it, so [0-9]+ matches one or more digits.
  • 2[0-1] means: a 2 followed by a single digit that is either 0 or 1, so it matches 20 and 21 only.
  • [0-9]+ will also match an invalid octet such as '999'. Since the logs only ever contain valid IP addresses (the firewall produces well-formed addresses when it writes the log message), the filter does not need to be that precise.
  • The patterns are not anchored. If the filter is evaluated as a substring search, 10\.[0-9]+\.[0-9]+\.[0-9]+ also matches an address such as 110.5.6.7, because "10.5.6.7" occurs inside it. Prefix the pattern with '^' and end it with '$' (for example ^10\.[0-9]+\.[0-9]+\.[0-9]+$) if the field must match as a whole.


In this example, the generic text filter expression will be:


srcip!~"10\.[0-9]+\.[0-9]+\.[0-9]+" and srcip!~"192\.168\.[0-9]+\.[0-9]+" and srcip!~"172\.2[0-1]\.[0-9]+\.[0-9]+"

The operator '!~' means "does not match the regular expression", so a log entry is kept only when its srcip matches none of the three patterns. To include instead of exclude these subnets, use '=~' and join the conditions with 'or'.
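The following Python script is an added example, not part of the original article and not FortiAnalyzer code. It emulates the three-clause generic filter above over a handful of constructed key=value log lines, using Python's re module (the patterns are plain POSIX ERE and are valid Python regex syntax as well), and shows the difference between the unanchored patterns from the article and anchored ones. The log lines and field names are assumptions made for the demonstration; how FortiAnalyzer itself evaluates '!~' (substring search versus whole-field match) is not something this script can prove.

```python
import re

# The three patterns from the article (POSIX ERE; also valid in Python's re).
EXCLUDED_SRC_PATTERNS = [
    r"10\.[0-9]+\.[0-9]+\.[0-9]+",    # 10.0.0.0/8
    r"192\.168\.[0-9]+\.[0-9]+",      # 192.168.0.0/16
    r"172\.2[0-1]\.[0-9]+\.[0-9]+",   # 172.20.0.0 - 172.21.255.255
]


def anchored(pattern: str) -> str:
    """Require the pattern to cover the whole field instead of a substring.

    '^' and '$' are POSIX ERE anchors, so the result can be pasted back into
    a FortiAnalyzer generic filter unchanged.
    """
    return "^" + pattern + "$"


def srcip_excluded(srcip: str, anchor: bool = False) -> bool:
    """Return True if srcip matches any excluded pattern.

    re.search() behaves like a substring match, which is what makes the
    unanchored pattern catch 110.5.6.7 as well as 10.5.6.7.
    """
    patterns = [anchored(p) if anchor else p for p in EXCLUDED_SRC_PATTERNS]
    return any(re.search(p, srcip) for p in patterns)


def apply_filter(log_lines, anchor: bool = False):
    """Emulate srcip!~p1 and srcip!~p2 and srcip!~p3 over key=value log lines.

    Returns the srcip values of the log lines that survive the filter.
    """
    kept = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        srcip = fields.get("srcip", "")
        if not srcip_excluded(srcip, anchor):
            kept.append(srcip)
    return kept


# Constructed sample log lines for the demonstration (not from a real device).
SAMPLE_LOGS = [
    "srcip=10.1.2.3 dstip=8.8.8.8 action=accept",        # in 10.0.0.0/8
    "srcip=192.168.50.7 dstip=1.1.1.1 action=accept",    # in 192.168.0.0/16
    "srcip=172.20.0.9 dstip=8.8.4.4 action=deny",        # in 172.20-21.x.x
    "srcip=172.22.0.9 dstip=8.8.4.4 action=accept",      # 172.22 is NOT excluded
    "srcip=203.0.113.10 dstip=10.1.2.3 action=accept",   # only dstip is private
    "srcip=110.5.6.7 dstip=1.1.1.1 action=accept",       # contains "10.5.6.7"
]

if __name__ == "__main__":
    print("unanchored:", apply_filter(SAMPLE_LOGS))
    print("anchored:  ", apply_filter(SAMPLE_LOGS, anchor=True))
```

With the article's unanchored patterns the public address 110.5.6.7 is dropped together with the private ranges; with the anchored variants it survives, while 172.22.0.9 is kept in both cases because 2[0-1] never matches 22.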