How to work with ipaddr.tab file???
Hi,
Has anybody created a device-specific IP address file (ipaddr.tab) to properly identify inbound versus outbound network traffic for reporting purposes?
I am trying to do that but it does not seem to be working.
Any inputs regarding this???
MJ
There are a few tricks to using the ipaddr file.
1) Follow the information in the online help file to check the format.
2) If the format checks out but you don't see the category or department fields in your reports, check to make sure that you have the DNS resolution box checked for your reports.
3) You may have to copy and modify any canned reports to select the DNS option.
Here's a sample file I used to show when I taught enVision classes (attached).
Keep in mind that with complex networks, the concept of "inbound" or "outbound" can become a VERY relative term, so depending on where your event sources exist in your network this can produce some unexpected results.
This file is more commonly used nowadays to just populate the Department and Category fields found in certain enVision reporting tables.
Hi,
Attached is the ipaddr.tab file for one of my Checkpoint FW. I have defined here the outbound range for this particular FW.
After creating the ipaddr file for this FW, I am able to generate the Ad Hoc Reports like "Check Point FireWall-1 / FireWall-1 - Top 20 Denied Outbound by Address" and "Check Point FireWall-1 / FireWall-1 - Denied Outbound Traffic by Address" and "Check Point FireWall-1 / FireWall-1 - Denied Outbound Traffic by Port", which was not possible earlier. This report gives me the 'Local Address' in the range of '172.28.128.1 - 172.28.191.254'.
Now when I run the inbound reports like "Check Point FireWall-1 / FireWall-1 - Denied Inbound Traffic by Address", it still shows me the IP addresses in the range of '172.28.128.1 - 172.28.191.254' as 'Foreign Address'.
Now I am not able to understand why it is showing me the already defined outbound address range in these inbound reports?
Thanks
MJ
You might want to consider addressing this with the support group. They have probably seen this issue & can give you the help you need.
nic-support@rsa.com or (781)515-7700
thanks
I have already addressed this with the support group.
For your reference see Case #C0869688
Thanks
MJ
MJ,
Does this mean your problem was resolved? Or were you hoping you might get some additional help from this forum?
Best,
Debbie
Hi Debbie,
Yes you are right. I was hoping to get some additional inputs from other users through this forum.
Also, I would like to tell you that the problem has not been resolved yet.
Thanks
MJ
Thanks MJ. Please follow up with Support to check the status. It may be a tough issue to resolve quickly.
Hey Matt:
Which enVision Tables are these?
