Discarding Specific type of traffic either on forwarder or indexer fails, I tried to discard it using blacklist on forwarder and nullqueue transform on indexer and both failed.
here is a log sample
Oct 3 11:34:03 1.1.1.1 CEF:0|FORCEPOINT|Firewall|6.5.1|70018|Connection_Allowed|0|app=SNMP (UDP) rt=Oct 03 2019 11:28:12 deviceFacility=Packet Filtering act=Allow deviceOutboundInterface=13 deviceInboundInterface=0 proto=17 dpt=161 spt=62032 dst=2.2.2.2 src=3.3.3.3 dvchost=4.4.4.4 dvc=4.4.4.4 deviceExternalId=company-name node 1 cs1Label=RuleID cs1=2097272.10
and the configuration
props.conf
[forcepoint]
Transform-Forcepoint=discardsnmp
transforms.conf
[discardsnmp]
REGEX = app=*SNMP*
DEST_KEY = queue
FORMAT = nullQueue
any one can find out what is the problem?
↧