Firemon SIQL


l domain{}
l devicegroup{}
l device{}
l policy{}
l rule{}
l natrule{}
l control{}
l assessment{}
l networkObj{}
l serviceObj{}
l userObj{}
l applicationObj{} 
l ticket{}
l review{}

# SRC+ DST Any
domain { id = 1 }  AND rule { (source.any = true) and (destination.any=true) }
# SRC + SVC Any
domain { id = 1 }  AND rule { (source.any= true) and (service.any=true) }
# DST + SVC Any
domain { id = 1 }  AND rule { (destination.any= true) and (service.any=true) }
# SRC + DST + SVC Any
domain { id = 1 }  AND rule { (source.any=true) and  (destination.any= true) and (service.any=true) }
# Last 30days Hit.Count=0
domain { id = 1 }  AND rule { usage(date('last 30 days')).count = 0 }
# 전체 정책
domain { id = 1 } and device {name=DIT_FG}
domain { id = 1 } and device {id=2}
# 사용 정책
domain { id = 1 } and device {id=1} and rule {usage(date('last 60 days')).count >0}
# 미사용 정책
domain { id = 1 } and device {id=1} and rule {usage(date('last 60 days')).count =0}
# Log Disable
domain { id = 1 }  AND rule { (disabled = true) }
# No Logging
domain { id = 1 }  AND rule { (log = false) }
# Disable or No Logging
domain { id = 1 }  AND rule { (disabled = true OR log = false) }
# No Comment
domain { id = 1 }  AND rule { comment is null } 
# Create rule last 30 days
domain { id = 1 } and rule{created ~ date('last 30 days')}
# Management IP로 검색
device{managementIp='192.168.222.222’}
# Action Filter
domain { id = 1 } and device{id=1} AND rule { action='ACCEPT' or action='AUTHENTICATE' or action='DROP' or action='ENCRYPT' or action='REJECT'  } 
# Action & Service.any
rule {action = 'ACCEPT' and service.any=true}
# Source Filter
rule { source is subset of ('7.7.7.4','7.7.7.5’)}
rule { source is subset of ('7.7.7.4','7.7.7.5') and usage (date('last 30 
days')).count >100}
domain { id = 1 } and  device{id=2} and rule {source EQUALS  '7.7.7.5' and source.zone='internal'}
# SRC + 정책 활성화/비활성화 + Action
rule{source is subset of ('7.7.7.4','7.7.7.5','7.7.7.6') and disabled=true and action='ACCEPT’}
# 기간 + Count
rule {usage(date(2017-08-01T00:00:00+09:00,2017-08-02T23:59:59+09:00)).count =0 }
rule {usage(date(2017-08-01T00:00:00+09:00,2017-08-02T23:59:59+09:00)).count >1 }
# 기간 + Created Policy
domain {id=1} and device{id=2} and  rule {created ~ date(2017-08-01T00:00:00+09:00,2017-08-02T23:59:59+09:00) }
# 기간 + last Changed Policy
rule {date('2017-08-01T00:00:00+09:00','2017-08-02T23:59:59+09:00') ~ lastchanged}

자주 사용하는 쿼리

전체 방화벽 중 비활성화 정책을 제외, 2 28일 부터 3 29일안에 신규 생성된 정책을 제외특정기간동안(30) Hitcount 0인 정책을 출력

and rule{ disabled= false or log= false and created !~ date(2017-02-28T00:00:00, 2017-03-29T23:59:59) and usage(date(2017-02-28T00:00:00, 2017-03-29T23:59:59)).count = 0 }

특정기간 동안(30, 90, 180일 등사용률이 없는 정책 조회

특정기간 동안(30, 90, 180일 등사용률이 있는 정책 조회

and rule {usage(date('last 30 days')).count=0}

 

and rule {usage(date('last 30 days')).count!=0}

특정기간 동안(30, 90, 180일 등생성된 정책 중 7일 이내 생성된 정책을 제외한 정책 사용률 조회

and rule{usage(date('last 30 days')).count>=1 and date('last 7 days') !~ 'Created'}

특정기간 동안(30, 90, 180일 등) Any허용 정책 중 미사용 된 정책을 제외하고 조회

and rule {source.any=true and destination.any=true and service.any=true and action='ACCEPT' and disabled='FALSE' and usage(date('last 30 days')).count!=0}

특정기간 동안(30, 90, 180일 등) Hit Count(사용률) 1개 이상인 정책 조회

and rule{usage(date('last 30 days')).count>=1}

2017 02 01 ~ 현재(혹은 2017 04 30)까지 미사용 된 정책

and rule{ disabled= false and created !~ date(2017-02-01T00:00:00, 2017-04-30T23:59:59) and usage(date(2017-02-01T00:00:00, 2017-04-30T23:59:59)).count = 0}

Last used 2017 02 01일 이전인 정책

and rule {  disabled= false and lastuseddate <= 2017-02-01T23:59:59+09:00 }

Policy Pri to DB 정책 중 한번도 사용되지 않은

and policy { name = 'From: PRI To: DB' }  AND rule { usage().count = 0 }

ANY 검색 쿼리

1. 출발지 허용정책, Disable 제외

and rule { action='ACCEPT' AND disabled='FALSE' AND (source.any = true OR (( source intersects '0.0.0.0' )) )  } 

2. 목적지 허용정책 Disable 제외

and rule { action='ACCEPT' AND disabled='FALSE' AND (destination.any = true OR (( destination intersects '0.0.0.0' )) )  } 

3. 서비스 허용정책, Disable 제외

and rule { action='ACCEPT' AND disabled='FALSE' AND (service.any = true OR (( service intersects 'ANY' )) )  } 

4. 출발지 + 목적지 허용정책, Disable 제외

and rule { action='ACCEPT' AND disabled='FALSE' AND (destination.any = true OR (( destination intersects '0.0.0.0' )) )  AND (source.any = true OR (( source intersects '0.0.0.0' )) )  } 

5. 출발지 + 서비스 허용정책, Disable 제외

and rule { action='ACCEPT' AND disabled='FALSE' AND (service.any = true OR (( service intersects 'ANY' )) ) AND (source.any = true OR (( source intersects '0.0.0.0' )) )  }

6. 목적지 + 서비스 허용정책, Disable 제외

and rule { action='ACCEPT' AND disabled='FALSE' AND (destination.any = true OR (( destination intersects '0.0.0.0' )) )  AND (service.any = true OR (( service intersects 'ANY' )) )  } 

7. 출발지 + 목적지 + 서비스 허용정책, Disable 제외

and rule { (destination.any = true OR (( destination intersects '0.0.0.0' )) ) AND action='ACCEPT' AND disabled='FALSE' AND (service.any = true OR (( service intersects 'ANY' )) ) AND (source.any = true OR (( source intersects '0.0.0.0' )) )  } 

특정 포트 검색

1. ANY 포함

and rule { action='ACCEPT' AND (service.any = true OR (( service intersects 'udp/137' )) )  } 

2. ANY제외

and rule { action='ACCEPT' AND (service.any = false AND (( service intersects 'udp/137' )) }

호스트로 검색 - 그룹 포함 오브젝트 검색 / 대역 renge 제외

RULE { SOURCE IS SUPERSET OF '192.0.0.5' AND SOURCE.ANY = FALSE AND ( SOURCE.TYPE != 'NETWORK' OR SOURCE.TYPE != 'ADDRESS_RANGE') }

또는

RULE {SOURCE  IS SUPERSET OF '30.30.0.10' or SOURCE  IS SUPERSET OF '40.40.0.10' AND SOURCE.ANY = FALSE AND (SOURCE.TYPE !=  'NETWORK' OR SOURRCE.TYPE != 'ADDRESS_RANGE') }

특정 DEVICE를 여러 개 선택하여   검색

DEVICE { ID = 152 OR ID = 7 } AND RULE{ DESTINATION IS SUPERSET OF '192.168.10.55' AND DESTINATION.ANY = FALSE }

IP대역에 ANY를 제외하고 허용정책이면서 Disable이 안된 정책 검색

RULE {  action='ACCEPT' AND disabled='FALSE' AND (SOURCE IS SUPERSET OF '121.125.26.0/24' ) AND source.any = false }

특정 오브젝트/그룹을 사용하는 정책 검색

Rule { SOURCE.name ~ 'SOFT' }

양방향 정책 검색 기능 제공

Rule { SOURCE.ANY =FALSE and  DESTINATION.ANY=FALSE AND  SOURCE equals  DESTINATION }

하나의 정책에 IP가 10개 들어 있는 정책 검색 기능 또는 하나의 정책에 IP가 10개 이하가 들어 있는 정책 검색 기능

Rule { SOURCE.EXPANDEDOBJECTCOUNT = 10 } 또는 Rule { SOURCE.EXPANDEDOBJECTCOUNT != 10 }

출발지에 특정 IP가 있거나 목적지에 특정 IP가 있고 ANY를 제외한 허용 정책 검색

RULE { SOURCE IS SUPERSET OF '218.232.186.219' OR DESTINATION IS SUPERSET OF '114.202.129.73' AND source.any = false AND destination.any = false AND ACTION ='ACCEPT' }

 


저작자 표시 비영리 변경 금지
신고

'업무이야기 > Firemon' 카테고리의 다른 글

Firemon SIQL  (0) 2017.08.08


티스토리 툴바