splunk-connect-for-syslog
Fortinet firewall traffic: filter/drop a specific IP range and port.
Hi Team,
Assistance is required in correcting this syntax. I need to filter/drop Fortinet traffic logs from a specific srcip range (10.x.x.x/24) and dstport 554. I tried the block parser below, matching on app TCP_554 and destination port 554, but it is not working.
#filename: /opt/sc4s/local/config/app_parsers/rewriters/app-dest-rewrite-fortinet_fortios-d.conf
# Parser block that routes an event to SC4S's null-queue destination; as the
# rewrite's name suggests, this is how the event gets dropped.
# This block only sets the destination. Which events reach it is decided by the
# filter of the application block that calls it (below), so any mismatch in
# that filter means nothing is ever dropped.
# NOTE(review): the caller's filter compares fields.dstport against the string
# '554.' with flags(prefix). A port value of 554 has no trailing dot and will
# not satisfy that prefix match, which is consistent with "it is not working";
# confirm the exact value carried in the field before adjusting the match.
# NOTE(review): the requirement is to drop traffic from a srcip /24 range AND
# dstport 554, but the caller's filter never tests a srcip field at all, so as
# written it would drop port-554 events from every source. Also confirm the
# field names (fields.app, fields.dstport) against what the fortios parser
# actually emits for these kv pairs — if they live under a different prefix,
# the match can never be true.
block parser app-dest-rewrite-fortinet_fortios-d_fmt_hec_default() {
channel {
# r_set_dest_splunk_null_queue: SC4S-provided rewrite that sends the event to the null queue.
rewrite(r_set_dest_splunk_null_queue);
};
};
application app-dest-rewrite-fortinet_fortios-d_fmt_hec_default[sc4s-lp-dest-format-d_hec_fmt] { filter { match('fortinet' value('fields.sc4s_vendor') type(string)) and match('fortios' value('fields.sc4s_product') type(string))
and match('TCP_554' value('fields.app') type(string))
and match('554.' value('fields.dstport') type(string) flags(prefix) );
};
parser { app-dest-rewrite-fortinet_fortios-d_fmt_hec_default(); };