Using a primary filter

If you want to reduce the number of results in the session table to focus on relevant sessions, you can use the primary filter of the Session Manager based on text queries.

To run a text query for the primary filter:

1. In the main menu of the Open Single Management Platform Console, go to the Application & Services → NGFW → Monitor section.
2. Select the Session manager tab.
3. Enter your query in the Customize query field in the upper part of the Session Manager workspace.
4. Click the Run query button to the right of the query field.

The query is executed, and the results matching the query are displayed in the table of sessions.

For a list of parameters used in text queries for the primary filter and the corresponding columns in the session table, see the Session parameters in the table and in text queries for the primary filter article.

For information on using comparison operators, sorting, and logical operators, see the table below.

Comparison operators for primary filter text queries

Operator	Description
eq	Equal
neq	Not equal
gt	Greater than
geq	Greater than or equal
lt	Less than
leq	Less than or equal
in	In subnet The subnet is specified using the a.a.a.a/b pattern.
nin	Not in subnet The subnet is specified using the a.a.a.a/b pattern.
!	Negates the result of a logical operation. Goes before parentheses.
order by	Sorts sessions by the value of the specified parameter of a Kaspersky NGFW device or a group of devices within the specified limit on the number of sessions: Descending (default; applies if the sorting order is not explicitly specified) Ascending Applied applied only at the end of the filter together with the name of the parameter that you want to use for sorting. Boolean expressions are not allowed as the sorting parameter.

Boolean operators for primary filter text queries

Operation	Priority	Description
and	1	Logical AND (multiplication)
or	2	Logical OR (addition)

Special considerations involved in using operators in queries

• Boolean operators cannot be used for multiple alternative values of the same parameter.
• If you need to specify multiple values for the same parameter, you must use multiple parameter-value pairs.
• Parameter-value pairs are enclosed in parentheses. The number of pairs of parentheses is not limited. However, the number of opening and closing brackets must match.

  Examples:

  • (address eq 1.1.1.1) or (address eq 2.2.2.2) displays sessions with source or destination addresses equal to 1.1.1.1 OR 2.2.2.2.
  • (address eq 1.1.1.1) and (last-active-aging geq 300) displays sessions that have a source or destination address equal to 1.1.1.1 AND the last packet received at least 300 seconds ago.
  • (address eq 1.1.1.1) or (address in 10.10.10.0/24) displays sessions that have a source or destination address equal to 1.1.1.1 OR the last packet received at least 300 seconds ago.
• Comparison and logical operators are separated by spaces, except for the "!" operator, for example: (parameter1 = value) and (parameter2 = value).
• Any single quotes, double quotes, or backslashes in parameter values must be escaped with the "\" (backslash) character.

  Examples:

  • (ids-profile eq 'tele \"YOU\"') displays sessions with IDPS profile name matching the string: tele "YOU".
  • (ids-profile eq 'Rostelecom\\MTS \"YOU\"') displays sessions with IDPS profile name matching the string: Rostelecom\MTS "YOU".
• If a filter parameter value contains a space, the parameter value must be enclosed in single quotes, for example: (create-datetime geq '2015/08/31 08:30:00').

Examples of text queries

• (address eq 1.1.1.1) displays sessions with source or destination addresses equal to 1.1.1.1.
• (address eq 1.1.1.1) displays sessions with source or destination addresses NOT equal to 1.1.1.1.
• (last-active-aging geq 300) displays sessions for which the last packet was received at least 300 seconds ago.
• (last-active-aging leq 300) displays sessions for which the last packet was received up to 300 seconds ago.
• (address in 1.1.1.0/24) displays sessions with a source address or a destination address from the 1.1.1.0/24 network.
• (address nin 1.1.1.0/24) or !(address in 1.1.1.0/24) displays sessions with the source IP address or destination IP address NOT from the 1.1.1.0/24 network.
• (ids-profile eq tele4) displays sessions with IDPS profile name matching the string: tele4.
• (ids-profile eq tele4) order by last-active-aging ascending displays sessions with an IDPS profile name equal to tele4, and sorts the sessions in ascending order of the last-active-aging parameter before filtering.
• !(((address eq 1.1.1.1) or (port gt 1000)) and !(wc-profile eq test)) shows all sessions, except sessions for which the source or destination IP address is 1.1.1.1 OR source or destination port is greater than 1000 AND the Web Control profile name is NOT test.

Page top