Trusted Contributor.
Trusted Contributor.
362 views

source address showing up in wrong zone

Hi,

here is my filter condition

abc = company zone

--------------------------------------------------------

&

Source zone not in group("/all zones/cps")

Destination zone not in group("/all zones/cps")

Category Device group=/Firewall

------------------------------------------------------------

when i am using this filter i am getting events.

when i am inspecting the event i can see some source which should be in our company zone /abc  is showing up in other zone /Arcsight Systems

my question is why its not showing up in the right zone? IS it something wrong at connector? or something with the network modelling

NSN
Labels (1)
0 Likes
8 Replies
Highlighted
Absent Member.
Absent Member.

Re: source address showing up in wrong zone

Hi ​, I too have come across the same problem earlier. Try selecting the individual address values instead of selecting the entire folder. Then the issue got fixed. Give it a try.

Regards,

Sujan

0 Likes
Highlighted
Trusted Contributor.
Trusted Contributor.

Re: source address showing up in wrong zone

Hi ​ thanks for your reply.

I didn't understand what exactly you are saying about individual values.

Can you please elaborate.Thanks

NSN
0 Likes
Highlighted
Absent Member.
Absent Member.

Re: source address showing up in wrong zone

Dear ​, no issues, please wait let me share the screenshots with you sooner

0 Likes
Highlighted
Absent Member.
Absent Member.

Re: source address showing up in wrong zone

Yes ​, as I told before I was doing it in the way you did it and the output was not what i wanted. So I individually selected the zone mappings. you can do it by the way i have shared the screenshots

1.JPG

by changing the operator from InGroup to In you can manually select the zones. It is done by,

3.png

By doing it I got the exact addresses populating in my output. Kindly try this.

Hope it helped

Regards,

0 Likes
Highlighted
Trusted Contributor.
Trusted Contributor.

Re: source address showing up in wrong zone

Hi

Thank you so much for your reply and those screen shots are really helpful.

Here  we are searching for New Networks Which are not in out company list of networks.When we did that we are able to see some zones which should be in our company networks showing up as ArcSight Systems Zones.

After lot of effort,observation and comparison we are thinking something in the connector configuration is not looking right.

We even don't have multiple customers in our Network.In Connector they have given three networks

EX: /All Networks/ABC/ABC

       /All Networks/ABC/ABC Default

        /All Networks/Arc sight systems local/local

   

I am not 100% sure but i think this is the problem.So we trying to remove /All Networks/Arc sight systems local/local from connector.

I think this will give you even more clarity on what we are trying to do.

Thanks in Advance

NSN
0 Likes
Highlighted
Absent Member.
Absent Member.

Re: source address showing up in wrong zone

cool ​, if that is the case, there should be an issue with the network modelling. that should be the case where these kind of address messup issues usually occurs.. redoing that like what you are doing now, would help in solving the problem..

Regards,

0 Likes
Highlighted
Trusted Contributor.
Trusted Contributor.

Re: source address showing up in wrong zone

Thanks for your help

i don't know exactly what could have gone wrong in our network modelling but for now we are doing trial and error method   to find out what the problem is.

I will get back with more questions and hopefully one solution

NSN
0 Likes
Highlighted
Absent Member.
Absent Member.

Re: source address showing up in wrong zone

​ sure! Any problem could be identified using the trial and error approach!

Regards,

Sujan

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.