I tried to make a query where Destination IP matched 10.* or did not match 10.*. This
failed as there was only an = or != following Destination IP. For a microsegmentation
project I'm trying to narrow the number of flows that get exported by, for example,
excluding all flows from a particular Security Group to the Internet. I'm just interested in
flows internal to the company. Is there a way that I could filter based on IP range?
With some more experimenting this morning I found the answer:
For internal private traffic:
flow where Destination IP Address = 10.0.0.0/8 or Destination IP Address = 172.16.0.0/12 or Destination IP Address = 192.168.0.0/16
For Internet bound traffic it looks like:
flow where Destination IP Address != 10.0.0.0/8 and Destination IP Address != 172.16.0.0/12 and Destination IP Address != 192.168.0.0/16
This will result also in showing multicast traffic. But that could then be filtered in like fashion or kept as needed.
..and now I know.
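The two queries above are complements of each other over the three RFC 1918 prefixes, and the reply notes that the `!=` form still lets multicast through. The script below is an added example, not part of the original post or of the product's query language: it reproduces the same filter logic offline against a constructed list of flow records with Python's standard `ipaddress` module, so you can see which destinations each query would return and how a multicast exclusion tightens the Internet-bound set. The flow records and byte counts are made up for the example.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# The same three prefixes the forum queries use (RFC 1918 private space).
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MULTICAST = ipaddress.ip_network("224.0.0.0/4")

# Constructed sample flows (not real exported data): (source_ip, destination_ip, bytes)
Flow = Tuple[str, str, int]
SAMPLE_FLOWS: List[Flow] = [
    ("10.1.2.3", "10.200.0.9", 1200),       # internal, 10/8
    ("10.1.2.3", "172.31.255.1", 880),      # internal, top of 172.16/12
    ("192.168.10.5", "192.168.20.7", 450),  # internal, 192.168/16
    ("10.1.2.3", "93.184.216.34", 5200),    # Internet bound
    ("10.1.2.3", "224.0.0.251", 120),       # multicast (mDNS), not RFC 1918
    ("172.16.4.4", "8.8.8.8", 96),          # Internet bound
]


def is_rfc1918(dst: str) -> bool:
    """Mirror of: Destination IP Address = 10.0.0.0/8 or = 172.16.0.0/12 or = 192.168.0.0/16.

    Deliberately checks only the three RFC 1918 prefixes; the stdlib's
    IPv4Address.is_private is broader (loopback, link-local, CGNAT, test nets).
    """
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in RFC1918)


def classify(dst: str) -> str:
    """Bucket a destination the way the two queries split the flow table."""
    addr = ipaddress.ip_address(dst)
    if is_rfc1918(dst):
        return "internal"
    if addr in MULTICAST:
        return "multicast"
    return "internet"


def internal_flows(flows: List[Flow]) -> List[Flow]:
    """First query in the post: destination in any RFC 1918 prefix."""
    return [f for f in flows if is_rfc1918(f[1])]


def not_private_flows(flows: List[Flow]) -> List[Flow]:
    """Second query in the post: destination in none of the prefixes.
    As the post observes, multicast destinations land here too."""
    return [f for f in flows if not is_rfc1918(f[1])]


def internet_flows(flows: List[Flow]) -> List[Flow]:
    """Tightened variant: the != query plus an extra '!= 224.0.0.0/4' term,
    leaving only unicast, non-private destinations."""
    return [f for f in flows if classify(f[1]) == "internet"]


def bytes_by_class(flows: List[Flow]) -> Dict[str, int]:
    """Byte volume per bucket, useful for sizing the export before filtering."""
    totals: Dict[str, int] = defaultdict(int)
    for _src, dst, nbytes in flows:
        totals[classify(dst)] += nbytes
    return dict(totals)


if __name__ == "__main__":
    print("internal     :", [f[1] for f in internal_flows(SAMPLE_FLOWS)])
    print("not private  :", [f[1] for f in not_private_flows(SAMPLE_FLOWS)])
    print("internet only:", [f[1] for f in internet_flows(SAMPLE_FLOWS)])
    print("bytes/class  :", bytes_by_class(SAMPLE_FLOWS))
```

Running it shows the multicast flow appearing in the "not private" set but not in the "internet only" set, which is the difference between the `!=` query as written and the same query with a fourth `!= 224.0.0.0/4` clause. Note that `172.32.0.1` classifies as Internet, since 172.16.0.0/12 ends at 172.31.255.255; a `172.*` wildcard would have been wrong there, which is one reason CIDR is the better match operator.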
For Internet flows, would the following query be easier?
flow where Flow Type = 'Destination is Internet'
for RFC
flow where Flow Type = 'Switched' or Flow Type = 'Routed'