Fortinet black logo

Administration Guide

Assigning subnet filters to event handlers

Assigning subnet filters to event handlers

You can streamline SOC processes by defining a subnet whitelist/blacklist for event handlers. These addresses can be linked to any event handler through a data selector, enabling or preventing the selected subnets from triggering an event. Creating a subnet whitelist/blacklist in data selectors eliminates the need to specify common networks in every event handler.

To include or exclude subnets in an event handler:
  1. Go to FortiSoC > Handlers > Data Selector List.
  2. Click Create New.

    The Add New Data Selector pane displays.

    You can also Clone or Edit an existing data selector to include or exclude subnets.

  3. In the Subnets field, select Specify.

    The Include Subnets and Exclude Subnets fields display.

  4. Select the subnets to include or exclude in event handlers as part of the data selector.
  5. Configure the other options for the data selector, and click OK. For more information, see Creating data selectors.

  6. Go to FortiSoC > Handlers > Event Handler List.
  7. Select an event handler to add the data selector to, and click Edit.

    The Edit Basic Event Handler pane displays.

    You can also create a custom event handler to add the data selector to.

  8. From the Data Selector dropdown, select the data selector configured to include or exclude the selected subnets.
  9. Configure the other options for the event handler, and click OK. For more information, see Creating a custom event handler.

  10. Add the data selector to other event handlers, as needed.
Note

If a conflict arises between the exclude and include lists, the exclude list will take priority.

Note

Subnet filters work when either SRCIP or DSTIP hit the subnet, meaning SRCIPs and DSTIPs share the same subnet filters.

Assigning subnet filters to event handlers

You can streamline SOC processes by defining a subnet whitelist/blacklist for event handlers. These addresses can be linked to any event handler through a data selector, enabling or preventing the selected subnets from triggering an event. Creating a subnet whitelist/blacklist in data selectors eliminates the need to specify common networks in every event handler.

To include or exclude subnets in an event handler:
  1. Go to FortiSoC > Handlers > Data Selector List.
  2. Click Create New.

    The Add New Data Selector pane displays.

    You can also Clone or Edit an existing data selector to include or exclude subnets.

  3. In the Subnets field, select Specify.

    The Include Subnets and Exclude Subnets fields display.

  4. Select the subnets to include or exclude in event handlers as part of the data selector.
  5. Configure the other options for the data selector, and click OK. For more information, see Creating data selectors.

  6. Go to FortiSoC > Handlers > Event Handler List.
  7. Select an event handler to add the data selector to, and click Edit.

    The Edit Basic Event Handler pane displays.

    You can also create a custom event handler to add the data selector to.

  8. From the Data Selector dropdown, select the data selector configured to include or exclude the selected subnets.
  9. Configure the other options for the event handler, and click OK. For more information, see Creating a custom event handler.

  10. Add the data selector to other event handlers, as needed.
Note

If a conflict arises between the exclude and include lists, the exclude list will take priority.

Note

Subnet filters work when either SRCIP or DSTIP hit the subnet, meaning SRCIPs and DSTIPs share the same subnet filters.