topic Re: Create Server Class in Forwarder Management for Windows 10 workstations in Getting Data In

Create Server Class in Forwarder Management for Windows 10 workstations

molinarf — Mon, 24 Jun 2019 19:19:01 GMT

I want to create a new server class in Forwarder Management just for workstations (Windows 10). Since they are located in a particular subnet X.X.X.32/24 or X.X.X.32 255.255.255.224. Can I use the whitelist to filter based on the subnet? Is it possible to filter by Machine Type using a filter for Windows 10 workstations?

Thank you

Re: Create Server Class in Forwarder Management for Windows 10 workstations

jnudell_2 — Mon, 24 Jun 2019 19:28:57 GMT

Hi @molinarf ,

You can filter to Windows hosts, but not specifically to Windows 10. However, you can also create a whitelist for the IP addresses you want to select as well. This is easiest done from the UI:
Click on Settings -> Forwarder Management -> Server Classes
Select your server class, and then click the Add Clients option
In the whitelist box, if you wanted to whitelist a /24 range (10.10.10.0/24 as an example) you would use the corresponding regex:

10.10.10.\d{1,3}

Because it is regex, you would have to use something that matches all the IPs in a given set, and it would NOT recognize CIDR notation (10.10.10.0/24 will not work).

Re: Create Server Class in Forwarder Management for Windows 10 workstations

molinarf — Mon, 24 Jun 2019 19:44:31 GMT

Okay, I didn't realize it was to be in a regex format. Can you clarify the expression where you use \d{1,3}. Looks like to me it would be the network ip (i.e. 10.10.10.\d) but what is the {1,3}?

Thanks,

Re: Create Server Class in Forwarder Management for Windows 10 workstations

jnudell_2 — Mon, 24 Jun 2019 19:46:13 GMT

\d{1,3} means any digit 1 - 3 times. If you use \d, it means any digit ONLY 1 time. That would be equivalent to the list:
10.10.10.0
10.10.10.1
.
.
.
10.10.10.9
But NOT 10.10.10.10+ because now it's two digits.

Re: Create Server Class in Forwarder Management for Windows 10 workstations

molinarf — Mon, 24 Jun 2019 20:00:50 GMT

So to clarify... just so I get it right, that means that for what I am trying to do I should write it

10.10.10.(3[2-9]|[4-5][0-9]|6[0-1])$

Sorry I keep asking for clarification.

Re: Create Server Class in Forwarder Management for Windows 10 workstations

jnudell_2 — Mon, 24 Jun 2019 20:50:44 GMT

No problem.
That would set your range to:
10.10.10.32 - 61
You don't need the $ at the end, but try it and see if it works.
If that's what you want, then yes. 🙂

Re: Create Server Class in Forwarder Management for Windows 10 workstations

molinarf — Mon, 24 Jun 2019 21:41:43 GMT

So, I am getting closer. I eliminated the $. When I save and then go back to look at the parameters because it says that I haven't added any clients, I am greeted with this error:

In handler 'serverclients': Regex: missing terminating ] for character class. I have been searching for an answer on line, but I have yet to find one that applies. Any ideas?

Re: Create Server Class in Forwarder Management for Windows 10 workstations

jnudell_2 — Mon, 24 Jun 2019 21:54:47 GMT

One thing you can do is use the preview button to see which clients get captured by the whitelist. You can see match & unmatched clients.

If you're getting an error, I would simplify the regex until it works and then add your conditionals.

Example: Start with

10.10.10.(3[2-9])

And then hit preview, and see if you get any clients in 10.10.10.32 - 39.

Next add a |[45][0-9] and hit preview.

Until you get to your full whitelist range.

Re: Create Server Class in Forwarder Management for Windows 10 workstations

molinarf — Mon, 24 Jun 2019 22:23:10 GMT

I tried that... Although I didn't get the error as I found the syntax issue (fat fingering). I kept trying and it says nothing matches even though there is one workstation with an IP that matches the whitelist filter. Quite frustrating. If you have any other ideas, let me know. Maybe I should Blacklist every other device's IP or ranges?

Re: Create Server Class in Forwarder Management for Windows 10 workstations

molinarf — Mon, 24 Jun 2019 23:00:41 GMT

I tested the regex that I had and that you verified as good. Even though it does not produce errors and I would eventually like to use this format to filter subnets, I had to go through the less fancy way and just put the hostnames of the workstations. Since there are a few varieties, I just did a portion of the name and then added an '*' at the end.It filters properly and I have the only workstation that I have using a UF. So I switched to this for the sake of expediency. It may not look sexy or fabulous that can give a lay person a headache, but it's functional with the hostnames. Of course, in the other server class for essentially windows servers, I had to blacklist the same hostnames.

Thanks jnudell_2 for your help and assistance on regex expression for IPs and the explanation.