Field Keywords

You can use predefined field names as keywords in filter criteria. The query result only shows log records that match the criteria in the specified field. If you do not use field names, the query result shows records that match the criteria in all fields.

This table shows the predefined field keywords. Some fields also support keyword aliases that you can type as alternatives to the primary keyword.

Keyword	Keyword Alias	Description
`severity`		Severity of the event
`app_risk`		Potential risk from the application, of the event
`protection`		Name of the protection
`protection_type`		Type of protection
`confidence_level`		Level of confidence that an event is malicious
`action`		Action taken by a security rule
`blade`	`product`	Software Blade
`destination`	`dst`	Traffic destination IP address, DNS name or Check Point network object name
`origin`	`orig`	Name of originating Security Gateway
`service`		Service that generated the log entry
`source`	`src`	Traffic source IP address, DNS name or Check Point network object name
`user`		User name

Syntax for a field name query:

<field name>:<values>

<field name> - One of the predefined field names
<values> - One or more filters

To search for rule number, use the Rule field name. For example:

rule:7.1

If you use the rule number as a filter, rules in all the Layers with that number are matched.

To search for a rule name, you must not use the Rule field. Use free text. For example:

"Block Credit Cards"

Best practice: Do a free text search for the rule name. Make sure rule names are unique and not reused in different Layers.

Examples:

source:192.168.2.1
action:(Reject OR Block)
You can use the OR Boolean operator in parentheses to include multiple criteria values.

Important - When you use fields with multiple values, you must:

Write the Boolean operator, for example OR.
Use parentheses.