Functions

You can add functions inside the curly brackets of a query. Most functions are stanza specific, meaning you can use them only when querying a specific stanza such as rules, devices, and policies.

Stanza Functions
Function Name Description
date( ) The date function returns date information on a query. It can take either a string argument or two dates as an argument, and return either a specific date or date range.
usage( )

The usage function returns a metric, either a count or a percentage, on a given network object. You can combine usage() with date() to return usage data on for a specified date range. See the Usage( ) Function Types topic for more information.
zone( )

The zone function returns an IP address tree for the address space defined by a zone. You can use set operations to run queries on zones.

For example:

rule{source INTERSECTS zone('myzone')}

The zone function accepts multiple predefined and custom zone names, and also an optional argument, "External", that negates the IP address range defined by the zones.

Predefined zone names:

  • zone('All') - builds the entire IP address range.
  • zone('Any) or zone ('*') - builds the IP address tree from all the zones defined in the domain.
  • zone('External') - the negation of the IP address tree of all the zones in the domain.

Custom zone names: 

  • zone('MyZoneA') - maps the IP address tree of all the interfaces in the custom zone.
  • zone('MyZoneA', 'MyZoneB', 'MyZoneC') - maps the IP address tree of all the interfaces in each custom zones.
  • zone('MyZoneA', true) - the negation of the IP address tree defined by the custom zone.

 
crossesZone( )

The crossesZone( ) function checks whether if a rule allows traffic from the specified source zone to the specified destination zone and returns a boolean. The crossesZone() function takes two arguments, the source zone name, and the destination zone name.

If the query returns TRUE, the source of the rule originates from the specified source zone and the destination terminates inside the specified destination zone.

entersZone( ) The entersZone( ) function checks whether a rule allows traffic to enter the specified zone and returns a boolean. If the query returns TRUE, the destination of the rule is in the specified zone.
exitsZone( ) The exitsZone( ) function checks whether a rule allows traffic to exit a specified zone and returns a boolean. If the query returns TRUE, the source of the rule is in the specified zone.
routes( )

The routes( ) function takes two arguments - a source network or list of source networks, and a destination network or list of destination networks - and returns TRUE if they intersect. You can use a wildcard ('*') to represent any network. To represent a list of networks, put the networks in a comma-separated list enclosed in a parentheses. The source and destination arguments can accept network functions like DNS or zones.

 

For example:

policy{routes('192.168.1.0/24','192.168.2.0/24')

policy{routes(('192.168.1.0/24','192.168.2.0/24'), '*') }

policy{routes(zone('internal'), '*') }

policy{routes(dns('securepassage.com'), '*') }