Tufin Query Language
Tufin Query Language (TQL) is an SQL-like query language that lets you filter displayed information and is incorporated into a number of TOS Aurora screens including the Rule Viewer, USP Viewer, USP Alerts Manager, USP Exceptions Viewer, and Device Viewer. On some screens the query field is displayed before any data is displayed.
To filter the display, enter the text into the search field followed by Enter or . As you type, auto-complete will prompt you with fields, operators or predefined field values. The filter details are appended to the URL when the query is displayed and this can be saved for future use. To restore the original unfiltered display, clear the search field followed by Enter or .
A query consists of a field name, operator and value, for example:
permissivenessLevel = 'HIGH'
timeLastHit before last year
Build more complex queries using the AND and OR operators, for example:
comment exists and timeLastModified after last year and permissivenessLevel in ('LOW', 'MEDIUM') or action = 'ALLOW'
The AND and OR operators have the same precedence, and are parsed from left to right. Use parentheses to override the default precedence of the operators to build the exact query you want. For example:
(comment contains 'test' and action = 'ALLOW') or (timeLastModified before last month and tags exists)
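How equal precedence changes the grouping compared with the SQL habit of binding AND before OR, as an added example that is not Tufin's parser. `group()` and its token rules are hypothetical, and the mixed query is constructed from field names used on this page.

```python
import re

TOKEN = re.compile(r"'[^']*'|[(),]|[^\s(),']+")
# Equal precedence (TQL, per this page) versus AND-before-OR (SQL habit).
LEVELS = {"tql": [("and", "or")], "sql": [("or",), ("and",)]}

def group(query, style="tql"):
    """Return the query with explicit parentheses for the chosen precedence."""
    toks = TOKEN.findall(query)[::-1]  # reversed so pop() yields the next token
    levels = LEVELS[style]

    def peek():
        return toks[-1].lower() if toks else None

    def condition():
        parts = []
        while peek() not in (None, "and", "or", ")"):
            tok = toks.pop()
            if tok == "(":  # value list, e.g. in ('LOW', 'MEDIUM')
                items = [t for t in iter(toks.pop, ")") if t != ","]
                tok = "(" + ", ".join(items) + ")"
            parts.append(tok)
        return " ".join(parts)

    def term():
        if peek() != "(":
            return condition()
        toks.pop()  # a '(' that opens a term is grouping
        node = expr(0)
        if peek() != ")":
            raise ValueError("unbalanced parentheses")
        toks.pop()
        return node

    def expr(level):
        if level == len(levels):
            return term()
        node = expr(level + 1)
        while peek() in levels[level]:
            op = toks.pop().lower()
            node = f"({node} {op} {expr(level + 1)})"
        return node

    return expr(0)

MIXED = "action = 'ALLOW' or comment exists and tags exists"  # constructed query
print(group(MIXED, "tql"), group(MIXED, "sql"), sep="\n")
```

A query that starts with OR is where the two readings diverge, so a filter written with SQL habits can return a different rule set than intended unless it is parenthesized.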
Using TQL (Tufin Query Language)
Supported Operators
Operator | Description |
---|---|
= | Field exactly matches the value specified. For IP addresses, the search must be an exact match. If the IP address does not include a subnet, all subnets will be returned. If the IP address is included in a group, the search will also return the group. For further information, see IP Address Equals Search. |
contains | For fields that contain strings: For protocols and port numbers: Contains is not supported for IPv6 addresses. For IP addresses in IPv4 format, results are returned for rules with sources or destinations with subnets, groups, or ranges that include the IP specified in the query. It will not return a textual match, and must contain a complete IP address. For further information, see IP Address Contains Search. |
in | Field matches (does not match) at least one of the specified elements. Example: service.name in ('ftp' , 'ssh') |
exists | Field contains (does not contain) data. Examples: |
Before | For timestamp type fields only (YYYY-MM-DD). Examples: |
And | Combines multiple operators, parsed from left to right. Example: See additional examples above. |
Field Types and Values
Field Type | Values |
---|---|
Strings | Must be surrounded by single quotes. Example: 'sometext'. |
Time stamps | Operators Before, After, =, together with: Example: |
boolean | true, false (without quote character) |
IP addresses | Strings in IP format. Example: source.ip = '1.1.1.1' |
Sorting
You can sort the display on selected single fields, using the 'order by' operator. Example: order by device.name.
IP Addresses
IPv4 Address Formats
IPv4 addresses must always be a complete IP address or a range, and can include a subnet; you cannot search based on a partial IP address.
Examples of valid IPv4 searches:
source.ip = '1.1.1.1'
source.ip = '1.1.1.1/32'
source.ip = '1.1.1.1/24'
source.ip = '1.1.1.0/24'
source.ip = '1.1.1.1/255.0.0.0'
source.ip = '1.1.1.1/255.255.255.255'
The following IP address formats are not valid:
source.ip = '1.1.1'
source.ip = '1.1.1.x'
source.ip = '1.1.1.1/'
IPv6 Address Formats
IPv6 addresses can be in any format that resolves to an IPv6 address. The following examples resolve to the same address and produce the same search results:
source.ip = '2001:DB8:ABCD:12::'
source.ip = '2001:0DB8:ABCD:0012:0000:0000:0000:0000'
IP Address Equals Search
- For IPv6 addresses, an Equals search will return any address which resolves to the same address.
- For IPv4 addresses, a search with Equals will return an exact match. If the search is for an IP address only, without a subnet, then it will return any subnets. If the search includes a subnet, it will return only IPs with the same subnetting. If the IP address is included in a group, the search will also return the group.
Example of search without subnet:
source.ip = '1.1.1.1'
would return the following:
1.1.1.1
1.1.1.1/32
1.1.1.1/24
1.1.1.1/255.0.0.0
1.1.1.1/255.255.255.255
groups which include 1.1.1.1
Examples of search with subnet:
source.ip = '1.1.1.0'
source.ip = '1.1.0.0/16'
IP Address Contains Search
- Searches with Contains are not supported for IPv6 addresses.
- For IPv4 addresses, a search with Contains will return results with subnets, ranges, or groups that contain the IP.
Example:
source.ip contains '1.1.1.1'
would return all of the following:
1.1.1.1/32
1.1.1.1/24
1.1.1.0/24
1.1.1.1/255.0.0.0
1.1.1.1/255.255.255.255
1.1.1.1-1.1.1.8
group which includes 1.1.1.1
ANY
- An IPv4 search for a range of addresses will return a range that includes all the values in the range. The maximum and minimum values in the range must be complete IP addresses, without a subnet.
Example:
source.ip contains '1.1.1.1-1.1.1.8'
would return all of the following:
1.1.1.1-1.1.1.9
1.1.1.0/24
ANY
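A small model of the Equals and Contains results listed above, added here for illustration and not Tufin's implementation. The helpers `span`, `contains`, `equals` and `search` and the object list are hypothetical, groups are not modelled, and treating a query with a subnet as an exact address-and-mask match is an assumption drawn from the "same subnetting" wording.

```python
import ipaddress

def span(text):
    """Return (first, last) integer addresses an IPv4 object covers."""
    if text.upper() == "ANY":
        return 0, 2**32 - 1
    if "-" in text:  # range such as 1.1.1.1-1.1.1.8
        first, last = (int(ipaddress.IPv4Address(p)) for p in text.split("-"))
        return first, last
    net = ipaddress.ip_interface(text).network  # accepts /24 and /255.255.255.0
    return int(net.network_address), int(net.broadcast_address)

def contains(obj, query):
    """Traffic match: the object covers every address in the query."""
    (o_first, o_last), (q_first, q_last) = span(obj), span(query)
    return o_first <= q_first and q_last <= o_last

def equals(obj, query):
    """Bare address: same host, any mask. With a mask: same host and mask (assumed)."""
    if obj.upper() == "ANY" or "-" in obj:
        return False
    o, q = ipaddress.ip_interface(obj), ipaddress.ip_interface(query)
    return o == q if "/" in query else o.ip == q.ip

# Constructed rule-source objects, taken from the result lists on this page.
OBJECTS = ["1.1.1.1", "1.1.1.1/32", "1.1.1.1/24", "1.1.1.0/24",
           "1.1.1.1/255.0.0.0", "1.1.1.1-1.1.1.9", "2.1.1.1", "ANY"]

def search(op, query, objects=OBJECTS):
    """Filter the object list with one of the two operators."""
    return [o for o in objects if op(o, query)]

for op, q in [(equals, "1.1.1.1"), (contains, "1.1.1.1"), (contains, "1.1.1.1-1.1.1.8")]:
    print(f"{op.__name__:8} {q:16} -> {search(op, q)}")
```

In this model, Equals on a bare address skips 1.1.1.0/24 and ANY even though both cover that host, so Contains is the operator to use when the question is which rules permit traffic for an address.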
Search for Partial IP Addresses
In the Rule Viewer, you can use a text search to find a partial IP address. This finds any field containing the string, including the source and destination IP addresses and IPv6 permutations. This is a text search, not a traffic search; it treats the IP address as a text field.
Example:
text contains '1.1.1'
would return a source or destination field with any of the following:
1.1.1.2
2.1.1.1
1.1.1.1/255.255.255.255
Field Names
The field names that can be used in the query are specific to the screen. All names are case sensitive. To list all the available fields for a screen, press Ctrl + Space and select as required.
See list of TQL fields for: