
As part of our Firewall Rules Management Series, below are Splunk dashboard panels that can be used for firewall rules analysis. For a more holistic outlook on managing your firewalls, check out this free resource by Advoqt, a White Paper on Firewall Rules Management.

This search shows the destination ports used by each source IP. For every port it reports the sum of received and transmitted bytes, the hit count, and the number of unique source hosts using that specific port. Only traffic allowed by an FWNAV* policy towards the External zone is counted, and events whose source IP has no entry in the application-owner lookup, or whose destination IP cannot be geolocated, are dropped by the two `search` filters.

Search
index=firewall rule_uid="*" policy_name=FWNAV* src_ip="*" dest_ip="*" action=allowed dest_port="*" dest_zone=External
| fields src_ip dest_ip dest_port client_outbound_bytes client_inbound_bytes bytes
| lookup fwrsk_ip_name src_ip OUTPUT MEGA_app_name MEGA_App_Owner
| search MEGA_app_name="*" MEGA_App_Owner="*"
| iplocation dest_ip
| search Country=*
| stats
sum(client_inbound_bytes) as RXBytes
sum(client_outbound_bytes) as TXBytes
sum(bytes) as Bytes
count as hits dc(src_ip) as hostcount
by dest_port
| sort Bytes desc
| fieldformat Bytes=tostring(Bytes, "commas")
| fieldformat RXBytes=tostring(RXBytes, "commas")
| fieldformat TXBytes=tostring(TXBytes, "commas")
| fieldformat hits=tostring(hits, "commas")

This search uses `iplocation` to geolocate the destination IPs, then plots on a map, split by destination port, where these applications are connecting to.

Search
index=firewall rule_uid="*" policy_name=FWNAV* src_ip="*" dest_ip="*" action=allowed dest_port="*" dest_zone=External
| fields src_ip dest_ip dest_port
| lookup fwrsk_ip_name src_ip OUTPUT MEGA_app_name MEGA_App_Owner
| search MEGA_app_name="*" MEGA_App_Owner="*"
| iplocation dest_ip
| search Country=*
| geostats latfield=lat longfield=lon count by dest_port

This search shows the total number of bytes and the hit count per destination country, sorted by hit count in descending order.

Search
index=firewall rule_uid="*" policy_name=FWNAV* src_ip="*" dest_ip="*" action=allowed dest_port="*" dest_zone=External
| fields src_ip dest_ip dest_port bytes
| lookup fwrsk_ip_name src_ip OUTPUT MEGA_app_name MEGA_App_Owner
| search MEGA_app_name="*" MEGA_App_Owner="*"
| iplocation dest_ip
| search Country=*
| stats
sum(bytes) as Bytes
count as hits
by Country
| sort hits desc
| fieldformat Bytes=tostring(Bytes, "commas")
| fieldformat hits=tostring(hits, "commas")
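The three panels share one filter chain and differ only in the aggregation. The following Python is an added example (not code from the original post or from Advoqt) that reproduces that chain offline so the panel logic can be checked before it is trusted on a dashboard: it applies the FWNAV*/allowed/External filter, the app-owner lookup and the geolocation filter, then computes the per-port stats of the first search, the per-location counts that `geostats` feeds to the map in the second, and the per-country totals of the third. The events, the `fwrsk_ip_name` lookup table and the `iplocation` results are all constructed stand-ins (RFC 5737 documentation addresses, hypothetical application names), since the real lookup and the GeoIP database are not on the page.

```python
"""Offline reference for the three firewall panels: shared filter chain, then
stats by dest_port, geostats by dest_port and stats by Country."""
from collections import defaultdict

# Constructed sample events (hypothetical); field names match the SPL searches.
SAMPLE_EVENTS = [
    {"policy_name": "FWNAV-Prod", "action": "allowed", "dest_zone": "External",
     "src_ip": "10.0.0.5", "dest_ip": "203.0.113.10", "dest_port": 443,
     "client_inbound_bytes": 1200, "client_outbound_bytes": 300, "bytes": 1500},
    {"policy_name": "FWNAV-Prod", "action": "allowed", "dest_zone": "External",
     "src_ip": "10.0.0.6", "dest_ip": "203.0.113.10", "dest_port": 443,
     "client_inbound_bytes": 800, "client_outbound_bytes": 200, "bytes": 1000},
    {"policy_name": "FWNAV-Prod", "action": "allowed", "dest_zone": "External",
     "src_ip": "10.0.0.5", "dest_ip": "198.51.100.7", "dest_port": 22,
     "client_inbound_bytes": 50, "client_outbound_bytes": 500, "bytes": 550},
    # Dropped by action=allowed: denied traffic never reaches these panels.
    {"policy_name": "FWNAV-Prod", "action": "denied", "dest_zone": "External",
     "src_ip": "10.0.0.5", "dest_ip": "198.51.100.7", "dest_port": 443,
     "client_inbound_bytes": 0, "client_outbound_bytes": 0, "bytes": 0},
    # Dropped by search MEGA_app_name="*": src_ip has no row in the lookup.
    {"policy_name": "FWNAV-Prod", "action": "allowed", "dest_zone": "External",
     "src_ip": "10.0.0.7", "dest_ip": "203.0.113.10", "dest_port": 443,
     "client_inbound_bytes": 99, "client_outbound_bytes": 99, "bytes": 198},
    # Dropped by policy_name=FWNAV* (and would also fail search Country=*).
    {"policy_name": "CORP-Default", "action": "allowed", "dest_zone": "External",
     "src_ip": "10.0.0.6", "dest_ip": "192.0.2.99", "dest_port": 53,
     "client_inbound_bytes": 40, "client_outbound_bytes": 60, "bytes": 100},
]

# Constructed stand-in for the fwrsk_ip_name lookup: src_ip -> (MEGA_app_name, MEGA_App_Owner)
APP_LOOKUP = {"10.0.0.5": ("Billing", "owner-a"), "10.0.0.6": ("CRM", "owner-b")}
# Constructed stand-in for iplocation: dest_ip -> (Country, lat, lon)
GEO_LOOKUP = {"203.0.113.10": ("United States", 37.8, -122.4),
              "198.51.100.7": ("Germany", 52.5, 13.4)}


def base_filter(events):
    """Shared chain: FWNAV* policy, allowed, External zone, a hit in the app-owner
    lookup (search MEGA_app_name="*") and a geolocated destination (search Country=*)."""
    kept = []
    for e in events:
        if not e.get("policy_name", "").startswith("FWNAV"):
            continue
        if e.get("action") != "allowed" or e.get("dest_zone") != "External":
            continue
        if e.get("src_ip") not in APP_LOOKUP or e.get("dest_ip") not in GEO_LOOKUP:
            continue
        kept.append(e)
    return kept


def stats_by_port(events):
    """Panel 1: sums, count and dc(src_ip) by dest_port, sorted by Bytes desc."""
    acc = defaultdict(lambda: {"RXBytes": 0, "TXBytes": 0, "Bytes": 0, "hits": 0, "hosts": set()})
    for e in base_filter(events):
        row = acc[e["dest_port"]]
        row["RXBytes"] += e["client_inbound_bytes"]
        row["TXBytes"] += e["client_outbound_bytes"]
        row["Bytes"] += e["bytes"]
        row["hits"] += 1
        row["hosts"].add(e["src_ip"])          # distinct count, like dc(src_ip)
    rows = [{"dest_port": p, "RXBytes": r["RXBytes"], "TXBytes": r["TXBytes"],
             "Bytes": r["Bytes"], "hits": r["hits"], "hostcount": len(r["hosts"])}
            for p, r in acc.items()]
    return sorted(rows, key=lambda r: r["Bytes"], reverse=True)


def geostats_by_port(events):
    """Panel 2: what geostats plots, a count per (lat, lon) split by dest_port."""
    acc = defaultdict(lambda: defaultdict(int))
    for e in base_filter(events):
        _, lat, lon = GEO_LOOKUP[e["dest_ip"]]
        acc[(lat, lon)][e["dest_port"]] += 1
    return {loc: dict(ports) for loc, ports in acc.items()}


def stats_by_country(events):
    """Panel 3: sum(bytes) and count by Country, sorted by hits desc."""
    acc = defaultdict(lambda: {"Bytes": 0, "hits": 0})
    for e in base_filter(events):
        country = GEO_LOOKUP[e["dest_ip"]][0]
        acc[country]["Bytes"] += e["bytes"]
        acc[country]["hits"] += 1
    rows = [{"Country": c, **r} for c, r in acc.items()]
    return sorted(rows, key=lambda r: r["hits"], reverse=True)


def commas(n):
    """The tostring(x, "commas") rendering the fieldformat lines apply."""
    return f"{n:,}"


if __name__ == "__main__":
    for row in stats_by_port(SAMPLE_EVENTS):
        print(row["dest_port"], commas(row["Bytes"]), commas(row["hits"]), row["hostcount"])
    print(geostats_by_port(SAMPLE_EVENTS))
    for row in stats_by_country(SAMPLE_EVENTS):
        print(row["Country"], commas(row["Bytes"]), commas(row["hits"]))
```

Two details worth checking on a real dashboard are visible in the sample: the `search MEGA_app_name="*"` and `search Country=*` filters silently discard any event whose source has no lookup row or whose destination cannot be geolocated, so an incomplete `fwrsk_ip_name` table makes byte totals and host counts understate real traffic, and because every search is restricted to `action=allowed`, blocked connection attempts never appear in these panels at all.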

________________

Our White Paper on Firewall Rules Management is a comprehensive overview of different techniques that will save you time and lower risk. Click here to access your free copy.

Get in touch with us to maximize the ROI of your security investments.

