
As part of our Firewall Rules Management Series, we look at Splunk dashboard panels that can be used for firewall rules analysis. For a more holistic outlook on managing your firewalls, check out this free resource by Advoqt, a White Paper on Firewall Rules Management.

This search gives detailed information about the traffic passing through the firewall, keyed on source and destination IP. It shows the country the servers are connecting to, the destination ports, the total hit counts by source and destination IP, the policy_name (the name of the firewall policy being used to reach the internet) and the rule_uid, which identifies the specific rule that is allowing internet access on the firewall.

Search
index=firewall rule_uid="*" policy_name=FWNAV* src_ip="*" dest_ip="*" action=allowed dest_port="*" dest_zone=External
| fields src_ip dest_ip dest_port client_outbound_bytes client_inbound_bytes bytes policy_name rule_uid action
| lookup fwrsk_ip_name src_ip OUTPUT MEGA_app_name MEGA_App_Owner name
| search MEGA_app_name="*" MEGA_App_Owner="*"
| stats
    sum(client_inbound_bytes) as RXBytes
    sum(client_outbound_bytes) as TXBytes
    count as hits
    by policy_name rule_uid src_ip name dest_ip dest_port
| sort hits desc
| iplocation dest_ip
| search Country=*
| table policy_name rule_uid src_ip name dest_ip dest_port Country RXBytes TXBytes hits
| fieldformat RXBytes=tostring(RXBytes, "commas")
| fieldformat TXBytes=tostring(TXBytes, "commas")
| fieldformat hits=tostring(hits, "commas")

This search displays the number of bytes and the hit counts broken down by action, rule_id and rule_uid, which together identify the current rule that is allowing internet access on the firewall.

Search
index=firewall rule_uid="*" policy_name=FWNAV* src_ip="*" dest_ip="*" action=allowed dest_port="*" dest_zone=External
| fields src_ip dest_ip dest_port bytes policy_name rule_uid rule_id action
| lookup fwrsk_ip_name src_ip OUTPUT MEGA_app_name MEGA_App_Owner
| search MEGA_app_name="*" MEGA_App_Owner="*"
| iplocation dest_ip
| search Country=*
| stats sum(bytes) as Bytes count as hits by policy_name rule_uid rule_id action
| sort hits desc
| fieldformat Bytes=tostring(Bytes, "commas")
| fieldformat hits=tostring(hits, "commas")

In this search we correlate the firewall data with the MEGA application data (through the fwrsk_ip_name lookup, keyed on source IP) to obtain the name of the application, the application owner, the level of risk of the application when it connects directly to the internet, and its business policy compliance (the MEGA_BIA_RISK and MEGA_GLBA fields returned by the lookup). Note that the `search MEGA_app_name="*" MEGA_App_Owner="*"` step keeps only source IPs that have a lookup entry, so traffic from unlisted IPs does not appear in this panel.

Search
index=firewall rule_uid="*" policy_name=FWNAV* src_ip="*" dest_ip="*" action=allowed dest_port="*" dest_zone=External
| fields src_ip dest_ip dest_port client_outbound_bytes client_inbound_bytes bytes policy_name rule_uid action
| iplocation dest_ip
| search Country=*
| stats
    sum(bytes) as Bytes
    count as hits
    by src_ip
| lookup fwrsk_ip_name src_ip OUTPUT MEGA_app_name MEGA_App_Owner MEGA_BIA_RISK MEGA_GLBA
| search MEGA_app_name="*" MEGA_App_Owner="*"
| sort hits desc
| stats
    sum(Bytes) as Bytes
    sum(hits) as traffic
    by MEGA_App_Owner MEGA_app_name MEGA_BIA_RISK MEGA_GLBA
| sort traffic desc
| fieldformat Bytes=tostring(Bytes, "commas")
| fieldformat traffic=tostring(traffic, "commas")
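To make the two-stage aggregation of this last search concrete, here is an added Python model of it (written for this article, not Splunk SPL or code from Advoqt's dashboards). It runs over a handful of constructed firewall events and a constructed stand-in for the fwrsk_ip_name lookup; the field names are the ones the search uses, the IP addresses, application names and owners are made up. The model also reports the traffic that the `search MEGA_app_name="*"` step silently discards when a source IP has no lookup entry, which is the gap to check before trusting the panel's totals.

```python
from collections import defaultdict

# Constructed sample firewall events (not real data). Each dict carries the
# fields the search reads from index=firewall.
EVENTS = [
    {"src_ip": "10.1.1.10", "dest_ip": "93.184.216.34", "dest_port": 443, "bytes": 5000,
     "policy_name": "FWNAV-DC1", "rule_uid": "r-001", "action": "allowed", "dest_zone": "External"},
    {"src_ip": "10.1.1.10", "dest_ip": "93.184.216.34", "dest_port": 443, "bytes": 7000,
     "policy_name": "FWNAV-DC1", "rule_uid": "r-001", "action": "allowed", "dest_zone": "External"},
    {"src_ip": "10.1.1.20", "dest_ip": "198.51.100.7", "dest_port": 80, "bytes": 1200,
     "policy_name": "FWNAV-DC1", "rule_uid": "r-002", "action": "allowed", "dest_zone": "External"},
    {"src_ip": "10.1.1.30", "dest_ip": "203.0.113.9", "dest_port": 22, "bytes": 900,
     "policy_name": "FWNAV-DC1", "rule_uid": "r-003", "action": "allowed", "dest_zone": "External"},
    # Excluded by the search head: blocked action, and an Internal destination zone.
    {"src_ip": "10.1.1.10", "dest_ip": "203.0.113.9", "dest_port": 443, "bytes": 300,
     "policy_name": "FWNAV-DC1", "rule_uid": "r-001", "action": "blocked", "dest_zone": "External"},
    {"src_ip": "10.1.1.40", "dest_ip": "10.2.0.5", "dest_port": 445, "bytes": 4000,
     "policy_name": "FWNAV-DC1", "rule_uid": "r-009", "action": "allowed", "dest_zone": "Internal"},
]

# Constructed stand-in for the fwrsk_ip_name lookup (src_ip -> MEGA fields).
# 10.1.1.30 is deliberately missing to show what the `search MEGA_app_name="*"` step drops.
IP_LOOKUP = {
    "10.1.1.10": {"MEGA_app_name": "Payroll", "MEGA_App_Owner": "Finance",
                  "MEGA_BIA_RISK": "High", "MEGA_GLBA": "Yes"},
    "10.1.1.20": {"MEGA_app_name": "Intranet", "MEGA_App_Owner": "IT",
                  "MEGA_BIA_RISK": "Low", "MEGA_GLBA": "No"},
}


def base_filter(events):
    """The search head: allowed traffic to dest_zone=External under a FWNAV* policy."""
    return [e for e in events
            if e["action"] == "allowed"
            and e["dest_zone"] == "External"
            and e["policy_name"].startswith("FWNAV")]


def stats_by_src_ip(events):
    """First stage: `stats sum(bytes) as Bytes count as hits by src_ip`."""
    agg = defaultdict(lambda: {"Bytes": 0, "hits": 0})
    for e in events:
        agg[e["src_ip"]]["Bytes"] += e["bytes"]
        agg[e["src_ip"]]["hits"] += 1
    return dict(agg)


def enrich_and_rollup(per_ip, lookup):
    """lookup + `search MEGA_app_name="*" MEGA_App_Owner="*"` + second stats.

    Returns (rows, dropped): rows are sorted by traffic desc, as the panel shows them;
    dropped totals the traffic from source IPs the lookup could not name.
    """
    rows = defaultdict(lambda: {"Bytes": 0, "traffic": 0})
    dropped = {"Bytes": 0, "traffic": 0, "src_ips": []}
    for ip, v in per_ip.items():
        m = lookup.get(ip)
        if m is None or not m.get("MEGA_app_name") or not m.get("MEGA_App_Owner"):
            dropped["Bytes"] += v["Bytes"]
            dropped["traffic"] += v["hits"]
            dropped["src_ips"].append(ip)
            continue
        key = (m["MEGA_App_Owner"], m["MEGA_app_name"], m["MEGA_BIA_RISK"], m["MEGA_GLBA"])
        rows[key]["Bytes"] += v["Bytes"]
        rows[key]["traffic"] += v["hits"]
    ordered = sorted(rows.items(), key=lambda kv: kv[1]["traffic"], reverse=True)
    return ordered, dropped


def app_traffic_report(events=EVENTS, lookup=IP_LOOKUP):
    """Whole pipeline, equivalent to the third search above."""
    return enrich_and_rollup(stats_by_src_ip(base_filter(events)), lookup)


if __name__ == "__main__":
    rows, dropped = app_traffic_report()
    for (owner, app, risk, glba), v in rows:
        print(f"{owner:8} {app:10} risk={risk:5} GLBA={glba:3} "
              f"Bytes={v['Bytes']:,} traffic={v['traffic']:,}")
    print("not in lookup (absent from the panel):", dropped)
```

With the constructed data the report lists Finance/Payroll (12,000 bytes, 2 hits) ahead of IT/Intranet (1,200 bytes, 1 hit), and shows 900 bytes from 10.1.1.30 that the Splunk panel would never display. A practical check on the real dashboard is to run the first stats stage without the `search MEGA_app_name="*"` filter and compare the totals; a large gap means the lookup is stale and the risk view is incomplete.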

________________

Our White Paper on Firewall Rules Management is a comprehensive overview of different techniques that will save you time and lower risk. Click here to access your free copy.

Get in touch with us to maximize the ROI of your security investments.
