Firewalls demarcate zones of different security policy. Because they control the flow of network traffic between those zones, firewalls act as gatekeepers and collect valuable data that might not be captured anywhere else. Firewalls also enforce security policy and thus may break applications that use unusual or unauthorized network protocols. Basic firewalls operate on layers 3 and 4 of the OSI model. Many modern firewalls combine other device functions and produce additional data, such as proxy and network intrusion detection data.
Firewall data can provide visibility into which traffic is blocked and which traffic has passed through. Logs provide a detailed record of traffic between network segments, including source and destination IP addresses, ports and protocols, all of which are critical when investigating security incidents.
When your Splunk deployment is ingesting firewall data, you can use it for security, compliance, and IT Ops use cases such as:
- Reconstructing a website defacement
- Monitoring for network traffic volume outliers
- Complying with General Data Protection Regulation
- Managing firewall rules
- Detecting the use of randomization in cyber attacks
- Detecting network and port scanning
- Detecting TOR traffic
- Monitoring employee network traffic
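As an added example (not Splunk's code and not from this page), the following shows the kind of detection logic behind the "network and port scanning" use case, run over the source, destination, port, protocol and action fields that firewall logs carry. The log lines and their key=value format are constructed, and the thresholds are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (key=value style, not a real vendor format).
SAMPLE_LOGS = """
src=10.0.0.5 dst=192.168.1.10 dport=22 proto=tcp action=blocked
src=10.0.0.5 dst=192.168.1.10 dport=23 proto=tcp action=blocked
src=10.0.0.5 dst=192.168.1.10 dport=80 proto=tcp action=allowed
src=10.0.0.5 dst=192.168.1.10 dport=443 proto=tcp action=allowed
src=10.0.0.5 dst=192.168.1.10 dport=3389 proto=tcp action=blocked
src=10.0.0.7 dst=192.168.1.1 dport=445 proto=tcp action=blocked
src=10.0.0.7 dst=192.168.1.2 dport=445 proto=tcp action=blocked
src=10.0.0.7 dst=192.168.1.3 dport=445 proto=tcp action=blocked
src=10.0.0.7 dst=192.168.1.4 dport=445 proto=tcp action=blocked
src=10.0.0.9 dst=192.168.1.10 dport=443 proto=tcp action=allowed
""".strip().splitlines()

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\S+) action=(\S+)")

def parse_line(line):
    """Return the fields of one firewall log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, dst, dport, proto, action = m.groups()
    return {"src": src, "dst": dst, "dport": int(dport), "proto": proto, "action": action}

def detect_scans(lines, port_threshold=5, host_threshold=4):
    """Flag sources probing many distinct ports on one host (port scan) or the
    same port on many distinct hosts (network sweep). Thresholds are assumptions."""
    ports_by_src_dst = defaultdict(set)   # (src, dst) -> {dport}
    hosts_by_src_port = defaultdict(set)  # (src, dport) -> {dst}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip lines that are not connection records
        ports_by_src_dst[(ev["src"], ev["dst"])].add(ev["dport"])
        hosts_by_src_port[(ev["src"], ev["dport"])].add(ev["dst"])
    findings = []
    for (src, dst), ports in ports_by_src_dst.items():
        if len(ports) >= port_threshold:
            findings.append(("port_scan", src, dst, len(ports)))
    for (src, port), hosts in hosts_by_src_port.items():
        if len(hosts) >= host_threshold:
            findings.append(("network_sweep", src, port, len(hosts)))
    return sorted(findings)
```

Each finding is a tuple of (type, source, target host or port, count), so the same logic can feed an alert or a dashboard once the source-specific parser is swapped in.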
Guidance for onboarding data can be found in the Splunk Documentation, Getting Data In (Splunk Enterprise) or Getting Data In (Splunk Cloud). In addition, these Splunk Add-ons and Apps are helpful for working with firewall data.
- Palo Alto Networks Add-on for Splunk
- Splunk Add-on for Check Point OPSEC LEA
- Splunk Add-on for Cisco FireSIGHT
- Splunk Add-on for Cisco ASA
- Splunk Add-on for Fortigate
- Splunk Add-on for Imperva SecureSphere WAF
- Splunk Add-on for Juniper