Firewalls demarcate zones of different security policy. By controlling the flow of network traffic, firewalls act as gatekeepers and collect valuable data that might not be captured anywhere else, because of their unique position in the path of network traffic. Firewalls also enforce security policy and can therefore break applications that use unusual or unauthorized network protocols. Basic firewalls operate on layers 3 and 4 of the OSI model. Many modern firewalls combine other device functions and produce additional data, such as proxy and network intrusion detection data.
Firewall data can provide visibility into which traffic is blocked and which traffic has passed through. Logs provide a detailed record of traffic between network segments, including source and destination IP addresses, ports and protocols, all of which are critical when investigating security incidents.
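As an added example (not part of the original page), the following Python script parses a few constructed firewall log lines in an assumed generic key=value format, summarizes allowed versus blocked traffic per source address, and flags sources whose blocked connections touched many distinct destination ports, the kind of blocked-traffic pattern the port-scanning use case below relies on. The log format and field names are assumptions, not any specific vendor's schema.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed key=value firewall format:
# timestamp, then action, src, dst, dport and proto fields.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z action=allowed src=10.0.1.15 dst=10.0.2.8 dport=443 proto=tcp
2024-05-01T10:00:02Z action=blocked src=198.51.100.7 dst=10.0.2.8 dport=22 proto=tcp
2024-05-01T10:00:02Z action=blocked src=198.51.100.7 dst=10.0.2.8 dport=23 proto=tcp
2024-05-01T10:00:03Z action=blocked src=198.51.100.7 dst=10.0.2.8 dport=445 proto=tcp
2024-05-01T10:00:03Z action=blocked src=198.51.100.7 dst=10.0.2.9 dport=3389 proto=tcp
2024-05-01T10:00:04Z action=blocked src=198.51.100.7 dst=10.0.2.9 dport=8080 proto=tcp
2024-05-01T10:00:05Z action=allowed src=10.0.1.22 dst=10.0.2.8 dport=53 proto=udp
2024-05-01T10:00:06Z action=blocked src=10.0.1.22 dst=10.0.2.8 dport=25 proto=tcp
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one log line into a dict of its key=value fields plus the timestamp."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    fields["dport"] = int(fields["dport"])
    return fields


def summarize(log_text):
    """Per source IP: allowed count, blocked count, and the set of blocked destination ports."""
    counts = defaultdict(lambda: {"allowed": 0, "blocked": 0, "blocked_ports": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["action"] not in ("allowed", "blocked"):
            continue  # ignore actions this summary does not track
        entry = counts[ev["src"]]
        entry[ev["action"]] += 1
        if ev["action"] == "blocked":
            entry["blocked_ports"].add(ev["dport"])
    return counts


def suspected_scanners(log_text, min_distinct_ports=5):
    """Sources whose blocked traffic hit at least min_distinct_ports distinct ports."""
    return sorted(src for src, e in summarize(log_text).items()
                  if len(e["blocked_ports"]) >= min_distinct_ports)


if __name__ == "__main__":
    for src, e in summarize(SAMPLE_LOGS).items():
        print(src, "allowed:", e["allowed"], "blocked:", e["blocked"],
              "blocked ports:", sorted(e["blocked_ports"]))
    print("suspected scanners:", suspected_scanners(SAMPLE_LOGS))
```

The threshold is a tunable assumption; in production the same aggregation would run over a time window rather than a whole file.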
Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion:
- Common data sources
Use cases for the Splunk platform
- Running common General Data Protection Regulation compliance searches
- Monitoring NIST SP 800-53 rev5 control families
- Detecting TOR traffic
- Detecting network and port scanning
- Managing firewall rules
- Monitoring for network traffic volume outliers
- Reconstructing a website defacement
- Detecting the use of randomization in cyberattacks