Network firewall data
Firewalls demarcate zones of different security policy. Because they control the flow of network traffic between those zones, firewalls are positioned to collect data that may not be captured anywhere else on the network. Firewalls also enforce security policy and may therefore break applications that use unusual or unauthorized network protocols. Basic firewalls operate at layers 3 and 4 of the OSI model, securing network-level traffic based on IP addresses, protocols, and ports. Many modern firewalls combine other device functions and produce additional data, such as proxy data and network intrusion detection data.
Network firewall data refers to the information generated, collected, or processed by a firewall, a security device or software solution that monitors, filters, and controls incoming and outgoing network traffic based on predefined security rules. Firewalls (for example, Cisco ASA, Palo Alto, Fortinet, Check Point) generate data that can be exported as syslog, SNMP traps, or through REST APIs. This data provides insight into network activity, security events, traffic flows, and policy enforcement, helping administrators protect networks from unauthorized access, malware, and other cyber threats. It also supports regulatory compliance by maintaining detailed logs of security events.
Network firewall data is typically accessed through dashboards, command-line interfaces (CLI), or APIs. It can be integrated with SIEM tools like Splunk Enterprise Security for centralized monitoring and analysis. Firewall logs must be securely stored and accessed to prevent tampering or unauthorized access, as they may contain sensitive information about the network.
Network firewall data typically includes:
- Traffic logs: Records of all network traffic passing through the firewall
- Access control logs: Data about how access control policies are applied
- Intrusion detection and prevention (IDS/IPS) data: Alerts and logs about suspicious or malicious activities detected by IDS/IPS features
- Firewall rules and policy data: Information about the configuration and enforcement of firewall rules
- NAT (network address translation) logs: Data about how private IP addresses are translated to public IPs for communication
- Threat intelligence data: Data sourced from external feeds to enhance firewall protection
- DDoS protection logs: Data about Distributed Denial-of-Service (DDoS) attacks and mitigation actions
- VPN (virtual private network) data: Logs and metrics related to VPN sessions managed by the firewall
- Geo-location and geo-blocking data: Data about traffic filtered based on geographic origin
- Bandwidth and traffic utilization data: Data about network traffic volume and resource usage
- Session logs: Data about active and terminated network sessions passing through the firewall
- Performance metrics: Data about the operational performance of the firewall
- Administrative logs: Data about changes made to the firewall configuration or policies
- Compliance and reporting data: Data used for regulatory compliance and audit purposes
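The following is an added example, not code from the original page or from any vendor listed on it. It shows what a minimal consumer of syslog-exported firewall data looks like before the data reaches a SIEM: a parser for a constructed key=value firewall log format (loosely modelled on common vendor styles, but not the exact format of any of them), followed by three defender-side checks that use the data categories listed above: traffic totals per action, a denied-traffic signal (one source denied on many distinct destination ports), and extraction of administrative change records for audit. The log lines, hostnames, rule names and IP addresses are all constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in a generic key=value firewall format.
# This is NOT the exact format of Palo Alto, Fortinet, Cisco or Check Point
# logs; it only illustrates the kinds of fields traffic and admin logs carry.
SAMPLE_LOGS = """\
<134>2024-05-01T10:00:01Z fw01 type=traffic action=allow proto=tcp src=10.0.1.15 spt=51514 dst=203.0.113.10 dpt=443 rule=web-out bytes=8420
<134>2024-05-01T10:00:02Z fw01 type=traffic action=deny proto=tcp src=198.51.100.7 spt=40001 dst=10.0.1.20 dpt=22 rule=default-deny bytes=0
<134>2024-05-01T10:00:03Z fw01 type=traffic action=deny proto=tcp src=198.51.100.7 spt=40002 dst=10.0.1.20 dpt=23 rule=default-deny bytes=0
<134>2024-05-01T10:00:04Z fw01 type=traffic action=deny proto=tcp src=198.51.100.7 spt=40003 dst=10.0.1.20 dpt=3389 rule=default-deny bytes=0
<134>2024-05-01T10:00:05Z fw01 type=traffic action=allow proto=udp src=10.0.1.15 spt=53211 dst=10.0.0.2 dpt=53 rule=dns-out bytes=120
<134>2024-05-01T10:00:06Z fw01 type=admin action=modify user=admin object=rule:web-out msg="service changed"
<134>2024-05-01T10:00:07Z fw01 type=traffic action=deny proto=tcp src=198.51.100.7 spt=40004 dst=10.0.1.20 dpt=445 rule=default-deny bytes=0
this line is not a firewall record and must be skipped
"""

# Syslog header: <PRI>, timestamp, host, then the key=value body.
HEADER_RE = re.compile(r"^<(?P<pri>\d+)>(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<body>.*)$")
# key=value pairs; values may be double-quoted and contain spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Parse one syslog line into a dict, or return None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    event = {
        "pri": pri,
        "facility": pri // 8,   # standard syslog PRI encoding
        "severity": pri % 8,
        "ts": m.group("ts"),
        "host": m.group("host"),
    }
    for key, val in KV_RE.findall(m.group("body")):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        event[key] = val
    return event


def parse_logs(text):
    """Parse every line, silently dropping lines that are not syslog records."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def traffic_summary(events):
    """Event count and byte total per action (allow/deny) from traffic logs."""
    summary = defaultdict(lambda: {"count": 0, "bytes": 0})
    for ev in events:
        if ev.get("type") != "traffic":
            continue
        summary[ev["action"]]["count"] += 1
        summary[ev["action"]]["bytes"] += int(ev.get("bytes", 0))
    return dict(summary)


def denied_port_fanout(events, threshold=3):
    """Sources that were denied on at least `threshold` distinct destination
    ports. Repeated denies across many ports from one source is a common
    thing to review in firewall traffic logs; the threshold is illustrative."""
    ports = defaultdict(set)
    for ev in events:
        if ev.get("type") == "traffic" and ev.get("action") == "deny":
            ports[ev["src"]].add(int(ev["dpt"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= threshold}


def admin_changes(events):
    """Administrative records (configuration or policy changes) for auditing."""
    return [ev for ev in events if ev.get("type") == "admin"]


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print("traffic by action:", traffic_summary(evs))
    print("sources denied on many ports:", denied_port_fanout(evs))
    for ev in admin_changes(evs):
        print("admin change:", ev["ts"], ev["user"], ev["object"], ev["msg"])
```

In a production pipeline these checks would run inside the SIEM (for example as Splunk searches over the add-on-normalized fields) rather than in a standalone script; the point here is that each check maps onto one of the data categories in the list above, and that the parser tolerates non-record lines rather than failing on them.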
Common data sources
- Splunk Add-on for Palo Alto Networks
- Palo Alto Networks Firewall
- Panorama
- Splunk Add-on for Check Point Log Exporter
- Check Point Firewall
- Cisco Security Cloud
- Splunk Add-on for Cisco FireSIGHT
- Cisco Firepower
- Splunk Add-on for Cisco ASA
- Splunk Add-on for Imperva SecureSphere WAF
- Splunk Add-on for Juniper
- Juniper SRX
- Splunk Add-on for Fortigate
- FortiGate
- Atlas ITSI Content Pack for Fortinet FortiGate
- Atlas ITSI Content Pack for pfSense