Skip to main content
 
 
 
Splunk Lantern

Blocked traffic to host

 

Host applications often receive and process information from external systems to provide a service or value to those systems. When a firewall is placed between the external system and the receiving host, firewall rules must be configured correctly to allow network traffic to flow.

Erroneous configuration changes on the firewall can cause network traffic into the host to suddenly become blocked. This usually has catastrophic effects on service functionality. You want to determine if traffic bound for a host is being dropped at the firewall and, if so, when the traffic blocking began. 

Required data

Firewall data

Procedure

Run the following search. You can optimize it by specifying an index and adjusting the time range.

This sample search uses the Palo Alto Networks Add-on. You can replace this source with any other firewall data used in your organization. You might need to adjust this query based on the specifics of your environment.

tag=network tag=communicate dest_ip="<IP address>" action IN (allowed blocked)
| timechart count BY action

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

tag=network tag=communicate 

Search for logs with the network or communicate tags.

dest_ip="<IP address>"

Search for a specific IP. 

actin IN (allowed blocked)

Look for events where action is  blocked or allowed.

| timechart count BY action

Show the number of actions over time. 

Next steps

The search shows a timechart. Select the line chart visualization to see two plots, one for the allowed actions and one for the blocked actions for the given destination IP address.

Finally, you might be interested in other processes associated with the Managing firewall rules use case.