Blocked traffic to host
Host applications often receive and process information from external systems to provide a service or value to those systems. When a firewall is placed between the external system and the receiving host, firewall rules must be configured correctly to allow network traffic to flow.
Erroneous configuration changes on the firewall can cause network traffic into the host to suddenly become blocked. This usually has catastrophic effects on service functionality. You want to determine if traffic bound for a host is being dropped at the firewall and, if so, when the traffic blocking began.
Required data
Procedure
Run the following search. You can optimize it by specifying an index and adjusting the time range.
This sample search uses the Palo Alto Networks Add-on. You can replace this source with any other firewall data used in your organization. You might need to adjust this query based on the specifics of your environment.
tag=network tag=communicate dest_ip="<IP address>" action IN (allowed blocked) | timechart count BY action
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| tag=network tag=communicate | Search for logs that carry both the network and communicate tags. |
| dest_ip="<IP address>" | Search for events whose destination is a specific IP address. |
| action IN (allowed blocked) | Look for events where action is either blocked or allowed. |
| \| timechart count BY action | Show the number of events for each action over time. |
Next steps
The search shows a timechart. Select the line chart visualization to see two plots, one for the allowed actions and one for the blocked actions for the given destination IP address.
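As an added illustration that is not part of the original article, the Python below does offline what the search and chart above do in Splunk: it buckets allowed and blocked events for one destination IP into time spans, then picks out the first bucket in which traffic that had been allowed starts being blocked. The field names _time, dest_ip and action follow the search above; the event records are constructed samples, not real firewall logs.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events in the shape the search relies on (not real
# Palo Alto Networks log lines): a timestamp, a destination IP and an action.
SAMPLE_EVENTS = [
    {"_time": "2024-03-01T09:58:00", "dest_ip": "10.0.0.5", "action": "allowed"},
    {"_time": "2024-03-01T10:02:00", "dest_ip": "10.0.0.5", "action": "allowed"},
    {"_time": "2024-03-01T10:07:00", "dest_ip": "10.0.0.5", "action": "allowed"},
    {"_time": "2024-03-01T10:09:00", "dest_ip": "10.0.0.9", "action": "blocked"},  # other host
    {"_time": "2024-03-01T10:16:00", "dest_ip": "10.0.0.5", "action": "blocked"},
    {"_time": "2024-03-01T10:18:00", "dest_ip": "10.0.0.5", "action": "blocked"},
    {"_time": "2024-03-01T10:24:00", "dest_ip": "10.0.0.5", "action": "blocked"},
]


def timechart_by_action(events, dest_ip, span_minutes=5):
    """Emulate `dest_ip=<IP> action IN (allowed blocked) | timechart count BY action`.

    Returns a time-sorted list of (bucket_start, allowed_count, blocked_count).
    span_minutes must divide 60 so buckets align the way timechart spans do.
    """
    buckets = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for ev in events:
        if ev["dest_ip"] != dest_ip or ev["action"] not in ("allowed", "blocked"):
            continue
        ts = datetime.fromisoformat(ev["_time"])
        # Floor the timestamp to the start of its span.
        bucket = ts.replace(minute=(ts.minute // span_minutes) * span_minutes,
                            second=0, microsecond=0)
        buckets[bucket][ev["action"]] += 1
    return [(b, c["allowed"], c["blocked"]) for b, c in sorted(buckets.items())]


def blocking_onset(chart):
    """Return the start of the first bucket with blocked traffic that follows a
    bucket in which traffic to the host was allowed, or None if there is no
    such allowed-then-blocked transition (e.g. the host was never reachable)."""
    seen_allowed = False
    for bucket_start, allowed, blocked in chart:
        if blocked and seen_allowed:
            return bucket_start
        if allowed:
            seen_allowed = True
    return None


if __name__ == "__main__":
    chart = timechart_by_action(SAMPLE_EVENTS, "10.0.0.5")
    for bucket_start, allowed, blocked in chart:
        print(f"{bucket_start:%H:%M}  allowed={allowed}  blocked={blocked}")
    print("blocking began at:", blocking_onset(chart))
```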
Finally, you might be interested in other processes associated with the Managing firewall rules use case.