Rarely used firewall rules
A fundamental task of firewall administration is the configuration and management of firewall rules, which ultimately results in allowed or blocked traffic flow.
You want to understand which firewall rules in your organization are hit most often and which are rarely used, so that you can tune the rulebase. Rarely used rules are also a useful lens on network traffic patterns: a hit on a rule that is almost never matched is often outlier traffic worth investigating.
Required data
Procedure
Run the following search. You can optimize it by specifying an index and adjusting the time range.
This sample search uses the Palo Alto Networks Add-on. You can replace this source with any other firewall data used in your organization. You might need to adjust this query based on the specifics of your environment.
tag=network tag=communicate rule=* | rare 5 rule useother=true
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Splunk Search | Explanation |
---|---|
tag=network tag=communicate | Search for events that carry both the network tag and the communicate tag (terms in SPL are implicitly ANDed). |
rule=* | Keep only events that have a rule field with any non-null value. |
\| rare 5 rule useother=true | Display the five least common rule values, with every remaining rule folded into a single OTHER row. Change useother=true to useother=false if you aren't interested in the other rules. |
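The following Python block is an added example, not code from the original page or from Splunk. It emulates what `rare 5 rule useother=true` computes (ascending count, percent of all events that have the field, remaining values folded into OTHER) over a handful of constructed firewall events, and adds the check that `rare` on its own cannot make: which configured rules produced no events at all. The event list, the rulebase, and the rule names in it are assumptions made up for the example.

```python
"""Offline emulation of the Splunk search

    tag=network tag=communicate rule=* | rare 5 rule useother=true

over constructed firewall events, plus a check that the SPL alone cannot do:
listing configured rules that were never hit in the window.
Added example; not the page's or Splunk's own code.
"""
from collections import Counter

# Constructed sample events (not real logs). One dict per firewall event,
# keyed the way the Palo Alto Networks add-on exposes the rule name as `rule`.
SAMPLE_EVENTS = (
    [{"rule": "Allow web"}] * 40
    + [{"rule": "Allow DNS"}] * 25
    + [{"rule": "Block remote SMB"}] * 1
    + [{"rule": "Allow IGMP traffic"}] * 2
    + [{"rule": "Allow ping, pong, and tracert"}] * 3
    + [{"rule": "Block all other IP traffic and log"}] * 4
    + [{"rule": "54"}] * 5
)

# Assumed rulebase export from the firewall (the page does not show one).
# It deliberately contains a rule that produced no log events in the window.
CONFIGURED_RULES = [
    "Allow web", "Allow DNS", "Block remote SMB", "Allow IGMP traffic",
    "Allow ping, pong, and tracert", "Block all other IP traffic and log",
    "54", "Allow legacy telnet",
]


def rare(events, field, limit=5, useother=True):
    """Emulate `| rare <limit> <field> useother=<bool>`.

    Returns rows of (value, count, percent) for the `limit` least common
    values, ascending by count, followed by one OTHER row holding every
    remaining value when useother is set. Percent is relative to all events
    that carry the field, which is how the SPL command computes it.
    """
    counts = Counter(e[field] for e in events if field in e)
    total = sum(counts.values())
    if total == 0:
        return []
    # Ascending by count; tie-break on the value so the output is deterministic
    # (Splunk does not guarantee the order of ties).
    ordered = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
    rows = [(v, c, round(100.0 * c / total, 6)) for v, c in ordered[:limit]]
    rest = ordered[limit:]
    if useother and rest:
        other = sum(c for _, c in rest)
        rows.append(("OTHER", other, round(100.0 * other / total, 6)))
    return rows


def never_hit(events, field, configured):
    """Rules present in the rulebase but absent from the logs.

    `rare` can only rank values that occur at least once, so a rule with zero
    hits never shows up in its output; it is found only by comparing the log
    field against the configured rulebase.
    """
    seen = {e[field] for e in events if field in e}
    return sorted(r for r in configured if r not in seen)


if __name__ == "__main__":
    print(f"{'rule':<36} {'count':>6} {'percent':>10}")
    for rule, count, pct in rare(SAMPLE_EVENTS, "rule", 5, True):
        print(f"{rule:<36} {count:>6} {pct:>10.6f}")
    print("never hit:", never_hit(SAMPLE_EVENTS, "rule", CONFIGURED_RULES))
```

Running the block prints the same three columns as the Splunk results table (rule, count, percent), with the five least-hit rules first and OTHER last, and then the rules that did not appear in the logs at all. The second list is the one to review before retiring anything: a rule absent from the search output may be unused, or it may simply have logging disabled or not have been hit within the chosen time range.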
Next steps
The search results show, for the least frequently hit rules, the rule name, the number of matching events, and that number as a percentage of all events in the search. Use them to decide whether a rule should be retired. Note that rare only ranks rules that produced at least one event in the time range: a rule with zero hits, or one whose logging is disabled, does not appear in the results at all. Before retiring a rule, compare the results against the configured rulebase and use a time range long enough to cover infrequent but legitimate traffic.
rule | count | percent |
---|---|---|
Block remote SMB | 4 | 0.007369 |
Allow IGMP traffic | 6 | 0.011053 |
Allow ping, pong, and tracert | 7 | 0.012895 |
Block all other IP traffic and log | 8 | 0.014737 |
54 | 10 | 0.018422 |
OTHER | 54249 | 99.935524 |
Finally, you might be interested in other processes associated with the Managing firewall rules use case.