Skip to main content
 
Splunk Lantern

Blocked traffic from host

 

Host applications often leverage external resources to assist with processing. For example, an application might depend on a third party API to function properly.

While outbound traffic is often more free-flowing than inbound, erroneous configuration changes on the firewall can cause network traffic from the host to suddenly become blocked. This usually has catastrophic effects on service functionality. You want to determine if outbound traffic from a host is being dropped at the firewall and, if so, when the traffic blocking began. 

Required data

Firewall data

Procedure

Run the following search. You can optimize it by specifying an index and adjusting the time range.  

This sample search uses the Palo Alto Networks Add-on. You can replace this source with any other firewall data used in your organization. You might need to adjust this query based on the specifics of your environment.

tag=network tag=communicate src_ip="<IP address>" action IN (allowed blocked)
| timechart count BY dst

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

tag=network tag=communicate 

Search for logs with the network or communicate tags.

src_ip="<IP address>" 

Search for events with the IP address of the host you are investigating as the source.

action IN (allowed blocked)

Look for events where action is  blocked or allowed.

| timechart count BY action

Graph the result count for the allowed actions and blocked actions.

Next steps

The search shows a timechart. Select the line chart visualization to see two plots, one for the allowed actions and one for the blocked actions for the given source IP address. 

Finally, you might be interested in other processes associated with the Managing firewall rules use case.