Skip to main content
Splunk Lantern

Rarely used firewall rules

A fundamental task of firewall administration is the configuration and management of firewall rules, which ultimately results in allowed or blocked traffic flow.

You want to understand which firewall rules in your organization are utilized or hit most often and which are rarely used so that you can tune them better. You also want to identify these rarely used rules as a valuable resource for understanding network traffic patterns and identifying outlier traffic.

Required data

Firewall data

Procedure

Run the following search. You can optimize it by specifying an index and adjusting the time range.  

This sample search uses the Palo Alto Networks Add-on. You can replace this source with any other firewall data used in your organization. You might need to adjust this query based on the specifics of your environment.

tag=network tag=communicate rule=*
| rare 5 rule useother=true

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

tag=network tag=communicate 

Search for logs with the network or communicate tags.

rule=*

Search all rules.

| rare 5 rule useother=true

Display the five least common rules with all remaining rules grouped into a single series.

You can change useother=true to useother=false if you aren't interested in the other rules. 

Next steps

The search results show the rule name and the count of which rules are infrequently used. The results may be used to determine if a rule should be retired. 

rule count percent

Block remote SMB

4

0.007369

Allow IGMP traffic

6

0.011053

Allow ping, pong, and tracert

7

0.012895

Block all other IP traffic and log

8

0.014737

54

10

0.018422

OTHER

54249

99.935524

Finally, you might be interested in other processes associated with the Managing firewall rules use case.