Splunk Lantern

Unauthorized connection through firewall


Any communication through the firewall not explicitly granted by policy could indicate either a misconfiguration or even malicious actions, putting your security and compliance at risk. You want to find these connections so they can be reported and investigated.

Required data

Firewall data. This sample search uses Palo Alto Networks. You can replace this source with any other firewall data used in your organization, such as Cisco ASA, Cisco PIX, or Cisco FWSM.


  1. Identify all relevant IT assets from a data mapping exercise conducted by the data privacy officer’s team. These are all IT assets that are relevant to the full audit trail of data processing activities. This includes not only data stores and repositories that house sensitive personal data (PD) and personally identifiable information (PII), but also any technologies that are involved in the processing, storage, transmission, receipt, rendering, encryption/decryption, relaying, and handling of such data in any capacity.
  2. Ensure that those assets are configured properly to report logging activity to an appropriate central repository.
  3. Use your data mapping results to build a lookup that associates systems to their system category. At a minimum, the lookup must contain the host field mapped to a GDPR (or other compliance) category.
  4. Run the following search. You can adjust this query based on the specifics of your environment.
sourcetype="pan*traffic" action=allowed
|lookup <name of lookup you created in step 3> host AS src_ip 
|search category=*

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search (each followed by its Explanation)

sourcetype="pan*traffic"

Search only Palo Alto Networks data. Replace the specified source type with firewall data sources that are applicable to your environment.

action=allowed

Search only for allowed connections.

|lookup <name of lookup you created in step 3> host AS src_ip

Look up the host in the categorization lookup you created and output the category field into the event when the host field in the lookup and src_ip match.

|search category=*

Filter for events that have a value in the category field.
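
One way to sanity-check the step 3 lookup before running the search, as an added example that is not part of the original article: the Python below writes a lookup file with host and category columns, flags host values that are not IP addresses (the search matches host against src_ip, so those rows never match), and dry-runs the search logic. The hosts, categories and firewall events are constructed sample values, and the function names are hypothetical.

```python
import csv
import io
import ipaddress

# Constructed data-mapping results (step 3): host -> compliance category.
DATA_MAPPING = [
    {"host": "10.20.1.15", "category": "GDPR-HR-database"},
    {"host": "10.20.1.40", "category": "GDPR-CRM"},
    {"host": "payroll01.example.internal", "category": "GDPR-payroll"},
]

# Constructed firewall events carrying the fields the search relies on.
EVENTS = [
    {"src_ip": "10.20.1.15", "dest_ip": "203.0.113.9", "action": "allowed"},
    {"src_ip": "10.20.1.40", "dest_ip": "198.51.100.7", "action": "blocked"},
    {"src_ip": "10.99.0.5", "dest_ip": "203.0.113.9", "action": "allowed"},
]


def build_lookup_csv(rows):
    """Return lookup file text with the two columns step 3 requires."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["host", "category"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


def unmatched_hosts(rows):
    """Hosts that are not IP addresses and so can never equal src_ip."""
    bad = []
    for row in rows:
        try:
            ipaddress.ip_address(row["host"])
        except ValueError:
            bad.append(row["host"])
    return bad


def dry_run(lookup_csv, events):
    """Mirror the search: action=allowed, lookup host AS src_ip, category=*."""
    table = {r["host"]: r["category"] for r in csv.DictReader(io.StringIO(lookup_csv))}
    return [{**ev, "category": table[ev["src_ip"]]} for ev in events
            if ev["action"] == "allowed" and table.get(ev["src_ip"])]


if __name__ == "__main__":
    lookup = build_lookup_csv(DATA_MAPPING)
    print(lookup)
    print("never matches src_ip:", unmatched_hosts(DATA_MAPPING))
    print(dry_run(lookup, EVENTS))
```

Rows flagged by `unmatched_hosts` should be resolved to the addresses the firewall actually logs before the lookup is uploaded, otherwise traffic from those assets is silently left out of the results.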

Next steps

A default allow firewall rule should never be used. If the connection should be allowed, document it and then add a specific allow rule.

Additionally, you should monitor the mapped IT assets for changes in logging status, adjust for known outages, and prioritize incident response for any failures to report by hosts that are not scheduled for downtime.

GDPR Relevance: In addition to the general security benefits, this detection helps an organization's data privacy officer meet GDPR requirements by detecting whether any new applications or service providers have been connected to push or pull personal data without the proper documentation. Under Article 30, organizations are required to maintain a record of processing activities, including the name and contact details of the controller, the purposes of the processing, and a description of the categories of data subjects and personal data processed. Additionally, they must maintain a record of categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international. Detecting any new connected applications or service providers that might not be allow-listed or documented can indicate a potential state of non-compliance, and the data privacy officer will be required to follow up and document. This situation may not impact organizations who employ fewer than 250 persons and therefore may not have critical categories of personal data for processing.

Finally, you might be interested in other processes associated with the Complying with General Data Protection Regulation use case.