Firewall data

Firewall data is a type of network traffic data that is captured from the firewalls on a network. Firewalls are used for access control and network segmentation. Basic firewalls operate on layers 3 and 4 of the OSI model. Many modern firewalls can combine with other device functions and produce additional data, such as proxy and network intrusion detection data. 

Data visibility 

Firewalls are most commonly used to provide segmentation and access controls. Therefore, a firewall typically only provides visibility into data that attempts to cross a border and interact with the firewall. Data that does not cross the firewall would not be captured. 

Data application

When your Splunk deployment is ingesting netflow data, you can use the data to achieve objectives related to the following use cases:

• Reconstructing a website defacement
• Monitoring for network traffic volume outliers
• Complying with General Data Protection Regulation

High-value fields

In the Common Information Model, firewall data is typically mapped to the Network Traffic Data model. This data type has many available fields, but users typically derive the most value out of the fields listed here.

src_ip

IP address and port information for the host which originated the traffic. 

dest_ip

IP address and port information of the host to which the traffic is destined. 

action

Information about the firewall’s disposition of the traffic, typically classified as allowed or blocked.  

protocol

Protocol that the traffic used. At the most basic level, TCP or UDP is identified, though some firewalls can provide more detailed information. 

Known data sources and source types

Guidance for onboarding data can be found in the Splunk documentation, Getting Data In.