Firewall data is a type of network traffic data that is captured from the firewalls on a network. Firewalls are used for access control and network segmentation. Basic firewalls operate on layers 3 and 4 of the OSI model. Many modern firewalls can combine with other device functions and produce additional data, such as proxy and network intrusion detection data.
Data visibility
Firewalls are most commonly used to provide segmentation and access controls. Therefore, a firewall typically only provides visibility into data that attempts to cross a border and interact with the firewall. Data that does not cross the firewall would not be captured.
High-value fields
In the Common Information Model, firewall data is typically mapped to the Network Traffic Data model. This data type has many available fields, but users typically derive the most value out of the fields listed here.
src_ip
The IP address and port information for the host which originated the traffic.
dest_ip
The IP address and port information of the host to which the traffic is destined.
action
Information about the firewall’s disposition of the traffic, typically classified as allowed or blocked.
protocol
The protocol that the traffic used. At the most basic level, TCP or UDP is identified, though some firewalls can provide more detailed information.
Known data sources and source types
Guidance for onboarding data can be found in the Splunk documentation, Getting Data In.
|
Data Source |
Sourcetype |
Recommend Add-Ons |
|---|---|---|
|
Check Point |
sourcetype=”opsec” |
|
|
Cisco |
sourcetype=”cisco:sourcefire” |
|
|
Fortinet |
sourcetype="fortinet" |
|
|
Imperva |
sourcetype=”imperva:waf” |
|
|
Juniper |
sourcetype="juniper:junos:firewall" sourcetype="netscreen:firewall |
Comments
0 comments
Article is closed for comments.