A fundamental task of firewall administration is configuring and managing firewall rules, which ultimately determine which traffic is allowed and which is blocked. You might need to see your least frequently used firewall rules when doing the following:
Prerequisites
In order to execute this procedure in your environment, the following data, services, or apps are required:
Example
You want to understand which firewall rules in your organization are hit most often and which are rarely hit, so that you can tune the rule base. Rarely used rules are also a valuable resource for understanding network traffic patterns and identifying outlier traffic.
NOTE: To optimize the search shown below, specify an index and a time range. This sample search uses Palo Alto Networks data; you can replace this source with any other firewall data used in your organization, provided the events carry an extracted rule field and the network and communicate tags.
- Run the following search:
tag=network tag=communicate rule=*
| rare 5 rule useother=true
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search | Explanation
--- | ---
tag=network tag=communicate | Search for events tagged with both network and communicate, the Common Information Model (CIM) Network Traffic tags. Both tags must be present; this is an AND, not an OR.
rule=* | Restrict to events that have a rule field, so that events with no rule name do not count toward the total.
\| rare 5 rule useother=true | Display the five rules with the fewest matching events, with each rule's event count and its percentage of all matching events. With useother=true, every remaining rule is folded into a single OTHER row. Tip: Change useother=true to useother=false if you aren't interested in the other rules.
Result
The search results show, for each of the five least-hit rules, the rule name, the number of matching events in the search time range, and that count as a percentage of all matching events; the OTHER row holds everything else. Rules at the top of this list are candidates for retirement, but confirm two things before retiring one: that logging is enabled on the rule (a Palo Alto Networks rule without Log at Session End or Log at Session Start generates no traffic events and will never appear here), and that the time range is long enough to cover periodic traffic such as weekly or monthly jobs. Note also that a rule with zero hits produces no events and therefore cannot appear in this output at all; to find those, compare the list of rules configured on the firewall against the rule names seen in the logs.

rule | count | percent
--- | --- | ---
Block remote SMB | 4 | 0.007369
Allow IGMP traffic | 6 | 0.011053
Allow ping, pong, and tracert | 7 | 0.012895
Block all other IP traffic and log | 8 | 0.014737
54 | 10 | 0.018422
OTHER | 54249 | 99.935524
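The following Python script is an added example and is not part of the original article or the Splunk product. It reproduces offline what `rare 5 rule useother=true` computes (count and percent per rule, plus an OTHER row) over a constructed set of firewall log lines, and adds the check the search alone cannot perform: listing configured rules that produced no events at all. The CSV layout, rule names and the CONFIGURED_RULES list are all constructed for illustration and are not the PAN-OS log format.

```python
# Added example, not code from the original article: reproduce what
# `rare 5 rule useother=true` computes over constructed log lines, and add
# the zero-hit check that the Splunk search cannot do on its own.
import csv
import io
from collections import Counter

# Constructed sample traffic log, reduced to the fields the search needs.
# The real PAN-OS traffic log has far more columns; this layout is an
# assumption for illustration, not the vendor's format.
SAMPLE_LOGS = """\
time,src,dst,rule,action
2024-05-01T10:00:01Z,10.1.1.5,203.0.113.10,Allow web,allow
2024-05-01T10:00:02Z,10.1.1.6,203.0.113.10,Allow web,allow
2024-05-01T10:00:03Z,10.1.1.7,203.0.113.11,Allow web,allow
2024-05-01T10:00:04Z,10.1.1.8,203.0.113.12,Allow web,allow
2024-05-01T10:00:05Z,10.1.1.9,203.0.113.12,Allow web,allow
2024-05-01T10:00:06Z,10.1.1.5,203.0.113.13,Allow web,allow
2024-05-01T10:00:07Z,10.1.1.5,10.0.0.53,Allow DNS,allow
2024-05-01T10:00:08Z,10.1.1.6,10.0.0.53,Allow DNS,allow
2024-05-01T10:00:09Z,10.1.1.7,10.0.0.53,Allow DNS,allow
2024-05-01T10:00:10Z,10.1.1.8,10.0.0.53,Allow DNS,allow
2024-05-01T10:00:11Z,10.1.1.9,10.0.0.53,Allow DNS,allow
2024-05-01T10:00:12Z,10.1.1.20,198.51.100.7,Block all other IP traffic,deny
2024-05-01T10:00:13Z,10.1.1.21,198.51.100.7,Block all other IP traffic,deny
2024-05-01T10:00:14Z,10.1.1.22,198.51.100.8,Block all other IP traffic,deny
2024-05-01T10:00:15Z,10.1.1.23,198.51.100.9,Block all other IP traffic,deny
2024-05-01T10:00:16Z,10.1.1.5,10.0.0.1,Allow ping and traceroute,allow
2024-05-01T10:00:17Z,10.1.1.6,10.0.0.1,Allow ping and traceroute,allow
2024-05-01T10:00:18Z,10.1.1.7,10.0.0.1,Allow ping and traceroute,allow
2024-05-01T10:00:19Z,10.1.1.5,224.0.0.1,Allow IGMP traffic,allow
2024-05-01T10:00:20Z,10.1.1.6,224.0.0.1,Allow IGMP traffic,allow
2024-05-01T10:00:21Z,10.1.1.30,192.0.2.45,Block remote SMB,deny
"""

# Constructed list of rules configured on the firewall (hypothetical), including
# two that never produced a log line in the sample window.
CONFIGURED_RULES = [
    "Allow web", "Allow DNS", "Allow NTP", "Deny telnet",
    "Allow ping and traceroute", "Allow IGMP traffic",
    "Block remote SMB", "Block all other IP traffic",
]


def parse_logs(text):
    """Return one dict per log line, keyed by the CSV header fields."""
    return list(csv.DictReader(io.StringIO(text)))


def rule_counts(events):
    """Count events per rule name; events without a rule are skipped,
    which is what `rule=*` does in the search."""
    return Counter(e["rule"] for e in events if e.get("rule"))


def rare(counts, limit=5, useother=True):
    """Mimic `rare <limit> rule useother=<bool>`: the <limit> rules with the
    fewest events, each as (rule, count, percent of all events). With
    useother=True the remaining rules are folded into one OTHER row.
    Ties are broken by rule name so the output is deterministic."""
    total = sum(counts.values())
    if total == 0:
        return []  # no events at all: nothing to rank
    ordered = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
    rows = [(name, n, round(100.0 * n / total, 6)) for name, n in ordered[:limit]]
    if useother and len(ordered) > limit:
        other = sum(n for _, n in ordered[limit:])
        rows.append(("OTHER", other, round(100.0 * other / total, 6)))
    return rows


def unused_rules(configured, counts):
    """Configured rules with no events in the window. These can never show up
    in `rare` output because there is no event to count."""
    return sorted(r for r in configured if r not in counts)


if __name__ == "__main__":
    counts = rule_counts(parse_logs(SAMPLE_LOGS))
    for name, n, pct in rare(counts):
        print(f"{name:<30} {n:>6} {pct:>10.6f}")
    print("zero-hit rules:", unused_rules(CONFIGURED_RULES, counts))
```

The `unused_rules` step is the one worth copying back into Splunk: export the firewall's rule list as a lookup and subtract the rule names the search returns, since a rule that never logs is invisible to `rare`.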