Host applications often leverage external resources to assist with processing. For example, an application might depend on a third-party API to function properly. You might need to see if a firewall is blocking traffic from a specific host when doing the following:
Prerequisites
In order to execute this procedure in your environment, the following data, services, or apps are required:
Example
While outbound traffic is often more free-flowing than inbound, erroneous configuration changes on the firewall can cause network traffic from the host to suddenly become blocked. This usually has catastrophic effects on service functionality. You want to determine if outbound traffic from a host is being dropped at the firewall and, if so, when the traffic blocking began.
NOTE: To optimize the search shown below, you should specify an index and a time range. In addition, this sample search uses Palo Alto Networks data. You can replace this source with any other firewall data used in your organization.
- Run the following search:
```
tag=network tag=communicate src_ip="<IP address>" action IN (allowed blocked)
| timechart count BY action
```
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| `tag=network tag=communicate` | Search for logs that carry both the network and communicate tags. |
| `src_ip="<IP address>"` | Search for events with the IP address of the host you are investigating as the source. |
| `action IN (allowed blocked)` | Look for events where action is blocked or allowed. |
| `\| timechart count BY action` | Graph the result count for the allowed actions and blocked actions. |
Result
The search shows a timechart. Select the line chart visualization to see two plots, one for the allowed actions and one for the blocked actions for the given source IP address.
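The following Python, added here as an illustration rather than taken from the original page or from Splunk, reproduces the logic of the search over a handful of constructed firewall events: it keeps only the investigated host's allowed/blocked events, counts them per time bucket as `timechart count BY action` does, and then reads off the first bucket in which blocking appears. The field names match the search; the IP addresses, timestamps and 5-minute span are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, shaped like CIM-normalised firewall logs
# (field names follow the search on this page; all values are made up).
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T10:00:12", "src_ip": "10.1.2.3", "dst": "203.0.113.10", "action": "allowed"},
    {"_time": "2024-05-01T10:03:40", "src_ip": "10.1.2.3", "dst": "203.0.113.10", "action": "allowed"},
    {"_time": "2024-05-01T10:07:05", "src_ip": "10.1.2.3", "dst": "203.0.113.10", "action": "allowed"},
    {"_time": "2024-05-01T10:12:30", "src_ip": "10.1.2.3", "dst": "203.0.113.10", "action": "blocked"},
    {"_time": "2024-05-01T10:13:01", "src_ip": "10.1.2.3", "dst": "203.0.113.10", "action": "blocked"},
    {"_time": "2024-05-01T10:14:10", "src_ip": "10.9.9.9", "dst": "203.0.113.10", "action": "allowed"},   # other host
    {"_time": "2024-05-01T10:17:45", "src_ip": "10.1.2.3", "dst": "203.0.113.10", "action": "blocked"},
    {"_time": "2024-05-01T10:18:20", "src_ip": "10.1.2.3", "dst": "203.0.113.10", "action": "teardown"},  # not in IN()
]

def timechart_by_action(events, src_ip, span=timedelta(minutes=5)):
    """Mirror of `src_ip=<IP> action IN (allowed blocked) | timechart count BY action`:
    keep only this host's allowed/blocked events and count them per time bucket."""
    buckets = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for ev in events:
        if ev["src_ip"] != src_ip or ev["action"] not in ("allowed", "blocked"):
            continue
        t = datetime.fromisoformat(ev["_time"])
        bucket_start = t - (t - datetime.min) % span   # floor the timestamp to the span boundary
        buckets[bucket_start.isoformat(timespec="minutes")][ev["action"]] += 1
    return dict(sorted(buckets.items()))

def blocking_onset(chart):
    """Return the first time bucket in which any of the host's traffic was blocked,
    i.e. the point at which the firewall started dropping its outbound traffic."""
    for bucket, counts in chart.items():
        if counts["blocked"] > 0:
            return bucket
    return None

if __name__ == "__main__":
    chart = timechart_by_action(SAMPLE_EVENTS, "10.1.2.3")
    for bucket, counts in chart.items():
        print(bucket, counts)
    print("blocking began:", blocking_onset(chart))
```

Splunk's line chart shows the same two series side by side; the function here is only a way to reason about what the chart will contain for a given set of events.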