Blocked traffic from host
Host applications often leverage external resources to assist with processing. For example, an application might depend on a third party API to function properly.
While outbound traffic is often more free-flowing than inbound, erroneous configuration changes on the firewall can cause network traffic from the host to suddenly become blocked. This usually has catastrophic effects on service functionality. You want to determine if outbound traffic from a host is being dropped at the firewall and, if so, when the traffic blocking began.
Required data
Procedure
Run the following search. You can optimize it by specifying an index and adjusting the time range.
This sample search uses the Palo Alto Networks Add-on. You can replace this source with any other firewall data used in your organization. You might need to adjust this query based on the specifics of your environment.
tag=network tag=communicate src_ip="<IP address>" action IN (allowed blocked) | timechart count BY dst
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
|
|
Search for logs with the network or communicate tags. |
|
|
Search for events with the IP address of the host you are investigating as the source. |
|
|
Look for events where action is blocked or allowed. |
|
|
Graph the result count for the allowed actions and blocked actions. |
Next steps
The search shows a timechart. Select the line chart visualization to see two plots, one for the allowed actions and one for the blocked actions for the given source IP address.
Finally, you might be interested in other processes associated with the Managing firewall rules use case.