topic Re: Query to find perimeter fw details in Splunk Search

How to write query to find perimeter fw details?

AL3Z — Thu, 15 Jun 2023 18:06:30 GMT

Hi,

I am trying to build a query on perimeter firewall how we can find the ips hitting to the fw.

Thanks

Re: Query to find perimeter fw details

ITWhisperer — Wed, 14 Jun 2023 08:04:29 GMT

What events relating to this do you have in Splunk?

Re: Query to find perimeter fw details

AL3Z — Thu, 15 Jun 2023 11:55:46 GMT

I' m trying to find the traffic for (we have a list of subnets we need to place it in lookup table )mf vlan subnet > mf firewall > perimeter fw > internet
here I would like to know the device names whether the traffic is allowed or denied if it is denied where it is denied is at the mf firewall or perimeter firewall.
how we can build the query for this use case ..

event:

{"TimeReceived":"2023-06-15T11:50:35.000000Z","LogType":"TRAFFIC","Subtype":"end","TimeGenerated":"2023-06-15T11:50:34.000000Z","SourceAddress":"10.241.0.56","DestinationAddress":"142.250.145.83","NATSource":"","NATDestination":"","Rule":"mobile-user-to-any-destination","SourceUser":null,"DestinationUser":null,"Application":"traceroute","FromZone":"serv-conn-vpn","ToZone":"l3-corp-inside","SessionID":1090981,"RepeatCount":1,"SourcePort":64638,"DestinationPort":443,"NATSourcePort":0,"NATDestinationPort":0,"Protocol":"tcp","Action":"allow","Bytes":144,"BytesSent":74,"BytesReceived":70,"PacketsTotal":2,"SessionStartTime":"2023-06-15T11:50:26.000000Z","SessionDuration":0,"URLCategory":"any","SourceLocation":"10.0.0.0-10.255.255.255","DestinationLocation":"US","PacketsSent":1,"PacketsReceived":1,"SessionEndReason":"aged-out","DeviceName":"PALUERFW1","ActionSource":"from-policy","ParentSessionID":0,"ParentStarttime":"1970-01-01T00:00:00.000000Z","Tunnel":"N/A","X-Forwarded-ForIP":null}

Thanks

Re: Query to find perimeter fw details

ITWhisperer — Thu, 15 Jun 2023 12:19:24 GMT

Which part or parts of the event tells you whether it was allowed or denied and where it was denied?

Re: Query to find perimeter fw details

AL3Z — Thu, 15 Jun 2023 15:41:37 GMT

Under the Action field we can see Allow/ deny.

Re: Query to find perimeter fw details

ITWhisperer — Thu, 15 Jun 2023 16:46:06 GMT

And which part tells you where the action was?

Re: Query to find perimeter fw details

AL3Z — Thu, 15 Jun 2023 17:11:46 GMT

Let me share the another event
{"TimeReceived":"2023-06-15T17:02:58.000000Z","LogType":"TRAFFIC","Subtype":"end","TimeGenerated":"2023-06-15T17:02:56.000000Z","SourceAddress":"10.384.31.97","DestinationAddress":"147.728.76.106","NATSource":"","NATDestination":"","Rule":"mobile-user-to-any-destination","SourceUser":"us\\john vassos","DestinationUser":null,"Application":"ldap","FromZone":"serv-conn-vpn","ToZone":"l3-corp-inside","SessionID":1363671,"RepeatCount":1,"SourcePort":70834,"DestinationPort":385,"NATSourcePort":0,"NATDestinationPort":0,"Protocol":"udp","Action":"allow","Bytes":487,"BytesSent":271,"BytesReceived":216,"PacketsTotal":2,"SessionStartTime":"2023-06-15T16:32:54.000000Z","SessionDuration":0,"URLCategory":"any","SourceLocation":"10.0.0.0-10.255.255.255","DestinationLocation":"US","PacketsSent":1,"PacketsReceived":1,"SessionEndReason":"aged-out","DeviceName":"PALUWF91","ActionSource":"from-policy","ParentSessionID":0,"ParentStarttime":"1970-01-01T00:00:00.000000Z","Tunnel":"N/A","X-Forwarded-ForIP":null}

I have a bunch of subnets using these ips how we can build the query to find the hitting ips to the internet (url) passing through the perimeter f/w which ips are getting blocked/allowed is my usecase

Re: Query to find perimeter fw details

ITWhisperer — Thu, 15 Jun 2023 17:28:10 GMT

So, is the SourceAddress your firewall, or the DestinationAddress, or could be either depending on the direction of traffic? Can you identify which fw it is from one of these addresses? Is that what your lookup table is for?

Having identified the firewall, possibly the direction and the action (and presumably the time), what do you want to do next?

Re: Query to find perimeter fw details

AL3Z — Thu, 15 Jun 2023 17:48:30 GMT

Source is MF VLAN subnet( 30 subnets) hitting to ->MF firewall- hitting to ->perimeter f/w ->internet
To find the traffic flow where it is getting deny at the manufactuing f/w or perimeter f/w.

Thanks

Re: Query to find perimeter fw details

ITWhisperer — Thu, 15 Jun 2023 18:25:55 GMT

So, for this flow you would get up to two log entries? One for VLAN to MF firewall, and one for MF Firewall to perimeter firewall?

If the first is deny, obviously, there wouldn't be a second?

Do you have lookups for both VLAN subnets and for MF Firewalls?

Re: Query to find perimeter fw details

AL3Z — Thu, 15 Jun 2023 18:46:42 GMT

Then we go with the mf vlan subnets hitting to the perimeter firewall in this usecase. I have the vlan subnets lookup.

Thanks 👍

Re: Query to find perimeter fw details

ITWhisperer — Fri, 16 Jun 2023 06:40:15 GMT

Can you use FromZone and ToZone to identify the events you want?

Re: Query to find perimeter fw details

AL3Z — Fri, 16 Jun 2023 08:12:09 GMT

yes, how we can edit this search index=firewall FromZone=mf-vlan |table FromZone,dvc_name,ToZone,Action

how we can add the list of mf-vlan subnets to this search and check which of these subnets are getting allow/deny .

Re: Query to find perimeter fw details

ITWhisperer — Fri, 16 Jun 2023 08:46:29 GMT

Add SourceAddress to the table and do a lookup on your vlan subnet csv - the csv needs to be defined with CIDR on the subnet field

Re: Query to find perimeter fw details

AL3Z — Fri, 16 Jun 2023 11:00:27 GMT

@ITWhisperer
If MF firewall is allowed then would like to know whether perimeter is allowing or denying
Thanks

Re: Query to find perimeter fw details

ITWhisperer — Fri, 16 Jun 2023 11:05:54 GMT

Do you have log examples of mf Firewall to perimeter Firewall?

Is there a way to correlate entries e.g. do they have the same SessionId, or is the ParentSessionId in the mf f/w to perimeter f/w the same as the SessionId in the vpn to mf f/w?

Re: Query to find perimeter fw details

AL3Z — Fri, 16 Jun 2023 11:50:53 GMT

These are few events realated to mf and perimeter

{"TimeReceived":"2023-06-16T11:37:31.000000Z","LogType":"TRAFFIC","Subtype":"end","TimeGenerated":"2023-06-16T11:37:11.000000Z","SourceAddress":"11.13.92.54","DestinationAddress":"56.082.943.911","NATSource":"","NATDestination":"","Rule":"Rule 57-APPID","SourceUser":null,"DestinationUser":null,"Application":"ssl","FromZone":"mf-vlan","ToZone":"outside","SessionID":41222,"RepeatCount":1,"SourcePort":50545,"DestinationPort":443,"NATSourcePort":0,"NATDestinationPort":0,"Protocol":"tcp","Action":"allow","Bytes":10254,"BytesSent":4529,"BytesReceived":5725,"PacketsTotal":25,"SessionStartTime":"2023-06-16T11:36:49.000000Z","SessionDuration":19,"URLCategory":"low-risk","SourceLocation":"10.0.0.0-10.255.255.255","DestinationLocation":"US","PacketsSent":13,"PacketsReceived":12,"SessionEndReason":"tcp-fin","DeviceName":"PALGRTG1","ActionSource":"from-policy","ParentSessionID":0,"ParentStarttime":"1970-01-01T00:00:00.000000Z","Tunnel":"N/A","X-Forwarded-ForIP":null}

{"TimeReceived":"2023-06-16T11:37:31.000000Z","LogType":"TRAFFIC","Subtype":"end","TimeGenerated":"2023-06-16T11:37:11.000000Z","SourceAddress":"19.138.12.49","DestinationAddress":"92.182.143.211","NATSource":"","NATDestination":"","Rule":"Rule 57-APPID","SourceUser":null,"DestinationUser":null,"Application":"ssl","FromZone":"mf-vlan","ToZone":"outside","SessionID":297581,"RepeatCount":1,"SourcePort":55338,"DestinationPort":443,"NATSourcePort":0,"NATDestinationPort":0,"Protocol":"tcp","Action":"allow","Bytes":13420,"BytesSent":7635,"BytesReceived":5785,"PacketsTotal":28,"SessionStartTime":"2023-06-16T11:36:49.000000Z","SessionDuration":19,"URLCategory":"low-risk","SourceLocation":"10.0.0.0-10.255.255.255","DestinationLocation":"US","PacketsSent":15,"PacketsReceived":13,"SessionEndReason":"tcp-fin","DeviceName":"PALGRTG1","ActionSource":"from-policy","ParentSessionID":0,"ParentStarttime":"1970-01-01T00:00:00.000000Z","Tunnel":"N/A","X-Forwarded-ForIP":null}

{"TimeReceived":"2023-06-16T11:37:02.000000Z","LogType":"TRAFFIC","Subtype":"end","TimeGenerated":"2023-06-16T11:36:43.000000Z","SourceAddress":"10.39.40.7","DestinationAddress":"167.228.7.206","NATSource":"","NATDestination":"","Rule":"Rule 56-APPID","SourceUser":null,"DestinationUser":null,"Application":"ldap","FromZone":"mf-vlan","ToZone":"outside","SessionID":569136,"RepeatCount":1,"SourcePort":57857,"DestinationPort":389,"NATSourcePort":0,"NATDestinationPort":0,"Protocol":"tcp","Action":"allow","Bytes":6315,"BytesSent":2898,"BytesReceived":3417,"PacketsTotal":16,"SessionStartTime":"2023-06-16T11:36:29.000000Z","SessionDuration":0,"URLCategory":"any","SourceLocation":"12.0.0.0-19.255.255.255","DestinationLocation":"US","PacketsSent":8,"PacketsReceived":8,"SessionEndReason":"tcp-rst-from-server","DeviceName":"PALTAR1","ActionSource":"from-policy","ParentSessionID":0,"ParentStarttime":"1970-01-01T00:00:00.000000Z","Tunnel":"N/A","X-Forwarded-ForIP":null}

{"TimeReceived":"2023-06-16T11:37:06.000000Z","LogType":"TRAFFIC","Subtype":"end","TimeGenerated":"2023-06-16T11:36:56.000000Z","SourceAddress":"19.48.133.47","DestinationAddress":"39131.127.126","NATSource":"","NATDestination":"","Rule":"Rule 57-APPID","SourceUser":null,"DestinationUser":null,"Application":"ssl","FromZone":"mf-vlan","ToZone":"outside","SessionID":892284,"RepeatCount":1,"SourcePort":59970,"DestinationPort":443,"NATSourcePort":0,"NATDestinationPort":0,"Protocol":"tcp","Action":"allow","Bytes":8868,"BytesSent":1985,"BytesReceived":6883,"PacketsTotal":27,"SessionStartTime":"2023-06-16T11:36:41.000000Z","SessionDuration":1,"URLCategory":"low-risk","SourceLocation":"10.0.0.0-10.255.255.255","DestinationLocation":"US","PacketsSent":11,"PacketsReceived":16,"SessionEndReason":"tcp-fin","DeviceName":"PALTAR1","ActionSource":"from-policy","ParentSessionID":0,"ParentStarttime":"1970-01-01T00:00:00.000000Z","Tunnel":"N/A","X-Forwarded-ForIP":null}

{"TimeReceived":"2023-06-16T11:37:02.000000Z","LogType":"TRAFFIC","Subtype":"end","TimeGenerated":"2023-06-16T11:36:43.000000Z","SourceAddress":"19.89.40.9","DestinationAddress":"20.179.173.2","NATSource":"","NATDestination":"","Rule":"Rule 57-APPID","SourceUser":null,"DestinationUser":null,"Application":"ssl","FromZone":"mf-vlan","ToZone":"outside","SessionID":149859,"RepeatCount":1,"SourcePort":64406,"DestinationPort":443,"NATSourcePort":0,"NATDestinationPort":0,"Protocol":"tcp","Action":"allow","Bytes":12216,"BytesSent":6718,"BytesReceived":5498,"PacketsTotal":22,"SessionStartTime":"2023-06-16T11:36:28.000000Z","SessionDuration":1,"URLCategory":"low-risk","SourceLocation":"10.0.0.0-10.255.255.255","DestinationLocation":"US","PacketsSent":13,"PacketsReceived":9,"SessionEndReason":"tcp-fin","DeviceName":"PALTAR1","ActionSource":"from-policy","ParentSessionID":0,"ParentStarttime":"1970-01-01T00:00:00.000000Z","Tunnel":"N/A","X-Forwarded-ForIP":null}

Re: Query to find perimeter fw details

ITWhisperer — Fri, 16 Jun 2023 13:09:34 GMT

What does DeviceName represent with respect to SourceAddress/DestinationAddress?

You could start with this:

| stats count by DeviceName, SourceAddress, DestinationAddress, FromZone, ToZone

to see if it gives you the insights you are looking for.

Re: Query to find perimeter fw details

AL3Z — Fri, 16 Jun 2023 13:21:09 GMT

For example, If MF firewall is allowed then would like to know whether perimeter is allowing or denying

Thanks

Re: Query to find perimeter fw details

ITWhisperer — Fri, 16 Jun 2023 13:26:46 GMT

There is no obvious correlation between the events, apart from time, but that is not reliable. The source address in the second set do not seem to align with the destination address in the first set; the parent fields are unused; and, I presume, the device id relates to the sender of the fw device?