All Apps and Add-ons

incorrect public IP displayed with sourcetype=quantum

Explorer

The Public IP that is displayed across the top of the Home Network Overview dashboard does not function properly for sourcetype = quantum. The search is coded as follows:

index=homemonitor sourcetype=quantum | where 'notsrcprivateip' | top 1 srcip AS my_ip

The Quantum firewalls do not provide the desired data that way in the syslogs. The proper way to extract the public IP is to find a BLOCKED event, and then take the DST field (destination IP). For blocked events, the firewall reports the blocked (incoming) IP address in the SRC field, and the public IP of the firewall itself in the DST field.

In ACCEPTED events, the SRC field is the local IP address and the DST field is the incoming IP address of the accepted connection.

Tags (1)
0 Karma

Splunk Employee
Splunk Employee

I'm aware of this issue and have a fix lined up for the next version of the app. The plan is to use a simple script to get the public IP and display it. I'm planning to release the next version shortly.

0 Karma