
how to get actual IP from firewall logs when both real IP and NATTED IPs are shown in netscreen firewall ?

New Member

Hi All,

We have netscreen ISG 2000 firewall in our network and it has been integrated with Splunk and we are receiving logs as well. Recently I was told to get the following from the logs.
1. Source IP(Public IP)
2. Destination IP(NATTED IP)
3. Actual Destination IP (real IP within our network)
4. Policy ID
5. Port Number

I wrote the below SPL

index=netscreen sourcetype="netscreen:firewall" "src zone=ISP2-Untrust" AND "dst-xlated" AND policyid AND dstport AND "ip=192.168.." | stats count by src dst dstport zone policyid | sort 30 - count | rename src as SOURCEOUTSEIDE, dst as DESTINATIONINSIDE, dstport as DESTINATIONPORT, zone as ZONE, policyid as POLICYID,count as COUNT

I was able to get everything except for the real Destination IP which shows in the logs. Below is the log which is forwarded from the firewall to Splunk.

Nov 21 07:56:35 10.0.9.12 RYDFWJISG2k-2: NetScreen deviceid=RYDFWJISG2k-2 [Root]system-notification-00257(traffic): starttime="2016-11-21 07:55:28" duration=0 policyid=371 service=https proto=6 src zone=ISP2-Untrust dst zone=DMZ2 action=Permit sent=0 rcvd=0 src=5.41.198.127 dst=87.101.204.3 srcport=1925 dstport=443 src-xlated ip=5.41.198.127 port=1925 dst-xlated ip=192.168.4.201 port=443 sessionid=968548 reason=Creation

I am looking for this IP which says dst-xlated ip=192.168.4.201.

So in the SPL I wrote, I search by dst-xlated as given above, but I don't get the original IP, only the public IP from our side and the client side. The statistical output is given below.

    SOURCE_OUTSIDE   DESTINATION_INSIDE   DESTINATION_PORT   ZONE           POLICY_ID   COUNT
1   87.101.155.38    87.101.204.1         443                ISP2-Untrust   374         9903
2   149.202.30.95    87.101.204.3         443                ISP2-Untrust   371         1953

How do I get the real IP which the client is trying to access at our end?

Awaiting a reply. Thank you in advance.

Regards
Pradeep


Re: how to get actual IP from firewall logs when both real IP and NATTED IPs are shown in netscreen firewall ?

Legend

How are the fields extracted? My guess is the dst-xlated value is the second index in an mvfield called ip. Try this

index=netscreen sourcetype="netscreen:firewall" "src zone=ISP2-Untrust" AND "dst-xlated" AND policy_id AND dst_port | eval dst_ip=mvindex(ip, 1) | stats count by src dst_ip dst  dst_port zone policy_id | sort 30 - count | rename src as SOURCE_OUTSIDE, dst as DESTINATION_INSIDE, dst_port as DESTINATION_PORT, zone as ZONE, policy_id as POLICY_ID,count as COUNT

*OR* if that does not return the correct value, you will have to regex the field value. Try this

index=netscreen sourcetype="netscreen:firewall" "src zone=ISP2-Untrust" AND "dst-xlated" AND policy_id AND dst_port | rex field=_raw "dst-xlated\sip=(?<dst_ip>[^\s]+)" | stats count by src dst_ip dst  dst_port zone policy_id | sort 30 - count | rename src as SOURCE_OUTSIDE, dst as DESTINATION_INSIDE, dst_port as DESTINATION_PORT, zone as ZONE, policy_id as POLICY_ID,count as COUNT
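To make the field-extraction problem behind both suggestions concrete, here is an added example that is not part of the thread and not Splunk's own code. It parses constructed log lines modelled on the ISG line quoted in the question in plain Python: a generic key=value extractor shows why the two `ip=` pairs collapse into one multivalue field whose index 1 is the dst-xlated address (the `mvindex(ip, 1)` idea), a Python form of the answer's `rex` pulls the same value directly, and a context-aware parser turns `src-xlated ip=` / `dst-xlated ip=` / `src zone=` into distinct `src_xlated_ip`, `dst_xlated_ip`, `src_zone` fields so no index guessing is needed. The field names produced by the context-aware parser and the `summarize` helper are this example's own choices, and the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines, modelled on the ISG traffic log quoted in the question
# (the first line is that log line; the others vary src/dst/policy to give counts).
TEMPLATE = (
    'Nov 21 07:56:35 10.0.9.12 RYDFWJISG2k-2: NetScreen deviceid=RYDFWJISG2k-2 '
    '[Root]system-notification-00257(traffic): starttime="2016-11-21 07:55:28" '
    'duration=0 policyid={policyid} service=https proto=6 src zone=ISP2-Untrust '
    'dst zone=DMZ2 action=Permit sent=0 rcvd=0 src={src} dst={dst} srcport=1925 '
    'dstport=443 src-xlated ip={src} port=1925 dst-xlated ip={xlated} port=443 '
    'sessionid=968548 reason=Creation'
)
SAMPLE_LINES = [
    TEMPLATE.format(policyid=371, src='5.41.198.127', dst='87.101.204.3', xlated='192.168.4.201'),
    TEMPLATE.format(policyid=371, src='149.202.30.95', dst='87.101.204.3', xlated='192.168.4.201'),
    TEMPLATE.format(policyid=374, src='87.101.155.38', dst='87.101.204.1', xlated='192.168.4.101'),
    TEMPLATE.format(policyid=371, src='149.202.30.95', dst='87.101.204.3', xlated='192.168.4.201'),
]
SAMPLE = SAMPLE_LINES[0]

# A token is either key="quoted value with spaces" or any run of non-space characters.
TOKEN_RE = re.compile(r'[\w-]+="[^"]*"|\S+')
# Bare words in the NetScreen format that qualify the key=value pair(s) after them.
QUALIFIERS = {'src', 'dst', 'src-xlated', 'dst-xlated'}
QUALIFIED_KEYS = {'zone', 'ip', 'port'}
# Python form of the rex from the accepted answer (named group syntax differs from PCRE).
DST_XLATED_RE = re.compile(r'dst-xlated\sip=(?P<dst_ip>[^\s]+)')


def naive_kv(line):
    """Generic key=value extraction, as an automatic extractor would do it.
    Repeated keys ('ip', 'port', 'zone') collapse into one multivalue field:
    the src-xlated address lands at index 0 and the dst-xlated one at index 1."""
    fields = defaultdict(list)
    for tok in TOKEN_RE.findall(line):
        key, sep, value = tok.partition('=')
        if sep:
            fields[key].append(value.strip('"'))
    return dict(fields)


def rex_dst_xlated(line):
    """Direct regex extraction of the translated destination, like the rex answer."""
    m = DST_XLATED_RE.search(line)
    return m.group('dst_ip') if m else None


def netscreen_fields(line):
    """Context-aware extraction: 'src zone=', 'dst-xlated ip=' etc. become
    src_zone, dst_xlated_ip, ... so every address has its own unambiguous field."""
    fields = {}
    qualifier = None
    for tok in TOKEN_RE.findall(line):
        key, sep, value = tok.partition('=')
        if not sep:
            # a bare word either starts a qualified run ('src-xlated') or ends one
            qualifier = tok if tok in QUALIFIERS else None
            continue
        if key in QUALIFIED_KEYS and qualifier:
            key = f'{qualifier}_{key}'
        else:
            qualifier = None  # a plain key such as action= or sessionid= ends the run
        fields[key.replace('-', '_')] = value.strip('"')
    return fields


def summarize(lines, top=30):
    """Offline equivalent of `stats count by src dst_ip dst dstport zone policyid
    | sort - count` for the ISP2-Untrust zone, keyed on the translated destination."""
    counter = Counter()
    for line in lines:
        f = netscreen_fields(line)
        if f.get('src_zone') != 'ISP2-Untrust' or 'dst_xlated_ip' not in f:
            continue
        counter[(f['src'], f['dst_xlated_ip'], f['dst'],
                 f['dstport'], f['src_zone'], f['policyid'])] += 1
    return counter.most_common(top)


if __name__ == '__main__':
    print('multivalue ip field:', naive_kv(SAMPLE)['ip'])
    print('rex result:         ', rex_dst_xlated(SAMPLE))
    print('dst_xlated_ip field:', netscreen_fields(SAMPLE)['dst_xlated_ip'])
    for key, count in summarize(SAMPLE_LINES):
        print(count, *key)
```

The multivalue result is exactly the situation the first suggestion relies on: `ip` is `['5.41.198.127', '192.168.4.201']`, so index 1 is the post-NAT destination. That only holds while the firewall emits `src-xlated` before `dst-xlated` on every line; the `rex` (second suggestion) and the context-aware parser do not depend on field order, which is why a name-anchored extraction is the more robust choice for a saved search or a search-time field extraction.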


Re: how to get actual IP from firewall logs when both real IP and NATTED IPs are shown in netscreen firewall ?

New Member

Hi Sundar,

Thank you very much for your reply. The first SPL did not work but the 2nd one did. Thank you for your help.

Regards
Pradeep
