Knowledge Management

How can I use the Network_Traffic datamodel to find what has NOT egressed/logged for a firewall ACL/rule?

kimsey4701
Engager

Good afternoon,

Background: I found a configuration issue in one of our firewalls which I'm trying to remediate where an admin created a very broad access rule that has permitted traffic over a wide array of TCP/UDP ports. I started working to identify valid traffic which has used the rule, but a co-worker mentioned an easy win would be creating an ACL to block any ports which had not already been allowed through this very promiscuous rule.

My problem is I know how to use the data model to identify TCP/UDP traffic which has been logged egressing through the rule, but how could I modify the search provided below so that I can get a result that displays which ports have NOT been logged? (Also bonus points if you can help me view numbers returned as ranges rather than individual numbers aka "5000-42000")

Here is my current search:

 

| tstats ,values(All_Traffic.dest_port) AS dest_port values(All_Traffic.dest_ip) AS dest_ip dc(All_Traffic.dest_ip) AS num_dest_ip dc(All_Traffic.dest_port) AS num_dest_port
FROM datamodel=Network_Traffic
WHERE index="firewall" AND sourcetype="traffic" AND fw_rule="horrible_rule"
BY All_Traffic.dest_port
| rename All_Traffic.* AS *

 

Thank you in advance for any help that you may be able to provide!

Labels (1)
0 Karma
1 Solution

chris_barrett
Communicator

In my mind this isn't a Splunk problem - although you could use Splunk to identify the ports being allowed through by the permissive policy.


My suggestion would be to add one or more policies before the permissive policy that allow through the ports that you definitely want to allow.  This will, overtime, reduce the number of ports being allowed through by the permissive policy and, at a point in time, the permissive policy can be removed.

View solution in original post

0 Karma

chris_barrett
Communicator

In my mind this isn't a Splunk problem - although you could use Splunk to identify the ports being allowed through by the permissive policy.


My suggestion would be to add one or more policies before the permissive policy that allow through the ports that you definitely want to allow.  This will, overtime, reduce the number of ports being allowed through by the permissive policy and, at a point in time, the permissive policy can be removed.

0 Karma

kimsey4701
Engager

Chris,

That's what I'm trying to accomplish as I was able to define what is using the rule so I can start putting defined rules in front of it. In this case I was hoping that someone could help me easily know what had not used the open rule so I can immediately put a rule in front of it to block any ports that haven't traversed it.

I'll just close out my question and do things the slow way with exports to Excel.

Thanks,

Kimsey

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...