Security

How can I validate the logging of successful connections to Edge Firewall

AJeepDude
New Member

Our firewall team has told us that they have turned on logging for successful connection for edge firewall. How can you validate this is true in Splunk?

The edge firewalls are a combination of Cisco ASA's and Checkpoints

Thank You

0 Karma

xavierashe
Contributor

I would just keep it simple. Look for your own username in the raw log.

index=firewalls "AJeepDude"

Once you find the right event, look at it in verbose mode and make sure the user=AJeepDude. If you care about CIM, then check the tags.

0 Karma

georgen_splunk
Splunk Employee
Splunk Employee

here's a nice search to validate your Check Point FW event data is successfully indexing FW event logs:

index=_internal host= source="splunk_ta_checkpoint-opseclea_modinput.log" "Successfully indexed events:" |rex field=_raw "Successfully indexed events:\s(?.*)" |timechart span=600s sum(EVENT_COUNT) by connection

0 Karma