
How to build an external static lookup table for Firewall ACL auditing to match on dst_port and determine if the port matches an existing ACL rule?


Hello Splunk Answers,

I am looking to build a static lookup table for Firewall ACL lookup. Essentially, I would like the lookup to match on dstport and determine if the port matches an existing ACL rule name. I have an any-any rule that I'm trying to clean up, and the idea is to have Splunk tell me if the dstport matches an existing ACL rule entry. If no rule match is made, then the connection is permitted via an any-any rule.

I'm looking to match on dstport. In this example, traffic connections on 80 and 53 would match rulename like in the example below.
fields:
dstport, rulename
80, permitweb
53, permitdns

The idea is, if traffic connections do not match on a specific entry, then state something like this:
dstport, rulename
8748, any_any

I appreciate the assistance.
-ktang


Re: How to build an external static lookup table for Firewall ACL auditing to match on dst_port and determine if the port matches an existing ACL rule?


Do you already have the lookup working for the matching ones? If yes, just use a | fillnull -value "any_any" rule_name

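The accepted answer leaves the search itself implicit. As an added example, not from the original thread, the script below models the whole pipeline offline so the behaviour of the lookup plus fillnull step can be checked before it is wired into Splunk. It assumes a CSV lookup named acl_rules.csv with the columns dstport,rulename from the question, a constructed key=value firewall log format, and the standard fillnull syntax (value="any_any" rather than the -value spelling in the answer). The SPL it mirrors, also an assumption, is: index=firewall action=allowed | lookup acl_rules.csv dstport OUTPUT rulename | fillnull value="any_any" rulename | stats count by dstport rulename.

```python
import csv
import io
from collections import Counter

# Constructed contents of the static lookup (what acl_rules.csv would hold).
# Ports are matched as strings, which is how a CSV lookup compares fields.
ACL_LOOKUP_CSV = """dstport,rulename
80,permitweb
53,permitdns
443,permitweb
"""

# Constructed firewall events in a simple key=value format (not real logs).
FIREWALL_EVENTS = [
    "src=10.0.0.5 dst=203.0.113.10 dstport=80 action=allowed",
    "src=10.0.0.6 dst=203.0.113.53 dstport=53 action=allowed",
    "src=10.0.0.7 dst=198.51.100.9 dstport=8748 action=allowed",
    "src=10.0.0.8 dst=198.51.100.9 dstport=8748 action=allowed",
    "src=10.0.0.9 dst=203.0.113.10 dstport=443 action=allowed",
    "src=10.0.0.9 dst=203.0.113.11 dstport=3389 action=denied",
]


def load_lookup(csv_text):
    """Parse the lookup CSV into {dstport: rulename}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["dstport"].strip(): row["rulename"].strip() for row in reader}


def parse_event(line):
    """Split one constructed key=value event line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def apply_lookup(events, lookup, default="any_any"):
    """Emulate `| lookup acl_rules.csv dstport OUTPUT rulename`
    followed by `| fillnull value="any_any" rulename`: every event gets a
    rulename, and ports with no lookup row fall back to the catch-all."""
    enriched = []
    for line in events:
        ev = parse_event(line)
        ev["rulename"] = lookup.get(ev.get("dstport"), default)  # fillnull step
        enriched.append(ev)
    return enriched


def audit(events, lookup, default="any_any"):
    """Emulate `action=allowed ... | stats count by dstport rulename`.
    Denied connections are excluded: they never reached the any-any rule,
    so they say nothing about which ports depend on it."""
    rows = apply_lookup(events, lookup, default)
    return Counter(
        (ev["dstport"], ev["rulename"]) for ev in rows if ev.get("action") == "allowed"
    )


def ports_relying_on_any_any(counts, default="any_any"):
    """Ports that were only permitted by the catch-all, sorted numerically.
    These are the candidates for an explicit permit or a deny during clean-up."""
    return sorted({port for (port, rule) in counts if rule == default}, key=int)


if __name__ == "__main__":
    lookup = load_lookup(ACL_LOOKUP_CSV)
    counts = audit(FIREWALL_EVENTS, lookup)
    for (port, rule), n in sorted(counts.items(), key=lambda kv: int(kv[0][0])):
        print(f"{port:>6}  {rule:<10} {n}")
    print("ports relying on any_any:", ports_relying_on_any_any(counts))
```

Running it lists port 8748 as the only allowed traffic that fell through to any_any, which is exactly the list the question wants Splunk to produce; in the real search the same filtering is done by adding rulename=any_any after the fillnull step.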


Re: How to build an external static lookup table for Firewall ACL auditing to match on dst_port and determine if the port matches an existing ACL rule?


That worked! Thanks musskopf
