Hi,
I am trying to build a query on the perimeter firewall: how can we find the IPs hitting the FW?
Thanks
What events relating to this do you have in Splunk?
I'm trying to find the traffic for (we have a list of subnets we need to place in a lookup table) mf vlan subnet > mf firewall > perimeter fw > internet.
Here I would like to know the device names, whether the traffic is allowed or denied, and if it is denied, where it is denied: at the mf firewall or the perimeter firewall.
How can we build the query for this use case?
Event:
{"TimeReceived":"2023-06-15T11:50:35.000000Z","LogType":"TRAFFIC","Subtype":"end","TimeGenerated":"2023-06-15T11:50:34.000000Z","SourceAddress":"10.241.0.56","DestinationAddress":"142.250.145.83","NATSource":"","NATDestination":"","Rule":"mobile-user-to-any-destination","SourceUser":null,"DestinationUser":null,"Application":"traceroute","FromZone":"serv-conn-vpn","ToZone":"l3-corp-inside","SessionID":1090981,"RepeatCount":1,"SourcePort":64638,"DestinationPort":443,"NATSourcePort":0,"NATDestinationPort":0,"Protocol":"tcp","Action":"allow","Bytes":144,"BytesSent":74,"BytesReceived":70,"PacketsTotal":2,"SessionStartTime":"2023-06-15T11:50:26.000000Z","SessionDuration":0,"URLCategory":"any","SourceLocation":"10.0.0.0-10.255.255.255","DestinationLocation":"US","PacketsSent":1,"PacketsReceived":1,"SessionEndReason":"aged-out","DeviceName":"PALUERFW1","ActionSource":"from-policy","ParentSessionID":0,"ParentStarttime":"1970-01-01T00:00:00.000000Z","Tunnel":"N/A","X-Forwarded-ForIP":null}
Thanks
Which part or parts of the event tells you whether it was allowed or denied and where it was denied?
Under the Action field we can see Allow/ deny.
And which part tells you where the action was?
Let me share another event:
{"TimeReceived":"2023-06-15T17:02:58.000000Z","LogType":"TRAFFIC","Subtype":"end","TimeGenerated":"2023-06-15T17:02:56.000000Z","SourceAddress":"10.384.31.97","DestinationAddress":"147.728.76.106","NATSource":"","NATDestination":"","Rule":"mobile-user-to-any-destination","SourceUser":"us\\john vassos","DestinationUser":null,"Application":"ldap","FromZone":"serv-conn-vpn","ToZone":"l3-corp-inside","SessionID":1363671,"RepeatCount":1,"SourcePort":70834,"DestinationPort":385,"NATSourcePort":0,"NATDestinationPort":0,"Protocol":"udp","Action":"allow","Bytes":487,"BytesSent":271,"BytesReceived":216,"PacketsTotal":2,"SessionStartTime":"2023-06-15T16:32:54.000000Z","SessionDuration":0,"URLCategory":"any","SourceLocation":"10.0.0.0-10.255.255.255","DestinationLocation":"US","PacketsSent":1,"PacketsReceived":1,"SessionEndReason":"aged-out","DeviceName":"PALUWF91","ActionSource":"from-policy","ParentSessionID":0,"ParentStarttime":"1970-01-01T00:00:00.000000Z","Tunnel":"N/A","X-Forwarded-ForIP":null}
I have a bunch of subnets using these IPs. How can we build the query to find the IPs hitting the internet (URL) passing through the perimeter f/w? Which IPs are getting blocked/allowed is my use case.
So, is the SourceAddress your firewall, or the DestinationAddress, or could be either depending on the direction of traffic? Can you identify which fw it is from one of these addresses? Is that what your lookup table is for?
Having identified the firewall, possibly the direction and the action (and presumably the time), what do you want to do next?
Source is MF VLAN subnet (30 subnets) hitting -> MF firewall hitting -> perimeter f/w -> internet.
To find the traffic flow where it is getting denied at the manufacturing f/w or perimeter f/w.
Thanks
So, for this flow you would get up to two log entries? One for VLAN to MF firewall, and one for MF Firewall to perimeter firewall?
If the first is deny, obviously, there wouldn't be a second?
Do you have lookups for both VLAN subnets and for MF Firewalls?
@ITWhisperer
If the MF firewall allows it, then I would like to know whether the perimeter is allowing or denying.
Thanks
Do you have log examples of mf Firewall to perimeter Firewall?
Is there a way to correlate entries e.g. do they have the same SessionId, or is the ParentSessionId in the mf f/w to perimeter f/w the same as the SessionId in the vpn to mf f/w?
These are a few events related to mf and perimeter:
{"TimeReceived":"2023-06-16T11:37:31.000000Z","LogType":"TRAFFIC","Subtype":"end","TimeGenerated":"2023-06-16T11:37:11.000000Z","SourceAddress":"11.13.92.54","DestinationAddress":"56.082.943.911","NATSource":"","NATDestination":"","Rule":"Rule 57-APPID","SourceUser":null,"DestinationUser":null,"Application":"ssl","FromZone":"mf-vlan","ToZone":"outside","SessionID":41222,"RepeatCount":1,"SourcePort":50545,"DestinationPort":443,"NATSourcePort":0,"NATDestinationPort":0,"Protocol":"tcp","Action":"allow","Bytes":10254,"BytesSent":4529,"BytesReceived":5725,"PacketsTotal":25,"SessionStartTime":"2023-06-16T11:36:49.000000Z","SessionDuration":19,"URLCategory":"low-risk","SourceLocation":"10.0.0.0-10.255.255.255","DestinationLocation":"US","PacketsSent":13,"PacketsReceived":12,"SessionEndReason":"tcp-fin","DeviceName":"PALGRTG1","ActionSource":"from-policy","ParentSessionID":0,"ParentStarttime":"1970-01-01T00:00:00.000000Z","Tunnel":"N/A","X-Forwarded-ForIP":null}
{"TimeReceived":"2023-06-16T11:37:31.000000Z","LogType":"TRAFFIC","Subtype":"end","TimeGenerated":"2023-06-16T11:37:11.000000Z","SourceAddress":"19.138.12.49","DestinationAddress":"92.182.143.211","NATSource":"","NATDestination":"","Rule":"Rule 57-APPID","SourceUser":null,"DestinationUser":null,"Application":"ssl","FromZone":"mf-vlan","ToZone":"outside","SessionID":297581,"RepeatCount":1,"SourcePort":55338,"DestinationPort":443,"NATSourcePort":0,"NATDestinationPort":0,"Protocol":"tcp","Action":"allow","Bytes":13420,"BytesSent":7635,"BytesReceived":5785,"PacketsTotal":28,"SessionStartTime":"2023-06-16T11:36:49.000000Z","SessionDuration":19,"URLCategory":"low-risk","SourceLocation":"10.0.0.0-10.255.255.255","DestinationLocation":"US","PacketsSent":15,"PacketsReceived":13,"SessionEndReason":"tcp-fin","DeviceName":"PALGRTG1","ActionSource":"from-policy","ParentSessionID":0,"ParentStarttime":"1970-01-01T00:00:00.000000Z","Tunnel":"N/A","X-Forwarded-ForIP":null}
{"TimeReceived":"2023-06-16T11:37:02.000000Z","LogType":"TRAFFIC","Subtype":"end","TimeGenerated":"2023-06-16T11:36:43.000000Z","SourceAddress":"10.39.40.7","DestinationAddress":"167.228.7.206","NATSource":"","NATDestination":"","Rule":"Rule 56-APPID","SourceUser":null,"DestinationUser":null,"Application":"ldap","FromZone":"mf-vlan","ToZone":"outside","SessionID":569136,"RepeatCount":1,"SourcePort":57857,"DestinationPort":389,"NATSourcePort":0,"NATDestinationPort":0,"Protocol":"tcp","Action":"allow","Bytes":6315,"BytesSent":2898,"BytesReceived":3417,"PacketsTotal":16,"SessionStartTime":"2023-06-16T11:36:29.000000Z","SessionDuration":0,"URLCategory":"any","SourceLocation":"12.0.0.0-19.255.255.255","DestinationLocation":"US","PacketsSent":8,"PacketsReceived":8,"SessionEndReason":"tcp-rst-from-server","DeviceName":"PALTAR1","ActionSource":"from-policy","ParentSessionID":0,"ParentStarttime":"1970-01-01T00:00:00.000000Z","Tunnel":"N/A","X-Forwarded-ForIP":null}
{"TimeReceived":"2023-06-16T11:37:06.000000Z","LogType":"TRAFFIC","Subtype":"end","TimeGenerated":"2023-06-16T11:36:56.000000Z","SourceAddress":"19.48.133.47","DestinationAddress":"39131.127.126","NATSource":"","NATDestination":"","Rule":"Rule 57-APPID","SourceUser":null,"DestinationUser":null,"Application":"ssl","FromZone":"mf-vlan","ToZone":"outside","SessionID":892284,"RepeatCount":1,"SourcePort":59970,"DestinationPort":443,"NATSourcePort":0,"NATDestinationPort":0,"Protocol":"tcp","Action":"allow","Bytes":8868,"BytesSent":1985,"BytesReceived":6883,"PacketsTotal":27,"SessionStartTime":"2023-06-16T11:36:41.000000Z","SessionDuration":1,"URLCategory":"low-risk","SourceLocation":"10.0.0.0-10.255.255.255","DestinationLocation":"US","PacketsSent":11,"PacketsReceived":16,"SessionEndReason":"tcp-fin","DeviceName":"PALTAR1","ActionSource":"from-policy","ParentSessionID":0,"ParentStarttime":"1970-01-01T00:00:00.000000Z","Tunnel":"N/A","X-Forwarded-ForIP":null}
{"TimeReceived":"2023-06-16T11:37:02.000000Z","LogType":"TRAFFIC","Subtype":"end","TimeGenerated":"2023-06-16T11:36:43.000000Z","SourceAddress":"19.89.40.9","DestinationAddress":"20.179.173.2","NATSource":"","NATDestination":"","Rule":"Rule 57-APPID","SourceUser":null,"DestinationUser":null,"Application":"ssl","FromZone":"mf-vlan","ToZone":"outside","SessionID":149859,"RepeatCount":1,"SourcePort":64406,"DestinationPort":443,"NATSourcePort":0,"NATDestinationPort":0,"Protocol":"tcp","Action":"allow","Bytes":12216,"BytesSent":6718,"BytesReceived":5498,"PacketsTotal":22,"SessionStartTime":"2023-06-16T11:36:28.000000Z","SessionDuration":1,"URLCategory":"low-risk","SourceLocation":"10.0.0.0-10.255.255.255","DestinationLocation":"US","PacketsSent":13,"PacketsReceived":9,"SessionEndReason":"tcp-fin","DeviceName":"PALTAR1","ActionSource":"from-policy","ParentSessionID":0,"ParentStarttime":"1970-01-01T00:00:00.000000Z","Tunnel":"N/A","X-Forwarded-ForIP":null}
What does DeviceName represent with respect to SourceAddress/DestinationAddress?
You could start with this:
| stats count by DeviceName, SourceAddress, DestinationAddress, FromZone, ToZone
to see if it gives you the insights you are looking for.
For example, if the MF firewall allows it, then I would like to know whether the perimeter is allowing or denying.
Thanks
There is no obvious correlation between the events, apart from time, but that is not reliable. The source addresses in the second set do not seem to align with the destination addresses in the first set; the parent fields are unused; and, I presume, the device id relates to the sender of the fw device?
Yes, device id relates to the sender of the fw device.
Then we go with the mf vlan subnets hitting the perimeter firewall in this use case. I have the vlan subnets lookup.
Thanks 👍
Can you use FromZone and ToZone to identify the events you want?
Yes. How can we edit this search: index=firewall FromZone=mf-vlan | table FromZone,dvc_name,ToZone,Action
How can we add the list of mf-vlan subnets to this search and check which of these subnets are getting allowed/denied?
Add SourceAddress to the table and do a lookup on your vlan subnet CSV; the CSV needs to be defined with CIDR on the subnet field.
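A stand-in for that last step, written as an added example (not Splunk's code or the poster's search): it applies a CIDR subnet lookup to SourceAddress over constructed events that use the thread's TRAFFIC-log field names, keeps only FromZone=mf-vlan, and counts allow/deny per VLAN and DeviceName. The VLAN names and ranges are hypothetical, and an unparseable address is reported as "unmatched" rather than silently dropped.

```python
import ipaddress
import json
from collections import Counter

# Constructed stand-in for the VLAN subnet CSV lookup (hypothetical names and ranges).
VLAN_LOOKUP = [("10.39.40.0/24", "mf-vlan-40"), ("19.48.0.0/16", "mf-vlan-48")]

# Constructed events with the thread's field names; the last has a malformed SourceAddress on purpose.
SAMPLE_EVENTS = [
    '{"SourceAddress":"10.39.40.7","FromZone":"mf-vlan","ToZone":"outside","Action":"allow","DeviceName":"PALTAR1"}',
    '{"SourceAddress":"10.39.40.9","FromZone":"mf-vlan","ToZone":"outside","Action":"deny","DeviceName":"PALTAR1"}',
    '{"SourceAddress":"19.48.133.47","FromZone":"mf-vlan","ToZone":"outside","Action":"allow","DeviceName":"PALGRTG1"}',
    '{"SourceAddress":"10.241.0.56","FromZone":"serv-conn-vpn","ToZone":"l3-corp-inside","Action":"allow","DeviceName":"PALUERFW1"}',
    '{"SourceAddress":"56.082.943.911","FromZone":"mf-vlan","ToZone":"outside","Action":"deny","DeviceName":"PALGRTG1"}',
]

def build_networks(lookup):
    """Parse the CIDR column once; longest prefix first so overlapping subnets resolve to the most specific."""
    nets = [(ipaddress.ip_network(cidr, strict=False), name) for cidr, name in lookup]
    return sorted(nets, key=lambda item: item[0].prefixlen, reverse=True)

def lookup_vlan(ip_str, networks):
    """Return the VLAN whose subnet contains ip_str, or None for no match or a malformed address."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for net, name in networks:
        if ip in net:
            return name
    return None

def summarize(event_lines, lookup, from_zone="mf-vlan"):
    """Roughly: FromZone=mf-vlan | lookup <vlan csv> subnet AS SourceAddress OUTPUT vlan
    | stats count by vlan, DeviceName, Action.  Returns {(vlan, DeviceName, Action): count}."""
    networks = build_networks(lookup)
    counts = Counter()
    for line in event_lines:
        event = json.loads(line)
        if event.get("FromZone") != from_zone:
            continue  # only traffic entering from the MF VLAN zone is of interest
        vlan = lookup_vlan(event.get("SourceAddress", ""), networks) or "unmatched"
        counts[(vlan, event["DeviceName"], event["Action"])] += 1
    return dict(counts)

if __name__ == "__main__":
    for key, count in sorted(summarize(SAMPLE_EVENTS, VLAN_LOOKUP).items()):
        print(*key, count)
```

In Splunk the equivalent CIDR behaviour comes from setting match_type = CIDR(subnet) on the lookup definition; the "unmatched" bucket is worth keeping in the real search so addresses outside the 30 subnets are visible rather than dropped.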