I was wondering if there was a query to track flows through multiple firewalls.
For example, I want to track the flow
source IP ---> Firewall A ---> Firewall B ----> Firewall N ---> destination IP
I understand that accuracy is not going to be there when dealing with NATs/PATs and, of course, delays along the path. However, if there are no delays and no NATs, I am wondering if this would be possible and what that would look like.
There is no single good answer for this question.
Firstly, you don't "query through firewalls". Splunk analyzes data it already has. So if you have the logs containing information about network sessions from your firewalls, you can search that data.
Secondly, searches are very powerful but are in some aspects limited. Most importantly, SPL is not your normal imperative programming language, so "dynamically" tracking such sessions across a not-predefined set of hops would be impossible to implement.
You could, however, do a search matching sessions from one fw to another (or even to a third and fourth). It might, though, especially with bigger data sets, not be a very good solution performance-wise.
It could be possible, though, to make a dynamic dashboard (it would require some client-side JS programming to do it "nicely") to trace such sessions dynamically.
It all depends on the particular use case whether the detailed goal is achievable and whether it makes sense from the performance point of view.
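As an added illustration of the static "match sessions across firewalls" search the answer describes (this is not code from the answer above), assuming the firewall events live in an index named `firewall` with CIM-style fields `src_ip`, `src_port`, `dest_ip`, `dest_port` and `action`, that `host` names the firewall that logged the event, and that the two addresses are constructed sample values:

```spl
index=firewall action=allowed src_ip=10.1.2.3 dest_ip=203.0.113.10
| sort 0 _time
| stats min(_time) AS first_seen
        max(_time) AS last_seen
        list(host) AS hop_order
        dc(host) AS hop_count
        BY src_ip src_port dest_ip dest_port
| where hop_count >= 2
| eval transit_s = last_seen - first_seen
| eval path = src_ip . " -> " . mvjoin(hop_order, " -> ") . " -> " . dest_ip
| convert ctime(first_seen) ctime(last_seen)
| table first_seen last_seen src_ip src_port dest_ip dest_port hop_count transit_s path
```

Because the match is on the unchanged 4-tuple, any hop that NATs the source or port produces a separate group instead of a longer path, which is exactly the accuracy limit the question anticipates; `sort 0 _time` before `stats` is what makes `list(host)` come out in chronological hop order.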