Splunk Search

Query that tracks multiple traffic flows between firewalls

thebhattman
New Member

I was wondering if there was a query to track flows through multiple firewalls

For example I want to track the flow

source IP ---> Firewall A ---> Firewall B ---> Firewall N ---> Destination IP

I understand that accuracy is not going to be there when dealing with NATs/PATs and of course delays along the path. However, if there are no delays and no NATs I am wondering if this would be possible and what that would look like.

0 Karma

PickleRick
SplunkTrust

There is no single good answer for this question.

Firstly, you don't "query through firewalls". Splunk analyzes data it already has. So if you have the logs containing information about network sessions from your firewalls, you can search that data.

Secondly, searches are very powerful but are in some aspects limited. Most importantly, SPL is not your normal imperative programming language, so "dynamically" tracking such sessions across a non-predefined set of hops would be impossible to implement.

You could however do a search matching sessions from one fw to another (or even to a third and fourth). It might though - especially with bigger data sets - not be a very good solution performance-wise.

It could be possible though to make a dynamic dashboard (it would require some client-side JS programming though to do it "nicely") to trace such sessions dynamically.

It all depends on the particular use case whether the detailed goal is achievable and whether it makes sense from the performance point of view.

0 Karma
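As an added illustration of the "search matching sessions from one fw to another" approach (this is not code from either poster): the search below groups allowed-traffic events from every firewall by the 5-tuple-ish key src_ip / dest_ip / dest_port, keeps one event per firewall per flow, and lists the firewalls in chronological order so a flow that crossed A, then B, then N shows up as one row with hop_count=3. It assumes CIM-style field names (src_ip, dest_ip, dest_port, action) and that each firewall's events carry its own name in host; index and sourcetype are placeholders.

```spl
index=firewall sourcetype=fw_traffic action=allowed
| eval fw=host
| sort 0 _time
| dedup src_ip dest_ip dest_port fw
| stats min(_time) AS first_seen max(_time) AS last_seen
        dc(fw) AS hop_count list(fw) AS path
        BY src_ip dest_ip dest_port
| where hop_count >= 2
| eval transit_sec=last_seen-first_seen
| convert ctime(first_seen) ctime(last_seen)
| table src_ip dest_ip dest_port hop_count path transit_sec first_seen last_seen
```

Narrowing the base search to one src_ip/dest_ip pair (or using a short time window) keeps this cheap, which matters for the performance concern raised above; any NAT hop rewrites src_ip and breaks the grouping key, so the row will split into two shorter paths at that firewall.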