Splunk® App for PCI Compliance

Installation and Configuration Manual

Firewall Rule Activity

This report provides a six month view of firewall rule usage to help identify unneeded, outdated, or incorrect rules. This report ensures that all rules allow only authorized services and ports that match business justifications. Compliance managers might run this report more frequently to avoid unnecessary risks and avoid opening potential security holes.

Relevant data sources

Relevant data resources include firewalls that produce rule ID information.

How to configure this report

  1. Index the firewall activity data that includes a rule ID in Splunk platform.
  2. Map the data to the following Common Information Model fields: action, dvc, rule, transport, src, dest. CIM-compliant add-ons for these data sources perform this step for you.
  3. Tag the data with "network" and "communicate".
  4. Set the category column for each asset in the Asset table to pci or cardholder.
  5. Set the pci_domain column for each asset in the Asset table to {dmz|trust|untrust|cardholder|wireless}.

CIM-compliant add-ons for these data sources automatically perform this step.

Report description

The data in the Firewall Rule Activity report is populated by the Network - Communication Rule Tracker - Lookup Gen, a lookup that runs against the communication_rule_tracker CSV file. This file is created by the Network - Communication Rule Tracker - Lookup Gen lookup. Review the lookup generating search to learn more about the search schedule and time range.

Useful searches for troubleshooting

Verify that... Search/Action Expected Result
Firewall data has been indexed in Splunk platform. tag=network tag=communicate
or `communicate` 		Returns data from your network device(s).
The data fields are normalized to the CIM. `communicate` | table _time,host,sourcetype,action,dvc,
rule,transport,src,src_port,dest,dest_port,vendor_product 		Each field contains the correct, expected data.
The communication rule tracker is populated. | inputlookup append=t communication_rule_tracker
or | `communication_rule_tracker` 		Returns data in communication_rule_tracker.

Additional Information

The communication rule tracker file is located at $SPLUNK_HOME/etc/apps/SA-NetworkProtection/lookups.

Last modified on 05 April, 2023
Reports in the Splunk App for PCI Compliance   Network Traffic Activity

This documentation applies to the following versions of Splunk® App for PCI Compliance: 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.3.0, 5.3.1, 5.3.2

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters