If you are building firewall rules, or tightening existing ones, the Application Dependency mapping and the Service Dependencies Report are good starting points for discovering your application connections. However, it can be cumbersome to boil those large data sets down to the simple source and destination connection requirements you need when writing security rules. The following Device42 Object Query Language (DOQL) query helps with that.
The query is:
/* Generic Service Dependencies */
/* Each row is one observed connection between a local service port and a remote IP.
   The CASE expressions flip the two sides depending on whether the local port
   was the listener (receiving side) or the client (initiating side). */
select
case spip.is_listening when TRUE then dev.device_pk else cdev.device_pk end "Receiving Device ID",
case spip.is_listening when TRUE then dev.name else cdev.name end "Receiving Device Name",
case spip.is_listening when TRUE then spip.ip else sprip.ip end "Receiving IP address",
case spip.is_listening when TRUE then srv.service_name else csrv.service_name end "Receiving Service",
sp.port "Receiving Port",
spip.protocol "Protocol", /* the protocol is the same on both sides of the connection */
coalesce(case spip.is_listening when TRUE then cdev.name else dev.name end , 'N/A') "Initiating Device",
case spip.is_listening when TRUE then sprip.ip else spip.ip end "Initiating IP address",
case spip.is_listening when TRUE then csrv.service_name else srv.service_name end "Initiating Service",
sprips.total_ports as "Total Accumulated Ports",
sprips.counted_port_times "Total Port Scans",
sprips.total_ports / sprips.counted_port_times as "Average Ports Per Scan",
sd.first_detected as "First Connection Found",
sd.last_updated as "Last Connection Found"
/* Local device, its service-port IPs, and the remote IPs seen on them */
from view_serviceport_v1 sp
join view_serviceportip_v1 spip on spip.serviceport_fk = sp.serviceport_pk
join view_serviceportremoteip_v1 sprip on sprip.serviceportip_fk = spip.serviceportip_pk
join view_device_v1 dev on dev.device_pk = sp.device_fk
join view_serviceinstance_v1 sd on sd.serviceinstance_pk = spip.mapped_serviceinstance_fk
join view_service_v1 srv on srv.service_pk = sd.service_fk
left join (view_ipaddress_v1 lip join view_subnet_v1 lsn on lsn.subnet_pk = lip.subnet_fk)
on lip.ip_address = spip.ip and lip.device_fk = sp.device_fk
left join view_hardware_v1 hdw on hdw.hardware_pk = dev.hardware_fk
/* Resolve the remote IP to a device known to Device42, if there is one */
left join view_ipaddress_v1 ip on ip.ip_address = sprip.ip or ip.ip_hybrid = sprip.ip
left join view_subnet_v1 sn on sn.subnet_pk = ip.subnet_fk
left join view_device_v1 cdev on cdev.device_pk = ip.device_fk
left join view_hardware_v1 chdw on chdw.hardware_pk = cdev.hardware_fk
/* Find the matching service port on the remote device: same port number,
   opposite listening state, and (for a remote listener) bound to the remote IP or a wildcard */
left join (view_serviceport_v1 csp
join view_serviceportip_v1 cspip on cspip.serviceport_fk = csp.serviceport_pk
join view_serviceinstance_v1 csd on csd.serviceinstance_pk = cspip.mapped_serviceinstance_fk
join view_service_v1 csrv on csrv.service_pk = csd.service_fk)
on csp.device_fk = cdev.device_pk and csp.port = sp.port and cspip.is_listening <> spip.is_listening
and ((cspip.is_listening = true and cspip.ip in ('0.0.0.0'::inet, '::'::inet, sprip.ip)) or (cspip.is_listening = false))
/* Remote-IP statistics are only recorded for the listening side */
left join view_serviceportremoteipstats_v1 sprips on sprips.serviceportremoteip_fk = sprip.serviceportremoteip_pk and spip.is_listening = 't'
/* Drop ignored services, loopback and wildcard remote addresses, and keep only
   pairs where exactly one side is the listener */
where ((spip.is_listening = 't') or (spip.is_listening = 'f')) and
coalesce(srv.service_type, 'tracked') <> 'ignored' and
(sprip.ip <> '127.0.0.1' and sprip.ip <> '::1' and sprip.ip <> '0.0.0.0') and
(csrv.service_type is null or csrv.service_type <> 'ignored') and
((coalesce(cspip.is_listening, False) = 'f' and spip.is_listening = 't') or
(spip.is_listening = 'f' and coalesce(cspip.is_listening, TRUE) = 't'))
To run the query, open the following URL, replacing D42_IP with the IP address or DNS name of your appliance:
https://D42_IP/admin/rackraj/tools/d42viewer/doql/
Paste the query and use "," as the column separator.
The result is a CSV file that is downloaded to your workstation. You can then use Excel, or your preferred tool, to filter the initiating and receiving IP addresses by octet, separating connections within your known networks from those to or from remote networks.
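As an added example (not part of the Device42 article or product), the following Python script does the same reduction without a spreadsheet: it reads the CSV produced by the query, classifies each initiating and receiving IP against a list of known networks, and collapses the rows into distinct destination/port/protocol tuples with the set of sources that reached them, which is the shape a firewall rule needs. It generalizes the octet filtering in the text to CIDR matching via the standard `ipaddress` module. The CSV rows and the `KNOWN_NETWORKS` address plan are constructed sample data; the column names are the aliases from the query above.

```python
"""Reduce the DOQL service-dependency CSV to firewall rule candidates (added example)."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample output: column names match the aliases in the DOQL query
# above; the device names, IPs and timestamps are made up for this example.
SAMPLE_CSV = """Receiving Device ID,Receiving Device Name,Receiving IP address,Receiving Service,Receiving Port,Protocol,Initiating Device,Initiating IP address,Initiating Service,Total Accumulated Ports,Total Port Scans,Average Ports Per Scan,First Connection Found,Last Connection Found
101,db01,10.10.20.5,postgres,5432,tcp,app01,10.10.10.7,java,12,6,2,2023-01-04 10:00:00,2023-02-01 09:00:00
101,db01,10.10.20.5,postgres,5432,tcp,app02,10.10.10.8,java,4,4,1,2023-01-05 10:00:00,2023-02-01 09:00:00
101,db01,10.10.20.5,postgres,5432,tcp,N/A,203.0.113.9,N/A,1,1,1,2023-01-20 10:00:00,2023-01-20 10:00:00
202,app01,10.10.10.7,https,443,tcp,N/A,198.51.100.25,N/A,3,3,1,2023-01-06 10:00:00,2023-02-01 09:00:00
202,app01,10.10.10.7,https,443,tcp,web01,10.10.30.3,nginx,9,3,3,2023-01-06 10:00:00,2023-02-01 09:00:00
"""

# Constructed address plan (assumption): replace with your own known networks.
KNOWN_NETWORKS = {
    "app-tier": ipaddress.ip_network("10.10.10.0/24"),
    "db-tier": ipaddress.ip_network("10.10.20.0/24"),
    "web-tier": ipaddress.ip_network("10.10.30.0/24"),
}


def classify(ip_text):
    """Return the zone name for an IP, 'remote' if it is in no known network,
    or 'unknown' if the field does not parse as an address."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unknown"
    for zone, net in KNOWN_NETWORKS.items():
        if addr in net:
            return zone
    return "remote"


def summarize(csv_text):
    """Collapse rows to (src zone, dst zone, dst ip, port, protocol) -> set of source IPs."""
    rules = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        src_ip = row["Initiating IP address"]
        dst_ip = row["Receiving IP address"]
        key = (
            classify(src_ip),
            classify(dst_ip),
            dst_ip,
            int(row["Receiving Port"]),
            row["Protocol"],
        )
        rules[key].add(src_ip)
    return dict(rules)


def rules_from_remote(rules):
    """Keep only flows whose source lies outside every known network;
    these are the ones that most need review before a rule is written."""
    return {key: srcs for key, srcs in rules.items() if key[0] == "remote"}


if __name__ == "__main__":
    summary = summarize(SAMPLE_CSV)
    for (src_zone, dst_zone, dst_ip, port, proto), sources in sorted(summary.items()):
        print(f"{src_zone:>8} -> {dst_zone:<8} {dst_ip}:{port}/{proto}  from {sorted(sources)}")
```

Run it against the real CSV by reading the downloaded file into `summarize()` instead of `SAMPLE_CSV`; the `rules_from_remote()` subset is the list of inbound flows from outside your address plan.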