Select Devices and Interfaces

In this step, you can specify the Firewall Threat Defense devices and interfaces from which you want to send syslog events to Splunk. To send events from multiple interfaces, use security zones or interface groups.

Note

If you are using security zones or interface groups, only routed, management, switched, and loopback zones and groups are allowed.

Procedure


Step 1

Under Select devices, click the relevant options:

  • Use management interface: Click this button to configure the management interface of the Firewall Threat Defense device to send the events to Splunk. When this option is chosen, all the devices in the current domain also receive the Splunk configuration.

  • Use security zones and interface groups to specify devices and interfaces: Click this button to configure the interfaces of corresponding devices in the selected security zones and interface groups to send their respective events to Splunk.

    • From the Security zones and interface groups drop-down list, choose the required zones and groups.

    • To create a security zone or interface group for the device’s interfaces, click Create in the Certificates drop-down list.

  • Manually select devices and interfaces: Click this button to send the events from the deployed device to Splunk. From the Interface drop-down list, choose the configured interface through which you want the events to be sent to Splunk. You can choose only security zones that include this device.

    Note
    • Virtual Tunnel Interface (VTI) and Dynamic Virtual Tunnel Interface (DVTI) are excluded from Splunk configuration.

    • To encrypt syslog events over TLS, use the management interface to add a certificate. Encryption is not supported for data interfaces configured for TLS.

    • Click the Send events from this device toggle button corresponding to the device and its selected interface.

    • To create a security zone or interface group for the device's interfaces, click Create.

Step 2

(Optional) To cancel the creation of the Splunk profile, click Cancel.

Step 3

(Optional) To go back to the previous step, click Back.

Step 4

To move to the next step in the Splunk configuration, click Next.