Users monitoring

"Real time" tab

This screen consists of 2 views:

  • A view listing the users authenticated on the firewall.
  • A view listing Connections, Vulnerabilities, Applications, Services and information regarding the selected user.

"Users" view

This view shows all the users authenticated on the firewall. Every row represents a user.

The "Users" view displays the following data:

Name

User name

IP address

IP address of the host to which the user has logged on.

Directory

Name of the LDAP directory used for authenticating the user.

Group

List of groups to which the user belongs.

Expiry date

Remaining authentication time for the user's session

Auth. method

Method used for authenticating the user (e.g. SSL).

Multi-user

Indicates whether the host to which the user has logged on is a multi-user host (e.g. a TSE server).

Administrator

Specifies whether the user has administration privileges on the firewall.

Sponsor

Whenever the user logs on via the Sponsorship method, this column will indicate the name of the person who had validated the connection request.

SSL VPN Portal

A green check in this checkbox means that the user is allowed to log on to the SSL VPN portal in order to access web servers.

SSL VPN Portal - Java applet

A green check in this checkbox means that the user is allowed to log on to the SSL VPN portal in order to access application servers via a Java applet.

SSL VPN

A green check in this checkbox means that the user is allowed to set up SSL VPN tunnels using the SN SSL VPN Client.

IPSec VPN

A green check in this checkbox means that the user is allowed to set up one or several IPSec VPN tunnels.

Right-click menu

Right-clicking on the name of the user opens the following pop-up menus:

  • Search for this value in logs,
  • Log off this user,
  • Show host details

Possible actions

Several search criteria can be combined. The search criteria are cumulative: a row is displayed only if it meets all of them.

This combination of search criteria can then be saved as a “filter”. Filters will then be saved in memory and can be reset in the Preferences module of the administration interface.

(Filter drop-down menu)

Select a filter to launch the corresponding search. The list suggests filters that have been saved previously and, for certain Views, predefined filters. Selecting the (New filter) entry reinitializes the filter and its criteria selection.

Filter

Click on this button to:

  • Select filter criteria (Search criterion). For the "users" view, the criteria are the following:
      • By address range or IP address (grayed out if a user has been selected in the "users" view).
      • By directory (allows refining the filter when several LDAP directories have been defined on the firewall).
      • By authentication method.
  • Save the criteria defined in the Filter panel (described in the next section) as a customized filter (Save current filter). You can also save a new filter based on an existing filter, or on a predefined filter offered in certain Views, using the "Save as" button. Once a filter has been saved, it will be automatically offered in the list of filters.
  • Delete current filter.

Reset

This button cancels the action of the filter currently in use. If it is a saved customized filter, this action will not delete the filter.

Refresh

This button refreshes data shown on the screen.

Export results

This button makes it possible to download a CSV file containing the information from the table. Once a filter is applied, all results matching this filter will be exported.

Reset columns

This button makes it possible to display only columns suggested by default when the host monitoring window is opened.

"FILTER" panel

You can add a criterion by dragging and dropping the value from the results field into the panel.

"Connections" view

This view shows all connections detected by the firewall for a selected user. Every row represents a connection. The "Connections" view displays the following data:

Date

Indicates the date and time of the object's connection.

Connection

Connection ID

Parent connection

Certain protocols may generate "child" connections (e.g. FTP) and in this case, this column will list the parent connection ID.

Protocol

Communication protocol used for the connection.

User

User logged on to the host (if any).

Source

IP address of the host at the source of the connection

Source name

Name of the object (if any) corresponding to the source host.

Source MAC address

MAC address of the object at the source of the connection

Source port

Number of the source port used for the connection

Source Port Name

Name of the object corresponding to the source port

Destination

IP address of the host to which the connection was set up.

Destination Name

Name of the object (if any) to which the connection was set up.

Destination Port

Number of the destination port used for the connection

Dest. Port Name

Name of the object corresponding to the destination port

Source interf.

Name of the interface on the firewall on which the connection was set up.

Dest. interf.

Name of the destination interface used by the connection on the firewall.

Average throughput

Average value of bandwidth used by the selected connection.

Sent

Number of bytes sent during the connection.

Received

Number of bytes received during the connection.

Duration

Connection time.

Last used

Time elapsed since the last packet exchange for this connection.

Router

ID assigned by the firewall to the router used by the connection

Router name

Name of the router saved in the objects database used by the connection

Rule type

Indicates whether it is a local, global or implicit rule.

Rule

ID name of the rule that allowed the connection

Status

Indicates the status of the connection (for example, its initiation, establishment or closure).

Queue name

Name of the QoS queue used by the connection.

Rule name

If a name has been given to the filter rule through which the connection passes, this name will appear in the column.

IPS profile

Displays the number of the inspection profile called up by the rule that filtered the connection.

Geolocation

Displays the flag corresponding to the destination country.

Argument

Additional information for certain protocols (e.g. HTTP).

Operation

Additional information for certain protocols (e.g. HTTP).

Right-click menu

Right-clicking on the name of the source or destination host opens the following pop-up menus:

  • Go to the corresponding security rule

Possible actions

Several search criteria can be combined. The search criteria are cumulative: a row is displayed only if it meets all of them.

This combination of search criteria can then be saved as a “filter”. Filters will then be saved in memory and can be reset in the Preferences module of the administration interface.

(Filter drop-down menu)

Select a filter to launch the corresponding search. The list suggests filters that have been saved previously and, for certain Views, predefined filters. Selecting the (New filter) entry reinitializes the filter and its criteria selection.

Filter

Click on this button to:

  • Select filter criteria (Search criterion). For the "connections" view, the criteria are the following:
      • By address range or by IP address.
      • By interface.
      • By source interface.
      • By destination interface.
      • By destination port.
      • By protocol.
      • By user (grayed out if a host has been selected in the "hosts" view).
      • For a value of exchanged data higher than the value specified with the cursor.
      • According to the last use of the connection (only saved connections with a last used value lower than the specified value will be displayed).
      • By rule name.
      • By IPS profile.
      • By geographic source or destination.
      • If the See all connections (closed or reinitialized connections, etc.) checkbox has been selected, all connections will be displayed in the table, regardless of their status.
  • Save the criteria defined in the Filter panel (described in the next section) as a customized filter (Save current filter). You can also save a new filter based on an existing filter, or on a predefined filter offered in certain Views, using the "Save as" button. Once a filter has been saved, it will be automatically offered in the list of filters.
  • Delete current filter.

Reset

This button cancels the action of the filter currently in use. If it is a saved customized filter, this action will not delete the filter.

Refresh

This button refreshes data shown on the screen.

Export results

This button makes it possible to download a CSV file containing the information from the table. Once a filter is applied, all results matching this filter will be exported.

Reset columns

This button makes it possible to display only columns suggested by default when the host monitoring window is opened.

"FILTER ON" panel

You can add a criterion by dragging and dropping the value from the results field into the panel.

"Vulnerabilities" view

This tab describes the vulnerabilities detected on the host on which the selected user is connected.

The "Vulnerabilities" view displays the following data:

Identifier

Vulnerability ID

Name

Indicates the name of the vulnerability.

Family

Number of hosts affected.

Severity

Indicates the level of severity on the host(s) affected by the vulnerability. There are 4 levels of severity: "Low", "Moderate", "High", "Critical".

Exploit

Indicates the type of access that allows the vulnerability to be exploited: local or remote (via the network).

Workaround

Indicates whether a workaround exists.

Level

The alarm level associated with the discovery of this vulnerability.

Port

The network port on which the host is vulnerable (e.g. 80 for a vulnerable web server).

Service

Indicates the name of the vulnerable program (e.g. lighttpd_1.4.28).

Assigned

Indicates the date on which the vulnerability was detected on the host

Details

Additional information about the vulnerability.

Right-click menu

Right-clicking on the name of the vulnerability opens the following pop-up menus:

  • Search for this value in logs,
  • Add the host to the objects base and/or add it to a group.

"Application" view

This tab describes the applications detected on the host on which the selected user is connected.

The "Application" view displays the following data:

Product name

Name of the application.

Family

Application family (e.g. Web client).

Details

Full name of the application including its version number.

Right-click menu

Right-clicking on the name of the product opens the following pop-up menus:

  • Search for this value in logs,
  • Add the host to the objects base and/or add it to a group.

"Services" view

This tab describes the services detected on the host on which the selected user is connected.

The "Services" view displays the following data:

Port

Indicates the port and protocol used by the service (e.g. 80/tcp).

Service name

Indicates the name of the service (e.g. lighttpd).

Service

Indicates the name of the service including its version number (e.g. lighttpd_1.4.28).

Details

Additional information about the service detected.

Family

Service family (e.g. Web server).

"Information" view

This tab describes the information relating to the host on which the selected user is connected.

The "Information" view displays the following data:

ID

Unique identifier of the software program or operating system detected.

Name

Name of the software program or operating system detected.

Family

Family to which the detected software belongs (e.g. Operating System).

Level

The alarm level associated with the discovery of this program.

Assigned

Date and time the program or operating system was detected.

Details

Name and version of the software program or operating system detected (e.g. Microsoft_Windows_Seven_SP1).

Right-click menu

Right-clicking on the name of the product opens the following pop-up menus:

  • Search for this value in logs,
  • Add the host to the objects base and/or add it to a group.