Connections

"Real time" table

This view shows all connections detected by the firewall. Every row represents a connection. The "Connections" view displays the following data:

Date

Indicates the date and time of the object's connection.

Connection

Connection ID

Parent connection

Some protocols may generate "child" connections (e.g. FTP) and in this case, this column will list the parent connection ID.

Protocol

Communication protocol used for the connection.

User

User logged on to the host (if any).

Source

IP address of the host at the source of the connection

Source name

Name of the object (if any) corresponding to the source host.

Source IP address (multi-homing)

IP address presented by the host initiating an SCTP connection. Reminder: an appliance that communicates in SCTP may have several IP addresses (multi-homing).

Source MAC address

MAC address of the object at the source of the connection

Source port

Number of the source port used for the connection

Source Port Name

Name of the object corresponding to the source port

Destination

IP address of the host to which the connection was set up.

Destination Name

Name of the object (if any) to which the connection was set up.

Destination IP address (multi-homing)

IP address of the destination host of an SCTP connection. Reminder: an appliance that communicates in SCTP may have several IP addresses (multi-homing).

Destination Port

Number of the destination port used for the connection.

Dest. Port Name

Name of the object corresponding to the destination port

Source interf.

Name of the interface on the firewall on which the connection was set up.

Dest. interf.

Name of the destination interface used by the connection on the firewall.

Average throughput

Average value of bandwidth used by the selected connection.

Sent

Number of bytes sent during the connection.

Received

Number of bytes received during the connection.

Duration

Connection time.

Last used

Time elapsed since the last packet exchange for this connection.

Router

ID assigned by the firewall to the router used by the connection

Router name

Name of the router saved in the objects database used by the connection

Rule type

Indicates whether it is a local, global or implicit rule.

Rule

ID name of the rule that allowed the connection

Status

This parameter indicates the status of the configuration corresponding, for example, to its initiation, establishment or closure.

Queue name

Name of the QoS queue used by the connection.

Rule name

If a name has been given to the filter rule through which the connection passes, this name will appear in the column.

IPS profile

Displays the number of the inspection profile called up by the rule that filtered the connection.

Geolocation

Displays the flag corresponding to the destination country.

Reputation category

Indicates the external host's reputation category if it has been classified.

Example: Spam, phishing, etc.

Argument

Additional information for certain protocols (e.g.: HTTP).

Operation

Additional information for certain protocols (e.g.: HTTP).

Right-click menu

Right-clicking on the name or IP address of a source or destination host opens the following pop-up menus:

  • Search for this value in logs,
  • Show host details,
  • Reset the reputation score,
  • Add the host to the objects base and/or add it to a group.

 

Right-clicking on the name of the user opens the following pop-up menus:

  • Search for this value in logs,
  • Log off this user,
  • Show host details.

 

Right-clicking on the name of the source or destination opens the following pop-up menus:

  • Search for this value in the "All logs" view,
  • Show host details,
  • Reset this object's reputation score,
  • Blacklist this object (for 1 minute, 5 minutes, 30 minutes or 3 hours),
  • Add the host to the objects base and/or add it to a group,
  • Go to the corresponding security rule.

 

Right-clicking on the name of the source or destination opens the following pop-up menus:

  • Go to the corresponding security rule,
  • Add the service to the objects base and/or add it to a group.

 

Right-clicking on the other columns will open the following pop-up menu:

  • Go to the corresponding security rule

Possible actions

Several search criteria can be combined. Search criteria are cumulative: a connection is displayed only if it meets all of them.

This combination of search criteria can then be saved as a “filter”. Filters will then be saved in memory and can be reset in the Preferences module of the administration interface.

(Filter drop-down menu)

Select a filter to launch the corresponding search. The list will suggest filters that have been saved previously and predefined filters for certain views. Selecting the entry (New filter) allows the filter to be reinitialized by deleting the selected criteria.

Filter

Click on this button to:

  • Select filter criteria (Search criterion). For the "connections" view, the criteria are the following:
      • By address range or by IP address
      • By interface
      • By source interface
      • By destination interface
      • By destination port
      • By protocol
      • By user (grayed out if a host has been selected in the "hosts" view).
      • For a value of exchanged data higher than the value specified with the cursor.
      • According to the last use of the connection (only saved connections with a last used value lower than the specified value will be displayed).
      • By rule name
      • By IPS profile.
      • By geographic source or destination.
      • If only the Display all TCP/UDP connections (shut down, reset connections, etc.) checkbox is selected, the filter will display all connections regardless of their state as well as the associations in use.
      • If only the Display all SCTP associations (reset, currently in use, shutting down and shut down) checkbox is selected, the filter will display all SCTP associations regardless of their state as well as the connections in use.
      • Whenever both the Display all TCP/UDP connections (shut down, reset connections, etc.) and Display all SCTP associations (reset, currently in use, shutting down and shut down) checkboxes are selected, the filter will display all of the firewall's known connections and associations regardless of their state.
      • If neither the Display all TCP/UDP connections (shut down, reset connections, etc.) nor Display all SCTP associations (reset, currently in use, shutting down and shut down) checkbox is selected, the filter will display only connections and associations in use.
  • Save as a customized filter the criteria defined in the Filter panel described in the next section (Save current filter). You can save a new filter using the button "Save as" based on an existing filter or a predefined filter offered in certain Views. Once a filter has been saved, it will be automatically offered in the list of filters.
  • Delete current filter.

Reset

This button cancels the action of the filter currently in use. If it is a saved customized filter, this action will not delete the filter.

Refresh

This button refreshes data shown on the screen.

Export results

This button makes it possible to download a CSV file containing information from the table. Once a filter is applied, all results matching this filter will be exported.

Reset columns

This button makes it possible to reinitialize column width and display only columns suggested by default the first time the host monitoring window is opened.
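
The filter semantics described above (cumulative criteria plus the two state checkboxes), applied offline to an exported CSV, as an added example that is not part of the original documentation. The CSV headers, the status strings, the protocol labels and the unit of "Last used" (seconds) are assumptions modelled on the column names listed on this page; the sample rows are constructed.

```python
import csv
import io

# Constructed sample export. Header names are assumptions based on the
# columns documented above; a real export may label them differently.
SAMPLE_CSV = """Date,Protocol,User,Source,Destination,Destination Port,Sent,Received,Last used,Status,Reputation category
2024-05-02 10:01:12,tcp,alice,192.0.2.10,198.51.100.7,443,1200,560000,2,established,
2024-05-02 10:01:40,tcp,,192.0.2.23,203.0.113.50,443,48000000,1500,1,established,phishing
2024-05-02 10:02:05,udp,,192.0.2.23,198.51.100.53,53,300,420,45,closed,
2024-05-02 10:03:30,sctp,,192.0.2.40,203.0.113.9,2905,9000,8800,3,shutdown,
"""

IN_USE = {"established"}  # assumption: status string meaning "in use"

def load(text):
    """Parse an exported CSV into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def visible(row, all_tcp_udp=False, all_sctp=False):
    """Model of the two state checkboxes: in-use entries are always shown;
    entries in any other state are shown only if their checkbox is ticked."""
    if row["Status"] in IN_USE:
        return True
    if row["Protocol"] == "sctp":
        return all_sctp
    return all_tcp_udp  # assumption: everything non-SCTP follows this box

def apply_filter(rows, criteria, **state):
    """Criteria are cumulative: a row is kept only if every one matches."""
    return [r for r in rows
            if visible(r, **state) and all(test(r) for test in criteria)]

def triage(text):
    """Recently active connections that sent a large volume of data to a
    host carrying a reputation category."""
    criteria = [
        lambda r: int(r["Sent"]) > 10_000_000,      # exchanged data above threshold
        lambda r: int(r["Last used"]) < 30,         # last used below value (seconds)
        lambda r: r["Reputation category"] != "",   # host has been classified
    ]
    return apply_filter(load(text), criteria)

if __name__ == "__main__":
    for r in triage(SAMPLE_CSV):
        print(r["Source"], "->", r["Destination"], r["Sent"], r["Reputation category"])
```
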

"FILTER ON" panel

You can add a criterion by dragging and dropping the value from the results field into the panel.