IMPORTANT
SNS 3.x versions have reached End of Maintenance since July 1st, 2024.
We recommend that you update your SNS firewalls to a version with maintenance to guarantee the protection of your infrastructure.
Activity Reports
These reports are displayed in the form of bar graphs or pie charts and offer four time scales: the last hour, day, week or month. These time ranges are calculated in relation to the firewall’s date and time settings.
Possible operations
- Time scale: this field allows selecting the time scale: last hour, views by day, by week or by month.
- Date field: in the case of a view by day, it offers a calendar allowing you to select the date.
- The Print button allows you to access the print preview window for the report. A comment field can be added to the report that has been formatted for printing. The Print button in that window sends the file to the browser’s print module, which allows choosing to print or to generate a PDF file.
- The CSV export button allows downloading data in CSV format. The values are separated by commas and saved in a text file. This makes it possible to reopen the file in a spreadsheet program such as Microsoft Excel.
- The horizontal bar graph button displays data in the form of a horizontal bar graph.
- The vertical bar graph button displays data in the form of a vertical bar graph.
- The pie chart button displays data in the form of a pie chart.
The analyzed period is then displayed.
Legend
A table made up of 6 columns summarizes the data displayed. The columns are as follows:
- Rank: the number indicates the rank according to the value,
- Letter and color: they allow referencing the value when the text is too long to be displayed in full (vertical bar graphs or pie charts),
- Name: the full name of the data type,
- Percentage: the share that the data type represents in this list,
- Quantity: the value itself,
- Status: a button that displays or hides the data. The category “Others”, representing data other than those in the Top 10, is hidden by default. The Hidden/Shown status is kept in the preferences of the application.
Depending on the reports, extra columns can be added to the legend table offering certain information or interactions in relation to the values displayed (e.g.: action of an alarm).
Interactions
Left-clicking on a value in a report opens a menu offering several interactions, such as providing additional information on the value, modifying a parameter of the configuration profile or launching a search in the Logs section.
All items in a diagram allow the action Search for this value in logs: this search is conducted in the Logs section on all logs, keeping the monitored period and using the value of the selected element as the search criterion. This action is offered for all values except for certain specific searches listed below.
If it is an IP address, the possible actions will be:
- Add the host to the object base: through a dialogue window, the host can be added to the Object base and added to a group created earlier. The aim of this is to apply a particular filter policy to the object (quarantine zone).
* Please refer to the Technical Note “Collaborative security” on how to create a policy with a remediation zone.
A domain name allows the following additional actions:
- URL access: this action displays the URL in a new tab.
- Display the URL Category: this action displays in a window the category to which the domain belongs.
- Add the URL to a group: this action will display a window that allows adding the URL directly to an existing URL group.
The following are the particular interactions of the various reports:
WEB: Top web searches report
Execute this search via Google: this action launches a Google keyword search in a new tab.
SECURITY: Top most frequent alarms report
- Set action to (Allow/Block): this modification will be made to the profile relating to the traffic that raised the alarm.
- Set level to (Major/ Minor / Ignore): this modification will be made to the profile relating to the traffic that raised the alarm.
- Open help: this link redirects to the help page of the alarm raised or the vulnerability detected.
- Search for this value in logs: this search is conducted in the Logs section, on all logs and by keeping the monitored period.
VULNERABILITIES
Top most vulnerable hosts report
- Click to display the remaining vulnerabilities of this host: displays the vulnerabilities still present on this host at this exact moment, since a vulnerability reported at a given time may have been resolved by the time the report is read. You can also confirm the current status of vulnerabilities in Realtime Monitor.
- Search for this host in the vulnerabilities log: this search is conducted in the Logs section, on all logs and by keeping the monitored period.
Top client vulnerabilities and Top server vulnerabilities report
- View hosts having this vulnerability: displays the hosts concerned at this exact moment and their version of the vulnerable application or service, since a vulnerability reported at a given time may have been resolved by the time the report is read. You can also confirm the current status of vulnerabilities in Realtime Monitor.
- Open help: this link redirects to the help page of the alarm raised or the vulnerability detected.
- Search for this value in logs: this search is conducted in the Logs section, in the Vulnerabilities view and by keeping the monitored period.
Reports
WEB
The activity analyzed in the Web category is the combined activity for all queried sites, meaning those belonging to the company’s internal networks or those hosted on the internet. These reports relate to HTTP and HTTPS traffic.
For reports relating to sites, the possible interactions with the elements and the legend are querying the URL’s category and accessing the URL directly. The Top web searches report additionally allows relaunching the search via Google.
Top most visited web sites
These values are evaluated by the number of hits sent to the HTTP server, for the download of files needed for displaying web pages.
Top most visited web domains
Through a mechanism that aggregates the web servers queried, the previous report is rebuilt by web domain, so that the hits of a domain served by several servers are not divided between them.
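As an added example (not Stormshield code, and not the firewall’s own implementation of these reports), the Python script below rebuilds the legend described under Legend above, that is rank, letter, percentage, quantity and the Top 10 plus the hidden “Others” category, from a CSV export of the Top most visited web sites report, and then aggregates the same sites by web domain the way the Top most visited web domains report does. The column names `site` and `hits` and the sample rows are constructed assumptions; the real export layout is not given on this page. The domain reduction keeps the last two labels only, which is a simplification noted in the code.

```python
import csv
import io
import string
from collections import Counter

# Constructed sample export. The column names and rows are assumptions made
# for this example; they are not the layout of a real SNS export.
SAMPLE_CSV = """site,hits
www.example.com,540
static.example.com,310
cdn.example.com,120
mail.example.org,200
www.example.org,90
a.test,50
b.test,40
c.test,30
d.test,20
e.test,10
f.test,9
g.test,8
"""


def load_counts(csv_text, key="site", value="hits"):
    """Parse a CSV export into a Counter of label -> quantity."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        counts[row[key]] += int(row[value])
    return counts


def web_domain(host):
    """Reduce a server name to its web domain (last two labels).

    Simplified on purpose: it does not know multi-label public suffixes
    such as co.uk, for which a public-suffix list would be needed."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aggregate_by_domain(counts):
    """Fold per-server counts into per-domain counts, so that a domain served
    by several hosts (www, static, cdn...) is not divided between them."""
    per_domain = Counter()
    for host, hits in counts.items():
        per_domain[web_domain(host)] += hits
    return per_domain


def legend(counts, top=10, show_others=False):
    """Build legend rows (rank, letter, name, percent, quantity) sorted by
    value. Entries beyond `top` are folded into "Others", which the report
    hides by default, hence show_others=False."""
    total = sum(counts.values())
    if total == 0:
        return []
    ranked = counts.most_common()
    rows = []
    for rank, (name, qty) in enumerate(ranked[:top], start=1):
        letter = string.ascii_uppercase[rank - 1]
        rows.append((rank, letter, name, round(100 * qty / total, 1), qty))
    others = sum(qty for _, qty in ranked[top:])
    if others and show_others:
        letter = string.ascii_uppercase[top]
        rows.append((top + 1, letter, "Others", round(100 * others / total, 1), others))
    return rows


if __name__ == "__main__":
    sites = load_counts(SAMPLE_CSV)
    for row in legend(sites, show_others=True):
        print("%2d %s %-20s %5.1f%% %5d" % row)
    print("--- by web domain ---")
    for row in legend(aggregate_by_domain(sites)):
        print("%2d %s %-20s %5.1f%% %5d" % row)
```

Running the script prints the site legend with “Others” shown as an eleventh row, then the domain legend, in which the three example.com servers collapse into one entry that now heads the list.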
Top most consulted web categories
For this report, the URL filtering module has to be enabled. Keep in mind that the sites queried include those belonging to the internal network (category Private IP Addresses).
Top web sites by exchanged volume
This report is based on the volumes of data exchanged, both sent and received.
Top web domains by exchanged volume
Through a mechanism that aggregates the web sites queried, the previous report is rebuilt by web domain, so that the volume of a domain served by several sites is not divided between them.
Top web categories by exchanged volume
Traffic is scanned against rules on which a URL filter has been applied (Security inspection). It relates to volumes of data exchanged, both sent and received.
Top users by volume exchanged
Authentication has to be configured (refer to the section Authentication in this Guide). It relates to volumes of data exchanged, both sent and received.
This report contains private data and therefore the Full access to logs (private data) privilege is required in order to view it.
Top most blocked websites
This report relates to sites that have been blocked by the ASQ engine or by URL filtering if it has been enabled (Security inspection).
Top most blocked web domains
Through a mechanism that aggregates the web sites queried, the previous report is rebuilt by web domain, so that blocked sites of the same domain are not divided between them.
Top most blocked web categories
The URL filtering inspection is required in order to obtain these categories. This report relates to sites that have been blocked by the ASQ engine or by URL filtering if it has been enabled (Security inspection).
Top web searches
These values relate to requests sent over the search engines Google, Bing and Yahoo.
This report contains private data and therefore the Full access to logs (private data) privilege is required in order to view it.
SECURITY
The Alarms reports are based on the Applications and protections alarms (Application protection menu) and System events (Notifications menu).
For reports relating to alarms, you can modify the action, change the alert level and access help for the selected alarm. These changes can be made to the profile concerned with the traffic that generated the alarm.
Top most frequent alarms
This report displays the alarms that are raised most frequently when the firewall scans traffic.
Top hosts generating alarms
Hosts that generate the most alarms are identified by their DNS names (fqdn) or IP addresses if they do not have DNS names.
This report contains private data and therefore the Full access to logs (private data) privilege is required in order to view it.
Top administrator sessions
This report lists the accounts with the largest number of sessions on the firewall’s administration interface, regardless of privileges. Sessions are counted per administrator login and per IP address of the connected host. As such, the same IP address may be listed several times if different accounts have been used to log on to the firewall from the same host.
Top countries generating alarms
This report sets out the countries that generate the greatest number of alarms, regardless of whether they are the source or destination of network traffic.
Top hosts showing highest reputation scores
This report sets out the hosts on the internal network that have the highest reputation scores, regardless of whether they are the source or destination of network traffic. This report requires the activation of host reputation management.
It contains private data and therefore the Full access to logs (private data) privilege is required in order to view it.
Detection rate by analytics engine (Sandboxing, Antivirus, AntiSpam)
This report shows the distribution of file analyses, between sandboxing, antivirus and antispam scans.
VIRUSES
The Antivirus inspection is required for these analyses.
Top web viruses
This report lists the viruses detected on web traffic (HTTP and HTTPS if the SSL inspection has been enabled). An interaction on the graph allows going to a description of the virus online (http://www.securelist.com).
Top mail viruses
This report lists the viruses detected on mail traffic (POP3, SMTP, POP3S and SMTPS if the SSL inspection has been enabled). An interaction on the graph allows going to a description of the virus online (http://www.securelist.com).
Top senders of e-mail viruses
Viruses by e-mail detected on the mail traffic of internal networks (SMTP and SMTPS if the SSL inspection has been enabled) are listed by sender. Senders are identified by their authenticated user logins. Authentication has to be configured (refer to the section Authentication in this Guide).
This report contains private data and therefore the Full access to logs (private data) privilege is required in order to view it.
VULNERABILITIES
Vulnerabilities can be listed by host. The Vulnerability management module has to be enabled.
By default, these reports concern vulnerabilities that have been detected on internal networks as the object network_internals is defined by default in the list of network elements being monitored (see the Vulnerability management module in the administration interface). The analysis therefore covers hosts belonging to internal networks, identified by a DNS name (fqdn) or the IP address if there is no DNS name.
For further detail on profiles and vulnerability families, please refer to the section Vulnerability management in this guide.
Top most vulnerable hosts
This report shows the list of the most vulnerable hosts in the network with regard to the number of vulnerabilities detected without taking into account their severity.
It contains private data and therefore the Full access to logs (private data) privilege is required in order to view it.
Top Client vulnerabilities
This report shows all vulnerabilities detected with a Client target, with a level of severity of either “3” (High) or “4” (Critical). These include vulnerabilities that have both Client and Server targets.
Top Server vulnerabilities
This report shows all vulnerabilities detected with a Server target, with a level of severity of either “2” (Moderate), “3” (High) or “4” (Critical). These include vulnerabilities that have both Client and Server targets.
Top most vulnerable applications
This report shows the top 10 most detected vulnerabilities on the network by product regardless of severity.
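As an added example (not Stormshield code, and not how the firewall computes these reports internally), the Python below applies the selection rules stated for the four VULNERABILITIES reports above to a handful of constructed vulnerability records, and also implements the “View hosts having this vulnerability” interaction. The record fields (`host`, `product`, `version`, `vuln`, `severity`, `targets`) are assumptions; the severity scale follows the levels quoted above, with level 1 assumed to be Low. The point to check in the output is that a vulnerability with both Client and Server targets appears in both the Client and Server reports, while a Moderate (level 2) one appears only in the Server report, and that the host and application rankings ignore severity altogether.

```python
from collections import Counter

# Constructed records, one per vulnerability detected on a monitored host.
# Field names and the severity scale (1 Low, 2 Moderate, 3 High, 4 Critical)
# are assumptions for this example; "targets" holds the affected sides.
RECORDS = [
    {"host": "pc1.internal", "product": "Browser A", "version": "1.0",
     "vuln": "V-A", "severity": 4, "targets": {"client"}},
    {"host": "pc1.internal", "product": "Browser A", "version": "1.0",
     "vuln": "V-B", "severity": 1, "targets": {"client"}},
    {"host": "srv1.internal", "product": "SSH server", "version": "7.2",
     "vuln": "V-C", "severity": 2, "targets": {"server"}},
    {"host": "srv1.internal", "product": "TLS library", "version": "1.1",
     "vuln": "V-D", "severity": 3, "targets": {"client", "server"}},
    {"host": "pc2.internal", "product": "TLS library", "version": "1.1",
     "vuln": "V-D", "severity": 3, "targets": {"client", "server"}},
    {"host": "srv2.internal", "product": "Web server", "version": "2.4",
     "vuln": "V-E", "severity": 1, "targets": {"server"}},
]


def most_vulnerable_hosts(records, top=10):
    """Top most vulnerable hosts: number of vulnerabilities per host,
    severity not taken into account."""
    return Counter(r["host"] for r in records).most_common(top)


def client_vulnerabilities(records):
    """Top Client vulnerabilities: Client target and severity 3 (High) or
    4 (Critical). Records with both targets qualify."""
    return sorted({r["vuln"] for r in records
                   if "client" in r["targets"] and r["severity"] >= 3})


def server_vulnerabilities(records):
    """Top Server vulnerabilities: Server target and severity 2 (Moderate),
    3 (High) or 4 (Critical). Records with both targets qualify."""
    return sorted({r["vuln"] for r in records
                   if "server" in r["targets"] and r["severity"] >= 2})


def most_vulnerable_applications(records, top=10):
    """Top most vulnerable applications: detections counted by product,
    severity not taken into account."""
    return Counter(r["product"] for r in records).most_common(top)


def hosts_having(records, vuln):
    """'View hosts having this vulnerability': the hosts concerned and the
    version of the affected product, sorted by host name."""
    return sorted((r["host"], r["product"], r["version"])
                  for r in records if r["vuln"] == vuln)


if __name__ == "__main__":
    print("hosts:", most_vulnerable_hosts(RECORDS))
    print("client:", client_vulnerabilities(RECORDS))
    print("server:", server_vulnerabilities(RECORDS))
    print("applications:", most_vulnerable_applications(RECORDS))
    print("hosts having V-D:", hosts_having(RECORDS, "V-D"))
```

With these records, V-D (High, both targets) is listed in both the Client and Server reports, V-C (Moderate, Server only) is listed only in the Server report, and V-B and V-E (Low) appear in neither, although they still count towards the host and application rankings.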
NETWORK
The activity analyzed in the NETWORK category relates to all traffic passing through the firewall, meaning all protocols. Volumes are calculated on data exchanged, both sent and received.
Top hosts by volume exchanged
This data volume concerns all hosts, whether they belong to internal or external networks.
This report contains private data and therefore the Full access to logs (private data) privilege is required in order to view it.
Top protocols by volume exchanged
This report sets out the protocols used most often on all data volumes exchanged by all hosts, whether they belong to internal or external networks.
Top users by volume exchanged
The data volume concerns authenticated users. Authentication has to be configured (refer to the section Authentication in this Guide).
This report contains private data and therefore the Full access to logs (private data) privilege is required in order to view it.
Top client applications by volume exchanged
This report sets out the client applications used most often on all volumes exchanged by all hosts during the specified period.
Top server applications by volume exchanged
This report sets out the server applications used most often on all volumes exchanged by all hosts during the specified period.
Top most used protocols by connection
Only protocols from the Application layer of the OSI model are considered. This report sets out the protocols used most often on all connections during the specified period.
Top most frequently detected client applications
This report sets out the applications on the client side most frequently detected by the intrusion prevention engine during the specified period.
Top most frequently detected server applications
This report sets out the applications on the server side most frequently detected by the intrusion prevention engine during the specified period.
Top countries identified as network traffic source
This report sets out the countries most frequently identified as the source of network traffic going through the firewall.
Top countries identified as network traffic destination
This report sets out the countries most frequently identified as the destination of network traffic going through the firewall.
SPAM
The Antispam module has to be enabled. Spam is counted per recipient, by analyzing SMTP and POP3 traffic, and SMTPS and POP3S traffic if the SSL scan has been enabled.
Top most spammed users
This report counts spam regardless of the level of trust (level 1-Low, 2-Medium and 3-High). The user is identified by the user name part of their e-mail address (without the “@” character and the domain name).
It contains private data and therefore the Full access to logs (private data) privilege is required in order to view it.
Ratio of spam e-mails received
This report is a ratio. Of all e-mails received and analyzed by the Antispam module, three percentages are returned: the proportion of spam, regardless of the level of trust (level 1-Low, 2-Medium and 3-High), the proportion of e-mails whose scan failed, and the proportion of e-mails not considered spam.
Industrial networks
Activity scanned in the INDUSTRIAL NETWORK category covers all traffic from industrial protocols passing through the firewall. Volumes are calculated on data exchanged, both sent and received.
Top Modbus servers by exchanged volume
This report sets out the most frequently used servers over all volumes exchanged for the industrial protocol MODBUS.
Top UMAS servers by exchanged volume
This report sets out the most frequently used servers over all volumes exchanged for the industrial protocol UMAS.
Top S7 servers by exchanged volume
This report sets out the most frequently used servers over all volumes exchanged for the industrial protocol S7.
Top OPC UA servers by exchanged volume
This report sets out the most frequently used servers over all volumes exchanged for the industrial protocol OPC UA.
Top EtherNet/IP servers by exchanged volume
This report sets out the most frequently used servers over all volumes exchanged for the industrial protocol EtherNet/IP.
Sandboxing
The Sandboxing option must be enabled. Data is taken into account by analyzing HTTP, SMTP, POP3 and FTP traffic, and HTTPS, SMTPS and POP3S traffic if the SSL scan has been enabled.
Top malicious files detected after sandboxing
This report sets out the malicious files most frequently detected by sandboxing.
Top malicious files detected and blocked by sandboxing request
This report sets out the malicious files most frequently blocked by sandboxing.
Top most frequently analyzed file types
This report sets out the types of files most frequently submitted for sandboxing.
Top hosts that have submitted files for sandboxing
This report shows the hosts on the network that have warranted the highest number of sandboxing analyses. It contains private data and therefore the Full access to logs (private data) privilege is required in order to view it.
Top protocols that use sandboxing
This report shows the network protocols (HTTP, SSL, SMTP, FTP) that have warranted the highest number of sandboxing analyses.
Top users who have submitted files for sandboxing
This report shows the users that have warranted the highest number of sandboxing analyses. It contains private data and therefore the Full access to logs (private data) privilege is required in order to view it.
The refresh button allows refreshing the display of data.