Hosts
"Real time" tab
This screen consists of 2 views:
- A view listing the hosts
- A view listing Connections, Vulnerabilities, Applications, Services, Information and Reputation history relating to the selected host.
"Hosts" view
This view shows all hosts detected by the firewall. Every row represents a host.
The "Hosts" view displays the following data:
Name | Name of the sending host (if declared in objects) or IP address of the host (if not declared). |
IP address | IP address of the host. |
MAC Address | MAC address of the host. |
Interface | Interface to which the user belongs. |
Reputation | Host's reputation score. This column will only contain data when host reputation management has been enabled and the selected host is a monitored host. |
Packets | Number of packets exchanged by the selected host. |
Bytes in | Number of bytes that have passed through the firewall from the sending host ever since the firewall started running. |
Bytes out | Number of bytes that have passed through the firewall towards the sending host ever since the firewall started running. |
Incoming throughput | Actual throughput of traffic sent by the source host and passing through the firewall. |
Outgoing throughput | Actual throughput of traffic sent to the destination host and passing through the firewall. |
Protected | Indicates whether the interface on which the host was detected is a protected interface. |
Continent | If the See all hosts (show hosts behind unprotected interfaces) checkbox has been selected in the filter, the source continent of the external host will be displayed. |
Country | If the See all hosts (show hosts behind unprotected interfaces) checkbox has been selected in the filter, the source country of the external host will be displayed. |
Reputation category | Indicates the external host's reputation category if it has been classified. EXAMPLE |
Right-click menu
Right-clicking on the name or IP address of a host opens the following pop-up menus:
- Search for this value in logs,
- Check usage of this host,
- Show host details,
- Reset this object's reputation score,
- Blacklist this object (for 1 minute, 5 minutes, 30 minutes or 3 hours),
- Add the host to the objects base and/or add it to a group.
Possible actions
Several search criteria can be combined. The criteria are cumulative: a row is displayed only if it meets all of them.
This combination of search criteria can then be saved as a “filter”. Filters will then be saved in memory and can be reset in the Preferences module of the administration interface.
(Filter drop-down menu) | Select a filter to launch the corresponding search. The list will suggest filters that have been saved previously and, for certain views, predefined filters. Selecting the entry (New filter) allows the filter to be reinitialized by selecting the criteria selection. |
Filter | Click on this button to:
|
Reset | This button cancels the action of the filter currently in use. If it is a saved customized filter, this action will not delete the filter. |
Refresh | This button refreshes data shown on the screen. |
Export results | This button makes it possible to download a CSV file containing information from the table. Once a filter is applied, all results matching this filter will be exported. |
Reset columns | This button makes it possible to reinitialize column width and display only columns suggested by default the first time the host monitoring window is opened. |
"FILTER ON" panel
You can add a criterion by dragging and dropping the value from the results field into the panel.
"Connections" view
This view shows all connections detected by the firewall. Every row represents a connection. The "Connections" view displays the following data:
Date | Indicates the date and time of the object's connection. |
Connection | Connection ID |
Parent connection | Certain protocols may generate "child" connections (e.g. FTP) and in this case, this column will list the parent connection ID. |
Protocol | Communication protocol used for the connection. |
User | User logged on to the host (if any). |
Source | IP address of the host at the source of the connection |
Source name | Name of the object (if any) corresponding to the source host. |
Source MAC address | MAC address of the object at the source of the connection |
Source port | Number of the source port used for the connection |
Source Port Name | Name of the object corresponding to the source port |
Destination | IP address of the host to which the connection was set up. |
Destination Name | Name of the object (if any) to which the connection was set up. |
Destination Port | Number of the destination port used for the connection |
Dest. Port Name | Name of the object corresponding to the destination port |
Source interf. | Name of the interface on the firewall on which the connection was set up. |
Dest. interf. | Name of the destination interface used by the connection on the firewall. |
Average throughput | Average value of bandwidth used by the selected connection. |
Sent | Number of bytes sent during the connection. |
Received | Number of bytes received during the connection. |
Duration | Connection time. |
Last used | Time elapsed since the last packet exchange for this connection. |
Router | ID assigned by the firewall to the router used by the connection |
Router name | Name of the router saved in the objects database and used by the connection |
Rule type | Indicates whether it is a local, global or implicit rule. |
Rule | ID name of the rule that allowed the connection |
Status | This parameter indicates the status of the configuration corresponding, for example, to its initiation, establishment or closure. |
Queue name | Name of the QoS queue used by the connection. |
Rule name | If a name has been given to the filter rule through which the connection passes, this name will appear in the column. |
IPS profile | Displays the number of the inspection profile called up by the rule that filtered the connection. |
Geolocation | Displays the flag corresponding to the destination country. |
Reputation category | Indicates the external host's reputation category if it has been classified. EXAMPLE |
Argument | Additional information for certain protocols (e.g.: HTTP). |
Operation | Additional information for certain protocols (e.g.: HTTP). |
Right-click menu
Right-clicking on a line in this view will open the following pop-up menu:
- Go to the corresponding security rule
Possible actions
Several search criteria can be combined. The criteria are cumulative: a row is displayed only if it meets all of them.
This combination of search criteria can then be saved as a “filter”. Filters will then be saved in memory and can be reset in the Preferences module of the administration interface.
(Filter drop-down menu) | Select a filter to launch the corresponding search. The list will suggest filters that have been saved previously and, for certain views, predefined filters. Selecting the entry (New filter) allows the filter to be reinitialized by selecting the criteria selection. |
Filter | Click on this button to:
|
Reset | This button cancels the action of the filter currently in use. If it is a saved customized filter, this action will not delete the filter. |
Refresh | This button refreshes data shown on the screen. |
Export results | This button makes it possible to download a CSV file containing information from the table. Once a filter is applied, all results matching this filter will be exported. |
Reset columns | This button makes it possible to display only columns suggested by default when the host monitoring window is opened. |
"FILTER ON" panel
You can add a criterion by dragging and dropping the value from the results field into the panel.
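
How the cumulative criteria and the "Parent connection" column can be used on an exported table, as an added example that is not part of the product documentation. It assumes the CSV export is comma-separated with headers equal to the column names listed above; the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample standing in for an "Export results" file. Header names and
# the comma delimiter are assumptions; check them against a real export.
SAMPLE_EXPORT = """Connection,Parent connection,Protocol,Source,Destination,Sent,Received
101,,ftp,192.0.2.10,198.51.100.7,420,1310
102,101,ftp,192.0.2.10,198.51.100.7,88,5242880
103,,http,192.0.2.11,198.51.100.9,900,15000
104,101,ftp,192.0.2.10,198.51.100.7,64,1048576
105,,ssh,192.0.2.10,198.51.100.8,7000,6500
"""

def load_rows(text):
    """Parse the export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def apply_filter(rows, criteria):
    """Cumulative filter: keep a row only if it matches every criterion."""
    return [r for r in rows if all(r.get(col) == val for col, val in criteria.items())]

def rollup_by_parent(rows):
    """Total Sent/Received per top-level connection, folding children into their parent."""
    parent_of = {r["Connection"]: r["Parent connection"] for r in rows}
    def root(conn_id):
        seen = set()  # guards against a malformed export with a parent loop
        while parent_of.get(conn_id) and conn_id not in seen:
            seen.add(conn_id)
            conn_id = parent_of[conn_id]
        return conn_id
    totals = defaultdict(lambda: {"Sent": 0, "Received": 0, "children": 0})
    for r in rows:
        top = root(r["Connection"])
        totals[top]["Sent"] += int(r["Sent"])
        totals[top]["Received"] += int(r["Received"])
        if top != r["Connection"]:
            totals[top]["children"] += 1
    return dict(totals)

if __name__ == "__main__":
    rows = load_rows(SAMPLE_EXPORT)
    from_host = apply_filter(rows, {"Source": "192.0.2.10"})
    for conn, t in sorted(rollup_by_parent(from_host).items()):
        print(conn, t)
```

Folding child connections into their parent shows the real volume of a session such as an FTP transfer, which the control connection's own "Sent" and "Received" values understate.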
"Vulnerabilities" view
For a selected host, this tab will describe the vulnerabilities detected. Each vulnerability can then later be viewed in detail. Scrolling over a vulnerability will display a link to a page providing a description of the vulnerability.
The "Vulnerabilities" view displays the following data:
Identifier | Vulnerability ID |
Name | Indicates the name of the vulnerability. |
Family | Number of hosts affected. |
Severity | Indicates the severity level of the vulnerability. There are 4 levels of severity: "Low", "Moderate", "High", "Critical". |
Exploit | Access may be local or remote (via the network). It allows exploiting the vulnerability. |
Workaround | Indicates whether a workaround exists. |
Level | The alarm level associated with the discovery of this vulnerability. |
Port | The network port on which the host is vulnerable (e.g. 80 for a vulnerable web server). |
Service | Indicates the name of the vulnerable program (e.g.: lighttpd_1.4.28) |
Assigned | Indicates the date on which the vulnerability was detected on the host |
Details | Additional information about the vulnerability. |
Right-click menu
Right-clicking on the name of the vulnerability opens the following pop-up menus:
- Search for this value in logs,
- Add the host to the objects base and/or add it to a group.
"Application" view
For a selected host, this tab will describe the applications detected.
The "Application" view displays the following data:
Product name | Name of the application. |
Family | Application family (e.g. Web client). |
Details | Full name of the application including its version number. |
Right-click menu
Right-clicking on the name of the product opens the following pop-up menus:
- Search for this value in logs,
- Add the host to the objects base and/or add it to a group.
"Services" view
For a selected host, this tab will describe the services detected.
The "Services" view displays the following data:
Port | Indicates the port and protocol used by the service (e.g. 80/tcp). |
Service name | Indicates the name of the service (e.g.: lighttpd) |
Service | Indicates the name of the service including its version number (e.g. lighttpd_1.4.28). |
Details | Additional information about the service detected. |
Family | Service family (e.g. Web server). |
"Information" view
This tab provides information relating to a given host.
The "Information" view displays the following data:
ID | Unique identifier of the software program or operating system detected. |
Name | Name of the software program or operating system detected. |
Family | Family to which the detected software belongs (e.g. Operating System). |
Level | The alarm level associated with the discovery of this program. |
Assigned | Date and time the program or operating system was detected. |
Details | Name and version of the software program or operating system detected (e.g. Microsoft_Windows_Seven_SP1). |
Right-click menu
Right-clicking on the name opens the following pop-up menus:
- Search for this value in logs,
- Add the host to the objects base and/or add it to a group.
"Reputation history" view
This view shows in the form of graphs how the reputation of the selected host has evolved and the impact of the various criteria involved in the calculation of this score (alarms, sandboxing results and antivirus analysis).
Possible operations
Time scale | This field allows selecting the time scale: last hour, views by day, last 7 days and last 30 days. The button allows the displayed data to be refreshed. |
Display the | In the case of a view by day, this field offers a calendar allowing you to select the date. |
Interactive features
Left-clicking on an indicator listed in the legend allows hiding/showing the corresponding data on the graph.
Scrolling over a curve with a mouse will display the value of the indicator and corresponding time in a tooltip.
“History” tab
This view shows in the form of graphs how the reputation of the selected host has evolved (average reputation and maximum reputation).
Possible operations
Time scale | This field allows selecting the time scale: last hour, views by day, last 7 days and last 30 days. The button allows the displayed data to be refreshed. |
Display the | In the case of a view by day, this field offers a calendar allowing you to select the date. |
This button makes it possible to display the curve in fullscreen mode in order to print it (Print button). |
Interactive features
Left-clicking on an indicator listed in the legend allows hiding/showing the corresponding data on the graph.
Scrolling over a curve with a mouse will display the value of the indicator and corresponding time in a tooltip.