Hosts

"Real time" tab

This screen consists of 2 views:

  • A view listing the hosts
  • A view listing Connections, Vulnerabilities, Applications, Services, Information and Reputation history relating to the selected host.

"Hosts" view

This view shows all hosts detected by the firewall. Every row represents a host.

The "Hosts" view displays the following data:

Name

Name of the sending host (if declared in objects) or IP address of the host (if not declared).

IP address

IP address of the host.

MAC Address

MAC address of the host.

Interface

Interface to which the user belongs.

Reputation

Host's reputation score.
This column will only contain data when host reputation management has been enabled and the selected host is a monitored host.

Packets

Number of packets exchanged by the selected host.

Bytes in

Number of bytes that have passed through the firewall from the sending host ever since the firewall started running.

Bytes out

Number of bytes that have passed through the firewall towards the sending host ever since the firewall started running.

Incoming throughput

Actual throughput of traffic sent by the source host and passing through the firewall.

Outgoing throughput

Actual throughput of traffic sent to the destination host and passing through the firewall.

Protected

Indicates whether the interface on which the host was detected is a protected interface.

Continent

If the See all hosts (show hosts behind unprotected interfaces) checkbox has been selected in the filter, the source continent of the external host will be displayed.

Country

If the See all hosts (show hosts behind unprotected interfaces) checkbox has been selected in the filter, the source country of the external host will be displayed.

Reputation category

Indicates the external host's reputation category if it has been classified.

EXAMPLE
Spam, phishing, etc.

Right-click menu

Right-clicking on the name or IP address of a host opens the following pop-up menus:

  • Search for this value in logs,
  • Check usage of this host,
  • Show host details,
  • Reset this object's reputation score,
  • Blacklist this object (for 1 minute, 5 minutes, 30 minutes or 3 hours),
  • Add the host to the objects base and/or add it to a group.

Possible actions

Several search criteria can be combined. Since the search criteria are cumulative, a row is displayed only if it meets all of them.

This combination of search criteria can then be saved as a “filter”. Filters will then be saved in memory and can be reset in the Preferences module of the administration interface.

(Filter drop-down menu)

Select a filter to launch the corresponding search. The list suggests filters that have been saved previously and, for certain views, predefined filters. Selecting the entry (New filter) allows the filter to be reinitialized by selecting the criteria selection.

Filter

Click on this button to:
  • Select filter criteria (Search criterion). For the "hosts" view, the criteria are the following:
      • By address range or by IP address
      • By interface
      • If the reputation score is higher than the value specified with the cursor.
      • If the See all hosts (show hosts behind unprotected interfaces) checkbox has been selected, all hosts detected will be displayed in the table.
  • Save as a customized filter the criteria defined in the Filter panel described in the next section (Save current filter). You can save a new filter using the button "Save as" based on an existing filter or a predefined filter offered in certain Views. Once a filter has been saved, it will be automatically offered in the list of filters.
  • Delete current filter.

Reset

This button cancels the action of the filter currently in use. If it is a saved customized filter, this action will not delete the filter.

Refresh

This button refreshes data shown on the screen.

Export results

This button makes it possible to download a file in CSV format containing information from the table. Once a filter is applied, all results matching this filter will be exported.

Reset columns

This button makes it possible to reinitialize column width and display only columns suggested by default the first time the host monitoring window is opened.

"FILTER ON" panel

You can add a criterion by dragging and dropping the value from the results field into the panel.

"Connections" view

This view shows all connections detected by the firewall. Every row represents a connection. The "Connections" view displays the following data:

Date

Indicates the date and time of the object's connection.

Connection

Connection ID

Parent connection

Certain protocols may generate "child" connections (e.g. FTP) and in this case, this column will list the parent connection ID.

Protocol

Communication protocol used for the connection.

User

User logged on to the host (if any).

Source

IP address of the host at the source of the connection

Source name

Name of the object (if any) corresponding to the source host.

Source MAC address

MAC address of the object at the source of the connection

Source port

Number of the source port used for the connection

Source Port Name

Name of the object corresponding to the source port

Destination

IP address of the host to which the connection was set up.

Destination Name

Name of the object (if any) to which the connection was set up.

Destination Port

Number of the destination port used for the connection

Dest. Port Name

Name of the object corresponding to the destination port

Source interf.

Name of the interface on the firewall on which the connection was set up.

Dest. interf.

Name of the destination interface used by the connection on the firewall.

Average throughput

Average value of bandwidth used by the selected connection.

Sent

Number of bytes sent during the connection.

Received

Number of bytes received during the connection.

Duration

Connection time.

Last used

Time elapsed since the last packet exchange for this connection.

Router

ID assigned by the firewall to the router used by the connection

Router name

Name of the router saved in the objects database and used by the connection

Rule type

Indicates whether it is a local, global or implicit rule.

Rule

ID name of the rule that allowed the connection

Status

This parameter indicates the status of the configuration corresponding, for example, to its initiation, establishment or closure.

Queue name

Name of the QoS queue used by the connection.

Rule name

If a name has been given to the filter rule through which the connection passes, this name will appear in the column.

IPS profile

Displays the number of the inspection profile called up by the rule that filtered the connection.

Geolocation

Displays the flag corresponding to the destination country.

Reputation category

Indicates the external host's reputation category if it has been classified.

EXAMPLE
Spam, phishing, etc.

Argument

Additional information for certain protocols (e.g.: HTTP).

Operation

Additional information for certain protocols (e.g.: HTTP).

Right-click menu

Right-clicking on a line in this view will open the following pop-up menu:

  • Go to the corresponding security rule

Possible actions

Several search criteria can be combined. Since the search criteria are cumulative, a row is displayed only if it meets all of them.

This combination of search criteria can then be saved as a “filter”. Filters will then be saved in memory and can be reset in the Preferences module of the administration interface.

(Filter drop-down menu)

Select a filter to launch the corresponding search. The list suggests filters that have been saved previously and, for certain views, predefined filters. Selecting the entry (New filter) allows the filter to be reinitialized by selecting the criteria selection.

Filter

Click on this button to:
  • Select filter criteria (Search criterion). For the "connections" view, the criteria are the following:
      • By address range or IP address (grayed out if a host has been selected in the "hosts" view).
      • By interface
      • By source interface
      • By destination interface
      • By destination port
      • By protocol
      • By user
      • For a value of exchanged data higher than the value specified with the cursor.
      • According to the last use of the connection (only saved connections with a last used value lower than the specified value will be displayed).
      • By filter rule name
      • By IPS profile.
      • By geographic source or destination.
      • If the See all connections (closed or reinitialized connections, etc.) checkbox has been selected, all connections will be displayed in the table, regardless of their status.
  • Save as a customized filter the criteria defined in the Filter panel described in the next section (Save current filter). You can save a new filter using the button "Save as" based on an existing filter or a predefined filter offered in certain Views. Once a filter has been saved, it will be automatically offered in the list of filters.
  • Delete current filter.

Reset

This button cancels the action of the filter currently in use. If it is a saved customized filter, this action will not delete the filter.

Refresh

This button refreshes data shown on the screen.

Export results

This button makes it possible to download a file in CSV format containing information from the table. Once a filter is applied, all results matching this filter will be exported.

Reset columns

This button makes it possible to display only columns suggested by default when the host monitoring window is opened.

"FILTER ON" panel

You can add a criterion by dragging and dropping the value from the results field into the panel.

"Vulnerabilities" view

For a selected host, this tab will describe the vulnerabilities detected. Each vulnerability can then later be viewed in detail. Scrolling over a vulnerability will display a link to a page providing a description of the vulnerability.

The "Vulnerabilities" view displays the following data:

Identifier

Vulnerability ID

Name

Indicates the name of the vulnerability.

Family

Number of hosts affected.

Severity

Indicates the severity level of the vulnerability. There are 4 levels of severity: "Low", "Moderate", "High", "Critical".

Exploit

Access may be local or remote (via the network). It allows exploiting the vulnerability.

Workaround

Indicates whether a workaround exists.

Level

The alarm level associated with the discovery of this vulnerability.

Port

The network port on which the host is vulnerable (e.g. 80 for a vulnerable web server).

Service

Indicates the name of the vulnerable program (e.g.: lighthttpd_1.4.28)

Assigned

Indicates the date on which the vulnerability was detected on the host

Details

Additional information about the vulnerability.

Right-click menu

Right-clicking on the name of the vulnerability opens the following pop-up menus:

  • Search for this value in logs,
  • Add the host to the objects base and/or add it to a group.

"Application" view

For a selected host, this tab will describe the applications detected.

The "Application" view displays the following data:

Product name

Name of the application.

Family

Application family (e.g. Web client).

Details

Full name of the application including its version number.

Right-click menu

Right-clicking on the name of the product opens the following pop-up menus:

  • Search for this value in logs,
  • Add the host to the objects base and/or add it to a group.

"Services" view

For a selected host, this tab will describe the services detected.

The "Services" view displays the following data:

Port

Indicates the port and protocol used by the service (e.g. 80/tcp).

Service name

Indicates the name of the service (e.g.: lighthttpd)

Service

Indicates the name of the service including its version number (e.g. lighthttpd_1.4.28).

Details

Additional information about the service detected.

Family

Service family (e.g. Web server).

"Information" view

This tab provides information relating to a given host.

The "Information" view displays the following data:

ID

Unique identifier of the software program or operating system detected.

Name

Name of the software program or operating system detected.

Family

Family to which the detected software belongs (e.g. Operating System).

Level

The alarm level associated with the discovery of this program.

Assigned

Date and time the program or operating system was detected.

Details

Name and version of the software program or operating system detected (e.g. Microsoft_Windows_Seven_SP1).

Right-click menu

Right-clicking on the name opens the following pop-up menus:

  • Search for this value in logs,
  • Add the host to the objects base and/or add it to a group.

"Reputation history" view

This view shows in the form of graphs how the reputation of the selected host has evolved and the impact of the various criteria involved in the calculation of this score (alarms, sandboxing results and antivirus analysis).

Possible operations

Time scale

This field allows selecting the time scale: last hour, views by day, last 7 days and last 30 days.
  • The last hour is calculated from the minute before the current minute.
  • The view by day covers the whole day, except for the current day in which data run up to the previous minute.
  • The last 7 and 30 days refer to the period that has ended the day before at midnight.

The button allows the displayed data to be refreshed.

Display the

In the case of a view by day, this field offers a calendar allowing you to select the date.

Interactive features

Left-clicking on an indicator listed in the legend allows hiding/showing the corresponding data on the graph.

Scrolling over a curve with a mouse will display the value of the indicator and corresponding time in a tooltip.

“History” tab

This view shows in the form of graphs how the reputation of the selected host has evolved (average reputation and maximum reputation).

Possible operations

Time scale

This field allows selecting the time scale: last hour, views by day, last 7 days and last 30 days.
  • The last hour is calculated from the minute before the current minute.
  • The view by day covers the whole day, except for the current day in which data run up to the previous minute.
  • The last 7 and 30 days refer to the period that has ended the day before at midnight.

The button allows the displayed data to be refreshed.

Display the

In the case of a view by day, this field offers a calendar allowing you to select the date.

Print

This button makes it possible to display the curve in fullscreen mode in order to print it (Print button).

Interactive features

Left-clicking on an indicator listed in the legend allows hiding/showing the corresponding data on the graph.

Scrolling over a curve with a mouse will display the value of the indicator and corresponding time in a tooltip.