Users

"Real time" tab

This screen consists of 2 views:

  • A view listing the users authenticated on the firewall.
  • A view listing Connections, Vulnerabilities, Applications, Services and information regarding the selected user.

"Users" view

This view shows all the users authenticated on the firewall. Every row represents a user.

The "Users" view displays the following data:

Name: User name.
IP address: IP address of the host to which the user has logged on.
Directory: Name of the LDAP directory used for authenticating the user.
Group: List of groups to which the user belongs.
Expiry date: Remaining authentication time for the user's session.
Auth. method: Method used for authenticating the user (e.g. SSL).
One-time password: A green check means that the user used a TOTP.
Multi-user: Indicates whether the host to which the user has logged on is a multi-user host (e.g. a TSE server).
Administrator: Specifies whether the user has administration privileges on the firewall.
Sponsor: Whenever the user logs on via the Sponsorship method, this column will indicate the name of the person who had validated the connection request.
SSL VPN Portal: A green check in this checkbox means that the user is allowed to log on to the SSL VPN portal in order to access web servers.
SSL VPN Portal (Java applet): A green check in this checkbox means that the user is allowed to log on to the SSL VPN portal in order to access application servers via a Java applet.
SSL VPN: A green check in this checkbox means that the user is allowed to set up SSL VPN tunnels using the SN SSL VPN Client.
IPsec VPN: A green check in this checkbox means that the user is allowed to set up one or several IPsec VPN tunnels.

Right-click menu

Right-clicking on the name of the user opens the following pop-up menus:

  • Search for this value in logs,
  • Log off this user,
  • Show host details

Possible actions

Several search criteria can be combined. The search criteria are cumulative: a row is displayed only if it meets all of them.

This combination of search criteria can then be saved as a “filter”. Filters will then be saved in memory and can be reset in the Preferences module of the administration interface.

(Filter drop-down menu): Select a filter to launch the corresponding search. The list suggests filters that have been saved previously and, for certain views, predefined filters. Selecting the (New filter) entry reinitializes the filter and its criteria selection.
Filter: Click on this button to:
  • Select filter criteria (Search criterion). For the "users" view, the criteria are the following:
      • By address range or IP address (grayed out if a user has been selected in the "users" view).
      • By directory (allows refining the filter when several LDAP directories have been defined on the firewall).
      • By authentication method.
      • By one-time password, by selecting TOTP code used or No TOTP code used.
  • Save as a customized filter the criteria defined in the Filter panel described in the next section (Save current filter). You can save a new filter using the button "Save as" based on an existing filter or a predefined filter offered in certain Views. Once a filter has been saved, it will be automatically offered in the list of filters.
  • Delete current filter.
Reset: This button cancels the action of the filter currently in use. If it is a saved customized filter, this action will not delete the filter.
Refresh: This button refreshes data shown on the screen.
Export results: This button makes it possible to download a CSV file containing information from the table. Once a filter is applied, all results matching this filter will be exported.
Configure authentication: This link makes it possible to go directly to the authentication parameters (Configuration > Users > Authentication module).
Reset columns: This button makes it possible to reinitialize column width and display only columns suggested by default the first time the host monitoring window is opened.

"FILTER" panel

You can add a criterion by dragging and dropping the value from the results field into the panel.
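
The cumulative filter logic described above can also be applied offline to a file obtained with Export results, for example to list administrator sessions that were opened without a TOTP code. The script below is an added example, not part of the product or of the original documentation. It assumes that the CSV headers match the column titles of the "Users" view and that a green check is exported as 1; the function names and the sample rows are constructed for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample export. Header names mirror the column titles of the
# "Users" view; the real header text and the encoding of a green check
# ("1"/"0" here) are assumptions to adapt to an actual export.
SAMPLE_EXPORT = """\
Name,IP address,Directory,Auth. method,One-time password,Administrator
alice,192.0.2.10,corp.example,SSL,1,1
bob,192.0.2.11,corp.example,SSL,0,1
carol,192.0.2.12,partners.example,SSL,0,0
dave,192.0.2.13,corp.example,LDAP,0,1
"""

def load_users(text):
    """Parse exported CSV text into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))

def apply_filter(rows, exact=None, network=None):
    """Keep only rows that meet ALL criteria (cumulative filter).

    exact:   {column title: required value}, e.g. {"Auth. method": "SSL"}
    network: optional address range in CIDR form, matched on "IP address"
    """
    net = ipaddress.ip_network(network) if network else None
    kept = []
    for row in rows:
        if any(row.get(col) != want for col, want in (exact or {}).items()):
            continue
        if net and ipaddress.ip_address(row["IP address"]) not in net:
            continue
        kept.append(row)
    return kept

def admins_without_totp(rows, directory=None, network=None):
    """Administrator sessions authenticated without a TOTP code."""
    exact = {"Administrator": "1", "One-time password": "0"}
    if directory is not None:
        exact["Directory"] = directory
    return apply_filter(rows, exact=exact, network=network)

if __name__ == "__main__":
    for row in admins_without_totp(load_users(SAMPLE_EXPORT)):
        print(f'{row["Name"]} at {row["IP address"]} ({row["Auth. method"]})')
```

Passing a directory or an address range narrows the result further, in the same way as adding a criterion to the Filter panel.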

"Connections" view

This view shows all connections detected by the firewall for a selected user. Every row represents a connection. The "Connections" view displays the following data:

Date: Indicates the date and time of the object's connection.
Connection: Connection ID.
Parent connection: Some protocols may generate "child" connections (e.g. FTP) and in this case, this column will list the parent connection ID.
Protocol: Communication protocol used for the connection.
User: User logged on to the host (if any).
Source: IP address of the host at the source of the connection.
Source name: Name of the object (if any) corresponding to the source host.
Source MAC address: MAC address of the object at the source of the connection.
Source port: Number of the source port used for the connection.
Source Port Name: Name of the object corresponding to the source port.
Destination: IP address of the host to which the connection was set up.
Destination Name: Name of the object (if any) to which the connection was set up.
Destination Port: Number of the destination port used for the connection.
Dest. Port Name: Name of the object corresponding to the destination port.
Source interf.: Name of the interface on the firewall on which the connection was set up.
Dest. interf.: Name of the destination interface used by the connection on the firewall.
Average throughput: Average value of bandwidth used by the selected connection.
Sent: Number of bytes sent during the connection.
Received: Number of bytes received during the connection.
Duration: Connection time.
Last used: Time elapsed since the last packet exchange for this connection.
Router: ID assigned by the firewall to the router used by the connection.
Router name: Name of the router saved in the objects database used by the connection.
Rule type: Indicates whether it is a local, global or implicit rule.
Rule: ID name of the rule that allowed the connection.
Status: This parameter indicates the status of the configuration corresponding, for example, to its initiation, establishment or closure.
Queue name: Name of the QoS queue used by the connection.
Rule name: If a name has been given to the filter rule through which the connection passes, this name will appear in the column.
IPS profile: Displays the number of the inspection profile called up by the rule that filtered the connection.
Geolocation: Displays the flag corresponding to the destination country.
Reputation category: Indicates the external host's reputation category if it has been classified. Example: Spam, phishing, etc.
Argument: Additional information for certain protocols (e.g.: HTTP).
Operation: Additional information for certain protocols (e.g.: HTTP).

Right-click menu

Right-clicking on the name of the source or destination host opens the following pop-up menus:

  • Go to the corresponding security rule

Possible actions

Several search criteria can be combined. The search criteria are cumulative: a row is displayed only if it meets all of them.

This combination of search criteria can then be saved as a “filter”. Filters will then be saved in memory and can be reset in the Preferences module of the administration interface.

(Filter drop-down menu): Select a filter to launch the corresponding search. The list suggests filters that have been saved previously and, for certain views, predefined filters. Selecting the (New filter) entry reinitializes the filter and its criteria selection.
Filter: Click on this button to:
  • Select filter criteria (Search criterion). For the "connections" view, the criteria are the following:
      • By address range or by IP address.
      • By interface.
      • By source interface.
      • By destination interface.
      • By destination port.
      • By protocol.
      • By user (grayed out if a host has been selected in the "hosts" view).
      • For a value of exchanged data higher than the value specified with the cursor.
      • According to the last use of the connection (only saved connections with a last used value lower than the specified value will be displayed).
      • By rule name.
      • By IPS profile.
      • By geographic source or destination.
      • If the See all connections (closed or reinitialized connections, etc.) checkbox has been selected, all connections will be displayed in the table, regardless of their status.
  • Save as a customized filter the criteria defined in the Filter panel described in the next section (Save current filter). You can save a new filter using the button "Save as" based on an existing filter or a predefined filter offered in certain Views. Once a filter has been saved, it will be automatically offered in the list of filters.
  • Delete current filter.
Reset: This button cancels the action of the filter currently in use. If it is a saved customized filter, this action will not delete the filter.
Refresh: This button refreshes data shown on the screen.
Export results: This button makes it possible to download a CSV file containing information from the table. Once a filter is applied, all results matching this filter will be exported.
Reset columns: This button makes it possible to display only columns suggested by default when the host monitoring window is opened.

"FILTER ON" panel

You can add a criterion by dragging and dropping the value from the results field into the panel.

"Vulnerabilities" view

This tab describes the vulnerabilities detected on the host on which the selected user is connected.

The "Vulnerabilities" view displays the following data:

ID: Vulnerability ID.
Name: Indicates the name of the vulnerability.
Family: Number of hosts affected.
Severity: Indicates the level of severity on the host(s) affected by the vulnerability. There are 4 levels of severity: "Low", "Moderate", "High", "Critical".
Exploit: Access may be local or remote (via the network). It allows exploiting the vulnerability.
Solution: Indicates whether a workaround exists.
Level: The alarm level associated with the discovery of this vulnerability.
Port: The network port on which the host is vulnerable (e.g. 80 for a vulnerable web server).
Service: Indicates the name of the vulnerable program (e.g.: lighttpd_1.4.28).
Assigned: Indicates the date on which the vulnerability was detected on the host.
Details: Additional information about the vulnerability.

Right-click menu

Right-clicking on the name of the vulnerability opens the following pop-up menus:

  • Search for this value in logs,
  • Add the host to the objects base and/or add it to a group.

"Application" view

This tab describes the applications detected on the host on which the selected user is connected.

The "Application" view displays the following data:

Product name: Name of the application.
Family: Application family (e.g. Web client).
Details: Full name of the application including its version number.

Right-click menu

Right-clicking on the name of the product opens the following pop-up menus:

  • Search for this value in logs,
  • Add the host to the objects base and/or add it to a group.

"Services" view

This tab describes the services detected on the host on which the selected user is connected.

The "Services" view displays the following data:

Port: Indicates the port and protocol used by the service (e.g. 80/tcp).
Service name: Indicates the name of the service (e.g.: lighttpd).
Service: Indicates the name of the service including its version number (e.g. lighttpd_1.4.28).
Details: Additional information about the service detected.
Family: Service family (e.g. Web server).

"Information" view

This tab describes the information relating to the host on which the selected user is connected.

The "Information" view displays the following data:

ID: Unique identifier of the software program or operating system detected.
Name: Name of the software program or operating system detected.
Family: Family to which the detected software belongs (e.g. Operating System).
Level: The alarm level associated with the discovery of this program.
Assigned: Date and time the program or operating system was detected.
Details: Name and version of the software program or operating system detected (e.g. Microsoft_Windows_Seven_SP1).

Right-click menu

Right-clicking on the name of the product opens the following pop-up menus:

  • Search for this value in logs,
  • Add the host to the objects base and/or add it to a group.

“History” tab

In this tab, you will see history graphs showing the various authentication methods by type:

  • Total,
  • Captive portal,
  • Console,
  • IPsec,
  • SSL VPN,
  • TOTP,
  • Web administration interface.

Possible operations

Time scale

In this field, the time scale can be selected: last hour, views by day, last 7 days and last 30 days.
  • The last hour is calculated from the minute before the current minute.
  • The view by day covers the whole day, except for the current day in which data runs up to the previous minute.
  • The last 7 and 30 days refer to the period that ended the day before at midnight.

The button allows the displayed data to be refreshed.
Display the: In a view by day, this field offers a calendar allowing you to select the date.

Interactive features

  • Clicking on an indicator listed in the legend shows/hides the corresponding data on the graph,
  • When you scroll over a curve, the value of the indicator and corresponding time appear in a tooltip.
  • Clicking on the button to the right of each graph will prepare graph data for printing. Comments can be added before you confirm printing (Print button).