ACTIVITY REPORTS
The Reports module offers static reports based on logs saved on the firewall. These reports belong to several categories: Web, Security, Virus, Spam, Vulnerability, Network, Industrial network, Sandboxing, SD-WAN and web services.
Most reports present the Top 10 most frequently occurring values (e.g., Top 10 most frequently blocked websites), while the remaining values are grouped under “Others”. SD-WAN reports are based on metrics and operational statuses obtained when monitoring routers and their gateways.
NOTE
Reports from each category are displayed only if they were enabled in the Configuration module > Logs - Syslog - IPFIX > Report configuration. If no reports are enabled in the configuration, the Reports module will not appear.
Private data
For the purpose of compliance with the European GDPR (General Data Protection Regulation), personal data (user name, source IP address, source name, source MAC address) is no longer displayed in logs and reports and has been replaced with the term "Anonymized".
To view such data, the administrator must enable the "Logs: full access" privilege by clicking on "Logs: limited access" (upper banner of the web administration interface), then entering an authorization code obtained from the administrator's supervisor (see the section Administrators > Ticket management). This code is valid for a limited period defined at the moment of its creation.
To release this privilege, the administrator must click on "Logs: full access" in the upper banner of the web administration interface, then click on "Release" in the dialog box that appears.
After a privilege is obtained or released, data must be refreshed.
Please note that every time a "Logs: full access" privilege is obtained or released, it will generate an entry in logs.
For SN160(W), SN-XS-Series-170, SN210(W), SN-S-Series-220, SN310, SN-S-Series-320, SNi10 and SNi20 models, you can benefit from full functionality by using an external storage medium such as:
- SD card for SN160(W), SN210(W), SN310 and SNi20 models,
- MicroSD card for SN-XS-Series-170, SN-S-Series-220, SN-S-Series-320 and SNi10 models.
The characteristics of these media are specified in the LOGS - AUDIT LOGS section of this guide.
Collaborative security
For more collaborative security, based on vulnerability reports generated by Vulnerability Manager, it is now possible in just one click to increase the level of protection on a host that has been identified as vulnerable. Therefore, when critical vulnerabilities are detected, a new option will allow you to add affected hosts to a pre-set group and assign a strengthened protection profile or specific filter rules to them (quarantine zones, restricted access, etc.).
For further information, please refer to the Technical Note Collaborative security.
Possible actions on reports
Time scale |
Changes the time scale in the report. Several choices are possible: last hour, views by day, last 7 days and last 30 days. Note:
|
Data refresh | Refreshes displayed data. |
Display the |
This field can only be accessed if the selected time scale is Views by day. Select the desired date from the calendar. |
Print the report | Opens the print preview window for the report. A comment field can be added to the report that has been formatted for printing. The Print button sends the file to the browser’s print module, which allows you to choose whether to print the file or generate a PDF file. |
Download the data in CSV format | Allows data to be downloaded in CSV format. |
Display the horizontal histogram | Displays data in the form of a horizontal bar graph. |
Display the vertical histogram | Displays data in the form of a vertical bar graph. |
Display the pie chart | Displays data in the form of a pie chart. |
Show/hide legend | Shows or hides the report’s legend. The legend consists of:
Depending on the report, additional information or interactive features can be added to the legend (e.g., action of an alarm). |
Left-clicking on a value in a report opens a menu offering several interactive features. These may include, for example, providing additional information on the value, modifying a parameter of the configuration profile or launching a search in the firewall's logs. Some interactive features are available only for certain values in certain reports.
Available reports
Web
The activity analyzed in the Web category is the combined activity for all queried sites, meaning those belonging to the company’s internal networks or those hosted on the internet. These reports relate to HTTP and HTTPS traffic.
For reports relating to Sites, possible interactions with the elements and the legend are querying a URL’s category and accessing the URL directly. For the Top Web searches report, the interaction makes it possible to relaunch the search via Google.
Visited Web sites |
Top most visited web sites. These values are evaluated by the number of hits sent to the HTTP server, for the download of files needed for displaying web pages. |
Visited Web domains |
Top most visited web domains. This is the previous report aggregated by web domain: the websites queried are grouped under their domain, so that a domain's activity is not divided among its individual sites. |
Web category consulted |
Top most consulted web categories. For this report, the URL filtering module has to be enabled. Keep in mind that the sites queried include those belonging to the internal network (category Private IP Addresses). |
Web sites volume |
Top web sites by exchanged volume. This report is based on the volumes of data exchanged, both sent and received. |
Web domains volume |
Top web domains by exchanged volume. This is the previous report aggregated by web domain: the websites queried are grouped under their domain, so that a domain's activity is not divided among its individual sites. |
Web category volume |
Top web categories by exchanged volume. Traffic is scanned against rules on which a URL filter has been applied (Security inspection). It relates to volumes of data exchanged, both sent and received. |
Users volume |
Top users by volume exchanged. Authentication must be configured (refer to the section on Authentication in this Guide). It relates to volumes of data exchanged, both sent and received. This report contains sensitive data and therefore the Full access to logs (sensitive data) privilege is required in order to view it. |
Blocked Web sites |
Top most blocked websites. This report relates to sites that have been blocked by the ASQ engine or by URL filtering if it has been enabled (Security inspection). |
Blocked Web domains |
Top most blocked web domains. This is the previous report aggregated by web domain: the websites queried are grouped under their domain, so that a domain's activity is not divided among its individual sites. |
Blocked Web categories |
Top most blocked web categories. The URL filtering inspection is required in order to obtain these categories. This report relates to sites that have been blocked by the ASQ engine or by URL filtering if it has been enabled (Security inspection). |
Web searches |
Top web searches. These values relate to requests sent to the search engines Google, Bing and Yahoo. This report contains sensitive data and therefore the Full access to logs (sensitive data) privilege is required in order to view it. |
Security
Alarm reports are based on the alarms in the Configuration module > Application protection > Applications and protections and system events in the Configuration module > Notifications > System events.
For reports relating to alarms, you can modify the action, change the alert level and access help for the selected alarm. These changes can be made to the profile concerned with the traffic that generated the alarm.
Alarms |
Top most frequent alarms. This report displays the alarms that are most frequently raised when the firewall analyzes traffic. |
Alarms per host |
Top hosts generating alarms. Hosts that generate the most alarms are identified by their DNS names (fqdn) or IP addresses if they do not have DNS names. This report contains sensitive data and therefore the Full access to logs (sensitive data) privilege is required in order to view it. |
Sessions of Administrators |
This report lists the largest number of sessions on the firewall’s administration interface, regardless of privileges. This number of sessions is counted in relation to the login of the Administrator account and in relation to the IP address of the connected host. As such, the same IP address may be listed several times if different accounts have been used to log on to the firewall from the same host. |
Alarms by country |
Top countries generating alarms. This report sets out the countries that generate the greatest number of alarms, regardless of whether they are the source or destination of network traffic. |
Host reputation |
Top hosts showing highest reputation scores. This report sets out the hosts on the internal network that have the highest reputation scores, regardless of whether they are the source or destination of network traffic. This report requires the activation of host reputation management. It contains personal data, so the Full access to logs (sensitive data) privilege is required in order to view it. |
Detection rate by analytics engine (Sandboxing, Antivirus, AntiSpam) |
This report shows the distribution of file analyses, between sandboxing, antivirus and antispam scans. |
Virus
The Antivirus inspection is required for these analyses.
Web virus |
Top web viruses. This report lists the viruses detected on web traffic (HTTP and HTTPS if the SSL inspection has been enabled). An interactive feature on the graph makes it possible to go to a description of the virus online (http://www.securelist.com). |
Email virus |
Top mail viruses. This report lists the viruses detected on mail traffic (POP3, SMTP, POP3S and SMTPS if the SSL inspection has been enabled). An interactive feature makes it possible to go to a description of the virus online (http://www.securelist.com). |
Senders of email viruses |
Top senders of e-mail viruses. Viruses via e-mail detected in the mail traffic of internal networks (SMTP and SMTPS if the SSL inspection has been enabled) are listed by sender. Senders are identified by their authenticated user logins. Authentication must therefore be configured (refer to the section on Authentication in this Guide). This report contains sensitive data and therefore the Full access to logs (sensitive data) privilege is required in order to view it. |
Spam
The Antispam module has to be enabled. This data is counted by recipient of spam received, by analyzing SMTP, POP3, SMTPS and POP3S traffic if the SSL scan has been enabled.
Spammed users |
Top most spammed users. This report counts spam regardless of the level of trust (level 1-Low, 2-Medium and 3-High). The user is identified by the user name of his e-mail address (without the “@” character and the domain name). It contains personal data, so the Full access to logs (sensitive data) privilege is required in order to view it. |
Spam ratio |
Ratio of spam e-mails received. Of all e-mails received and analyzed by the Antispam module, three percentages are returned: the proportion of spam, regardless of the level of trust (level 1-Low, 2-Medium and 3-High), the proportion of e-mails for which the scan failed, and the proportion of e-mails that are not considered spam. |
Vulnerability
Vulnerabilities can be listed by host. The Vulnerability management module has to be enabled.
By default, these reports concern vulnerabilities that have been detected on internal networks, as the object network_internals is defined by default in the list of network elements being monitored. The analysis therefore covers hosts belonging to internal networks, identified by a DNS name (fqdn) or the IP address if there is no DNS name. Note that a vulnerability reported at a given moment may have been resolved by the time it is read in the report.
For more information on profiles and attack families, refer to Vulnerability management.
Vulnerable hosts |
Top most vulnerable hosts. This report shows the list of the most vulnerable hosts in the network with regard to the number of vulnerabilities detected without taking into account their severity. This report contains sensitive data and therefore the Full access to logs (sensitive data) privilege is required in order to view it. |
Client vulnerabilities |
Top Client vulnerabilities. This report shows all vulnerabilities detected with a Client target, with a level of severity of either “3” (High) or “4” (Critical). These include vulnerabilities that have both Client and Server targets. |
Server vulnerabilities |
Top Server vulnerabilities. This report shows all vulnerabilities detected with a Server target, with a level of severity of either “2” (Moderate), “3” (High) or “4” (Critical). These include vulnerabilities that have both Client and Server targets. |
Vulnerable applications |
Top most vulnerable applications. This report shows the top 10 most detected vulnerabilities on the network by product regardless of severity. |
Network
The activity analyzed in the Network category relates to all traffic passing through the firewall, meaning all protocols. Volumes are calculated on data exchanged, both sent and received.
Hosts per volume |
Top hosts by volume exchanged. This data volume concerns all hosts, whether they belong to internal or external networks. This report contains sensitive data and therefore the Full access to logs (sensitive data) privilege is required in order to view it. |
Protocols per volume |
Top protocols by volume exchanged. This report sets out the protocols used most often on all data volumes exchanged by all hosts, whether they belong to internal or external networks. |
Users volume |
Top users by volume exchanged. The data volume concerns authenticated users. Authentication must be configured (refer to the section on Authentication in this Guide). This report contains sensitive data and therefore the Full access to logs (sensitive data) privilege is required in order to view it. |
Protocols per connection |
Top most used protocols by connection. The protocols concern only the protocols from the Application layer of the OSI model. This report sets out the protocols used most often on all connections during the specified period. |
Source countries |
Top countries identified as network traffic source. This report sets out the countries most frequently identified as the source of network traffic going through the firewall. |
Destination countries |
Top countries identified as network traffic destination. This report sets out the countries most frequently identified as the destination of network traffic going through the firewall. |
Client applications detected |
Top most frequently detected client applications. This report sets out the applications on the client side most frequently detected by the intrusion prevention engine during the specified period. |
Server applications detected |
Top most frequently detected server applications. This report sets out the applications on the server side most frequently detected by the intrusion prevention engine during the specified period. |
Client applications per exchanged volume |
Top client applications by volume exchanged. This report sets out the client applications used most often on all volumes exchanged by all hosts during the specified period. |
Server applications per exchanged volume |
Top server applications by volume exchanged. This report sets out the server applications used most often on all volumes exchanged by all hosts during the specified period. |
Industrial network
Activity analyzed in the Industrial network category covers all traffic from industrial protocols passing through the firewall. Volumes are calculated on data exchanged, both sent and received.
MODBUS servers per volume |
Top Modbus servers by exchanged volume. This report sets out the most frequently used servers over all volumes exchanged for the industrial protocol MODBUS. |
UMAS servers per volume |
Top UMAS servers by exchanged volume. This report sets out the most frequently used servers over all volumes exchanged for the industrial protocol UMAS. |
S7 servers per volume |
Top S7 servers by exchanged volume. This report sets out the most frequently used servers over all volumes exchanged for the industrial protocol S7. |
OPC UA servers per volume |
Top OPC UA servers by exchanged volume. This report sets out the most frequently used servers over all volumes exchanged for the industrial protocol OPC UA. |
EtherNet/IP servers per volume |
Top EtherNet/IP servers per exchanged volume. This report sets out the most frequently used servers over all volumes exchanged for the industrial protocol EtherNet/IP. |
IEC 60870-5-104 servers per volume |
Top IEC 60870-5-104 servers per exchanged volume. This report sets out the most frequently used servers over all volumes exchanged for the industrial protocol IEC 60870-5-104. |
Sandboxing
The Sandboxing option must be enabled. Data is taken into account by analyzing HTTP, SMTP, POP3 and FTP traffic, as well as HTTPS, SMTPS and POP3S traffic if SSL analysis has been enabled.
Malicious files detected |
Top malicious files detected after sandboxing. This report sets out the malicious files most frequently detected by sandboxing. |
Malicious files blocked |
Top malicious files detected and blocked by sandboxing request. This report sets out the malicious files most frequently blocked by sandboxing. |
Most frequently analyzed file types |
Top most frequently analyzed file types. This report sets out the types of files most frequently submitted for sandboxing. |
Hosts that have submitted the most files for sandboxing |
Top hosts that have submitted files for sandboxing. This report shows the hosts on the network that have warranted the highest number of sandboxing analyses. It contains personal data, so the Full access to logs (sensitive data) privilege is required in order to view it. |
Protocols that use sandboxing the most frequently |
Top protocols that use sandboxing. This report shows the network protocols (HTTP, SSL, SMTP, FTP) that have warranted the highest number of sandboxing analyses. |
Users who have submitted the most files for sandboxing |
Top users who have submitted files for sandboxing. This report shows the users that have warranted the highest number of sandboxing analyses. It contains personal data, so the Full access to logs (sensitive data) privilege is required in order to view it. |
SD-WAN
Activity analyzed in the SD-WAN category includes metrics and operational statuses obtained when monitoring routers and their gateways, regardless of whether they are used in the configuration of the firewall (router objects, default gateway, routers configured in filter rules and return routes).
Latency |
Routers and gateways with the highest latency. This report shows the gateways of router objects with the highest latency (in ms). Unreachable routers and gateways do not appear in this report. |
Jitter |
Routers and gateways with the highest jitter. This report shows the gateways of router objects with the highest jitter (in ms). Unreachable routers and gateways do not appear in this report. |
Packet loss |
Routers and gateways with the highest packet loss rate. This report shows the gateways of router objects with the highest packet loss rate. |
Unavailability |
Routers and gateways with the highest unavailability rate. This report shows the gateways of router objects with the highest unavailability rate. |
Functional status |
Routers and gateways with the highest functional status. This report shows the gateways of router objects with the highest functional status rate. |
Unreachable status |
Routers and gateways with the highest unreachable status. This report shows the gateways of router objects with the highest unreachable status rate. |
Degraded status |
Routers and gateways with the highest degraded status. This report shows the gateways of router objects with the highest degraded status rate. |
Web services
The activity analyzed in the Web service category focuses on traffic relating to mainstream web services defined in the configuration of the firewall as well as custom web services.
Web services by exchanged volume |
Top web services by exchanged volume. This report presents the web services found in the firewall’s configuration and which account for the highest traffic in terms of data volume. |
Web services by number of connections |
Top web services by number of connections. This report presents the web services found in the firewall’s configuration and which account for the highest number of connections recorded. |