Assess Network Traffic

Now that you have a basic security policy, you can review the statistics and data in the Application Command Center (ACC), traffic logs, and the threat logs to observe trends on your network. Use this information to identify where you need to create more granular security policy rules.
  • Use the Application Command Center and Use the Automated Correlation Engine.
    In the ACC, review the most used applications and the high-risk applications on your network. The ACC graphically summarizes the log information to highlight the applications traversing the network, who is using them (with User-ID enabled), and the potential security impact of the content to help you identify what is happening on the network in real time. You can then use this information to create appropriate security policy rules that block unwanted applications, while allowing and enabling applications in a secure manner.
    The Compromised Hosts widget in ACC > Threat Activity displays potentially compromised hosts on your network, together with the logs and match evidence that corroborate the events.
  • Determine what updates/modifications are required for your network security policy rules and implement the changes.
    For example:
    • Evaluate whether to allow web content based on schedule, users, or groups.
    • Allow or control certain applications or functions within an application.
    • Decrypt and inspect content.
    • Allow but scan for threats and exploits.
    For information on refining your security policies and for attaching custom security profiles, see how to Create a Security Policy Rule and Security Profiles.
  • View Logs.
    Specifically, view the traffic and threat logs (Monitor > Logs).
    Traffic logs depend on how your security policies are defined and whether each rule is set to log traffic. The Application Usage widget in the ACC, however, records applications and statistics regardless of policy configuration: it shows all traffic that is allowed on your network, so it includes both the inter-zone traffic that is allowed by policy and the same-zone traffic that is allowed implicitly.
  • Configure Log Storage Quotas and Expiration Periods.
    Review the AutoFocus intelligence summary for artifacts in your logs. An artifact is an item, property, activity, or behavior associated with logged events on the firewall. The intelligence summary reveals the number of sessions and samples in which WildFire detected the artifact. Use WildFire verdict information (benign, grayware, malware) and AutoFocus matching tags to look for potential risks in your network.
    AutoFocus tags created by Unit 42, the Palo Alto Networks threat intelligence team, call attention to advanced, targeted campaigns and threats in your network.
    From the AutoFocus intelligence summary, you can start an AutoFocus search for artifacts and assess their pervasiveness within global, industry, and network contexts.
  • Monitor Web Activity of Network Users.
    Review the URL filtering logs to scan through alerts and denied categories/URLs. URL logs are generated when traffic matches a security rule that has a URL filtering profile attached with an action of alert, continue, override, or block.
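The review steps above (application usage including implicitly allowed same-zone traffic, high-risk applications, and URL filtering entries grouped by action) can be rehearsed offline against exported log records. The following is an added example, not PAN-OS code or part of this page: it uses a constructed, simplified CSV field layout (log type, zones, app, risk, action, bytes, URL category) on constructed sample records. Real PAN-OS syslog CSV exports have a different and version-dependent column order, so map the fields from the Syslog Field Descriptions for your release before running anything like this on real exports.

```python
"""Summarize constructed traffic and URL-filtering log records.

Added example, not PAN-OS code. The column layout is a simplified,
constructed one; real PAN-OS CSV exports differ by release.
"""
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample records (not real traffic). Columns, in order:
# log_type, src_zone, dst_zone, app, risk, action, bytes, category
SAMPLE_LOGS = """\
TRAFFIC,trust,untrust,ssl,4,allow,52000,
TRAFFIC,trust,untrust,web-browsing,4,allow,12000,
TRAFFIC,trust,trust,ms-ds-smb,5,allow,800000,
TRAFFIC,trust,untrust,bittorrent,5,deny,0,
TRAFFIC,trust,untrust,ssl,4,allow,31000,
TRAFFIC,trust,untrust,ssl,4,allow,9000,
URL,trust,untrust,web-browsing,4,block,0,malware
URL,trust,untrust,web-browsing,4,alert,0,business-and-economy
URL,trust,untrust,web-browsing,4,block,0,phishing
"""

FIELDS = ["log_type", "src_zone", "dst_zone", "app",
          "risk", "action", "bytes", "category"]

# App risk scores run 1 to 5; treating 5 as "high risk" is this example's
# own threshold, not a PAN-OS definition.
HIGH_RISK = 5


def parse_records(text):
    """Parse the constructed CSV layout into dicts with numeric risk/bytes."""
    rows = []
    for row in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        row["risk"] = int(row["risk"])
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def application_usage(records):
    """Sessions and bytes per application over allowed TRAFFIC entries.

    Same-zone sessions are counted too, mirroring the ACC Application Usage
    widget rather than an inter-zone-only policy review.
    """
    usage = defaultdict(lambda: {"sessions": 0, "bytes": 0, "risk": 0})
    for r in records:
        if r["log_type"] != "TRAFFIC" or r["action"] != "allow":
            continue
        entry = usage[r["app"]]
        entry["sessions"] += 1
        entry["bytes"] += r["bytes"]
        entry["risk"] = r["risk"]
    return dict(usage)


def high_risk_apps(records, threshold=HIGH_RISK):
    """Distinct TRAFFIC applications at or above the risk threshold."""
    return sorted({r["app"] for r in records
                   if r["log_type"] == "TRAFFIC" and r["risk"] >= threshold})


def url_actions(records):
    """Count URL log entries per (action, category) pair."""
    return Counter((r["action"], r["category"])
                   for r in records if r["log_type"] == "URL")


def intrazone_allowed(records):
    """Allowed sessions whose source and destination zone match."""
    return [r["app"] for r in records
            if r["log_type"] == "TRAFFIC" and r["action"] == "allow"
            and r["src_zone"] == r["dst_zone"]]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOGS)
    for app, stats in sorted(application_usage(recs).items(),
                             key=lambda kv: kv[1]["bytes"], reverse=True):
        print(f"{app:15} sessions={stats['sessions']:3} bytes={stats['bytes']}")
    print("high-risk apps:", high_risk_apps(recs))
    print("same-zone allowed:", intrazone_allowed(recs))
    for (action, category), n in sorted(url_actions(recs).items()):
        print(f"URL {action:6} {category:22} {n}")
```

The same-zone list is the part worth keeping an eye on: those sessions never appear in a review that only looks at rules between zones, yet the ACC counts them, which is why the two views can disagree.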