Widget Descriptions
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Widget Descriptions
Each tab on the ACC includes a different set of widgets.
Widget | Description |
---|---|
Network Activity—Displays
an overview of traffic and user activity on your network. | |
Application Usage | The table displays the top ten applications
used on your network, all the remaining applications used on the
network are aggregated and displayed as other. The graph displays
all applications by application category, sub category, and application.
Use this widget to scan for applications being used on the network,
it informs you about the predominant applications using bandwidth,
session count, file transfers, triggering the most threats, and
accessing URLs. Sort attributes: bytes, sessions, threats,
content, URLs Charts available: treemap, area, column, line
(the charts vary by the sort by attribute selected) |
User Activity | Displays the top ten most active users on
the network who have generated the largest volume of traffic and
consumed network resources to obtain content. Use this widget to
monitor top users on usage sorted on bytes, sessions, threats, content
(files and patterns), and URLs visited. Sort attributes: bytes,
sessions, threats, content, URLs Charts available: area, column,
line (the charts vary by the sort by attribute selected) |
Source IP Activity | Displays the top ten IP addresses or hostnames
of the devices that have initiated activity on the network. All
other devices are aggregated and displayed as other. Sort
attributes: bytes, sessions, threats, content, URLs Charts
available: area, column, line (the charts vary by the sort by attribute
selected) |
Destination IP Activity | Displays the IP addresses or hostnames of
the top ten destinations that were accessed by users on the network. Sort
attributes: bytes, sessions, threats, content, URLs Charts
available: area, column, line (the charts vary by the sort by attribute
selected) |
Source Regions | Displays the top ten regions (built-in or
custom defined regions) around the world from where users initiated
activity on your network. Sort attributes: bytes, sessions,
threats, content, URLs Charts available: map, bar |
Destination Regions | Displays the top ten destination regions
(built-in or custom defined regions) on the world map from where
content is being accessed by users on the network. Sort attributes:
bytes, sessions, threats, content, URLs Charts available:
map, bar |
GlobalProtect Host Information | Displays information on the state of the hosts
on which the GlobalProtect agent is running; the host system is
a GlobalProtect endpoint. This information is sourced from entries
in the HIP match log that are generated when the data submitted
by the GlobalProtect app matches a HIP object or a HIP profile you
have defined on the firewall. If you do not have HIP Match logs,
this widget is blank. To learn how to create HIP objects and HIP
profiles and use them as policy match criteria, see Configure HIP-Based Policy Enforcement. Sort
attributes: profiles, objects, operating systems Charts available:
bar |
Rule Usage | Displays the top ten rules that have allowed
the most traffic on the network. Use this widget to view the most
commonly used rules, monitor the usage patterns, and to assess whether
the rules are effective in securing your network. Sort attributes:
bytes, sessions, threats, content, URLs Charts available:
line |
Ingress Interfaces | Displays the firewall interfaces that are
most used for allowing traffic into the network. Sort attributes:
bytes, bytes sent, bytes received Charts available: line |
Egress Interfaces | Displays the firewall interfaces that are
most used by traffic exiting the network. Sort attributes:
bytes, bytes sent, bytes received Charts available: line |
Source Zones | Displays the zones that are most used for
allowing traffic into the network. Sort attributes: bytes,
sessions, threats, content, URLs Charts available: line |
Destination Zones | Displays the zones that are most used by
traffic going outside the network. Sort attributes: bytes,
sessions, threats, content, URLs Charts available: line |
Threat Activity—Displays
an overview of the threats on the network | |
Compromised Hosts | Displays the hosts that are likely compromised
on your network. This widget summarizes the events from the correlation
logs. For each source user/IP address, it includes the correlation
object that triggered the match and the match count, which is aggregated
from the match evidence collated in the correlated events logs.
For details see Use
the Automated Correlation Engine. Available on the
PA-5200 Series, PA-7000 Series, and Panorama. Sort attributes:
severity (by default) |
Hosts Visiting Malicious URLs | Displays the frequency with which hosts
(IP address/hostnames) on your network have accessed malicious URLs.
These URLs are known to be malware based on categorization in PAN-DB. Sort
attributes: count Charts available: line |
Hosts Resolving Malicious Domains | Displays the top hosts matching DNS signatures;
hosts on the network that are attempting to resolve the hostname
or domain of a malicious URL. This information is gathered from
an analysis of the DNS activity on your network. It utilizes passive
DNS monitoring, DNS traffic generated on the network, activity seen
in the sandbox if you have configured DNS sinkhole on the firewall,
and DNS reports on malicious DNS sources that are available to Palo
Alto Networks customers. Sort attributes: count Charts
available: line |
Threat Activity | Displays the threats seen on your network.
This information is based on signature matches in Antivirus, Anti-Spyware,
and Vulnerability Protection profiles and viruses reported by WildFire. Sort
attributes: threats Charts available: bar, area, column |
WildFire Activity by Application | Displays the applications that generated
the most WildFire submissions. This widget uses the malicious and
benign verdict from the WildFire Submissions log. Sort attributes:
malicious, benign Charts available: bar, line |
WildFire Activity by File Type | Displays the threat vector by file type.
This widget displays the file types that generated the most WildFire
submissions and uses the malicious and benign verdict from the WildFire
Submissions log. If this data is unavailable, the widget is empty. Sort
attributes: malicious, benign Charts available: bar, line |
Applications using Non Standard Ports | Displays the applications that are entering
your network on non-standard ports. If you have migrated your firewall
rules from a port-based firewall, use this information to craft
policy rules that allow traffic only on the default port for the
application. Where needed, make an exception to allow traffic on
a non-standard port or create a custom application. Sort attributes:
bytes, sessions, threats, content, URLs Charts available:
treemap, line |
Rules Allowing Applications On
Non Standard Ports | Displays the security policy rules that
allow applications on non-default ports. The graph displays all
the rules, while the table displays the top ten rules and aggregates
the data from the remaining rules as other. This information
helps you identify gaps in network security by allowing you to assess
whether an application is hopping ports or sneaking into your network.
For example, you can validate whether you have a rule that allows
traffic on any port except the default port for the application.
Say for example, you have a rule that allow DNS traffic on its application-default port
(port 53 is the standard port for DNS). This widget will display
any rule that allows DNS traffic into your network on any port except
port 53. Sort attributes: bytes, sessions, threats, content,
URLs Charts available: treemap, line |
Blocked Activity—Focuses
on traffic that was prevented from coming into the network | |
Blocked Application Activity | Displays the applications that were denied
on your network, and allows you to view the threats, content, and
URLs that you kept out of your network. Sort attributes: threats,
content, URLs Charts available: treemap, area, column |
Blocked User Activity | Displays user requests that were blocked
by a match on an Antivirus, Anti-spyware, File Blocking or URL Filtering
profile attached to Security policy rule. Sort attributes:
threats, content, URLs Charts available: bar, area, column |
Blocked Threats | Displays the threats that were successfully
denied on your network. These threats were matched on antivirus
signatures, vulnerability signatures, and DNS signatures available
through the dynamic content updates on the firewall. Sort
attributes: threats Charts available: bar, area, column |
Blocked Content | Displays the files and data that was blocked
from entering the network. The content was blocked because security
policy denied access based on criteria defined in a File Blocking
security profile or a Data Filtering security profile. Sort
attributes: files, data Charts available: bar, area, column |
Security Policies Blocking Activity | Displays the security policy rules that
blocked or restricted traffic into your network. Because this widget displays
the threats, content, and URLs that were denied access into your
network, you can use it to assess the effectiveness of your policy
rules. This widget does not display traffic that blocked because
of deny rules that you have defined in policy. Sort attributes:
threats, content, URLs Charts available: bar, area, column |
GlobalProtect Activity—Displays
information of user activity in your GlobalProtect deployment. | |
Successful GlobalProtect Connection Activity | Displays a chart view of GlobalProtect connection
activity over the selected time period. Use the toggle at the top
of the chart to switch between connection statistics by users, portals
and gateways, and location. Sort attributes: users, portals/gateways,
location Charts available: bar, line |
Unsuccessful GlobalProtect Connection Activity | Displays a chart view of unsuccessful GlobalProtect
connection activity over the selected time period. Use the toggle
at the top of the chart to switch between connection statistics
by users, portals and gateways, and location. To help you identify
and troubleshoot connection issues, you can also view the reasons
chart or graph. For this chart, the ACC indicates the error, source
user, public IP address and other information to help you identify
and resolve the issue quickly. Sort attributes: users, portals/gateways,
reasons, location Charts available: bar, line |
GlobalProtect Deployment Activity | Displays a chart view summary of your deployment.
Use the toggle at the top of the chart to view the distribution
of users by authentication method, GlobalProtect app version, and
operating system version. Sort attributes: auth method, globalprotect
app version, os Charts available: bar, line |
GlobalProtect Quarantine Activity | Displays a chart view summary of devices
that have been quarantined. Use the toggle at the top of the chart
to view the quarantined devices by the actions that caused GlobalProtect
to quarantine the device, the reason GlobalProtect quarantined the
device, and the location of the quarantined devices. Sort
attributes: actions, reason, location Charts available: bar,
line |
SSL Activity—Displays
information about SSL/TLS activity in your network. | |
Traffic Activity | Shows SSL/TLS activity compared to non-SSL/TLS
activity by total number of sessions or bytes. |
SSL/TLS Activity | Shows successful TLS connections by TLS
version and application or SNI. This widget helps you understand
how much risk you are taking on by allowing weaker TLS protocol
versions. Identifying applications and SNIs that use weak protocols
enables you to evaluate each one and decide whether you need to
allow access to it for business reasons. If you don’t need the application
for business purposes, you may want to block the traffic instead
of allowing it. Click an application or an SNI to drill down and
see detailed information. |
Decryption Failure Reasons | Shows the reasons for decryption failures,
such as certificate or protocol issues, by SNI. Use this information
to detect problems caused by Decryption policy or profile misconfiguration
or by traffic that uses weak protocols or algorithms. Click a failure
reason to drill down and isolate the number of sessions per SNI
or click an SNI to see the failures for that SNI. |
Successful TLS Version Activity | Shows the amount of decrypted and non-decrypted
traffic by sessions or bytes. Traffic that was not decrypted may
be excepted from decryption by policy, policy misconfiguration,
or by being on the Decryption Exclusion List (DeviceCertificate ManagementSSL Decryption Exclusion). |
Successful Key Exchange Activity | Shows successful key exchange activity per
algorithm, by application or by SNI. Click a key exchange algorithm
to see the activity for just that algorithm or click an application
or SNI to view the key exchange activity for that application or
SNI. |