The table displays the top ten applications used on your network, all the remaining applications used on the network are aggregated and displayed as other. The graph displays all applications by application category, sub category, and application. Use this widget to scan for applications being used on the network, it informs you about the predominant applications using bandwidth, session count, file transfers, triggering the most threats, and accessing URLs.

Sort attributes: bytes, sessions, threats, content, URLs

Charts available: treemap, area, column, line (the charts vary by the sort by attribute selected)

Displays the top ten most active users on the network who have generated the largest volume of traffic and consumed network resources to obtain content. Use this widget to monitor top users on usage sorted on bytes, sessions, threats, content (files and patterns), and URLs visited.

Sort attributes: bytes, sessions, threats, content, URLs

Charts available: area, column, line (the charts vary by the sort by attribute selected)

Displays the top ten IP addresses or hostnames of the devices that have initiated activity on the network. All other devices are aggregated and displayed as other.

Sort attributes: bytes, sessions, threats, content, URLs

Charts available: area, column, line (the charts vary by the sort by attribute selected)

Displays the IP addresses or hostnames of the top ten destinations that were accessed by users on the network.

Sort attributes: bytes, sessions, threats, content, URLs

Charts available: area, column, line (the charts vary by the sort by attribute selected)

Displays the top ten regions (built-in or custom defined regions) around the world from where users initiated activity on your network.

Sort attributes: bytes, sessions, threats, content, URLs

Charts available: map, bar

Displays the top ten destination regions (built-in or custom defined regions) on the world map from where content is being accessed by users on the network.

Sort attributes: bytes, sessions, threats, content, URLs

Charts available: map, bar

Displays information on the state of the hosts on which the GlobalProtect agent is running; the host system is a GlobalProtect endpoint. This information is sourced from entries in the HIP match log that are generated when the data submitted by the GlobalProtect app matches a HIP object or a HIP profile you have defined on the firewall. If you do not have HIP Match logs, this widget is blank. To learn how to create HIP objects and HIP profiles and use them as policy match criteria, see Configure HIP-Based Policy Enforcement.

Sort attributes: profiles, objects, operating systems

Charts available: bar

Displays the top ten rules that have allowed the most traffic on the network. Use this widget to view the most commonly used rules, monitor the usage patterns, and to assess whether the rules are effective in securing your network.

Sort attributes: bytes, sessions, threats, content, URLs

Charts available: line

Displays the firewall interfaces that are most used for allowing traffic into the network.

Sort attributes: bytes, bytes sent, bytes received

Charts available: line

Displays the firewall interfaces that are most used by traffic exiting the network.

Sort attributes: bytes, bytes sent, bytes received

Charts available: line

Displays the zones that are most used for allowing traffic into the network.

Sort attributes: bytes, sessions, threats, content, URLs

Charts available: line

Displays the zones that are most used by traffic going outside the network.

Sort attributes: bytes, sessions, threats, content, URLs

Charts available: line

Displays the hosts that are likely compromised on your network. This widget summarizes the events from the correlation logs. For each source user/IP address, it includes the correlation object that triggered the match and the match count, which is aggregated from the match evidence collated in the correlated events logs. For details see Use the Automated Correlation Engine.

Available on the PA-5200 Series, PA-7000 Series, and Panorama.

Sort attributes: severity (by default)

Displays the frequency with which hosts (IP address/hostnames) on your network have accessed malicious URLs. These URLs are known to be malware based on categorization in PAN-DB.

Sort attributes: count

Charts available: line

Displays the top hosts matching DNS signatures; hosts on the network that are attempting to resolve the hostname or domain of a malicious URL. This information is gathered from an analysis of the DNS activity on your network. It utilizes passive DNS monitoring, DNS traffic generated on the network, activity seen in the sandbox if you have configured DNS sinkhole on the firewall, and DNS reports on malicious DNS sources that are available to Palo Alto Networks customers.

Sort attributes: count

Charts available: line

Displays the threats seen on your network. This information is based on signature matches in Antivirus, Anti-Spyware, and Vulnerability Protection profiles and viruses reported by WildFire.

Sort attributes: threats

Charts available: bar, area, column

Displays the applications that generated the most WildFire submissions. This widget uses the malicious and benign verdict from the WildFire Submissions log.

Sort attributes: malicious, benign

Charts available: bar, line

Displays the threat vector by file type. This widget displays the file types that generated the most WildFire submissions and uses the malicious and benign verdict from the WildFire Submissions log. If this data is unavailable, the widget is empty.

Sort attributes: malicious, benign

Charts available: bar, line

Displays the applications that are entering your network on non-standard ports. If you have migrated your firewall rules from a port-based firewall, use this information to craft policy rules that allow traffic only on the default port for the application. Where needed, make an exception to allow traffic on a non-standard port or create a custom application.

Sort attributes: bytes, sessions, threats, content, URLs

Charts available: treemap, line

Displays the security policy rules that allow applications on non-default ports. The graph displays all the rules, while the table displays the top ten rules and aggregates the data from the remaining rules as other.

This information helps you identify gaps in network security by allowing you to assess whether an application is hopping ports or sneaking into your network. For example, you can validate whether you have a rule that allows traffic on any port except the default port for the application. Say for example, you have a rule that allow DNS traffic on its application-default port (port 53 is the standard port for DNS). This widget will display any rule that allows DNS traffic into your network on any port except port 53.

Sort attributes: bytes, sessions, threats, content, URLs

Charts available: treemap, line

Displays the applications that were denied on your network, and allows you to view the threats, content, and URLs that you kept out of your network.

Sort attributes: threats, content, URLs

Charts available: treemap, area, column

Displays user requests that were blocked by a match on an Antivirus, Anti-spyware, File Blocking or URL Filtering profile attached to Security policy rule.

Sort attributes: threats, content, URLs

Charts available: bar, area, column

Displays the threats that were successfully denied on your network. These threats were matched on antivirus signatures, vulnerability signatures, and DNS signatures available through the dynamic content updates on the firewall.

Sort attributes: threats

Charts available: bar, area, column

Displays the files and data that was blocked from entering the network. The content was blocked because security policy denied access based on criteria defined in a File Blocking security profile or a Data Filtering security profile.

Sort attributes: files, data

Charts available: bar, area, column

Displays the security policy rules that blocked or restricted traffic into your network. Because this widget displays the threats, content, and URLs that were denied access into your network, you can use it to assess the effectiveness of your policy rules. This widget does not display traffic that blocked because of deny rules that you have defined in policy.

Sort attributes: threats, content, URLs

Charts available: bar, area, column

Displays a chart view of GlobalProtect connection activity over the selected time period. Use the toggle at the top of the chart to switch between connection statistics by users, portals and gateways, and location.

Sort attributes: users, portals/gateways, location

Charts available: bar, line

Displays a chart view of unsuccessful GlobalProtect connection activity over the selected time period. Use the toggle at the top of the chart to switch between connection statistics by users, portals and gateways, and location. To help you identify and troubleshoot connection issues, you can also view the reasons chart or graph. For this chart, the ACC indicates the error, source user, public IP address and other information to help you identify and resolve the issue quickly.

Sort attributes: users, portals/gateways, reasons, location

Charts available: bar, line

Displays a chart view summary of your deployment. Use the toggle at the top of the chart to view the distribution of users by authentication method, GlobalProtect app version, and operating system version.

Sort attributes: auth method, globalprotect app version, os

Charts available: bar, line

Displays a chart view summary of devices that have been quarantined. Use the toggle at the top of the chart to view the quarantined devices by the actions that caused GlobalProtect to quarantine the device, the reason GlobalProtect quarantined the device, and the location of the quarantined devices.

Sort attributes: actions, reason, location

Charts available: bar, line

Shows SSL/TLS activity compared to non-SSL/TLS activity by total number of sessions or bytes.

Shows successful TLS connections by TLS version and application or SNI. This widget helps you understand how much risk you are taking on by allowing weaker TLS protocol versions. Identifying applications and SNIs that use weak protocols enables you to evaluate each one and decide whether you need to allow access to it for business reasons. If you don’t need the application for business purposes, you may want to block the traffic instead of allowing it. Click an application or an SNI to drill down and see detailed information.

Shows the reasons for decryption failures, such as certificate or protocol issues, by SNI. Use this information to detect problems caused by Decryption policy or profile misconfiguration or by traffic that uses weak protocols or algorithms. Click a failure reason to drill down and isolate the number of sessions per SNI or click an SNI to see the failures for that SNI.

Shows the amount of decrypted and non-decrypted traffic by sessions or bytes. Traffic that was not decrypted may be excepted from decryption by policy, policy misconfiguration, or by being on the Decryption Exclusion List (DeviceCertificate ManagementSSL Decryption Exclusion).