Using the Dashboard

The Dashboard is shown when the Home tab is clicked. It is the first page you see when you log in. You can also customize your Dashboard Views as per requirements.

Dashboard Views selection is available only in the Home tab.

Select the Firewall Analyzer Collector Server, of which you want to view the dashboard, in the Dashboard Views of the left navigation panel.

Once the Collector Server is selected, the Dashboard dynamically changes to display the current statistics for each device whose log files are analyzed. The Firewall Analyzer dashboard shows the:

The Traffic Overview graphs shows protocol-wise distribution of traffic across each device. At one glance, you can see the total traffic generated by each protocol group across each device. You can also drill down from the bars in the graph to see specific protocol usage in the Protocol Usage Report.

The Security Overview graphs shows distribution of security events like attack, virus, port scans, denied events, failed log ons, etc.. generated across each device. Drill down from the bars in the graph to see the corresponding events generated.

Firewall Analyzer will recognize only those firewall log messages which contains the attribute denoting a port scan. Currently Firewall Analyzer recognizes the attribute denoting a port scan for Fortigate, NetScreen & CheckPoint firewall's alone.

The Traffic Statistics table, shows the Traffic Overview graph's data in more detail, with specific percentage values of incoming and outgoing traffic per protocol group across each device. The Show bar lets you view the the top 5(default) / 10 / 15 or All protocol groups, captured in the logs across the configured devices. You can click on the Traffic IN, Traffic OUT, and Total Traffic for each protocol group of the configured device to obtain the drill-downs of the traffic. You can view the intranet's settings of various Collector Servers.

The traffic values in the table let you drill down to see traffic details for the corresponding protocol group in the Protocol Usage Report.

The Quick Reports link provides you 'quick' access to the top level details of traffic like Top Hosts, Top Destinations, Top Conversations, Top Protocol Groups, Top Firewall Rules, Top VPN Reports, and Top Attack Reports for the corresponding firewall.

Quick Reports for Squid Proxies will provide only the following reports: Top Hosts, Top Destinations, and Top Conversations.

The Security Statistics table, shows the Security Overview graph's data in more detail, along with the distribution of the Configured Alerts. The Configured Alerts are classified according to the priority as High, Medium, and Low. Clicking on the alert counts against High, Medium, Low, or All Alerts will list you complete details like Alert Profile name, the generated time, the device for which the alert was raised, the alert priority, and the status of the alert.

The security statistics table provides you with the counts for attacks, virus, failed log ons, security events, and denied events.

Attacks: Firewall Analyzer will recognize only those firewall log messages which contains the attribute denoting an attack.

Virus: Firewall Analyzer will recognize only those firewall log messages which contains the attribute denoting a virus.

Currently Firewall Analyzer recognizes the attribute denoting a virus for almost all firewall's except Cisco Pix, whose log messages do not contain the attribute denoting a virus.

Failed Log Ons: Firewall Analyzer will recognize only those firewall log messages which contains the attribute denoting a failed log on.

Currently Firewall Analyzer recognizes the attribute denoting a failed log on for Fortigate, NetScreen, Cisco Pix, & Identiforce firewall's Failed Log Ons are not available for CheckPoint firewall's

Denied Events: Firewall Analyzer will recognize only those firewall log messages which contains the attribute denoting a denied request.

Security Events: The Security Events in Firewall Analyzer are based on the severity attributes Emergency, Alert, Critical, and Error only.

Since Security Events are based on severity attributes, they may also include the other events like port scans, attacks, virus, failed log ons, security events, and denied events.

Clicking on the counts against each of the above events in the security statistics table will lead you to the corresponding the quick reports for those events.

Search

Doing a search in Firewall Analyzer UI is easy. Firewall Analyzer offers both Basic Search and Advanced Search in the product.

Basic Search, enables you to search for the following :

Search for	Description
Hosts	Refers to the IP Address or DNS Names which were recorded in the firewall logs example: 192.168.0.1,web-server
Protocol Identifiers	Refers to the list of protocols and protocol identifiers that are available in the Protocol Groups page (Settings >> Protocol Groups) example: 6969/tcp, icmp, IPSec
User Names	Refers to the authenticated user name required by some firewall's example: john, kate
Attack	Refers to the attack name. examples: UDP Snort, Ip spoof
Virus	Refers to the Virus name. examples: JS/Exception, W32/Mitglieder

Advanced Search, offers numerous options for making your searches more precise and getting more useful results from the Aggregated Logs Database. It also allows you to search from the Raw Firewall Logs.

In Advance Search, you can search the logs for the selected devices, from the aggregated logs database or raw firewall logs, and define matching criteria.

Selected Devices

In this section, you can choose the devices for which you want the logs to be searched. If no device is selected or you want to change the list of selected devices, select the devices.

Click Change Selection link.
Select Devices from the list window pops-up. In that window, All Devices with selection check box and individual devices with selection check boxes options are available.
Select the devices by selecting the check boxes as per your requirement. Click OK to select the devices and close the window or click Cancel to cancel the operation and close the window.

The selected devices are displayed in this section.

Search From

In this section, you can select one from the two options:

Aggregated Logs Database
Raw Firewall Logs

Aggregated Logs Database

Select this option if you want to search from the aggregated logs database.

Raw Firewall Logs

Select this option if you want to search from the raw firewall logs. Selecting this option will enable the following options:

Raw VPN Logs

Raw Virus/Attack Logs

Raw Device Management Logs

Raw Denied Logs

Select the above logs options as per your requirement.

Define Criteria

This section, enables you to search the database for attributes using more than one following criteria's:

Criteria	Description
Protocol	Refers to the list of protocols and protocol identifiers that are available in the Protocol Groups page (Settings >> Protocol Groups) example: 8554/tcp, rtsp, IPSec
Source	Refers to the source host name or IP address from which requests originated
Destination	Refers to the destination host name or IP address to which requests were sent
User	Refers to the authenticated user name required by some firewall's example: john, kate
Virus	Refers to the Virus name. examples: JS/Exception, W32/Mitglieder
Attack	Refers to the attack name. examples: UDP Snort, Ip spoof
URL	Refers to the URL, which you want to search
Rule	Refers to the Firewall Rule, which you want to search
Device	Refers to the device from which logs are collected
Message	Refers to the log message texts stored in the DB

If the search string exists then the search result will be intelligently displayed based on the report category in which it occurred.
By default, the search is carried out for the time period selected in the Global Calendar present in the left pane of the UI.
You can also search within the search results.

Advanced Search of Imported Firewall Logs

You can carry out Advanced Search on the imported Firewall logs.

ManageEngine