Palo Alto Networks dives into the next-generation firewall web interface to explain the features in the ACC tab that help you identify threat activity and blocked activity in your network.
The ACC has a wealth of information you can leverage to optimize your security posture.
This time, I'll go over the Threat Activity and Blocked Activity tabs in the ACC.
Firewall web interface - ACC Tab - Threat Activity and Blocked Activity
Inside the Threat Activity tab, you will find the following widgets selected by default:
- Applications Using Non Standard Ports
- Hosts Resolving Malicious Domains
- Hosts Visiting Malicious URLs
- Rules Allowing Apps On Non Standard Ports
- Threat Activity
- WildFire Activity By File Type
- WildFire Activity By Application
Here's what that will look like on your screen:
View of Threat Activity widgets selected by default
In the Blocked Activity tab, you will find the following widgets selected by default:
- Blocked Application Activity
- Blocked Content
- Blocked Threats
- Blocked User Activity
- Security Policies Blocking Activity
View of Blocked Activity widgets selected by default
On the very last tab you will notice a plus (+) symbol. Clicking it creates a new tab, which you can rename and customize to your liking with the columns, widget groups, and widgets you want.
Blocked Activity View to Add a Custom Widget
NOTE: Every widget has some useful options in the upper right corner.
View of widget options
Let's go over four options so you can have a better idea of what each option offers.
Maximize & View More Data
- Creates a popup window that fills the screen and shows only text, no graphs, with many more lines than the widget itself displays. (You have two additional options in the upper right: Export CSV and Exit.)
Blocked Application Activity as text
Set Local Filters
- This popup window lets you create a new filter that applies to this widget only. Select Apply to apply the filter.
View of popup to set local filter
Jump to Logs
- Takes you directly to the logs behind the widget, with the widget's filter already applied. The Threat Activity widget, for example, takes you to the Threat log.
View of quick links to jump to a log
Export PDF
- A popup window shows the status while the widget data is exported to PDF.
View of Export PDF status bar
Each widget also has graph options. These vary depending on the data you're looking at, but as an example they can be:
View of graph options
Now that you know what those options do, you can get more out of the data being displayed.
While looking at a widget, you can click one of the display options to show the data in a different form. Some widgets can also be sorted by different fields.
View of data displaying options
If you click on a graph or on the text below, it will drill down and add that information to the local filter.
View of information drill-down
To remove the filter, click the "X" to the left of the filter name. In the illustration above, it is Application[web-browsing].
You can also add this term to the global filter by clicking the "<-|" to the right of the filter; the global filter applies to every widget on every tab, while a local filter applies only to its widget.
The same "<-|" symbol appears when you hover over any clickable text. Next to any of the values displayed, a dropdown arrow provides even more options, as illustrated below:
View of dropdown menu button
Depending on what data you are looking at, you will have different options. For example, if you hover over an application and select the dropdown, you will see the following:
View of dropdown menu options
Global Find
- Opens a Search window in the upper right corner of the web interface and shows everywhere the selected value is referenced in the configuration.
View of search window
Value
- Displays details about the selected value, in this case the application.
View of application value information
If you are looking at IP-related data, you will have other options:
WhoIs
- Opens a new browser window showing the WHOIS record for the IP address.
Search HIP Report
- Allows you to search through the Host Information Profile on this IP to correlate the data with a possible GlobalProtect user.
Promote as Address
- Adds the IP address to the global filter in the left pane, so every widget's graphs change accordingly.
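The filter behaviour described above (a drill-down adds a term to the widget's local filter, the "X" removes it, "<-|" and Promote as Address push a term into the global filter, and Jump to Logs runs the combined terms as a log query) can be reproduced outside the web interface. The script below is an added example written for this post, not code from the post or from Palo Alto Networks. It models the two filter bars, renders them in the PAN-OS log filter syntax, and builds and parses the XML API calls (`type=log` to start a query job, `action=get` to fetch it) that a script would use in place of clicking Jump to Logs. The label-to-field mapping, widget-to-log-type mapping, parameter names and response shape are assumptions based on the XML API as I know it, so check them against the documentation for your PAN-OS release; the host, API key, addresses and log entries are constructed sample data.

```python
"""Added example (not code from the post or from Palo Alto Networks).

Models the ACC's global and local filter bars and produces what Jump to Logs
does: a PAN-OS log filter plus the XML API requests behind it. Field names,
the type=log / action=get job workflow and the response shape are assumed
from the PAN-OS XML API; host, key, addresses and entries are constructed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from urllib.parse import urlencode

# ACC label -> log filter field (assumed mapping; extend for other labels).
FIELD_MAP = {
    "Application": "app",
    "Source Address": "addr.src",
    "Destination Address": "addr.dst",
    "Source User": "user.src",
    "Rule": "rule",
}

# Widget -> log-type parameter (assumed; where Jump to Logs lands for each).
WIDGET_LOG_TYPE = {
    "Threat Activity": "threat",
    "Blocked Threats": "threat",
    "Hosts Visiting Malicious URLs": "url",
    "WildFire Activity By File Type": "wildfire",
    "Blocked Application Activity": "traffic",
}


@dataclass
class AccFilter:
    """One filter bar: label -> set of values, shown as Application[web-browsing]."""

    terms: dict[str, set[str]] = field(default_factory=dict)

    def add(self, label: str, value: str) -> None:
        """Drill-down: clicking a graph or its text adds a term."""
        self.terms.setdefault(label, set()).add(value)

    def remove(self, label: str, value: str) -> None:
        """The "X" to the left of a term removes it."""
        vals = self.terms.get(label, set())
        vals.discard(value)
        if not vals:
            self.terms.pop(label, None)

    def promote(self, label: str, value: str, target: "AccFilter") -> None:
        """"<-|" (or Promote as Address) copies a term into the global filter."""
        target.add(label, value)

    def display(self) -> list[str]:
        """Render the terms the way the ACC filter bar shows them."""
        return [f"{k}[{v}]" for k in self.terms for v in sorted(self.terms[k])]


def _quote(value: str) -> str:
    # Single-quote values the filter parser would otherwise split on.
    return f"'{value}'" if any(c in value for c in " \\") else value


def to_log_query(global_filter: AccFilter, local_filter: AccFilter) -> str:
    """Combine both bars into one log filter: different fields are ANDed,
    several values for the same field are ORed, address fields use 'in'."""
    merged: dict[str, set[str]] = {}
    for f in (global_filter, local_filter):
        for label, vals in f.terms.items():
            merged.setdefault(label, set()).update(vals)
    clauses = []
    for label, vals in merged.items():
        fld = FIELD_MAP[label]
        op = "in" if fld.startswith("addr.") else "eq"
        parts = [f"({fld} {op} {_quote(v)})" for v in sorted(vals)]
        clauses.append(parts[0] if len(parts) == 1 else "(" + " or ".join(parts) + ")")
    return " and ".join(clauses)


def jump_to_logs_url(host: str, api_key: str, widget: str, query: str, nlogs: int = 20) -> str:
    """XML API call that enqueues the log query job (scripted Jump to Logs)."""
    params = {"type": "log", "log-type": WIDGET_LOG_TYPE[widget],
              "query": query, "nlogs": nlogs, "key": api_key}
    return f"https://{host}/api/?{urlencode(params)}"


def poll_url(host: str, api_key: str, job_id: str) -> str:
    """XML API call that fetches the job result once it has finished."""
    params = {"type": "log", "action": "get", "job-id": job_id, "key": api_key}
    return f"https://{host}/api/?{urlencode(params)}"


def parse_job_id(xml_text: str) -> str:
    """Job id from the enqueue response; raise on an API error."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError(root.findtext(".//msg") or "API error")
    return root.findtext("./result/job")


def parse_log_entries(xml_text: str) -> list[dict[str, str]] | None:
    """Entries once the job status is FIN; None means poll again."""
    root = ET.fromstring(xml_text)
    if root.findtext("./result/job/status") != "FIN":
        return None
    return [{c.tag: (c.text or "") for c in e} for e in root.findall("./result/log/logs/entry")]


# Constructed sample responses in the shape the API returns (assumed).
SAMPLE_JOB_START = '<response status="success"><result><job>42</job></result></response>'
SAMPLE_JOB_DONE = """<response status="success"><result>
<job><status>FIN</status><id>42</id></job>
<log><logs count="2" progress="100">
<entry logid="1"><receive_time>2024/01/01 10:00:00</receive_time><src>10.1.1.5</src>
<dst>203.0.113.7</dst><app>web-browsing</app><threatid>sample-threat</threatid><action>reset-both</action></entry>
<entry logid="2"><receive_time>2024/01/01 10:00:01</receive_time><src>10.1.1.5</src>
<dst>203.0.113.9</dst><app>web-browsing</app><threatid>sample-threat</threatid><action>alert</action></entry>
</logs></log></result></response>"""

if __name__ == "__main__":
    glob, local = AccFilter(), AccFilter()
    local.add("Application", "web-browsing")            # drill-down on a bar
    local.promote("Application", "web-browsing", glob)  # "<-|" to the global filter
    local.remove("Application", "web-browsing")         # "X" on the local term
    glob.add("Source Address", "10.1.1.5")              # Promote as Address
    q = to_log_query(glob, local)
    print(glob.display(), "->", q)
    print(jump_to_logs_url("fw.example.net", "REDACTED", "Threat Activity", q))
    print(poll_url("fw.example.net", "REDACTED", parse_job_id(SAMPLE_JOB_START)))
    for e in parse_log_entries(SAMPLE_JOB_DONE) or []:
        print(e["receive_time"], e["src"], e["dst"], e["threatid"], e["action"])
```

The point of keeping the two bars separate is the one the post makes: a local term only narrows one widget, while a promoted term changes every widget, so a script that mirrors this should keep a global filter object and merge it into each widget's query rather than copying terms around by hand.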
I hope this helps you understand the new ACC tab even better and helps you leverage this feature to find what you're looking for.
More ACC information can be found on the following links:
How To Use The Application Command Center (ACC)
Tips & Tricks: ACC FAQ
Thanks for taking time to read the blog.