Palo Alto Networks dives into the next-generation firewall web interface to explain some features in the ACC tab to help you identify threat activity and blocked activity in your network. Find answers on LIVEcommunity.
The ACC has a wealth of information you can leverage to optimize your security posture.
This time, I'll go over the Threat Activity and Blocked Activity tabs in the ACC.
Firewall web interface - ACC Tab - Threat Activity and Blocked Activity
Inside the Threat Activity tab, you will find the following widgets selected by default:
Applications Using Non Standard Ports
Hosts Resolving Malicious Domains
Hosts Visiting Malicious URLs
Rules Allowing Apps On Non Standard Ports
Wildfire Activity By File Type
Wildfire Activity By Application
Here's what that will look like on your screen:
View of Threat Activity widgets selected by default
In the Blocked Activity tab, you will find the following widgets selected by default:
Blocked Application Activity
Blocked User Activity
Security Policies Blocking Activity
View of Blocked Activity widgets selected by default
On the very last tab you will notice a Plus (+) symbol. Clicking on it creates a new tab, which you can rename and customize to your liking with columns, the desired widget groups, and widgets.
Blocked Activity View to Add a Custom Widget
NOTE: Every widget has some useful options in the upper right corner.
View of widget options
Let's go over four options so you can have a better idea of what each option offers.
Maximize & View More Data
Creates a popup window that fills the screen and does not display any graphs, only text. The option also expands the number of lines that are displayed. (You have two additional options in the upper right to Export CSV and Exit.)
Blocked Application Activity as text
Set Local Filters
This popup window allows you to create a new filter for this widget. Select Apply to display the filter.
View of popup to set local filter
Jump to Logs
Brings you directly to the logs associated with the widget. Threat Activity will bring you directly to the Threat Logs.
View of quick links to jump to a log
Export PDF
A popup window displays the status while the widget data is exported to PDF.
View of Export PDF status bar
Each widget also offers graph options. These can vary depending on the data you're looking at, but, as an example, they can be:
View of graph options
Now that you know what those options do, you can extract more information from the data being displayed.
While looking at a widget, you can click one of the options to display different data. Some widgets can be sorted by different data.
View of data displaying options
If you click on a graph or on the text below, it will drill down and add that information to the local filter.
View of information drill-down
To remove the filter, click the "X" to the left of the filter name. In the illustration above, it is Application[web-browsing].
You also can add this to the global filter by clicking the "<-|" to the right of the filter.
You will also see the same symbol "<-|" when hovering over any text that is clickable. On any of the values displayed, a dropdown arrow provides even more options as illustrated below:
View of dropdown menu button
Depending on what data you are looking at, you will have different options. For example, if you hover over an application and select the dropdown, you will see the following:
View of dropdown menu options
Opens a Search window in the upper right corner of the web interface and shows search results based on your selection.
View of search window
Displays value information about the application.
View of application value information
If you are looking at IP-related data, you will have other options:
Opens a new browser window showing the "Who Is" record for the IP address.
Search HIP Report
Allows you to search through the Host Information Profile on this IP to correlate the data with a possible GlobalProtect user.
Promote as Address
Adds the IP address to the Global Filter in the left pane and updates your graphs accordingly.
I hope this helps you understand the new ACC tab even better and helps you leverage this feature to find what you're looking for.
More ACC information can be found on the following links: