09-26-2017 11:44 PM
Hey all,
I want to create some custom reports to get more useful information about what is going on in my network.
I would like to know - just informational - which reports do you use in your daily business?
Respectively which reports you consider as useful.
Until now, I created one report that shows me the denied packets for every last week.
Can you give me some more hints?
Thank you!
09-27-2017 06:32 AM
Here are three reports that I always schedule to run every day.
1) Reset report: I have a report that looks for the 'reset-client', 'reset-both', and 'reset-server' actions going from untrust to my dmz zone. This includes anything that reset likely due to a vulnerability or threat being identified.
2) Risk Report: This report includes the widgets Risky Users, Botnet, Spyware Infected Hosts, and Top Spyware Threats.
3) Summary Reports: Daily PDF Reports which includes the following widgets; Bandwidth trent, Top Denied Sources, Top Secuirty Rules, Risk Trent, Top Destination Countries, Top Source Countries, Threat Tred, Top Destination Zones, Top Source Zones, Top Connections, Top Destinations, Top Sources, Top Denied Applications, Top Egress Interfaces, Top Denied Destinations, Top Ingress Interfaces. So most of the widgets really.
10-06-2017 03:49 AM - edited 10-06-2017 03:52 AM
Thanks for your answer!
I have a question to your risk reports:
are these custom reports or predefined?
I don't find Risky Users
and my second question:
When I take a look into Spyware Infected Hosts, there are only external ip addresses. What do I need that information for?
and 3)
Where can I find Bandwidth trent, Risk Trent and Threat Tred?
10-06-2017 05:33 AM
The reset report that I have listed at the top is the only custom report within that list. Risky Users can be found when you are building your Report Groups, it's one of the predefined reports available within that list.
You'd want to keep the Spyware infected hosts so that you can see if an internal address shows up; I would also verify where those external IPs were going and who was communicating with them. Depending on the actual threat detected and in what direction the PA sees it going, you may see an external IP when it's one of your internal users infected.
The Bandwidth trend, Risk trend, and threat trend are again predefined reports. You can add these when you are building the Report Group or if you create PDF Summary reports.
11-02-2017 06:46 AM
Hey BPry,
I built a report group and added the predefined report risky-users.
I am wondering now, why that report doesn't show up under Monitor -> Reports?
11-02-2017 06:56 AM
Can't really answer that one I'm afraid, I don't have any idea why it wouldn't show up there.
11-15-2017 02:12 AM - edited 11-15-2017 02:12 AM
I built a good overall report, thanks for your hints.
Still a last question to the risky users:
there are a lot of different risky users shown up in the report.
They have a risk of 4 or 5.
They are sorted by "Bytes"
Why are they risky? What am I supposed to do? What entries are important?
I'm confused.
11-15-2017 05:55 AM
It generally takes the risk associated with the app-ids identified on that user's traffic. So if you haven't modified the app-id's associated risk then it's likely just displaying your most active users.
11-20-2017 02:03 AM
I have some more questions:
-The Spyware Infected Hosts, how does the firewall know that hosts are spyware affected, especially external hosts? But also internal hosts?
-URL Report:
Is it possible to create a custom url report that doesn't list the top blocked url's but the less blocked url's?
The problem is: I have a url report that lists the top 50 blocked url's. That report isn't really helpful because all url's shown there are web-advertisments, that are accessed over 1k times.
I would like to get url's that are accessed only a few times, maybe 1 or 2. Because most likely, that's an url that was accessed consciously by a user. So I can proactively unblock these url's. Do you know what I mean?
11-20-2017 05:35 AM
Spyware Infected Hosts are generated by what the firewall sees through the Threat database. Specifically, if you run the following filter '( subtype eq spyware )' on the threat database you'll see what it's picking up on. In this case the 'Victim' is going to be what is considered a Infected Host.
As for a URL report, your best bet there would be to simply ignore the whole web-advertisements category if it isn't something you are interested in seeing. For that I would likely recommend you create a custom report looking at the URL Log database, you would want to have the following in your Query Builder as to not display any of the web-advertisements category.
not ( category eq web-advertisements )
11-27-2017 12:24 AM
yeah that's a good idea.
Sorry, but another question comes into my mind:
In my report group that is sent every Sunday, there are included: botnet, Spyware Infected Hosts, Top denied applications, Top egress interfaces.
The problem is, these reports just show facts for the sunday.
Is there a possibilty to change that from sunday to the whole last calendar week?
11-27-2017 06:31 AM
Since those reports are actually built into the firewall there isn't a way to modify them that I know of. That being said, all of the reports can be generated as a custom report that specifies the last 7 days so you have a full week.
11-27-2017 01:20 PM
@MPI-AE wrote:
I built a good overall report, thanks for your hints.
Still a last question to the risky users:
there are a lot of different risky users shown up in the report.
They have a risk of 4 or 5.
They are sorted by "Bytes"
Why are they risky? What am I supposed to do? What entries are important?
I'm confused.
IMO, the "risk" number is to be a guage not even so much a guide.
Hell, application "web-browsing" is a 4 and "FTP" is a 5. I wouldn't necessarily base any report or security policy around a risk score.
11-27-2017 01:24 PM
Risky users can be extremely helpful if you've taken the time to customize the application risk level specific to the company you are working for. At default value you are very much correct, the risk level is likely not a good indicator to actually use for anything.
11-27-2017 01:29 PM
Agreed, my meaning was around the stock value of apps. Again IMO, it's akin to a shiny object you can show to leadership. Doesn't really mean you're more secure at a "3" with no security profiles than someone at a "5" who's running Threat/URL/WF services.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
