I want to create some custom reports to get more useful information about what is going on in my network.
I would like to know - just informational - which reports do you use in your daily business?
Or rather, which reports do you consider useful?
Until now, I have created one report that shows me the denied packets for the last week.
Can you give me some more hints?
Here are three reports that I always schedule to run every day.
1) Reset report: I have a report that looks for the 'reset-client', 'reset-both', and 'reset-server' actions going from untrust to my dmz zone. This includes anything that was reset, likely due to a vulnerability or threat being identified.
2) Risk Report: This report includes the widgets Risky Users, Botnet, Spyware Infected Hosts, and Top Spyware Threats.
3) Summary Reports: Daily PDF Reports which include the following widgets: Bandwidth Trend, Top Denied Sources, Top Security Rules, Risk Trend, Top Destination Countries, Top Source Countries, Threat Trend, Top Destination Zones, Top Source Zones, Top Connections, Top Destinations, Top Sources, Top Denied Applications, Top Egress Interfaces, Top Denied Destinations, Top Ingress Interfaces. So most of the widgets, really.
Thanks for your answer!
I have a question about your risk reports:
Are these custom reports or predefined?
I can't find Risky Users.
and my second question:
When I take a look into Spyware Infected Hosts, there are only external IP addresses. What do I need that information for?
Where can I find Bandwidth Trend, Risk Trend and Threat Trend?
The reset report that I have listed at the top is the only custom report within that list. Risky Users can be found when you are building your Report Groups, it's one of the predefined reports available within that list.
You'd want to keep the Spyware Infected Hosts report so that you can see if an internal address shows up; I would also verify where those external IPs were going and who was communicating with them. Depending on the actual threat detected and in what direction the PA sees it going, you may see an external IP when it's one of your internal users that is infected.
The Bandwidth trend, Risk trend, and threat trend are again predefined reports. You can add these when you are building the Report Group or if you create PDF Summary reports.
I built a good overall report, thanks for your hints.
One last question about the risky users:
There are a lot of different risky users showing up in the report.
They have a risk of 4 or 5.
They are sorted by "Bytes"
Why are they risky? What am I supposed to do? What entries are important?
It generally takes the risk associated with the app-ids identified on that user's traffic. So if you haven't modified an app-id's associated risk, then it's likely just displaying your most active users.
I have some more questions:
- The Spyware Infected Hosts: how does the firewall know that hosts are infected with spyware, especially external hosts? But also internal hosts?
Is it possible to create a custom URL report that doesn't list the top blocked URLs but the least blocked URLs?
The problem is: I have a URL report that lists the top 50 blocked URLs. That report isn't really helpful because all URLs shown there are web-advertisements that are accessed over 1k times.
I would like to get URLs that are accessed only a few times, maybe 1 or 2, because most likely that's a URL that was accessed consciously by a user. So I can proactively unblock these URLs. Do you know what I mean?
Spyware Infected Hosts are generated from what the firewall sees through the Threat database. Specifically, if you run the following filter '( subtype eq spyware )' on the threat database, you'll see what it's picking up on. In this case the 'Victim' is going to be what is considered an Infected Host.
As for a URL report, your best bet there would be to simply ignore the whole web-advertisements category if it isn't something you are interested in seeing. For that I would likely recommend you create a custom report looking at the URL Log database; you would want to have the following in your Query Builder so as not to display any of the web-advertisements category:
not ( category eq web-advertisements )
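As an added illustration (not code from either poster, and not a Palo Alto tool), the script below runs the two custom reports discussed in this thread over a handful of constructed log records: the "reset report" from the first answer (reset-client/reset-server/reset-both actions from the untrust zone to the dmz zone, grouped by the threat that triggered them) and the "least blocked URLs" report the last question asks for, with the web-advertisements category excluded exactly as `not ( category eq web-advertisements )` would do in the Query Builder. The records, field names, URLs and the `block-url` action value are assumptions made for the example; on a real firewall you would feed it a CSV export of the threat and URL logs instead.

```python
"""Two custom reports from the thread, run over constructed log records.

The records below are made up for this example; they are not real PAN-OS
logs. Field names (from, to, action, subtype, category, url) mirror the
names used in the PAN-OS query builder, which is an assumption.
"""
from collections import Counter, defaultdict

# Actions the first answer's "reset report" looks for.
RESET_ACTIONS = {"reset-client", "reset-server", "reset-both"}
# URL-log action values treated as "blocked" (assumed for the example).
BLOCK_ACTIONS = {"block-url", "block-continue"}

# Constructed threat-log records (hypothetical addresses and threat names).
THREAT_LOG = [
    {"from": "untrust", "to": "dmz", "src": "203.0.113.10", "dst": "10.10.0.5",
     "action": "reset-both", "threatid": "SQL Injection Attempt", "subtype": "vulnerability"},
    {"from": "untrust", "to": "dmz", "src": "203.0.113.11", "dst": "10.10.0.5",
     "action": "reset-both", "threatid": "SQL Injection Attempt", "subtype": "vulnerability"},
    {"from": "untrust", "to": "dmz", "src": "198.51.100.7", "dst": "10.10.0.8",
     "action": "reset-server", "threatid": "Directory Traversal", "subtype": "vulnerability"},
    # Reset, but in the wrong direction for this report (trust -> untrust).
    {"from": "trust", "to": "untrust", "src": "192.168.1.20", "dst": "198.51.100.9",
     "action": "reset-both", "threatid": "Generic Command and Control", "subtype": "spyware"},
    # Right zones, but only alerted, so not a reset.
    {"from": "untrust", "to": "dmz", "src": "203.0.113.12", "dst": "10.10.0.5",
     "action": "alert", "threatid": "Port Scan", "subtype": "scan"},
]

# Constructed URL-log records: two advertising URLs blocked thousands of
# times drown out the handful of URLs a user probably typed on purpose.
URL_LOG = (
    [{"category": "web-advertisements", "url": "ads.example-ad.net/pixel",
      "action": "block-url"}] * 1200
    + [{"category": "web-advertisements", "url": "cdn.example-ads.com/banner.js",
        "action": "block-url"}] * 800
    + [{"category": "unknown", "url": "tools.example-vendor.com/agent.zip",
        "action": "block-url"}] * 2
    + [{"category": "shareware-and-freeware", "url": "mirror.example.org/setup.exe",
        "action": "block-url"}]
    + [{"category": "unknown", "url": "api.example-partner.com/v1",
        "action": "block-url"}] * 5
    + [{"category": "computer-and-internet-info", "url": "docs.example.com/",
        "action": "alert"}]
)


def reset_report(records, from_zone="untrust", to_zone="dmz"):
    """The custom 'reset report': resets seen from from_zone to to_zone,
    grouped by threat, most frequent threat first.

    Returns a list of (threat_name, [(src, dst, action), ...]).
    """
    by_threat = defaultdict(list)
    for r in records:
        if r["action"] not in RESET_ACTIONS:
            continue
        if r["from"] != from_zone or r["to"] != to_zone:
            continue
        by_threat[r["threatid"]].append((r["src"], r["dst"], r["action"]))
    return sorted(by_threat.items(), key=lambda kv: (-len(kv[1]), kv[0]))


def rarely_blocked_urls(records, max_hits=2, exclude_categories=("web-advertisements",)):
    """The inverse of a 'Top 50 blocked URLs' report: blocked URLs seen at
    most max_hits times, after dropping the excluded categories, which is
    what `not ( category eq web-advertisements )` does in the query builder.

    Returns a list of (url, category, hit_count), least frequent first.
    """
    hits = Counter()
    category_of = {}
    for r in records:
        if r["action"] not in BLOCK_ACTIONS:
            continue
        if r["category"] in exclude_categories:
            continue
        hits[r["url"]] += 1
        category_of[r["url"]] = r["category"]
    rows = [(url, category_of[url], n) for url, n in hits.items() if n <= max_hits]
    return sorted(rows, key=lambda row: (row[2], row[0]))


if __name__ == "__main__":
    print("Reset report (untrust -> dmz):")
    for threat, sessions in reset_report(THREAT_LOG):
        print(f"  {threat}: {len(sessions)} reset(s)")
        for src, dst, action in sessions:
            print(f"    {src} -> {dst} ({action})")
    print("\nBlocked URLs seen at most twice (web-advertisements excluded):")
    for url, category, n in rarely_blocked_urls(URL_LOG):
        print(f"  {n}x  {url}  [{category}]")
```

Note that `api.example-partner.com/v1` is blocked five times and therefore does not appear in the rare list; raise `max_hits` if you want to review it as well, and review the remaining candidates by hand before unblocking anything, since a URL being rare says nothing about it being safe.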