View Security Analytics Data
For supported software information, see Supported Software Information at the end of this article.
SD-WAN branches, hubs, and controllers generate logs and events that Analytics nodes use to display information related to the network security provided by next-generation firewall (NGFW) features. To capture the traffic to be monitored and analyzed by Analytics nodes, you configure policy rules on VOS devices. The policy rules are associated with log export functionality (LEF) profiles that indicate the IP address, protocol, and port to which traffic logs are sent. For more information about associating LEF profiles with features and services, see Apply Log Export Functionality.
This article describes the Security dashboards, which are located at Analytics > Dashboard (Home) > Dashboards > Security dashboards:
- Top-level Security dashboard—Displays summary statistics about NGFW security
- Applications dashboard—Displays TCP application usage
- Web dashboard—Displays URLs and URL reputations
- Identity dashboard—Displays device identity statistics
- Firewall dashboard—Displays firewall statistics
- Threats dashboard—Displays threat detection statistics
- DLP dashboard—Displays data loss prevention statistics
For general information about how to use an Analytics dashboard, see View Analytics Dashboards and Log Screens.
Top-Level Security Dashboard
To view summary statistics about NGFW security features, select the top-level Security dashboard, at Analytics > Dashboard (Home) > Dashboards > Security.
The top-level security dashboard displays the following charts:
- Top Applications
- Top URL Categories
- Top Bandwidth Consuming Applications
- Top Rules
- Top Destination Addresses
- Top Source Addresses
- Top Zone
- Firewall actions
- Top Threat Types
Security Applications Dashboard
The VOS software supports and automatically recognizes more than 3000 applications based on their signatures. The software uses deep-packet inspection (DPI) to identify applications, and the firewall software uses IP addresses and port numbers to enforce policies. The use of IP addresses and port numbers is based on the assumption that users connect to the network from a fixed location and access particular resources using specific port numbers.
Each application is associated with attributes, such as family, subfamily and tags. You can also create custom applications, application groups, and dynamic application filters. The Analytics node provides visibility into predefined and custom applications and application groups, and you can define dynamic application filters.
The Security Applications dashboard provides a summary of statistics about NGFW security features. To view the Security Applications dashboard, select Analytics > Dashboard (Home) > Dashboards > Security > Applications.
The Security Applications dashboard has the following tabs in the horizontal menu bar:
- Applications
- Risk
- Productivity
- Families
- Subfamilies
Applications Tab
The Applications tab displays a dashboard that includes statistics about applications affected by NGFW filtering profiles for the following items:
- Top Applications By Sessions—Displays information about top applications by session
- Application Usage Over Time By Bandwidth—Displays application bandwidth over time
- Applications—Displays application statistics, including the number of sessions running that application, the amount of received and transmitted traffic by volume (in bytes) and bandwidth for the application, and the total bandwidth that an application is using.
To display application usage, in either the Top Applications chart or the Application table, drill down on an application. For example, clicking DNS displays the following:
Risk Tab
The Risk tab displays traffic statistics by risk level. Level 1 is the lowest-level risk, and Level 5 is the highest-level risk.
To display statistics for a risk level, drill down on the risk level. For example, clicking Risk 1 displays the following:
Productivity Tab
The Productivity tab displays traffic usage per productivity level.
To display statistics for a productivity level, drill down on the productivity level. For example, clicking Level 2 displays the following:
Families Tab
The Families tab displays traffic usage for application families.
To display statistics for an application family, drill down on the family. For example, clicking business system displays the following:
Subfamilies Tab
The Subfamilies tab displays traffic usage for application subfamilies.
To display statistics for an application subfamily, drill down on the subfamily. For example, clicking encrypted displays the following:
Security Web Dashboard
The Security Web dashboard displays statistics about URL activity for an organization. To view the Security Web dashboard, select Analytics > Dashboard (Home) > Dashboards > Security > Web.
The Security Web dashboard has the following tabs in the horizontal menu bar:
- URL Categories
- URL Reputations
URL Categories Tab
The URL Categories tab displays traffic usage by URL category.
The URL Categories dashboard displays the following items:
- URL Category Usage Over Time
- URL Category Usage—Displays details for each URL category, including the number of sessions using that URL category, the amount of received and transmitted traffic by volume (in bytes) and bandwidth for the URL category, and the total bandwidth that a URL category is using.
To display statistics for a category, in the Category Usage table, drill down on the URL category name. For example, clicking the Computer and Internal Security URL category displays the following:
URL Reputation Tab
The URL reputation tab displays traffic usage by URL reputation.
The URL Reputations dashboard displays the following items:
- URL Reputation Usage Over Time
- URL Reputation Usage
To display event statistics for a reputation, in the URL Reputation Usage table, drill down on the reputation. For example, drilling down on the reputation type suspicious displays the following screen.
Security Identity Dashboard
The Security Identity dashboard displays NGFW device identity statistics. To view the Security Identity dashboard, select Analytics > Dashboard (Home) > Dashboards > Security > Identity.
The Security Identity dashboard displays the following items:
- Top Device Type
- Top Device Vendor
- Top Device Model
- Device Details
Security Firewall Dashboard
The Security Firewall dashboard displays information about NGFW firewall statistics and analytics. To view the Security Firewall dashboard, select Analytics > Dashboard (Home) > Dashboards > Security > Security.
The Security Firewall dashboard displays the following items:
- Rules
- Source
- Destination
- Zones
- Forwarding Class
Rules Tab
The Rules tab displays rule usage for rules configured in security access policy.
The Rules dashboard displays the following items:
- Rule Usage Over Time
- Rule Usage
To display statistics for a rule, in the Rule Usage table, drill down on the rule name. For example, clicking the Allow-From-SDWAN rule displays the following:
Source Tab
The Source tab displays statistics about NGFW source IP address usage.
The Source dashboard displays the following table:
- Source IP Usage
To display statistics over time for a source IP address, drill down on the address. For example, clicking 10.100.197.2 displays the following:
Destination Tab
The Destination tab displays statistics about NGFW destination IP address usage.
The Destination dashboard displays the following table:
- Destination IP Usage
To display statistics over time for a destination IP address, drill down on the address. For example, clicking 8.8.8.8 displays the following:
Zones Tab
The Zones tab displays NGFW zone usage for traffic that matches the rules configured in security access policy rules.
The Zones dashboard displays the following items:
- Zone Usage Over Time
- Zone Usage—Displays details for each zone, including the number of sessions using that zone, the amount of received and transmitted traffic by volume (in bytes) and bandwidth that traffic matching a zone is using, and the total bandwidth that traffic matching a zone is using.
To display statistics over time for a zone, in the Zone Usage table, drill down on the zone. For example, clicking the Intf-LAN7-Zone zone displays the following:
Forwarding Class Tab
The Forwarding Class tab displays forwarding class usage for traffic that matches the rules configured in security access policy rules.
The Forwarding Class dashboard displays the following items:
- Forwarding Class Usage Over Time
- Forwarding Class Usage—Displays details for each forwarding class, including the number of sessions using that forwarding class, the amount of received and transmitted traffic by volume (in bytes) and bandwidth that traffic matching a rule is using, and the total bandwidth that traffic matching a rule is using.
To display statistics over time, in the Forwarding Class Usage table, drill down on a forwarding class. For example, clicking the fc_be forwarding class displays the following:
Security Threats Dashboard
The VOS NGFW security software monitors threats from various sources, including web URLs and URL reputations, IP addresses, files, DNS queries, malware, vulnerabilities, and distributed denial-of-service (DDoS) attacks.
The Security Threats dashboard displays information about NGFW firewall statistics and analytics. To view the Security Threats dashboard, select Analytics > Dashboard (Home) > Dashboards > Security > Firewall.
The Security Threats dashboard displays the following tabs in the horizontal menu bar:
- Web
- IP
- File
- DNS
- CASB (Available through Versa cloud-hosted SASE services only)
- DLP (For Releases 22.1.1 and later)
- Malware
- Vulnerabilities
- DDoS
- Summary
Web Tab
The Web tab displays statistics about threat filtering performed by NGFW and URL-filtering profiles.
The Web dashboard displays the following charts:
- Top URL Categories
- Top URL Reputations
- Top URL-Filtering Profiles
- Top URL-Filtering Sources
To display detailed statistics for events that match a chart key, you can drill down on the key in each of the four charts. For example, clicking the proxy_avoid_and_anonymizers key in the Top URL Categories chart displays the following:
IP Tab
The IP tab displays statistics about IP addresses.
The IP dashboard displays the following charts:
- Top IP-Filtering Actions
- Top IP-Filtering Profiles
- Top Filtering Destination Reputations
- Top IP-Filtering Sources
To display detailed statistics for events that match a chart key, you can drill down on the key in each of the four charts. For example, clicking the reject action in the Top IP-Filtering Actions chart displays the following:
File Tab
The File tab displays statistics about file filtering.
The File dashboard displays the following charts:
- Top File-Filtering Actions
- Top File-Filtering Profiles
- Top File Types
- Top File-Filtering Sources
To display detailed statistics for events that match a chart key, you can drill down on the key in each of the four charts. For example, clicking the IP address 172.30.57.55 in the Top File-Filtering Sources chart displays the following:
DNS Tab
The DNS tab displays statistics about DNS filtering.
The DNS dashboard displays the following charts:
- Top DNS-Filtering Actions
- Top DNS-Filtering Message Types
- Top DNS-Filtering Actions
- Top DNS-Filtering Domains
To display detailed statistics for events that match a chart key, you can drill down on the key in each of the four charts. For example, clicking the response message type in the Top DNS-Filtering Message Types chart displays the following:
CASB Tab
Available through Versa Networks cloud-hosted SASE services only.
The CASB dashboard displays threat analytics for cloud access security broker (CASB).
The CASB dashboard displays the following charts:
- Top CASB Application
- Top CASB Action
- Top CASB Users
- Top Attackers
Malware Tab
The Malware tab displays statistics about antivirus malware filtering.
The Malware dashboard displays the following charts:
- Top Antivirus Malwares
- Top Infected Applications
- Top Victims
- Top Attackers
To display detailed statistics for events that match a chart key, you can drill down on the key in each of the four charts. For example, clicking AV_DETECTION_TYPE_VIRUS in the Top Antivirus Malwares chart displays the following:
Vulnerabilities Tab
The Vulnerabilities tab displays statistics about IDP threats.
The Vulnerabilities dashboard displays the following charts:
- Top Threats
- Top Signature IDs
- Top Sources
- Top Destinations
To display detailed statistics for events that match a chart key, you can drill down on the key in each of the four charts. For example, clicking the bad-unknown threat in the Top Threats chart displays the following:
DDoS Tab
The DDoS tab displays DDoS threat reports.
The DDoS dashboard displays the following chart:
- Top DDoS Threats chart
Summary Tab
The Summary tab displays a summary of threats over the selected time period.
The Summary dashboard displays the following charts:
- Threat Activity Over Time
- Top Threat Types
- Alerts by Severity
- Top Infected Applications
- Top Users With Threats
Security DLP Dashboard
For Releases 22.1.1 and later.
The Security DLP dashboard displays information about DLP applications and users. To view the Security DLP dashboard, select Analytics > Dashboard (Home) > Dashboards > Security > DLP.
The Security DLP dashboard displays the following charts:
- Top DLP Applications
- Top DLP Action
- Top DLP User
- Top DLP Data Profiles
Supported Software Information
Releases 20.2 and later support all content described in this article, except:
- CASB and DLP dashboards are available through Versa Networks cloud-hosted SASE services only.
Additional Information
Apply Log Export Functionality
View Analytics Dashboards and Log Screens