Network Traffic

If the ETP Proxy is enabled for your enterprise, you can report on all network traffic that is directed to ETP, including suspicious traffic or traffic that bypasses ETP Proxy. The Network Traffic report logs all connections that are directed to ETP. If traffic was dropped, the connection data reports why.

The organization of traffic or connection data is similar to event data. The following applies:

  • Any applied date or data filter defines the data that is shown. You can filter data based on the selected date or date range, the time of day you enter, the area you select in the Time graph, and the actual filters applied to data in the report. You can create a filter where you include or exclude data from the view.

  • Connection data that appears on the Network Traffic report is defined by the selected dimension.

    • The Top 6 area lists the top 6 data values for the selected dimension. For example, if you select the Location dimension, the Top 6 Locations are listed.

    • Connection data is grouped by the selected dimension. For example, if you select the Location dimension, this data is organized by specific locations. You can expand a specific location to view the associated connections.

You can perform the these actions in this report:

  • View connection details. If you select the information icon beside a connection, connection details appear in a separate window.

  • Add data to the filter. You can decide to exclude or include data in the filter.

  • View the IoC details for a requested domain. When viewing events based on domain, you can click the information icon and the IoC Details appear in a separate window.

If you are a delegated administrator, the data that appears in this report is based on the locations you created and are allowed to access. A strict delegated administrator cannot view the Network Traffic report.

Filter network traffic data

To filter network traffic data:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Network Traffic.

  2. To filter data based on date and time, see Filter data based on date and time.

  3. To configure and apply a filter, see Configure and apply a filter.

  4. To further narrow the date and time that you want to report on, move the slider handles of the provided graph to select the desired area or the date and time you want to focus on. For example, you may want to focus on the time when the most traffic occurred.

  5. Select a dimension or criteria to define what data is shown.

  6. To hide data shown in the top 6 area, click one of top 6 items. This data is hidden from the Top 6 graph. Likewise, you can click it again to show this data in the graph.

  7. To search for network connections that are grouped by the selected dimension, see Search for network traffic connections.

Search for network traffic connections

You can search for network connections in the Network Traffic report. Traffic data appears based on applied filters and the dimension or criteria you select. Search functionality is available to locate specific data in the Connections area.

To search for network traffic connections:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Network Traffic.

  2. To filter data based on date and time, see Filter data based on date and time.

  3. To configure and apply a filter, see Configure and apply a filter.

  4. Select a dimension or criteria to define what data is shown.

  5. In the search field provided for grouped values, enter the dimension or criteria value. For example, if you select to show data based on domain, this means that events are grouped by domain. In this case, you would enter a domain.

  6. To search all connections associated with the dimension you selected, click the arrow icon for all filtered connections. For example, if you selected Destination Ports as a dimension, the All Destination Ports group is available and includes all destinations ports for all connections. All connection information appears in a table format. Go to step 8.

  7. To search for a specific event that is part of a dimension group, click the arrow icon associated with the dimension value. For example, if events are grouped by destination port, this action shows connections that are associated with a specific destination port. A list of connections appear in a table format.

  8. In the provided search field, enter a data value that is associated with the connection. For example, you can enter the location, connection start time, end time, and more. The value you search for should match a value in one of the table columns.

View connection details

In the Network Traffic report, you can view detailed information about traffic that was allowed or dropped by ​Enterprise Threat Protector​.

To view connection details:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Network Traffic.

  2. Filter events as needed. For more information see Filter data based on date and time and Filter network traffic data.

  3. If you haven't done so already, select a dimension.

  4. In the list of grouped events, click the arrow icon that is associated with a dimension value. For example, if you selected Domain, click the arrow icon to see the associated traffic. Logged connections appear in a table format.

  5. Click the information button. Connection details appear in a separate window. You can use the arrow keys on your keyboard to navigate to other connections in the table and show details.

Add or remove data columns to connection or activity data tables

On the DNS Activity, Proxy Activity, and the Network Traffic tabs of the Activity page, you can add or remove data that appears in the connections or activity data tables. The modifications you make to an individual table apply to all connection and activity tables you view.

📘

You need to be an ETP administrator or a user with a specific permission to view the DNS Activity or Proxy Activity reports. For more information, see Roles.

To add or remove data columns to connection or activity data tables:

  1. In the Threat Protection menu of Enterprise Center, select Reports > Activity.

  2. Select one of these:

    • For data on DNS traffic directed to ETP, select DNS Activity.

    • For data on traffic directed to ETP Proxy, select Proxy Activity.

    • For data on traffic directed to ETP, select Network Traffic.

  3. Filter events as needed. For more information see Filter data based on date and time. Depending on the data you are filtering, do one of these steps:

  4. If you haven't done so already, select a dimension or criteria.

  5. To add a data column to the connections or activity data table:

    1. In the grouped connections area on the page, click the table icon. A list of additional attributes appear.

    2. Select the data type that you want to add to the table. A column for this data appears.

  6. To remove a data column from the connections or activity data table:

    1. In the grouped connections or activity area on the page, click the table icon. A list of data types appear.

    2. Deselect any data type that you want to remove from the table. After a data type is deselected, the column is removed from the table.

Download a CSV file with connection or activity information

From the DNS Activity, Proxy Activity and Network Traffic reports, you can download a CSV that contains a complete list of connections or activity. Each table shows the latest 500 connections. However, you can download a CSV file to see up to 5,000 of the most recent connections or activity based on the dimension and filters you selected.

📘

You need to be an ETP administrator or a user with a specific permission to view the DNS Activity or Proxy Activity reports. For more information, see Roles.

To download a CSV file with connection or activity information:

  1. In the Threat Protection menu of Enterprise Center, select Reports.

  2. Do one of these steps:

    • For data on DNS traffic directed to ETP, select DNS Activity.

    • For data on traffic directed to ETP Proxy, select Proxy Activity.

    • For data on traffic directed to ETP, select Network Traffic.

  3. Filter data as needed. For more information see Filter data based on date and time. Depending on the data you are filtering, do one of these steps:

  4. If you haven't done so already, select a dimension or criteria.

  5. In the grouped connections or activity area, click the arrow icon to show the connections or activity associated with the selected dimension.

  6. Click Download CSV (All Events) to download the connections or activity that are associated with the dimension you selected.

Connection dimensions

You can organize data based on these dimensions available on the Network Traffic activity report:

📘

If these dimensions are not available by default in the list of connections shown in the Connections table, you can add them to your view.

Dimension

Description

Destination Port

TCP or UDP port number of traffic such as port 80 for HTTP traffic and port 443 for HTTPS traffic.

Status

Indicates if the connection was allowed or blocked by ETP. If the traffic was dropped, the status indicates why it was dropped.

Location

Indicates where the connection originated from.

Geo

Geographical region where connection originated from.

Domain

Domain requested by the user.

Destination IP

IP address of the destination (origin) website.

Source IP

IP address of traffic. This is likely the IP address that is assigned to a location as a result of NAT.

Source Port

The TCP/UDP port of the user’s machine.

Autonomous System

Unique identifier for a network.

Sub-Location

Indicates the sub-location where the event originated from.

Onramp Type

Indicates how a request was directed to ETP Proxy.

One of these values may appear:

  • **dns**. Indicates DNS activity was forwarded to <> Proxy.
  • **web**. Indicates web (HTTP and HTTPS) request was forwarded to the full web proxy.
  • **onramp_dns**. Indicates that risky HTTP and HTTPS traffic was forwarded to the selective proxy.
  • **etp_client**. Indicates the request was directed to <> Proxy as a result of <> Client.
  • **etp_offnet_client**. Indicates the request was directed to <> Proxy as a result of <> client. In this case, the <> Client was off the corporate network.
  • **explicit_proxy_tls**. Indicates the request was directed to <> Proxy as a result of an on-premises proxy configuration.

Policy Action

Policy action that was applied. If this traffic was directed to ETP Proxy, the policy action onramp is shown.

Internal Client Name

Internal client name of device that’s detected by DNS Forwarder or HTTP Forwarder.

Internal Client IP

Internal IP address of the user’s device.

Device Name

Name of the device where ETP Client is hosted or installed.

Client Request ID

UUID of ETP Client that’s installed on the machine.

Invalid Certificate Action

Shows the action that was applied to a website’s origin certificate when ETP Proxy cannot verify the certificate. In a policy, an administrator selects an action in the Invalid Certificate Response menu.

Depending on the action that’s selected, the Bypass or Block - Error Page action appears. If no action was selected by an administrator, N/A is shown.

Connection details

The Network Traffic report allows you to review connection data that's directed to ETP Proxy.

Connection data appears in a table. After you select a filter and dimension, you can select the type of data that you want to show in the table. In addition to data listed in the Connection dimensions topic, you can show this data in the table:

Connection Detail

Description

Connection Start Time

Date and time when request was forwarded to ETP.

Connection End Time

Date and time when either the request was resolved or dropped by ETP.

HTTP(s) Request Count

Number of HTTP or HTTPS requests to the associated domain.

Dropped

Indicates whether traffic is dropped or allowed. If proxy authorization is enabled in a policy, this field also indicates that a connection from the on-premises proxy was not authorized.

Status

Indicates if the connection was allowed or blocked by ETP. If the traffic was dropped, the status indicates why it was dropped.

Destination Port

TCP or UDP port number of traffic such as port 80 for HTTP traffic and port 443 for HTTPS traffic.

Connection ID

Uniquely identifies a connection in a network.

Input Bytes

The size in bytes of an HTTP request.

Output Bytes

The size in bytes of an HTTP response.

Client Agents

String for HTTP-based traffic that includes details about the end user's browser and system, such as the browser, browser version, operating system, command line tools, version of ETP Client, and more.

HTTP Version

Version of the HTTP protocol.


Did this page help you?