If the SIA Proxy is enabled for your enterprise, you can report on all network traffic that is directed to SIA, including suspicious traffic or traffic that bypasses SIA Proxy. The Network Traffic report logs all connections that are directed to SIA. If traffic was dropped, the connection data reports why.

The organization of traffic or connection data is similar to event data. The following applies:

Any applied date or data filter defines the data that is shown. You can filter data based on the selected date or date range, the time of day you enter, the area you select in the Time graph, and the actual filters applied to data in the report. You can create a filter where you include or exclude data from the view.
Connection data that appears on the Network Traffic report is defined by the selected dimension.
- The Top 6 area lists the top 6 data values for the selected dimension. For example, if you select the Location dimension, the Top 6 Locations are listed.
- Connection data is grouped by the selected dimension. For example, if you select the Location dimension, this data is organized by specific locations. You can expand a specific location to view the associated connections.

You can perform the these actions in this report:

View connection details. If you select the information icon beside a connection, connection details appear in a separate window.
Add data to the filter. You can decide to exclude or include data in the filter.
View the IoC details for a requested domain. When viewing events based on domain, you can click the information icon and the IoC Details appear in a separate window.
Download CSV with aggregate data. You can download a CSV that contains the total number of queries based on the dimension you selected. For example, if you selected Domain as the dimension for organizing and viewing data in the report, the CSV shows the total number of queries for each domain.

If you are a delegated administrator, the data that appears in this report is based on the locations you created and are allowed to access. A strict delegated administrator cannot view the Network Traffic report.

Filter network traffic data

To filter network traffic data:

In the Threat Protection menu of Enterprise Center, select Reports > Network Traffic.
To filter data based on date and time, see Filter data based on date and time.
To configure and apply a filter, see Configure and apply a filter.
To further narrow the date and time that you want to report on, move the slider handles of the provided graph to select the desired area or the date and time you want to focus on. For example, you may want to focus on the time when the most traffic occurred.
Select a dimension or criteria to define what data is shown.
To hide data shown in the top 6 area, click one of top 6 items. This data is hidden from the Top 6 graph. Likewise, you can click it again to show this data in the graph.
To search for network connections that are grouped by the selected dimension, see Search for network traffic connections.

Search for network traffic connections

You can search for network connections in the Network Traffic report. Traffic data appears based on applied filters and the dimension or criteria you select. Search functionality is available to locate specific data in the Connections area.

To search for network traffic connections:

In the Threat Protection menu of Enterprise Center, select Reports > Network Traffic.
To filter data based on date and time, see Filter data based on date and time.
To configure and apply a filter, see Configure and apply a filter.
Select a dimension or criteria to define what data is shown.
In the search field provided for grouped values, enter the dimension or criteria value. For example, if you select to show data based on domain, this means that events are grouped by domain. In this case, you would enter a domain.
To search all connections associated with the dimension you selected, click the arrow icon for all filtered connections. For example, if you selected Destination Ports as a dimension, the All Destination Ports group is available and includes all destinations ports for all connections. All connection information appears in a table format. Go to step 8.
To search for a specific event that is part of a dimension group, click the arrow icon associated with the dimension value. For example, if events are grouped by destination port, this action shows connections that are associated with a specific destination port. A list of connections appear in a table format.
In the provided search field, enter a data value that is associated with the connection. For example, you can enter the location, connection start time, end time, and more. The value you search for should match a value in one of the table columns.

View connection details

In the Network Traffic report, you can view detailed information about traffic that was allowed or dropped by Secure Internet Access Enterprise.

To view connection details:

In the Threat Protection menu of Enterprise Center, select Reports > Network Traffic.
Filter events as needed. For more information see Filter data based on date and time and Filter network traffic data.
If you haven't done so already, select a dimension.
In the list of grouped events, click the arrow icon that is associated with a dimension value. For example, if you selected Domain, click the arrow icon to see the associated traffic. Logged connections appear in a table format.
Click the information button. Connection details appear in a separate window. You can use the arrow keys on your keyboard to navigate to other connections in the table and show details.

Add or remove data columns to connection or activity data tables

On the DNS Activity, Proxy Activity, and the Network Traffic tabs of the Activity page, you can add or remove data that appears in the connections or activity data tables. The modifications you make to an individual table apply to all connection and activity tables you view.

📘
You need to be an SIA administrator or a user with a specific permission to view the DNS Activity or Proxy Activity reports. For more information, see Roles.

To add or remove data columns to connection or activity data tables:

In the Threat Protection menu of Enterprise Center, select Reports > Activity.
Select one of these:
- For data on DNS traffic directed to SIA, select DNS Activity.
- For data on traffic directed to SIA Proxy, select Proxy Activity.
- For data on traffic directed to SIA, select Network Traffic.
Filter events as needed. For more information see Filter data based on date and time. Depending on the data you are filtering, do one of these steps:
- If you are filtering data on the DNS Activity tab, see Filter DNS activity data.
- If you are filtering data on the Proxy Activity tab, see Filter proxy activity data.
- If you are filtering data on the Network Traffic tab, see Filter network traffic data.
If you haven't done so already, select a dimension or criteria.
To add a data column to the connections or activity data table:
1. In the grouped connections area on the page, click the table icon. A list of additional attributes appear.
2. Select the data type that you want to add to the table. A column for this data appears.
To remove a data column from the connections or activity data table:
1. In the grouped connections or activity area on the page, click the table icon. A list of data types appear.
2. Deselect any data type that you want to remove from the table. After a data type is deselected, the column is removed from the table.

Download a CSV file with connection or activity information

From the DNS Activity, Proxy Activity and Network Traffic reports, you can download a CSV that contains a complete list of connections or activity. Each table shows the latest 500 connections. However, you can download a CSV file to see up to 5,000 of the most recent connections or activity based on the dimension and filters you selected.

📘
You need to be an SIA administrator or a user with a specific permission to view the DNS Activity or Proxy Activity reports. For more information, see Roles.

To download a CSV file with connection or activity information:

In the Threat Protection menu of Enterprise Center, select Reports.
Do one of these steps:
- For data on DNS traffic directed to SIA, select DNS Activity.
- For data on traffic directed to SIA Proxy, select Proxy Activity.
- For data on traffic directed to SIA, select Network Traffic.
Filter data as needed. For more information see Filter data based on date and time. Depending on the data you are filtering, do one of these steps:
- If you are filtering data on the DNS Activity report, see Filter DNS activity data.
- If you are filtering data on the Proxy Activity report, see Filter proxy activity data.
- If you are filtering data on the Network Traffic report, see Filter network traffic data.
If you haven't done so already, select a dimension or criteria.
In the grouped connections or activity area, click the arrow icon to show the connections or activity associated with the selected dimension.
Click Download CSV (All Events) to download the connections or activity that are associated with the dimension you selected.

Connection dimensions

You can organize data based on these dimensions available on the Network Traffic activity report:

📘
If these dimensions are not available by default in the list of connections shown in the Connections table, you can add them to your view.

Dimension	Description
Destination Port	TCP or UDP port number of traffic such as port 80 for HTTP traffic and port 443 for HTTPS traffic.
Status	Indicates if the connection was allowed or blocked by SIA. If the traffic was dropped, the status indicates why it was dropped.
Location	Indicates where the connection originated from.
Geo	Geographical region where connection originated from.
Domain	Domain requested by the user.
Destination IP	IP address of the destination (origin) website.
Source IP	IP address of traffic. This is likely the IP address that is assigned to a location as a result of NAT.
Source Port	The TCP/UDP port of the user’s machine.
Autonomous System	Unique identifier for a network.
Sub-Location	Indicates the sub-location where the event originated from.
Onramp Type	Indicates how a request was directed to SIA Proxy. One of these values may appear: dns. Indicates DNS activity was forwarded to SIA Proxy. web. Indicates web (HTTP and HTTPS) request was forwarded to the full web proxy. onramp_dns. Indicates that risky HTTP and HTTPS traffic was forwarded to the selective proxy. etp_client. Indicates the request was directed to SIA Proxy as a result of ETP Client. etp_offnet_client. Indicates the request was directed to SIA Proxy as a result of ETP Client. In this case, the ETP Client was off the corporate network. explicit_proxy_tls. Indicates the request was directed to SIA Proxy as a result of an on-premises proxy configuration.
Policy Action	Policy action that was applied. If this traffic was directed to SIA Proxy, the policy action onramp is shown.
Internal Client Name	Internal client name of device that’s detected by DNS Forwarder or HTTP Forwarder.
Internal Client IP	Internal IP address of the user’s device.
Device Name	Name of the device where ETP Client is hosted or installed.
Client Request ID	UUID of ETP Client that’s installed on the machine.
Invalid Certificate Action	Shows the action that was applied to a website’s origin certificate when SIA Proxy cannot verify the certificate. In a policy, an administrator selects an action in the Invalid Certificate Response menu. Depending on the action that’s selected, the Bypass or Block - Error Page action appears. If no action was selected by an administrator, N/A is shown.

Connection details

The Network Traffic report allows you to review connection data that's directed to SIA Proxy.

Connection data appears in a table. After you select a filter and dimension, you can select the type of data that you want to show in the table. In addition to data listed in the Connection dimensions topic, you can show this data in the table:

Connection Detail	Description
Connection Start Time	Date and time when request was forwarded to SIA.
Connection End Time	Date and time when either the request was resolved or dropped by SIA.
HTTP(s) Request Count	Number of HTTP or HTTPS requests to the associated domain.
Dropped	Indicates whether traffic is dropped or allowed. If proxy authorization is enabled in a policy, this field also indicates that a connection from the on-premises proxy was not authorized.
Status	Indicates if the connection was allowed or blocked by SIA. If the traffic was dropped, the status indicates why it was dropped.
Destination Port	TCP or UDP port number of traffic such as port 80 for HTTP traffic and port 443 for HTTPS traffic.
Connection ID	Uniquely identifies a connection in a network.
Input Bytes	The size in bytes of an HTTP request.
Output Bytes	The size in bytes of an HTTP response.
Client Agents	String for HTTP-based traffic that includes details about the end user's browser and system, such as the browser, browser version, operating system, command line tools, version of ETP Client, and more.
HTTP Version	Version of the HTTP protocol.