Network Traffic
If the SIA Proxy is enabled for your enterprise, you can report on all network traffic that is directed to SIA, including suspicious traffic or traffic that bypasses SIA Proxy. The Network Traffic report logs all connections that are directed to SIA. If traffic was dropped, the connection data reports why.
The organization of traffic or connection data is similar to event data. The following applies:
-
Any applied date or data filter defines the data that is shown. You can filter data based on the selected date or date range, the time of day you enter, the area you select in the Time graph, and the actual filters applied to data in the report. You can create a filter where you include or exclude data from the view.
-
Connection data that appears on the Network Traffic report is defined by the selected dimension.
-
The Top 6 area lists the top 6 data values for the selected dimension. For example, if you select the Location dimension, the Top 6 Locations are listed.
-
Connection data is grouped by the selected dimension. For example, if you select the Location dimension, this data is organized by specific locations. You can expand a specific location to view the associated connections.
-
You can perform the these actions in this report:
-
View connection details. If you select the information icon beside a connection, connection details appear in a separate window.
-
Add data to the filter. You can decide to exclude or include data in the filter.
-
View the IoC details for a requested domain. When viewing events based on domain, you can click the information icon and the IoC Details appear in a separate window.
-
Download CSV with aggregate data. You can download a CSV that contains the total number of queries based on the dimension you selected. For example, if you selected Domain as the dimension for organizing and viewing data in the report, the CSV shows the total number of queries for each domain.
If you are a delegated administrator, the data that appears in this report is based on the locations you created and are allowed to access. A strict delegated administrator cannot view the Network Traffic report.
Filter network traffic data
To filter network traffic data:
-
In the Threat Protection menu of Enterprise Center, select Reports > Network Traffic.
-
To filter data based on date and time, see Filter data based on date and time.
-
To configure and apply a filter, see Configure and apply a filter.
-
To further narrow the date and time that you want to report on, move the slider handles of the provided graph to select the desired area or the date and time you want to focus on. For example, you may want to focus on the time when the most traffic occurred.
-
Select a dimension or criteria to define what data is shown.
-
To hide data shown in the top 6 area, click one of top 6 items. This data is hidden from the Top 6 graph. Likewise, you can click it again to show this data in the graph.
-
To search for network connections that are grouped by the selected dimension, see Search for network traffic connections.
Search for network traffic connections
You can search for network connections in the Network Traffic report. Traffic data appears based on applied filters and the dimension or criteria you select. Search functionality is available to locate specific data in the Connections area.
To search for network traffic connections:
-
In the Threat Protection menu of Enterprise Center, select Reports > Network Traffic.
-
To filter data based on date and time, see Filter data based on date and time.
-
To configure and apply a filter, see Configure and apply a filter.
-
Select a dimension or criteria to define what data is shown.
-
In the search field provided for grouped values, enter the dimension or criteria value. For example, if you select to show data based on domain, this means that events are grouped by domain. In this case, you would enter a domain.
-
To search all connections associated with the dimension you selected, click the arrow icon for all filtered connections. For example, if you selected Destination Ports as a dimension, the All Destination Ports group is available and includes all destinations ports for all connections. All connection information appears in a table format. Go to step 8.
-
To search for a specific event that is part of a dimension group, click the arrow icon associated with the dimension value. For example, if events are grouped by destination port, this action shows connections that are associated with a specific destination port. A list of connections appear in a table format.
-
In the provided search field, enter a data value that is associated with the connection. For example, you can enter the location, connection start time, end time, and more. The value you search for should match a value in one of the table columns.
View connection details
In the Network Traffic report, you can view detailed information about traffic that was allowed or dropped by Secure Internet Access Enterprise.
To view connection details:
-
In the Threat Protection menu of Enterprise Center, select Reports > Network Traffic.
-
Filter events as needed. For more information see Filter data based on date and time and Filter network traffic data.
-
If you haven't done so already, select a dimension.
-
In the list of grouped events, click the arrow icon that is associated with a dimension value. For example, if you selected Domain, click the arrow icon to see the associated traffic. Logged connections appear in a table format.
-
Click the information button. Connection details appear in a separate window. You can use the arrow keys on your keyboard to navigate to other connections in the table and show details.
Add or remove data columns to connection or activity data tables
On the DNS Activity, Proxy Activity, and the Network Traffic tabs of the Activity page, you can add or remove data that appears in the connections or activity data tables. The modifications you make to an individual table apply to all connection and activity tables you view.
You need to be an SIA administrator or a user with a specific permission to view the DNS Activity or Proxy Activity reports. For more information, see Roles.
To add or remove data columns to connection or activity data tables:
-
In the Threat Protection menu of Enterprise Center, select Reports > Activity.
-
Select one of these:
-
For data on DNS traffic directed to SIA, select DNS Activity.
-
For data on traffic directed to SIA Proxy, select Proxy Activity.
-
For data on traffic directed to SIA, select Network Traffic.
-
-
Filter events as needed. For more information see Filter data based on date and time. Depending on the data you are filtering, do one of these steps:
-
If you are filtering data on the DNS Activity tab, see Filter DNS activity data.
-
If you are filtering data on the Proxy Activity tab, see Filter proxy activity data.
-
If you are filtering data on the Network Traffic tab, see Filter network traffic data.
-
-
If you haven't done so already, select a dimension or criteria.
-
To add a data column to the connections or activity data table:
-
In the grouped connections area on the page, click the table icon. A list of additional attributes appear.
-
Select the data type that you want to add to the table. A column for this data appears.
-
-
To remove a data column from the connections or activity data table:
-
In the grouped connections or activity area on the page, click the table icon. A list of data types appear.
-
Deselect any data type that you want to remove from the table. After a data type is deselected, the column is removed from the table.
-
Download a CSV file with connection or activity information
From the DNS Activity, Proxy Activity and Network Traffic reports, you can download a CSV that contains a complete list of connections or activity. Each table shows the latest 500 connections. However, you can download a CSV file to see up to 5,000 of the most recent connections or activity based on the dimension and filters you selected.
You need to be an SIA administrator or a user with a specific permission to view the DNS Activity or Proxy Activity reports. For more information, see Roles.
To download a CSV file with connection or activity information:
-
In the Threat Protection menu of Enterprise Center, select Reports.
-
Do one of these steps:
-
For data on DNS traffic directed to SIA, select DNS Activity.
-
For data on traffic directed to SIA Proxy, select Proxy Activity.
-
For data on traffic directed to SIA, select Network Traffic.
-
-
Filter data as needed. For more information see Filter data based on date and time. Depending on the data you are filtering, do one of these steps:
-
If you are filtering data on the DNS Activity report, see Filter DNS activity data.
-
If you are filtering data on the Proxy Activity report, see Filter proxy activity data.
-
If you are filtering data on the Network Traffic report, see Filter network traffic data.
-
-
If you haven't done so already, select a dimension or criteria.
-
In the grouped connections or activity area, click the arrow icon to show the connections or activity associated with the selected dimension.
-
Click Download CSV (All Events) to download the connections or activity that are associated with the dimension you selected.
Connection dimensions
You can organize data based on these dimensions available on the Network Traffic activity report:
If these dimensions are not available by default in the list of connections shown in the Connections table, you can add them to your view.
Dimension | Description |
---|---|
Destination Port | TCP or UDP port number of traffic such as port 80 for HTTP traffic and port 443 for HTTPS traffic. |
Status | Indicates if the connection was allowed or blocked by SIA. If the traffic was dropped, the status indicates why it was dropped. |
Location | Indicates where the connection originated from. |
Geo | Geographical region where connection originated from. |
Domain | Domain requested by the user. |
Destination IP | IP address of the destination (origin) website. |
Source IP | IP address of traffic. This is likely the IP address that is assigned to a location as a result of NAT. |
Source Port | The TCP/UDP port of the user’s machine. |
Autonomous System | Unique identifier for a network. |
Sub-Location | Indicates the sub-location where the event originated from. |
Onramp Type | Indicates how a request was directed to SIA Proxy. One of these values may appear:
|
Policy Action | Policy action that was applied. If this traffic was directed to SIA Proxy, the policy action onramp is shown. |
Internal Client Name | Internal client name of device that’s detected by DNS Forwarder or HTTP Forwarder. |
Internal Client IP | Internal IP address of the user’s device. |
Device Name | Name of the device where ETP Client is hosted or installed. |
Client Request ID | UUID of ETP Client that’s installed on the machine. |
Invalid Certificate Action | Shows the action that was applied to a website’s origin certificate when SIA Proxy cannot verify the certificate. In a policy, an administrator selects an action in the Invalid Certificate Response menu. Depending on the action that’s selected, the Bypass or Block - Error Page action appears. If no action was selected by an administrator, N/A is shown. |
Connection details
The Network Traffic report allows you to review connection data that's directed to SIA Proxy.
Connection data appears in a table. After you select a filter and dimension, you can select the type of data that you want to show in the table. In addition to data listed in the Connection dimensions topic, you can show this data in the table:
Connection Detail | Description |
---|---|
Connection Start Time | Date and time when request was forwarded to SIA. |
Connection End Time | Date and time when either the request was resolved or dropped by SIA. |
HTTP(s) Request Count | Number of HTTP or HTTPS requests to the associated domain. |
Dropped | Indicates whether traffic is dropped or allowed. If proxy authorization is enabled in a policy, this field also indicates that a connection from the on-premises proxy was not authorized. |
Status | Indicates if the connection was allowed or blocked by SIA. If the traffic was dropped, the status indicates why it was dropped. |
Destination Port | TCP or UDP port number of traffic such as port 80 for HTTP traffic and port 443 for HTTPS traffic. |
Connection ID | Uniquely identifies a connection in a network. |
Input Bytes | The size in bytes of an HTTP request. |
Output Bytes | The size in bytes of an HTTP response. |
Client Agents | String for HTTP-based traffic that includes details about the end user's browser and system, such as the browser, browser version, operating system, command line tools, version of ETP Client, and more. |
HTTP Version | Version of the HTTP protocol. |
Updated 10 days ago