The Application Command Center (ACC) is an analytical tool that provides actionable intelligence on activity within your network. The ACC uses the firewall logs to graphically depict traffic trends on your network. The graphical representation allows you to interact with the data and visualize the relationships between events on the network, including network usage patterns, traffic patterns, and suspicious activity and anomalies.
The ACC includes three predefined tabs or views that provide visibility into network traffic, threat activity, and blocked activity. For information on each view, see
Each tab includes a default set of widgets that best represent the events and trends associated with the tab. The widgets allow you to survey the data using the following filters: bytes (in and out), sessions, content (files and data), URL categories, threats (malicious and benign), and count. For information on each widget, see
The charts and graphs in each widget provide a real-time and historic view. You can choose a custom range or use the predefined time periods that range from the last 15 minutes up to the last 30 days or last 30 calendar days.
The time period used to render data, by default, is the last hour. The date and time interval are displayed on screen. For example:
01/12 10:30:00-01/12 11:29:59
The global filters allow you to set the filter across all tabs. The charts and graphs apply the selected filters before rendering the data. For information on using the filters, see
The risk meter (1=lowest to 5=highest) indicates the relative security risk on your network. The risk meter uses a variety of factors such as the type of applications seen on the network and the risk levels associated with the applications, the threat activity and malware as seen through the number of blocked threats, and compromised hosts or traffic to malware hosts and domains.
The data source used for the display varies between the firewall and Panorama™.
On the firewall, if enabled for multiple virtual systems, you can use the drop-down to change the ACC display to include all virtual systems or just a selected virtual system.
On Panorama, you can change the display to use Remote Device Data (managed firewall data). When the data source is Panorama, you can filter the display for a specific device group.
You can export the widgets displayed in the current tab as a PDF.
—This tab displays an overview of traffic and user activity on your network. It focuses on the top applications being used, the top users who generate traffic with a drill down into the bytes, content, threats or URLs accessed by the user, and the most used security rules against which traffic matches occur. In addition, you can also view network activity by source or destination zone, region, or IP address, by ingress or egress interfaces, and by host information such as the operating systems of the devices most commonly used on the network.
—This tab displays an overview of the threats on the network. It focuses on the top threats—vulnerabilities, spyware, viruses, hosts visiting malicious domains or URLs, top WildFire™ submissions by file type and application, and applications that use non-standard ports. The Compromised Hosts widget supplements detection with better visualization techniques. It uses the information from the correlated events tab (Automated Correlation Engine > Correlated Events) to present an aggregated view of compromised hosts on your network by source users or IP addresses, sorted on severity.
—This tab focuses on traffic that was prevented from coming into the network. The widgets in this tab allow you to view activity denied by application name, user name, threat name, content (files and data), and the top security rules with a deny action that blocked traffic.
The widgets on each tab are interactive. You can set filters and drill down into the view to customize the view to focus on the information you need.
Each widget is structured to display the following information.
You can sort the data by bytes, sessions, threats, count, content, URLs, malicious, benign, files, data, profiles, objects. The available options vary by widget.
The graphical display options are treemap, line graph, horizontal bar graph, stacked area graph, stacked bar graph, and map. The available options vary by widget; the interaction experience also varies with each graph type. For example, the widget for Applications using Non-Standard Ports allows you to choose between a treemap and a line graph.
To drill down into the display, click into the graph. The area you click on becomes a filter and allows you to zoom in to the selection and view more granular information for that selection.
The detailed view of the data used to render the graph is provided in a table below the graph.
You can click and set a local filter or a global filter for elements in the table. With a local filter, the graph is updated and the table is sorted by that filter.
With a global filter, the view across the ACC pivots to only display information that pertains to your filter.
The following are actions available in the title bar of a widget:
—Allows you to enlarge the widget and view it in a larger screen space. In the maximized view, you can see more than the top ten items displayed in the default screen width for the widget.
Set up local filters
—Allows you to add filters to refine the display within the widget. See Working with Filters—Local Filters and Global Filters.
Jump to logs
—Allows you to directly navigate to the logs (Monitor > Logs > <Log type>). The logs are filtered using the time period for which the graph is rendered.
If you have set local and global filters, the log query concatenates the time period and filters and displays only logs that match your filter set.
Export
—Allows you to export the graph as a PDF.
For a description of each widget, see the details on using the ACC
To customize and refine the ACC display, you can add and delete tabs, add and delete widgets, set local and global filters, and interact with the widgets.
The following table describes how to use and customize tabs and widgets.
Working with Tabs and Widgets
Add a custom tab.
Select Add (
) along the list of tabs.
View Name. This name will be used as the name for the tab.
You can add up to 5 tabs.
Edit a tab.
Select the tab and click edit next to the tab name to edit the tab.
See which widgets are included in a view.
Select the view and click edit (
drop-down to review selected widgets.
Add a widget or a widget group.
Add a new tab or edit a predefined tab.
Add Widget, and then select the widget you want to add. You can select up to a maximum of 12 widgets.
(Optional) To create a 2-column layout, select
Add Widget Group. You can drag and drop widgets into the 2-column display. As you drag the widget into the layout, a placeholder will display for you to drop the widget.
You cannot name a widget group.
Delete a tab or a widget group/widget.
To delete a custom tab, select the tab and click delete (
You cannot delete a predefined tab.
To delete a widget or widget group, edit the tab and then click delete ( [X] ). You cannot undo a deletion.
Reset the default view.
On a predefined view, such as the
view, you can delete one or more widgets. If you want to reset the layout to include the default set of widgets for the tab, edit the tab and
Working with Filters—Local Filters and Global Filters
To hone the details and finely control what the ACC displays, you can use filters:
—Local filters are applied on a specific widget. A local filter allows you to interact with the graph and customize the display so that you can dig into the details and access the information you want to monitor on a specific widget. You can apply a local filter in two ways—click into an attribute in the graph or table or select Set Filter within a widget. Set Filter allows you to set a local filter that is persistent across reboots.
—Global filters are applied across the ACC. A global filter allows you to pivot the display around the details you care about right now and exclude the unrelated information from the current display. For example, to view all events related to a specific user and application, you can apply the user’s IP address and the application as a global filter and view only information pertaining to that user and application through all the tabs and widgets on the ACC. Global filters are not persistent.
Global filters can be applied in three ways:
Set a global filter from a table
—Select an attribute from a table in any widget and apply the attribute as a global filter.
Add a widget filter to a global filter
—Hover over the attribute and click the arrow icon to the right of the attribute. This option allows you to elevate a local filter used in a widget, and apply the attribute globally to update the display across all the tabs on the ACC.
Define a global filter
—Define a filter using the
pane on the ACC.
The following table describes how to use filters in widgets.
Working with Filters
Set a local filter.
You can also click an attribute in the table below the graph to apply it as a local filter.
Select a widget and click Filter (
) filters you want to apply.
Apply. These filters are persistent across reboots.
The number of local filters applied on a widget is indicated next to the widget name.
Set a global filter from a table.
Hover over an attribute in a table and click the arrow that appears to the right of the attribute.
Set a global filter using the Global Filters pane.
) filters you want to apply.
Promote a local filter to a global filter.
On any table in a widget, select an attribute. This sets the attribute as a local filter.
To promote the filter to a global filter, hover over the attribute and click the arrow to the right of the attribute.
Remove a filter.
Click Remove (
) to remove a filter.
—Located in the Global Filters pane.
—Click Filter (
) to bring up the Set Local Filters dialog and then select the filter and remove it.
Clear all filters
—Select a widget and click Filter (
in the Set Local Filters widget.
Select an attribute and Negate (
) a filter.
—Located in the Global Filters pane.
—Click Filter (
) to bring up the Set Local Filters dialog, add a filter, and then negate it.
View what filters are in use.
—The number of global filters applied is displayed on the left pane under Global Filters.
—The number of local filters applied on a widget is displayed next to the widget name. To view the filters, click Set Local Filters.