Widget Descriptions

Each tab on the ACC includes a different set of widgets.
Widget
Description
Network Activity—Displays an overview of traffic and user activity on your network.
Application Usage
The table displays the top ten applications used on your network; all the remaining applications used on the network are aggregated and displayed as other. The graph displays all applications by application category, subcategory, and application. Use this widget to scan for applications being used on the network; it informs you about the predominant applications using bandwidth, session count, file transfers, triggering the most threats, and accessing URLs.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: treemap, area, column, line (the charts vary by the sort by attribute selected)
User Activity
Displays the top ten most active users on the network who have generated the largest volume of traffic and consumed network resources to obtain content. Use this widget to monitor the top users, sorted by bytes, sessions, threats, content (files and patterns), and URLs visited.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: area, column, line (the charts vary by the sort by attribute selected)
Source IP Activity
Displays the top ten IP addresses or hostnames of the devices that have initiated activity on the network. All other devices are aggregated and displayed as other.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: area, column, line (the charts vary by the sort by attribute selected)
Destination IP Activity
Displays the IP addresses or hostnames of the top ten destinations that were accessed by users on the network.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: area, column, line (the charts vary by the sort by attribute selected)
Source Regions
Displays the top ten regions (built-in or custom defined regions) around the world from where users initiated activity on your network.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: map, bar
Destination Regions
Displays the top ten destination regions (built-in or custom defined regions) on the world map from where content is being accessed by users on the network.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: map, bar
GlobalProtect Host Information
Displays information on the state of the hosts on which the GlobalProtect agent is running; the host system is a GlobalProtect client. This information is sourced from entries in the HIP match log that are generated when the data submitted by the GlobalProtect agent matches a HIP object or a HIP profile you have defined on the firewall. If you do not have HIP Match logs, this widget is blank. To learn how to create HIP objects and HIP profiles and use them as policy match criteria, see Configure HIP-Based Policy Enforcement.
Sort attributes: profiles, objects, operating systems
Charts available: bar
Rule Usage
Displays the top ten rules that have allowed the most traffic on the network. Use this widget to view the most commonly used rules, monitor the usage patterns, and to assess whether the rules are effective in securing your network.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: line
Ingress Interfaces
Displays the firewall interfaces that are most used for allowing traffic into the network.
Sort attributes: bytes, bytes sent, bytes received
Charts available: line
Egress Interfaces
Displays the firewall interfaces that are most used by traffic exiting the network.
Sort attributes: bytes, bytes sent, bytes received
Charts available: line
Source Zones
Displays the zones that are most used for allowing traffic into the network.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: line
Destination Zones
Displays the zones that are most used by traffic going outside the network.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: line
Threat Activity—Displays an overview of the threats on the network
Compromised Hosts
Displays the hosts that are likely compromised on your network. This widget summarizes the events from the correlation logs. For each source user/IP address, it includes the correlation object that triggered the match and the match count, which is aggregated from the match evidence collated in the correlated events logs. For details see Use the Automated Correlation Engine.
Available on the PA-3000 Series, PA-5000 Series, PA-5200 Series, PA-7000 Series, and Panorama.
Sort attributes: severity (by default)
Hosts Visiting Malicious URLs
Displays the frequency with which hosts (IP addresses/hostnames) on your network have accessed malicious URLs. These URLs are categorized as malware in PAN-DB.
Sort attributes: count
Charts available: line
Hosts Resolving Malicious Domains
Displays the top hosts matching DNS signatures, that is, hosts on the network that are attempting to resolve the hostname or domain of a malicious URL. This information is gathered from an analysis of the DNS activity on your network. It utilizes passive DNS monitoring, DNS traffic generated on the network, activity seen in the sandbox if you have configured DNS sinkhole on the firewall, and DNS reports on malicious DNS sources that are available to Palo Alto Networks customers.
Sort attributes: count
Charts available: line
Threat Activity
Displays the threats seen on your network. This information is based on signature matches in Antivirus, Anti-Spyware, and Vulnerability Protection profiles and viruses reported by WildFire.
Sort attributes: threats
Charts available: bar, area, column
WildFire Activity by Application
Displays the applications that generated the most WildFire submissions. This widget uses the malicious and benign verdict from the WildFire Submissions log.
Sort attributes: malicious, benign
Charts available: bar, line
WildFire Activity by File Type
Displays the threat vector by file type. This widget displays the file types that generated the most WildFire submissions and uses the malicious and benign verdict from the WildFire Submissions log. If this data is unavailable, the widget is empty.
Sort attributes: malicious, benign
Charts available: bar, line
Applications using Non Standard Ports
Displays the applications that are entering your network on non-standard ports. If you have migrated your firewall rules from a port-based firewall, use this information to craft policy rules that allow traffic only on the default port for the application. Where needed, make an exception to allow traffic on a non-standard port or create a custom application.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: treemap, line
Rules Allowing Applications On Non Standard Ports
Displays the security policy rules that allow applications on non-default ports. The graph displays all the rules, while the table displays the top ten rules and aggregates the data from the remaining rules as other.
This information helps you identify gaps in network security by allowing you to assess whether an application is hopping ports or sneaking into your network. For example, you can validate whether you have a rule that allows traffic on any port except the default port for the application. Say, for example, you have a rule that allows DNS traffic on its application-default port (port 53 is the standard port for DNS). This widget will display any rule that allows DNS traffic into your network on any port except port 53.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: treemap, line
Blocked Activity—Focuses on traffic that was prevented from coming into the network
Blocked Application Activity
Displays the applications that were denied on your network, and allows you to view the threats, content, and URLs that you kept out of your network.
Sort attributes: threats, content, URLs
Charts available: treemap, area, column
Blocked User Activity
Displays user requests that were blocked by a match on an Antivirus, Anti-Spyware, File Blocking, or URL Filtering profile attached to a Security policy rule.
Sort attributes: threats, content, URLs
Charts available: bar, area, column
Blocked Threats
Displays the threats that were successfully denied on your network. These threats were matched on antivirus signatures, vulnerability signatures, and DNS signatures available through the dynamic content updates on the firewall.
Sort attributes: threats
Charts available: bar, area, column
Blocked Content
Displays the files and data that were blocked from entering the network. The content was blocked because security policy denied access based on criteria defined in a File Blocking security profile or a Data Filtering security profile.
Sort attributes: files, data
Charts available: bar, area, column
Security Policies Blocking Activity
Displays the security policy rules that blocked or restricted traffic into your network. Because this widget displays the threats, content, and URLs that were denied access into your network, you can use it to assess the effectiveness of your policy rules. This widget does not display traffic that was blocked because of deny rules that you have defined in policy.
Sort attributes: threats, content, URLs
Charts available: bar, area, column
