Assess Network Traffic
Now that you have a basic security policy, you can review the statistics and data in the Application Command Center (ACC), traffic logs, and the threat logs to observe trends on your network. Use this information to identify where you need to create more granular security policy rules.
- In the ACC, review the most used applications and the high-risk applications on your network. The ACC graphically summarizes the log information to highlight the applications traversing the network, who is using them (with User-ID enabled), and the potential security impact of the content, helping you identify what is happening on the network in real time. You can then use this information to create appropriate security policy rules that block unwanted applications while allowing and enabling applications in a secure manner. The Compromised Hosts widget in ACC > Threat Activity displays potentially compromised hosts on your network, along with the logs and match evidence that corroborate the events.
- Determine what updates/modifications are required for your network security policy rules and implement the changes. For example:
- Evaluate whether to allow web content based on schedule, users, or groups.
- Allow or control certain applications or functions within an application.
- Decrypt and inspect content.
- Allow but scan for threats and exploits.
- Specifically, view the traffic and threat logs (Monitor > Logs). Traffic logs depend on how your security policy rules are defined and whether they are set up to log traffic. The Application Usage widget in the ACC, however, records applications and statistics regardless of policy configuration; it shows all traffic that is allowed on your network, so it includes both the inter-zone traffic that is allowed by policy and the same-zone traffic that is allowed implicitly.
- Review the AutoFocus intelligence summary for artifacts in your logs. An artifact is an item, property, activity, or behavior associated with logged events on the firewall. The intelligence summary reveals the number of sessions and samples in which WildFire detected the artifact. Use WildFire verdict information (benign, grayware, malware) and AutoFocus matching tags to look for potential risks in your network. From the AutoFocus intelligence summary, you can start an AutoFocus search for artifacts and assess their pervasiveness within global, industry, and network contexts.
- Review the URL filtering logs to scan through alerts and denied categories/URLs. URL logs are generated when traffic matches a security rule that has a URL filtering profile attached with an action of alert, continue, override, or block.
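The distinction above between traffic allowed by an explicit rule and same-zone traffic allowed implicitly is the kind of thing the Application Usage widget surfaces. As an added example (not code from the PAN-OS documentation), the script below reproduces that view over a handful of constructed traffic-log records: it counts allowed sessions per application, split into inter-zone and same-zone, and lists applications that are only ever allowed by a default rule, which are the candidates for a more granular rule. The field names (app, action, from, to, rule) and the default rule names intrazone-default and interzone-default are assumptions for this example, and the records assume logging was enabled on those default rules.

```python
from collections import Counter, defaultdict

# Constructed records standing in for an exported PAN-OS traffic log.
# Field names are assumed to mirror the CSV export columns (assumption).
SAMPLE_TRAFFIC_LOGS = [
    {"app": "web-browsing", "action": "allow", "from": "trust", "to": "untrust", "rule": "allow-web"},
    {"app": "ssl",          "action": "allow", "from": "trust", "to": "untrust", "rule": "allow-web"},
    {"app": "bittorrent",   "action": "deny",  "from": "trust", "to": "untrust", "rule": "block-p2p"},
    {"app": "smb",          "action": "allow", "from": "trust", "to": "trust",   "rule": "intrazone-default"},
    {"app": "smb",          "action": "allow", "from": "trust", "to": "trust",   "rule": "intrazone-default"},
    {"app": "ssh",          "action": "allow", "from": "trust", "to": "dmz",     "rule": "allow-admin"},
    {"app": "unknown-tcp",  "action": "allow", "from": "trust", "to": "trust",   "rule": "intrazone-default"},
]

# Names of the firewall's built-in default rules (assumed for this example).
IMPLICIT_RULES = {"intrazone-default", "interzone-default"}


def application_usage(logs):
    """Allowed sessions per application, split into inter-zone traffic
    (allowed by policy) and same-zone traffic, as the Application Usage
    widget shows it. Denied sessions are not counted."""
    usage = defaultdict(Counter)
    for rec in logs:
        if rec["action"] != "allow":
            continue
        kind = "same-zone" if rec["from"] == rec["to"] else "inter-zone"
        usage[rec["app"]][kind] += 1
    return {app: dict(counts) for app, counts in usage.items()}


def implicitly_allowed(logs):
    """Applications that are allowed only by a default rule and never by an
    explicit one: candidates for a granular rule (allow explicitly, restrict
    by user or schedule, decrypt and inspect, or block)."""
    explicit, implicit = set(), set()
    for rec in logs:
        if rec["action"] != "allow":
            continue
        bucket = implicit if rec["rule"] in IMPLICIT_RULES else explicit
        bucket.add(rec["app"])
    return sorted(implicit - explicit)


if __name__ == "__main__":
    for app, counts in sorted(application_usage(SAMPLE_TRAFFIC_LOGS).items()):
        print(f"{app:14s} {counts}")
    print("only implicitly allowed:", implicitly_allowed(SAMPLE_TRAFFIC_LOGS))
```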