Expected behaviour
The following is the expected behavior when you use Xshield agents and the features of Xshield available in the UI.
Xshield agents
See Expected behavior with Xshield agents and Interoperability with third-party Security solutions on Windows assets.
Cloud-monitored assets
Microsoft Azure cloud assets monitored from Xshield
- For short-lived connections between Azure cloud-monitored assets and any other private or public entity, Flow Explorer shows 0 (zero) bytes of throughput (Bytes In = 0, Bytes Out = 0) for the first set of records of the connection (SESSION STATE = New). The zero is a property of the source data rather than lost traffic: Xshield updates the Flow Explorer records after Azure adds the throughput to the Network Security Group (NSG) flow logs.
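The following Python is an added example, not ColorTokens code or anything taken from the Xshield UI. It shows why the first record of a short-lived Azure session carries no bytes: in the NSG flow log version 2 format (the field order below is my reading of that format and is an assumption), the begin tuple has empty counters and the byte counts only arrive with later continuation or end tuples. The two flow tuples are constructed, not captured from a real NSG, and the session state labels are mine.

```python
# Added example (not ColorTokens code): why a short-lived Azure flow first shows
# Bytes In = 0 / Bytes Out = 0. The tuple layout follows the Azure NSG flow log
# version 2 format as I understand it (an assumption); the sample tuples are
# constructed, not captured from a real NSG.

# Field order of one NSG v2 flowTuples entry (comma separated).
FIELDS = ("ts", "src", "dst", "sport", "dport", "proto", "direction",
          "decision", "state", "pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s")

# Session state labels used in this example (assumed; Flow Explorer shows
# "New" for the first record of a session).
STATE_LABEL = {"B": "New", "C": "Continuing", "E": "Closed"}

# Constructed sample: one short-lived HTTPS session from a monitored VM.
# The B (begin) tuple carries no counters at all; the E (end) tuple with the
# byte counts arrives in a later log interval.
SAMPLE_TUPLES = [
    "1700000000,10.0.0.4,13.67.143.118,44931,443,T,O,A,B,,,,",
    "1700000060,10.0.0.4,13.67.143.118,44931,443,T,O,A,E,25,2134,21,2223",
]


def parse_tuple(line):
    """Parse one flowTuples string into a dict; empty counters become 0."""
    parts = line.split(",")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    rec["ts"] = int(rec["ts"])
    for key in ("pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s"):
        rec[key] = int(rec[key]) if rec[key] else 0   # '' on a B tuple
    return rec


def summarize(lines):
    """Fold B/C/E tuples of the same 5-tuple into one session record.

    Counters on C and E tuples are treated as increments since the previous
    update (an assumption about the NSG format), so they are summed. Bytes Out
    is source-to-destination and Bytes In is destination-to-source, as seen
    from the monitored (source) asset.
    """
    sessions = {}
    for rec in (parse_tuple(line) for line in lines):
        key = (rec["src"], rec["dst"], rec["sport"], rec["dport"], rec["proto"])
        sess = sessions.setdefault(key, {"state": None, "bytes_out": 0, "bytes_in": 0,
                                         "first_seen": rec["ts"], "last_seen": rec["ts"]})
        sess["state"] = STATE_LABEL.get(rec["state"], rec["state"])
        sess["last_seen"] = rec["ts"]
        sess["bytes_out"] += rec["bytes_s2d"]
        sess["bytes_in"] += rec["bytes_d2s"]
    return sessions


if __name__ == "__main__":
    key = ("10.0.0.4", "13.67.143.118", "44931", "443", "T")
    print("after first interval:", summarize(SAMPLE_TUPLES[:1])[key])
    print("after end record:    ", summarize(SAMPLE_TUPLES)[key])
```

Feeding only the first tuple reproduces what Flow Explorer shows at SESSION STATE = New (state New, zero bytes both ways); once the end tuple is folded in, the same session reports the real byte counts.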
Amazon Web Services (AWS) cloud assets monitored from Xshield
- AWS does not log ICMP traffic as a single bidirectional flow: an ICMP request and the ICMP response associated with it are logged as two independent flows in the Virtual Private Cloud (VPC) Flow Logs. Xshield displays traffic flows for AWS cloud-monitored assets from the VPC Flow Logs, so you will see two independent flows for all ICMP-related traffic in Visualizer and the other Xshield features.
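The following Python is an added example, not ColorTokens code. It reassembles the two independent ICMP records that AWS writes into one bidirectional session, which is what an analyst has to do by hand when reading these flows in Xshield. The field order follows the default VPC flow log (version 2) record format; the records, account ID and ENI ID are constructed placeholders. Because the default format carries no ICMP type or code, the example treats the record seen first as the outbound direction.

```python
# Added example (not ColorTokens code): reassemble the two independent ICMP
# records that AWS writes into one bidirectional session. Field order follows
# the default VPC flow log (version 2) record format; the records below are
# constructed, not captured from a real VPC.

FIELDS = ("version", "account", "eni", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "log_status")
ICMP = 1

SAMPLE_RECORDS = [
    # Echo request 10.0.1.10 -> 10.0.2.20 and its reply, logged as two flows.
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 0 0 1 4 336 1700000000 1700000030 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.2.20 10.0.1.10 0 0 1 4 336 1700000001 1700000030 ACCEPT OK",
    # A TCP flow, left untouched by the pairing logic.
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 51000 22 6 10 1200 1700000000 1700000040 ACCEPT OK",
    # An ICMP request that was never answered stays one-directional.
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.3.30 0 0 1 1 84 1700000100 1700000100 ACCEPT OK",
]


def parse_record(line):
    """Parse one space-separated VPC flow log record into a dict."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for key in ("protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def pair_icmp(lines, window=60):
    """Return ICMP sessions, each pairing a record with its reverse-direction record.

    Two ICMP records are paired when they are on the same ENI, have swapped
    src/dst addresses, and their start times are within `window` seconds. The
    record seen first is treated as the outbound direction: the default log
    format alone cannot tell an echo request from an echo reply.
    """
    icmp = [r for r in map(parse_record, lines) if r["protocol"] == ICMP]
    icmp.sort(key=lambda r: r["start"])
    used = set()
    sessions = []
    for i, fwd in enumerate(icmp):
        if i in used:
            continue
        used.add(i)
        rev = None
        for j in range(i + 1, len(icmp)):
            cand = icmp[j]
            if (j not in used
                    and cand["eni"] == fwd["eni"]
                    and cand["srcaddr"] == fwd["dstaddr"]
                    and cand["dstaddr"] == fwd["srcaddr"]
                    and cand["start"] - fwd["start"] <= window):
                rev = cand
                used.add(j)
                break
        sessions.append({
            "src": fwd["srcaddr"], "dst": fwd["dstaddr"],
            "packets_out": fwd["packets"], "bytes_out": fwd["bytes"],
            "packets_in": rev["packets"] if rev else 0,
            "bytes_in": rev["bytes"] if rev else 0,
            "answered": rev is not None,
        })
    return sessions


if __name__ == "__main__":
    for sess in pair_icmp(SAMPLE_RECORDS):
        print(sess)
```

An unanswered request (a probe that a security group dropped on the far side, for example) is kept as a one-directional session with `answered` set to False, so the pairing does not hide failed ICMP attempts.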
Microsegmentation and Policies
Policy Builder
Policy Builder generates policy recommendations only for the following groups and entries:
- The first 40 Workload groups added to an instance (Intragroup tab in Policy Builder).
- The first 40 Private Network groups added to the instance (Private Networks tab).
- The first 35 Public Network groups and Domain groups, counted together, added to the instance (Public Networks & Domains tab).
- The first 40 domain entries in a Domain group.
- The first 30 subnet entries in a Network group (private or public subnets).
Policy recommendations are not listed for groups or entries beyond these limits. To get recommendations for other groups or entries, delete unused groups, or reorder the entries in a group so that the ones you need fall within the limits.
Visualization
Visualizer
- In the initial Visualizer view with the entity groups collapsed, turning on the Show Malicious Reputation toggle draws red traffic lines between Public Networks or Public Domains and other entity groups, even though non-malicious traffic also exists between those groups. In the collapsed view, Visualizer shows one collated reputation status for all the traffic between two groups, and that collated status is always 'malicious'. To see the actual mix of malicious and non-malicious traffic between Public Networks or Public Domains and the entities in a group, double-click the group to expand it, then click the individual traffic lines between the groups.
- User assets in Endpoint groups display the hostname, not the email address of the user currently logged in to the asset.
Flow Explorer
- For newly established sessions (both short-lived and long-lived), Flow Explorer lags by one minute. You can, however, see the details of newly established sessions in Visualizer.
- On some computers, the carousel for the Advanced filter does not work as expected: you cannot scroll horizontally to see all the filters in the carousel.
- With SNAT, when two agent devices communicate with each other, Flow Explorer displays two different records, one sent by each agent, because each agent reports the addresses it sees on its own side of the NAT. If one of the agent devices is communicating with a public IP whose source cannot be identified, Flow Explorer maps the record to the device name most recently reported as using that public IP. If no device name is available, the corresponding hostname is displayed as UNKNOWN.
ColorTokens vulnerability scanner
- Some older entries in the Common Vulnerabilities and Exposures (CVE) list published in the U.S. National Vulnerability Database (NVD) do not specify which versions of an application are affected. The ColorTokens vulnerability scanner uses the NVD as its reference for listing vulnerabilities, so CVEs that do not specify the affected versions are not listed in the fly panel of the assets.
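The following Python is an added example, not ColorTokens code, for finding out ahead of time which CVEs a scanner that depends on NVD version data will leave out. The record layout follows the NVD CVE API 2.0 JSON as I understand it (`cve.configurations[].nodes[].cpeMatch[]`, which is an assumption); the three records and their `CVE-0000-*` IDs are constructed placeholders, not real NVD entries. A CVE counts as "version-less" when none of its vulnerable CPE matches names a version in the CPE string or carries a version range bound.

```python
# Added example (not ColorTokens code): triage which CVEs a scanner that relies
# on NVD version data would skip. The record layout follows the NVD CVE API 2.0
# JSON as I understand it (cve.configurations[].nodes[].cpeMatch[]); the three
# records and their CVE-0000-* IDs are constructed placeholders, not real entries.

RANGE_KEYS = ("versionStartIncluding", "versionStartExcluding",
              "versionEndIncluding", "versionEndExcluding")


def cpe_version(criteria):
    """Return the version component of a CPE 2.3 formatted string.

    Layout: cpe:2.3:part:vendor:product:version:update:edition:language:
            sw_edition:target_sw:target_hw:other  (13 colon-separated parts)
    """
    parts = criteria.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {criteria!r}")
    return parts[5]


def match_has_version(match):
    """True if a cpeMatch entry pins the affected versions.

    Either the CPE itself names a version (anything other than '*' = ANY or
    '-' = not applicable) or one of the version range bounds is present.
    """
    if any(key in match for key in RANGE_KEYS):
        return True
    return cpe_version(match["criteria"]) not in ("*", "-")


def cves_without_versions(api_response):
    """Return the IDs of CVEs with no vulnerable cpeMatch that specifies a version."""
    missing = []
    for item in api_response["vulnerabilities"]:
        cve = item["cve"]
        matches = [m
                   for cfg in cve.get("configurations", [])
                   for node in cfg.get("nodes", [])
                   for m in node.get("cpeMatch", [])
                   if m.get("vulnerable", True)]
        # A CVE with no configurations at all is also version-less.
        if not any(match_has_version(m) for m in matches):
            missing.append(cve["id"])
    return missing


def _cve(cve_id, *cpe_matches):
    """Build a minimal API-2.0-shaped record for the constructed sample."""
    return {"cve": {"id": cve_id,
                    "configurations": [{"nodes": [{"operator": "OR", "negate": False,
                                                   "cpeMatch": list(cpe_matches)}]}]}}


SAMPLE_RESPONSE = {"vulnerabilities": [
    # Product named, but version is ANY and no range bound: skipped by a
    # scanner that needs version data.
    _cve("CVE-0000-0001",
         {"vulnerable": True, "criteria": "cpe:2.3:a:example:app:*:*:*:*:*:*:*:*"}),
    # Version given as a range bound on an ANY-version CPE: usable.
    _cve("CVE-0000-0002",
         {"vulnerable": True, "criteria": "cpe:2.3:a:example:app:*:*:*:*:*:*:*:*",
          "versionEndExcluding": "2.4.1"}),
    # Explicit version in the CPE: usable.
    _cve("CVE-0000-0003",
         {"vulnerable": True, "criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}),
]}


if __name__ == "__main__":
    print("version-less CVEs:", cves_without_versions(SAMPLE_RESPONSE))
```

Running the same function over a real API 2.0 response for a product you care about gives the list of CVEs you must check by another route (vendor advisories, the CVE description text) because they will not appear in the asset's fly panel.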
Alerts
Policy violation alerts
- Policy Violation alerts for workloads that were moved across Workload groups cannot be explored in Flow Explorer. Clicking Explore in Flow Explorer in the 3-dot menu for such an alert opens a Flow Explorer view that lists no traffic.
Xaccess
- Product Key-based installation is of Beta quality on macOS assets (both workloads and user assets). Install Xshield agents from the CLI of macOS assets instead.
- CT Connectors currently cannot be upgraded from the Xshield UI. To move to a newer Connector version, deploy the upgraded image on another virtual machine or instance and register it with the Xshield instance. Alternatively, upgrade the Xshield agent on the Connector from the Connector's CLI.
- On an Xshield instance with Xaccess enabled, the precedence order for user authentication is SAML first, then AD, and lastly Local user authentication. For example, on an instance that integrates both Azure AD (as the SAML IdP) and AD, you must disable or delete the SAML IdP integration before AD users can authenticate and join the Xaccess private network.
- For an Azure AD integration with Xaccess, using the Test user check in the Azure portal while configuring the ColorTokens ZTNA app for the Azure tenant shows that test user as active for a long duration on the Users page.
- For Xshield instances that used secure remote access with Local users and were upgraded to the July release (with Xaccess), integrating an AD or IdP does not automatically update the Groups and Departments of users. As a workaround, edit the relevant Endpoint groups and add AD or IdP Groups or Departments as the grouping criteria.
- The fly panel of an Endpoint group does not reflect the new name of an IdP or AD Group or Department after the Group or Department is renamed in the IdP or AD.
- Enabling the Always tunnel traffic to listed domain via Xaccess only option (Xaccess > Settings > VPN Configuration) causes the Xaccess Endpoint app on Local user assets to show those assets as Remote.
- IPsec VPN data collected by running the Logcollect command from the CLI of a user asset is inaccurate. Collect logs by running the Logcollect utility from the Xshield UI instead.
- Xaccess Auto-Quarantine policies do not apply when the level of access is set to Enable default remote access to internal resources (Xaccess > Settings > Advanced Configuration Settings). Do not enable this option if you plan to use Xaccess Auto-Quarantine policies for the user assets managed from the instance.