Interpret traffic flows downloaded from Flow Explorer

The CSV files you download from Flow Explorer contain the traffic flows/unique sessions between the Xshield-managed assets and the other private and public unmanaged entities that communicate with those assets. You can build and strengthen Policies by analyzing the sessions in the CSV files. Use Microsoft Excel or a similar tool to filter the sessions by session ID, 5-tuple, Policy action, and so on.

Here are a couple of things you must consider when you interpret the CSV files that you download from Flow Explorer (or from the Workload groups' fly panel).

a. Microsoft Excel's limitation with displaying more than 15 digits in a cell with the default settings

Xshield generates session IDs that are up to 19 digits long. These session IDs are listed in the SESSION ID column of the CSV files that you download from Flow Explorer.

With the default settings, Microsoft Excel displays a maximum of 15 digits in a cell; all additional digits are changed to zeros. See the Microsoft article "Last digits are changed to zeros when you type long numbers in cells of Excel" for more details. The fixes listed in the Microsoft Excel documentation apply only when you type or paste more than 15 digits into a cell. They do not work for the CSV files that you download from Flow Explorer.

Workaround: To see the actual session IDs when they are more than 15 digits long, you must do the following:

  1. Open a blank Excel spreadsheet.

  2. Go to Data and click From Text/CSV (in the Get & Transform Data group).

  3. Import the CSV file downloaded from Flow Explorer.

  4. From the Data Type Detection drop-down list, select Do not detect data types.

  5. Click Load.

    In a few seconds, Excel loads the CSV file and displays the actual session IDs.


b. Long-lived sessions/flows are tracked as multiple rows in the CSV file

Sessions between assets, or between assets and unmanaged Internet and private entities, can be short-lived or long-lived. Xshield tracks sessions by the 'Policy action' on the sessions - Unauthorized (Observe mode), Authorized (Observe, Enforce, or Encrypt mode), and Blocked (Enforce or Encrypt mode). The Xshield agents track the status of the sessions by using the following states - New (Xshield must receive more details about the session from the agent), In Progress (the session state was captured while the session was in progress), and Closed (the session was closed/terminated by the source asset/entity). The duration of a session is calculated from the first and the last packet received in the session.

For long-lived sessions, the Xshield agents are designed to capture the state of a session at periodic intervals depending on the 'Policy action' on the session. So, for CSV files that contain the details of long-lived sessions, you will find multiple rows with the same session IDs. 

  • For sessions that were Blocked due to the Policies enforced on the destination assets, Xshield agents capture the state of the sessions every minute on the assets.

  • For sessions that are Unauthorized or Authorized, Xshield agents capture the first state of the session in a little less than two minutes or when the session is Closed, and subsequent session states every five to six minutes. So, in the CSV file, you see roughly 'n/4' rows for a session that lasted 'n' minutes. For example, for a session that lasted close to 20 minutes, you see four rows in the CSV file.

Workaround: If you want to analyze the sessions by their session IDs, retain only the last session state of each session in the CSV file. Use Excel Macros to remove the rows with duplicate session IDs (all rows other than the one that displays the last state of the session).

The data in the row that displays the last state of a session is the consolidated data for the session.

For a short-lived session, you see only one row in the CSV file.
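As an added example that is not part of the Xshield documentation, the following Python script applies both workarounds above outside Excel: it reads the downloaded CSV with every field kept as text, so 19-digit session IDs are never rounded to 15 digits, and it keeps only the last row for each SESSION ID. The sample rows, all column names other than SESSION ID, and the assumption that rows appear in chronological order are constructed for illustration.

```python
import csv
import io

# Constructed sample CSV (not real Flow Explorer output). Only the SESSION ID
# column name comes from the Flow Explorer description; the other columns are
# assumptions for this example. The first session is long-lived and has three
# state rows; the second is short-lived and has a single row.
SAMPLE_CSV = """SESSION ID,SOURCE,DESTINATION,PORT,POLICY ACTION,STATE
1234567890123456789,10.0.1.5,10.0.2.9,443,Authorized,New
1234567890123456789,10.0.1.5,10.0.2.9,443,Authorized,In Progress
1234567890123456789,10.0.1.5,10.0.2.9,443,Authorized,Closed
9876543210987654321,10.0.3.7,10.0.2.9,22,Blocked,Closed
"""


def read_flows(text):
    """Parse the CSV with every field kept as a string, so a 19-digit
    session ID is never coerced to a number and rounded to 15 digits."""
    return list(csv.DictReader(io.StringIO(text)))


def last_state_per_session(rows, id_col="SESSION ID"):
    """Return one row per session ID: the last row seen for that ID.

    Assumes the rows are in chronological order (states of a long-lived
    session are appended over time), so the last row is the consolidated
    data for the session. IDs keep their first-seen order in the output.
    """
    last = {}
    for row in rows:
        last[row[id_col]] = row  # a later state row replaces the earlier one
    return list(last.values())


def summarize(text):
    """Load an export, collapse repeated session IDs, and return
    (rows_in_file, unique_sessions, collapsed_rows)."""
    rows = read_flows(text)
    collapsed = last_state_per_session(rows)
    return len(rows), len(collapsed), collapsed


if __name__ == "__main__":
    total, unique, collapsed = summarize(SAMPLE_CSV)
    print(f"{total} rows in file, {unique} unique sessions")
    for row in collapsed:
        print(row["SESSION ID"], row["POLICY ACTION"], row["STATE"])
```

If you write the collapsed rows back to a CSV, import it into Excel with Do not detect data types as in the workaround above, otherwise the session IDs are rounded again.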


Correlate connections data in the Visual Explorer fly panel with sessions log from Flow Explorer 

The connections data shown in the fly panel on Visual Explorer is the number of unique sessions (Unauthorized, Authorized, or Blocked). The related sessions log that you see and/or download from Flow Explorer is the sessions data for the related short-lived and long-lived sessions.

Visual Explorer fly panel
  1. On the Visual Explorer page, click the SECURITY tab in the filter panel, enable Zero Trust Mode, and select the type of sessions you want to see by 'Policy action' (for example, Blocked sessions).

  2. Set a suitable duration in the Time filter, say Last 7 days and click SEARCH.

  3. Click a traffic line between entities (for example, from Private networks to a Workload group) and see the inbound Connection count displayed in the fly panel. 

  4. Click the right arrow to see the filtered view of the short-lived and long-lived sessions.

Flow Explorer
  1. On the Flow Explorer page, select Blocked as the POLICY ACTION and select the same Workload group as the DESTINATION.

  2. Set the same time duration in the Time filter, Last 7 days and click SEARCH.


Correlate Unauthorized attempts and Prevented attempts in the Workload group fly panel with sessions log from Flow Explorer

The Unauthorized attempts detected and Prevented attempts counts shown in the fly panel of a Workload group are the number of unique inbound sessions (Unauthorized or Blocked) in the last 7 days. The related sessions log that you see and/or download from Flow Explorer is the sessions data for the short-lived and long-lived sessions.

Workload group fly panel
  1. On the Workload groups page, click a Workload group in the Enforced mode (to see Prevented attempts).

  2. See the Prevented attempts count listed in the fly panel.

  3. Click the Download icon to download the sessions data for the related short-lived and long-lived sessions.

Flow Explorer
  1. On the Flow Explorer page, select Blocked as the POLICY ACTION and select the same Workload group as the DESTINATION.

  2. Set the same time duration in the Time filter, Last 7 days and click SEARCH.
