Use Visualizer

Visualizer gives a sky-view of the network traffic between managed resources (assets) and discovered resources. On a production network, it provides contextual visibility into network flows and detailed threat visibility for Internet traffic. In Policy simulation mode, Visualizer lets you simulate security changes beforehand to minimize service disruption. Visualizer is one of the primary tools for analyzing network traffic; the others are Flow Explorer and Policy Builder (during Policy simulation efforts).


Prerequisites

  • In Visualizer, assets and resources are shown in Groups. So, to see the assets and resources of interest in Visualizer, you must have grouped them into Xshield groups.

  • Know the different types of filters available to filter the view and traffic in Visualizer. All filters persist for the login session.

  • For a session-level traffic analysis, you must know how to use Flow Explorer.


See Zero Trust enforcement status

Use the Zero Trust Mode Traffic view to quickly see the Xshield policy enforcement status on the network. In the Zero Trust Mode, the traffic lines are colored by the Policy action from Xshield policies. 

  • For a network currently being evaluated with Policy simulation efforts, Red traffic is the Unauthorized traffic when policies are not enforced.

  • For a Production network, Dotted Red traffic must be investigated in conjunction with the Traffic alerts. Orange lines (Mixed traffic) must also be investigated.

With effective Xshield policy enforcement and secure network usage practices, you should see less Dotted Green and Dotted Red traffic.


Traffic analysis

Traffic can be analyzed in all Visualizer views. In the Global and Group-level views, the traffic is aggregated for all assets in the group(s). For traffic analysis, the details are shown in the fly panel. These details include the services used, the throughput of the traffic flows, and the Policy action/Status.

  • To see a Flow Explorer view of the traffic for all services involved, click the Flow Explorer icon (Blue).

  • For a more detailed analysis of the traffic for a service, click a row in the fly panel.

    This also brings up the Flow Explorer utility view for that row. Any row in the traffic details can be clicked to see more details in the Flow Explorer utility.

  • To download the traffic flows seen in the Flow Explorer view for offline analysis, click the Download icon.


Threat analysis

Use the inputs from the Xshield Threat Intelligence service to see the Threat reputation of Internet resources. Threat reputation details displayed in the fly panel include Threat reputation (High, Suspicious, Medium, Low, or Trustworthy), hostname, IP address and geographical location, and threat type (Spam, Phishing, Scanner, Windows Exploits, and so on). For resources with a High Threat reputation, you will see a Red overlay icon.

In Visualizer, Threat reputation applies to Public Networks and Domains groups.

  1. Click the Filters icon.

  2. In the Traffic tab, set the Reputation toggle switch to ON.

  3. (Optional) To see only High Threat reputation traffic, select Show Malicious Reputation.

  4. Double-click the Public Networks or Domains group and go to the Asset-level view.


Geo-location and Domain category views

Apart from the default views by Public Network groups, public IP addresses can also be viewed by their Geo-location. Similarly, Domain groups can be viewed by their Categories such as Social Networking, Search Engines, Personal Sites & Blogs, and Computer and Internet Info. The Geo-location and Category based groupings are based on the inputs from the Xshield Threat Intelligence service.

  1. Click the Filters icon.

  2. In the View tab, set the Domains toggle switch to ON.

  3. Double-click the Domains group.

  4. Similarly, select the Geolocations switch for Public Networks.


Group edits

Group edit operations include adding or removing workloads from Workload groups based on tags, adding or removing user assets to Endpoint groups based on IdP groups or Xshield User groups, or changing the IP subnets or domains for Network groups and Domain groups. 

  • Click the appropriate group in the Group-level view, make the changes in the fly panel, and click Save.

    The fly panel view is identical to the group-edit view in the Groups pages.


Asset details

You can see the details of a managed asset in the Asset-level view in the fly panel. The details are identical to the ones you see in the Asset fly panel for the asset on the Assets page.
