Gateway Intrusion Detection and Prevention Dashboard

The Gateway IDS/IPS dashboard displays threat details for gateways that have an IDPS license and for the hosts connected to those gateways. The threats detected by the traffic inspection engine are presented in different charts and tables.

Viewing Threat Details in the Gateway IDS/IPS Dashboard

To view the Gateway IDS/IPS dashboard, complete the following steps:

  1. In the WebUI, set the filter to one of the options under groups, labels, or sites that has IDPS-supported gateways.

    For all devices, set the filter to Global. The dashboard context for the selected filter is displayed.

  2. Under Manage, select Security > Gateway IDS/IPS.

    The Threats List table is displayed in the List view.

  3. (Optional) To download the Threats List details as a .csv file, click the download icon. For more information, see Threats List.
  4. Click the Summary icon for a graphical view of the threats identified.

To set the charts to show data for a specific duration, use the options in the time range filter. By default, data is displayed for a duration of 3 hours. To view the graphs for a different duration, click the time filter icon and select a time range of your choice.

The Gateway IDS/IPS dashboard displays the following charts and tables.

Threats Charts

The Threats charts display the number of threats detected by the traffic inspection engine for a selected duration, grouped by the type of protocol. This helps identify where the highest number of intrusions occurs in the network traffic.

Time Range Filter:

The time filter allows you to set a time range to display threat details in the charts. You can set the filter to any of the following time ranges:

  • 3 Hours—The bar chart is plotted on an hourly basis to display the threat details for the past three hours.
  • 1 Day—The bar chart is plotted on an hourly basis to display the threat details for the current day.
  • 1 Week—The bar chart is plotted on a daily basis to display the threat details for the current week.
  • 1 Month—The bar chart is plotted on a daily basis to display the threat details for the current month.
  • 3 Months—The bar chart is plotted on a weekly basis to display the threat details for the past three months.

The following animation illustrates the actions available on the Threat Chart.

Trends Table

The Trends table displays the threat type, the number of threats, and the percentage change in the number of threats of each type compared to the previous duration. A sudden change in the number of threats of a certain type from one duration to the next can help identify a threat pattern. Click a threat type to view the threats of that type in the Threats List.

Figure 1  Trends Table
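The following is an added example, not part of the product documentation: it recomputes a Trends-style comparison offline from an exported Threats List .csv, including the case where a threat type has no baseline in the previous duration. The column names, the sample rows, and the use of an equal-length preceding window as the "previous duration" are assumptions; adjust them to match the real export.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample standing in for an exported Threats List .csv.
# Column names (timestamp, threat_type, source_ip) are assumptions.
SAMPLE_CSV = """timestamp,threat_type,source_ip
2024-05-01T05:00:00,HTTP,10.0.0.5
2024-05-01T06:10:00,HTTP,10.0.0.5
2024-05-01T07:30:00,HTTP,10.0.0.7
2024-05-01T08:45:00,DNS,10.0.0.9
2024-05-01T08:50:00,SMB,10.0.0.9
2024-05-01T09:05:00,HTTP,10.0.0.5
2024-05-01T09:40:00,HTTP,10.0.0.5
2024-05-01T10:15:00,HTTP,10.0.0.7
2024-05-01T10:20:00,HTTP,10.0.0.7
2024-05-01T11:00:00,HTTP,10.0.0.7
2024-05-01T11:30:00,TLS,10.0.0.8
2024-05-01T11:45:00,DNS,10.0.0.9
"""
NOW = datetime(2024, 5, 1, 12, 0, 0)  # constructed "current time"

def trends(csv_text, now, window=timedelta(hours=3)):
    """Return {threat_type: (current, previous, pct_change or None)}."""
    cur_start, prev_start = now - window, now - 2 * window
    current, previous = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        if cur_start <= ts < now:
            current[row["threat_type"]] += 1
        elif prev_start <= ts < cur_start:
            previous[row["threat_type"]] += 1
    result = {}
    for ttype in sorted(set(current) | set(previous)):
        cur, prev = current[ttype], previous[ttype]
        # No baseline: a percentage is undefined, so report None instead.
        pct = None if prev == 0 else round((cur - prev) / prev * 100, 1)
        result[ttype] = (cur, prev, pct)
    return result

def spikes(result, threshold=100.0):
    """Types that are new in this window or rose by at least `threshold` %."""
    return [t for t, (cur, prev, pct) in result.items()
            if cur > 0 and (pct is None or pct >= threshold)]

if __name__ == "__main__":
    for ttype, row in trends(SAMPLE_CSV, NOW).items():
        print(ttype, row)
```

Threat types that first appear in the current window are flagged by `spikes` even though no percentage can be computed for them.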

Most Affected Gateways or Hosts Chart

When you select All Devices in the filter, the chart displays the top 10 gateways with the number of threats detected in a stacked horizontal bar chart. When you hover over a horizontal stacked bar, it displays the number of threats for each type of protocol. Click a stacked horizontal bar to view threats for the particular type of protocol on the Threats List table. Click the legend for the threat type to show or hide the data for the threat type on the chart.

When you select a group or an IDPS-supported gateway in the filter, the Most Affected Gateways chart is replaced by the Most Affected Hosts chart.

The following animation illustrates how to view the Trends table and the Most Affected Gateways.

When you select a group in the filter, the chart displays the number of threats detected for the top 10 hosts connected to all IDPS-supported gateways within the group. When you select an IDPS-supported gateway in the filter, the chart displays the number of threats detected for the top 10 hosts associated with the gateway.

The host name is displayed on the chart only if the host name is configured; otherwise, the source IP address is displayed. For more information about configuring the host name, see Configuring or Renaming Gateway Hostname.

Figure 2  Most Affected Hosts Chart

Top Sources & Destinations Table

The Top Hosts Sources or Destinations table displays the top ten IP addresses of the source and destination hosts with the number of threats identified. Select either Sources or Destinations from the Top Hosts drop-down to view the host and corresponding threats. Click an IP address under Sources to view threats on the Threats List table for the selected source IP address. Click an IP address under Destinations to view threats in the Threats List table for the selected destination IP address.

The host name is displayed in the table only if the host name is configured; otherwise, the source IP address is displayed. For more information about configuring the host name, see Configuring or Renaming Gateway Hostname.

Figure 3  Top Sources & Destinations Table

Threat Map

The Threat Map displays the locations of the hosts on which threats are detected. Hover over a location to view the number of inbound threats, the number of outbound threats, and the total number of threats detected. Inbound displays the number of threats in the incoming traffic at a specific location. Outbound displays the number of threats in the outgoing traffic at a specific location. You can zoom in, zoom out, and move the map to view the threat details for a specific location. Click a location to view its threats in the Threats List table.

The following animation illustrates the actions available on the Threat Map.