Live Session Explorer

The Live Session page displays detailed connection logs in a sortable format. This view is useful for gaining insight into the current activity on your network.

The Live Session Explorer is divided into six Report Views for easy access to desired log details:

  • Connections

  • Threats

  • Blocks

  • Web

  • DNS

  • TLS

Figure 1. Live Session Explorer

To view the Live Session Explorer:

  • Select a node
  • Click on the Live Session button on the left sidebar

On the Live Session page, you can easily:

  • navigate between Report Views by clicking on the desired tab at the top of the page
  • customize the Live Session Explorer Layout
  • set the Live Session Explorer time interval
  • pause the automatic refresh of the Live Session Explorer
  • set a refresh time
  • sort the connection log information
  • apply filter(s) for the Live Session Explorer
  • block or allow a connection

Connections

The Connections report view is a very useful tool that can assist you with the following tasks:

  • troubleshooting a block event
  • defining a policy rule to allow/block a connection
  • determining the policy which the connection matches
  • examining the session's application name and application category
  • determining the destination hostname, IP address, and port

To view the live connection details, click on the Connections tab on the header bar of the Live Session page.

Figure 2. Connections report view

Threats

On the Threats report view, you can easily view the details of security events detected in your network such as phishing/hacking site visits.

To view the live threats session details, click on the Threats tab on the header bar of the Live Session page.

Tip: You may block a specific threat immediately on this page if a threat has been allowed because of your current policy configuration.

Figure 3. Threats report view

Blocks

The Blocks report view allows you to view the details of the blocked connections in your network according to your policy rules.

To view the live blocked session details, click on the Blocks tab on the header bar of the Live Session page.

Figure 4. Blocks report view

Web

A web session is a sequence of continuous activities performed by a visitor on a single website within a specified time range. This might include your search engine queries, completing and submitting a form on a website, or the pages you browsed while visiting a website. Any interaction with a single website is logged as a web session.

On the Web report view, you may view the details of the web connections in your network.

To view the live web session details, click on the Web tab on the header bar of the Live Session page.

Figure 5. Web report view

DNS

Attackers are using DNS for data theft, denial-of-service attacks, and other malicious activities. Proactive DNS monitoring can assist network administrators in promptly detecting and responding to these threats.

On the DNS report view, you may view the details of the DNS queries in your network.

To view the live DNS session details, click on the DNS tab on the header bar of the Live Session page.

Figure 6. DNS report view

TLS

TLS, or Transport Layer Security, is a widely used security protocol that provides privacy and data security for Internet connections. A key use case for TLS is encrypting communication between online applications and servers, such as a web browser loading a webpage.

On the TLS report view, you can easily view the details of the TLS queries in your network.

To view the live TLS session details, click on the TLS tab on the header bar of the Live Session page.

Figure 7. TLS report view

Configuring the Live Sessions Explorer

You can configure the Live Session report by using the configuration pane at the top of the Live Sessions page.

Figure 8. Live Sessions Explorer configuration pane

Changing the Layout or Adding/Removing a Field (Column)

You can customize the Live Sessions Explorer for each report view separately.

To add/remove a field (column) to/from the Live Session Explorer of a report view:

  1. Select the report view (Connections, Threats, etc.) that you want to customize.
  2. Click the Layout button on the configuration pane to open a scrollable list.
  3. Click on the toggle button next to the field (column) that you wish to add to or remove from the list.

Figure 9. Add or remove fields/columns

The order of the fields/columns may also be changed in the Live Session report.

To move up/down, drag and drop the move button next to the field/column that you wish to move.

Figure 10. Changing the order of the fields (columns)

You can view the following fields (columns) on the Live Session report.

| Field Name | Description |
|---|---|
| Block Status | Whether the session is blocked or not. The green checkmark (✓) icon means pass. The red crossmark (⨯) icon means block. |
| Start | Start time of the session |
| End | End time of the session |
| Src Hostname | Source Hostname of the session. If not resolved, the source IP address is listed. |
| Protocol | TCP or UDP |
| Src IP | Source IP address of the session |
| Src Port | Source Port number of the session |
| Src Username | Source Username of the session |
| Dst IP | Destination IP address of the session |
| Dst Hostname | Destination Hostname of the session. If not resolved, the Destination IP address is listed. |
| Dst Port | Destination Port number of the session |
| Dst Username | Destination Username of the session |
| App Category | Application Category of the session |
| Security Category | Security Category of the session |
| Application | Application Name of the session |
| Packets In | Number of received packets during the session |
| Packets Out | Number of transmitted packets during the session |
| Bytes In | Number of received bytes during the session |
| Bytes Out | Number of transmitted bytes during the session |
| Iface | Name of the network interface on which the session occurs |
| Vlan | VLAN ID on which the session occurs |
| Block Message | Subcategory information of the blocked session |
| Block Category | The category which is blocked: Web or Application. |
| Block Signature | Information about the blocked session |
| Method | HTTP request method (get, post, put, etc.) |
| Status | HTTP response status code (100-599) |
| Version | HTTP version (1.1, 2.0, etc.) |
| AA | Authoritative Answer: a response which indicates if the DNS server is authoritative for the queried hostname |
| RA | Recursion Available: a response which indicates if the replying DNS server supports recursion |
| RD | Recursion Desired: indicates if the client requested a recursive query |
| TC | TrunCation: indicates that the message was truncated due to excessive length |
| Request | DNS request |
| Response | DNS query response |
| Query class | Class code |
| Query type | Type of RR in numeric form |
| Query | DNS query in the session |
| Answer | Answer for the DNS query |
| Response Code | Response Code for the DNS query |
| TTLS | Count of seconds that the RR stays valid |
| Total answer | Number of answers for the DNS query |
| Encryption | The type of encryption (SSL or TLS) |
| Policy | Name and details of Sensei policy applied to the session |
| Actions | Circle with slash (/) icon: allows you to block the session. Checkmark (✓) icon: allows you to allow the session. |

Table 1: Field names for details of a session
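
How the DNS columns in Table 1 (AA, TC, RD, RA, Response Code, Total answer, Query, Query type, Query class) relate to the DNS wire format, shown as an added example that is not from the original page or the product's code. It assumes those columns carry the RFC 1035 header and question fields of the same names; `decode_dns`, the `is_response` key, and the sample messages are constructed for illustration.

```python
import struct

# RCODE names from RFC 1035; other values are reported numerically.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def decode_dns(msg: bytes) -> dict:
    """Decode the header and first question of a raw DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS header is 12 bytes; message too short")
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    row = {
        "is_response": bool(flags & 0x8000),  # QR bit (hypothetical key name)
        "AA": bool(flags & 0x0400),
        "TC": bool(flags & 0x0200),
        "RD": bool(flags & 0x0100),
        "RA": bool(flags & 0x0080),
        "Response Code": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "Total answer": ancount,
    }
    if qdcount == 0:
        return row
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("question name runs past end of message")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(msg):
            raise ValueError("compressed or malformed label in question")
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("question is missing type/class")
    qtype, qclass = struct.unpack("!2H", msg[pos:pos + 4])
    row.update({"Query": ".".join(labels), "Query type": qtype, "Query class": qclass})
    return row

# Constructed sample messages (header + question only), not captured traffic.
QUESTION = b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1)  # A / IN
SAMPLE_RESPONSE = struct.pack("!6H", 0x1A2B, 0x8180, 1, 1, 0, 0) + QUESTION
SAMPLE_NXDOMAIN = struct.pack("!6H", 0x1A2C, 0x8183, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    for sample in (SAMPLE_RESPONSE, SAMPLE_NXDOMAIN):
        print(decode_dns(sample))
```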

Setting the Time Range

Figure 11. Setting the time range

The time range for the Live Session Explorer may be set by clicking on the button in the middle of the Explorer’s configuration bar. By default, the Live Sessions Explorer is set to the last 24 hours. Available time ranges for the Live Session report are as follows:

  • Last 30 minutes
  • Last 6 hours
  • Last 12 hours
  • Last 24 hours
  • Last 72 hours
  • Last week
  • Custom range

With the custom range, you can create a report for a specified time range. To set a custom time period:

  1. Click on the button in the middle of the Explorer’s configuration bar. This will open a drop-down menu.

  2. Click on the Custom range. This will open a window to set the Start date and the End date of the report.

Figure 12. Setting a custom time range

  3. Set the Start date and the End date as you wish. You can either enter the date and time manually or select them by clicking on the related icons (calendar/clock).

Figure 13. Setting the start time of the report

Figure 14. Setting the start hour/minute of the report

  4. Click the Apply button.

Setting the Refresh Interval

By default, the live session is not refreshed, but you can enable the refresh option by setting a refresh interval for the report. The refresh interval options are as follows:

  • Pause
  • Refresh Now
  • 1 minute
  • 5 minutes
  • 15 minutes
  • 30 minutes
  • 1 hour

To change the refresh time interval:

  1. Click the Refresh Interval drop-down menu at the end of the Explorer configuration bar.

  2. Select one of the options.

Figure 15. Setting the refresh interval of the Live Session Explorer

Loading More Session Records

The details of the last 100 sessions are shown by default on the Live Session Explorer. After scrolling down to the end of the list, the next 100 sessions may be displayed by clicking on the load more button.

Figure 16. Loading more session records

Sorting

You may sort the Live Session Explorer by any field. The report is sorted by Start Time in descending order by default. To change the sort type of the Live Session Explorer:

  1. Hover your mouse over the field name on the title bar that you wish to sort by. This will open a small information box stating you can sort the report.

  2. Click on the field name that you wish to sort by. This will automatically sort the report in ascending order.

Figure 17. Sorting the Live Session Explorer

The sort order of Ascending or Descending may be selected for the Live Session Explorer. By default, the Explorer is sorted in descending order so that the newest information is displayed first. Clicking on the field name will change the sort order from ascending to descending or vice versa. The report will automatically be refreshed after clicking on the field name.

Figure 18. Changing the sort order of the Live Session Explorer

Adding a Generic Filter/Exclusion on the Live Session Explorer

Filters may be applied to the Live Session Explorer to drill down to the data you wish to see. You can use the equals operator for filtering and the not equals operator for exclusion. Also, more than one filter may be applied to the report. These filtering/exclude parameters are displayed on the top of the reporting page.

Figure 19. Filtering on a Live Session Explorer (Connections filtered out for Source Hostname = 172.16.41.1 and Destination Hostname = 172.16.43.12)

To apply a filter to the Live Session Explorer:

  1. Hover your mouse over a value in the field/column that you wish to apply a filter. This will display a small information box stating you can apply a filter.
  2. Click on the value in the field/column.
  3. The Live Session Explorer will be updated automatically and the applied filter will be displayed at the top of the report.

For example, if you are on the Connections tab, you can click on an IP/hostname (172.16.41.1) in the Source hostname field and an IP/hostname (172.16.43.12) in the Destination hostname field. This will list the sessions where the source IP equals 172.16.41.1 and the destination IP equals 172.16.43.12.

To exclude a parameter on the Live Session Explorer:

  1. Apply a filter as explained above. The applied filter parameter is displayed at the top.
  2. Click on the equals (=) sign on the applied filter parameter to change it to the not equals (!=) sign. The report will update automatically according to the exclusion parameter.

Figure 20. Connections filtered out for the Source Hostname = 172.16.41.1, the Destination Hostname != 172.16.43.12, and the Application Category != Network Management

Removing a Filter in the Live Session Explorer

To remove an applied filter/exclusion in the Live Session Explorer, click on the x icon next to the filter/exclude parameter at the top of the Explorer view.

Figure 21. Removing an applied filter in the Live Session Explorer

Allow/Block a Connection

While viewing the live sessions, you may notice network traffic that you want to block or allow. You do not need to go to the policy configuration page. Instead, you can easily allow or block a connection directly from the Live Session Explorer page.

To allow/block a connection from the Live Session Explorer:

  1. Find the session in the Live Session Explorer you wish to block or allow.

  2. Click the Block button (circle with a slash icon) in the Actions column to block the connection, or click the Allow button (checkmark icon) in the Actions column to allow it. A confirmation dialog box will be displayed.

  3. Click on the Block or Allow button to confirm blocking/allowing the Category, Application, or Hostname.