The Live Session page displays detailed connection logs in a sortable format. This view is useful for gaining insight into the current activity on your network.
The Live Session Explorer is divided into six Report Views (Connections, Threats, Blocks, Web, DNS, and TLS) for easy access to desired log details.
Figure 1. Live Session Explorer
To view the Live Session Explorer:
- Select a node
- Click on the Live Session button on the left sidebar
On the Live Session page, you can easily:
- navigate between Report Views by clicking on the desired tab at the top of the page
- customize the Live Session Explorer Layout
- set the Live Session Explorer time interval
- pause the automatic refresh of the Live Session Explorer
- set a refresh time
- sort the connection log information
- apply filter(s) for the Live Session Explorer
- block or allow a connection
The Connections report view is a very useful tool that can assist you with the following tasks:
- troubleshooting a block event
- defining a policy rule to allow/block a connection
- determining the policy which the connection matches
- examining the session's application name and application category
- determining the destination hostname, IP address, and port
To view the live connection details, click on the Connections tab on the header bar of the Live Session page.
Figure 2. Connections report view
In the Threats report view, you can easily view the details of security events detected in your network, such as visits to phishing/hacking sites.
To view the live threats session details, click on the Threats tab on the header bar of the Live Session page.
You may block a specific threat immediately on this page if a threat has been allowed because of your current policy configuration.
Figure 3. Threats report view
The Blocks report view allows you to view the details of the connections blocked in your network according to your policy rules.
To view the live blocked session details, click on the Blocks tab on the header bar of the Live Session page.
Figure 4. Blocks report view
A web session is a sequence of continuous activities performed by a visitor on a single website within a specified time range. This might include your search engine queries, completing and submitting a form on a website, or the pages you browsed while visiting a website. Any interaction with a single website is logged as a web session.
In the Web report view, you may view the details of the web connections in your network.
To view the live web session details, click on the Web tab on the header bar of the Live Session page.
Figure 5. Web report view
Attackers are using DNS for data theft, denial-of-service attacks, and other malicious activities. Proactive DNS monitoring can assist network administrators in promptly detecting and responding to these threats.
In the DNS report view, you may view the details of the DNS queries in your network.
To view the live DNS session details, click on the DNS tab on the header bar of the Live Session page.
Figure 6. DNS report view
TLS, or Transport Layer Security, is a widely used protection protocol that facilitates privacy and data security for Internet connections. Encrypting communication between online applications and servers, such as web browsers loading a webpage, is a key use case for TLS.
In the TLS report view, you can easily view the details of the TLS queries in your network.
To view the live TLS session details, click on the TLS tab on the header bar of the Live Session page.
Figure 7. TLS report view
You can configure the Live Session report by using the configuration pane at the top of the Live Sessions page.
Figure 8. Live Sessions Explorer configuration pane
You can customize the Live Sessions Explorer for each report view separately.
To add/remove a field (column) to/from the Live Session Explorer of a report view:
- Select the report view (Connections, Threats, etc.) that you want to customize.
- Click the Layout button on the configuration pane to open a scrollable list.
- Click on the toggle button next to the field (column) that you wish to add to or remove from the list.
Figure 9. Add or remove fields/columns
The order of the fields/columns may also be changed in the Live Session report.
To move a field/column up or down, drag and drop the move button next to it.
Figure 10. Changing the order of the fields (columns)
You can view the following fields (columns) on the Live Session report.
| Field | Description |
|---|---|
| Block Status | Whether the session is blocked or not. The green checkmark (✓) icon means pass. The red crossmark (⨯) icon means block. |
| Start | Start time of the session |
| End | End time of the session |
| Src Hostname | Source Hostname of the session. If not resolved, the source IP address is listed. |
| Protocol | TCP or UDP |
| Src IP | Source IP address of the session |
| Src Port | Source Port number of the session |
| Src Username | Source Username of the session |
| Dst IP | Destination IP address of the session |
| Dst Hostname | Destination Hostname of the session. If not resolved, the Destination IP address is listed. |
| Dst Port | Destination Port number of the session |
| Dst Username | Destination Username of the session |
| App Category | Application Category of the session |
| Security Category | Security Category of the session |
| Application | Application Name of the session |
| Packets In | Number of received packets during the session |
| Packets Out | Number of transmitted packets during the session |
| Bytes In | Number of received bytes during the session |
| Bytes Out | Number of transmitted bytes during the session |
| Iface | Name of the network interface on which the session occurs |
| Vlan | VLAN ID on which the session occurs |
| Block Message | Subcategory information of the blocked session |
| Block Category | The category which is blocked: Web or Application. |
| Block Signature | Information about the blocked session |
| Method | HTTP request method (get, post, put, etc.) |
| Status | HTTP response status code (100-599) |
| Version | HTTP version (1.1, 2.0, etc.) |
| AA | Authoritative Answer: a response which indicates if the DNS server is authoritative for the queried hostname |
| RA | Recursion Available: a response which indicates if the replying DNS server supports recursion |
| RD | Recursion Desired: indicates if the client requested a recursive query |
| TC | TrunCation: indicates that the message was truncated due to excessive length |
| Response | DNS query response |
| Query class | Class code |
| Query type | Type of RR in numeric form |
| Query | DNS query in the session |
| Answer | Answer for the DNS query |
| Response Code | Response Code for the DNS query |
| TTLS | Count of seconds that the RR stays valid |
| Total answer | Number of answers for the DNS query |
| Encryption | The type of encryption (SSL or TLS) |
| Policy | Name and details of Sensei policy applied to the session |
| Actions | Circle with slash (/) icon: allows you to block the session. Checkmark (✓) icon: allows you to allow the session. |
Table 1: Field names for details of a session
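The DNS-related columns in Table 1 correspond to fields of the DNS message header and question section defined in RFC 1035. The following is an added example, not part of the product or its documentation: a small Python decoder that extracts those values from a raw DNS message. The dictionary keys are named after the table's columns as an assumption, and the sample message is constructed for illustration.

```python
import struct

# RCODE names from RFC 1035 section 4.1.1.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def read_name(msg: bytes, pos: int) -> tuple:
    """Read an uncompressed name (as used in the question section) at pos."""
    labels = []
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        pos += 1
        if length == 0:
            return ".".join(labels) or ".", pos
        if length > 63:
            raise ValueError("compression pointer or invalid label in question")
        if pos + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length

def decode_dns(msg: bytes) -> dict:
    """Decode the header flags and the first question of a DNS message."""
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-byte DNS header")
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    rcode = flags & 0x000F
    row = {
        "QR": bool(flags & 0x8000),  # 1 = response, 0 = query
        "AA": bool(flags & 0x0400), "TC": bool(flags & 0x0200),
        "RD": bool(flags & 0x0100), "RA": bool(flags & 0x0080),
        "Response Code": RCODES.get(rcode, str(rcode)),
        "Total answer": ancount,
    }
    if qdcount:
        name, pos = read_name(msg, 12)
        if pos + 4 > len(msg):
            raise ValueError("question section truncated")
        row["Query"] = name
        row["Query type"], row["Query class"] = struct.unpack("!2H", msg[pos:pos + 4])
    return row

# Constructed sample: response to "example.com A" with RD and RA set, one answer
# (192.0.2.10, TTL 300). Only the header and question are decoded here.
SAMPLE = (bytes.fromhex("1a2b81800001000100000000")
          + b"\x07example\x03com\x00" + bytes.fromhex("00010001")
          + bytes.fromhex("c00c000100010000012c0004c000020a"))
```

Calling `decode_dns(SAMPLE)` returns the flag values, response code, answer count, and the query name with its numeric type and class.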
Figure 11. Setting the time range
The time range for the Live Session Explorer may be set by clicking on the button in the middle of the Explorer’s configuration bar. By default, the Live Sessions Explorer is set to the last 24 hours. Available time ranges for the Live Session report are as follows:
- Last 30 minutes
- Last 6 hours
- Last 12 hours
- Last 24 hours
- Last 72 hours
- Last week
- Custom range
With the custom range, you can create a report for a specified time range. To set a custom time period:
- Click on the button in the middle of the Explorer’s configuration bar. This will open a drop-down menu.
- Click on Custom range. This will open a window to set the Start date and the End date of the report.
Figure 12. Setting a custom time range
- Set the Start date and the End date as you wish. You can either enter the date and time manually or select them by clicking on the related icons (calendar/clock).
Figure 13. Setting the start time of the report
Figure 14. Setting the start hour/minute of the report
- Click the
By default, the live session is not refreshed, but you can enable the refresh option by setting a refresh interval for the report. The refresh interval options are as follows:
- Refresh Now
- 1 minute
- 5 minutes
- 15 minutes
- 30 minutes
- 1 hour
To change the refresh time interval:
- Click on the Refresh Interval drop-down menu at the end of the Explorer configuration bar.
- Select one of the options.
Figure 15. Setting the refresh interval of the Live Session Explorer
The details of the last 100 sessions are shown by default on the Live Session Explorer. After scrolling down to the end of the list, the next 100 sessions may be displayed by clicking on the load more button.
Figure 16. Loading more session records
You may sort the Live Session Explorer by any field. The report is sorted by Start Time in descending order by default. To change the sort type of the Live Session Explorer:
- Hover your mouse over the field name on the title bar that you wish to sort by. This will open a small information box stating you can sort the report.
- Click on the field name that you wish to sort by. This will automatically sort the report in ascending order.
Figure 17. Sorting the Live Session Explorer
Either Ascending or Descending sort order may be selected for the Live Session Explorer. By default, the Explorer is sorted in descending order so that the newest information is displayed first. Clicking on the field name will change the sort order from ascending to descending or vice versa. The report will automatically be refreshed after clicking on the field name.
Figure 18. Changing the sort order of the Live Session Explorer
Filters may be applied to the Live Session Explorer to drill down to the data you wish to see. You can use the equals operator for filtering and the not equals operator for exclusion. Also, more than one filter may be applied to the report. These filtering/exclude parameters are displayed on the top of the reporting page.
Figure 19. Filtering on a Live Session Explorer (Connections filtered out for Source Hostname = 172.16.41.1 and Destination Hostname = 172.16.43.12)
To apply a filter to the Live Session Explorer:
- Hover your mouse over a value in the field/column to which you wish to apply a filter. This will display a small information box stating you can apply a filter.
- Click on the value in the field/column.
- The Live Session Explorer will be updated automatically and the applied filter will be displayed at the top of the report.
For example, if you are on the Connections tab, you can click on an IP/hostname (172.16.41.1) in the Source hostname field and an IP/hostname (172.16.43.12) in the Destination hostname field. This will list the sessions where the source IP equals 172.16.41.1 and the destination IP equals 172.16.43.12.
To exclude a parameter on the Live Session Explorer:
- Apply a filter as explained above. The applied filter parameter is displayed at the top.
- Click on the equals (=) sign on the applied filter parameter to change it to the not equals (!=) sign. The report will update automatically according to the exclusion parameter.
Figure 20. Connections filtered out for the Source Hostname = 172.16.41.1, the Destination Hostname != 172.16.43.12, and the Application Category != Network Management
To remove an applied filter/exclusion in the Live Session Explorer, click on the x icon next to the filter/exclude parameter at the top of the Explorer view.
Figure 21. Removing an applied filter in the Live Session Explorer
While viewing the live sessions, you may notice network traffic that you want to block or allow. You do not need to go to the policy configuration page. Instead, you can easily allow or block a connection directly from the Live Session Explorer page.
To allow/block a connection from the Live Session Explorer:
- Find the session in the Live Session Explorer you wish to block or allow.
- Click the Block button with a circle with a slash icon in the Actions column to block the connection, or click the Allow button with a checkmark icon in the Actions column to allow the connection. A dialog box for confirmation will be displayed.
- Click on the Allow button to confirm to block/allow the Category, Application, or Hostname.