The Threat Scan page lists all threats detected by the Intrusion Prevention System (IPS), the Virus Scanner service, and Advanced Threat Protection (ATP). For information on these features, see: Application Control. To access the Threat Scan page, click the FIREWALL tab and select the Threat Scan icon.
The information on the Threat Scan page is listed according to the security features (e.g., IPS, ATP, or the Virus Scanner service) that are enabled on the firewall.
The columns display the following details:
- AID – The application ID.
- Action – The action performed by the IPS engine.
- Scan Type – The scan type.
- Org – The origin of the session.
- Application – The affected application.
- Protocol – The protocol used by the session.
- Application Context – The application context.
- Risk/Severity – The event severity.
- Threat Category – The event category.
- Info – Additional information (for example: IPS Warning).
- Rule – The affected firewall rule.
- Affected Operating System – The affected system.
- Count – Displays the count.
- Last – The time (h/m/s) of the last access.
- IP Proto – The IP protocol.
- Port – The affected port.
- Source – The affected source IP address.
- Destination – The affected destination IP address.
- User – The affected user.
- Interface – The affected interface.
- MAC – The MAC address of the affected system.
- Src / Dst NAT – The source / destination NAT address.
- Output-IF – The output interface.
- OutRoute – The routing details.
- Next Hop – The next hop address.
- URL Category – The URL category.
- Src / Dst Geo – Displays the source / destination geolocation.
- Src / Dst Prefix – Displays the source / destination prefix.
- More Info – Displays additional information.
Status Icons
The status of firewall connections is indicated by the following icons:
Icon | Description |
---|---|
Allow | |
Block | |
Fail (Audit Log); Warning/Scan (History Threat Scan) | |
Drop | |
Box Selected (Audit Log) | |
IPS Severity | |
Threat Type = App Ctrl | |
Threat Type = Virus Scan | |
Threat Type = IPS | |
Filter Options
Use the filtering functions on the Threat Scan page to display specific entries.
- Click the Filter icon on the top right of the ribbon bar. The Traffic Selection section opens on top of the list.
- Expand the Traffic Selection drop-down menu and select the required check boxes:
  - Forward – The traffic on the Forwarding Firewall.
  - Loopback – The traffic over the loopback interface.
  - Local In – The incoming traffic on the box firewall.
  - Local Out – The outgoing traffic from the box firewall.
  - IPv6 – IPv6 traffic.
- To define filters for specific properties:
  - Click the + icon.
  - Select the required criteria.
  - Select or enter the value in the blank field.
Managing Threats Information
To view detailed information for a threat entry, double-click it. The Session Details window displays the ID, action, source, scan type, and destination of the threat.
To add IPS Override entries, click the Add IPS Overrides icon next to the filter on the top right of the ribbon bar. Entries will be stored in the configuration.
To access the IPS Overrides configuration, click Goto Configuration. For information on this feature, see: How to Manage Threats.