Dashboard

The Dashboard summarizes the security events of the last 24 hours and their correlation, giving a view of the security posture of all monitored devices as well as the current resource load of the image. Total Events and Top 10 Most Frequent Security Events can be sorted by the Number of Events field; Total Events can also be sorted by the Devices field.

Traffic Tracker

Traffic tracker is the main tool of the CSLI suite. It provides live security event tracking as well as event history inspection. Traffic tracker consists of three main components: Filter, Toolbar and Events Grid.


Filter

Start Date - the date for event history inspection

Start Time - the start time for event history inspection (if not set, 00:00:00 is assumed)

Severity - the severity level of the filtered events (0-7)

Origin - the device object (source of security events). The Origin field is mandatory for any Filter operation

Action - the action taken by the security device on the logged packet

Proto - the protocol portion of the logged packet (ip, tcp, udp, icmp)

Source/Destination IP - the source/destination IP portion of the logged packet, which can be given as an IP or as a device-assigned alias

The following regular expression patterns are available for the Source/Destination IP fields:
* - any symbol (example: 192.168.1.*)
! - negate (example: !192.168.1.1)
!* - combination (example: !192.168.*)
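As an added illustration (not CSLI's own code, which this page does not show), the Python matcher below implements the documented Source/Destination IP filter syntax: `*` as wildcard, leading `!` as negation, and a device alias in place of an IP. The aliases and event rows are constructed sample data.

```python
import re

# Constructed sample of device-assigned aliases (the Filter accepts an alias
# in place of an IP); names and addresses here are made up for the example.
ALIASES = {"web-srv": "192.168.1.10", "dc01": "192.168.2.5"}


def compile_ip_filter(pattern, aliases=ALIASES):
    """Turn a Source/Destination IP filter value into a predicate on an IP string.

    Syntax as documented: '*' matches any symbols, a leading '!' negates,
    and the two combine ('!192.168.*'). A plain value may also be an alias.
    """
    negate = pattern.startswith("!")
    body = pattern[1:] if negate else pattern
    body = aliases.get(body, body)  # resolve alias -> IP, else keep literal
    if not body:
        raise ValueError("empty IP filter")
    # Escape the literal text so '.' stays a dot, then re-enable '*' as wildcard.
    regex = re.compile("^" + re.escape(body).replace(r"\*", ".*") + "$")

    def predicate(ip):
        matched = regex.match(ip) is not None
        return not matched if negate else matched

    return predicate


def filter_events(events, src=None, dst=None):
    """Apply optional Source IP and Destination IP filters to event rows."""
    checks = []
    if src:
        checks.append(("src", compile_ip_filter(src)))
    if dst:
        checks.append(("dst", compile_ip_filter(dst)))
    return [e for e in events if all(pred(e[key]) for key, pred in checks)]


# Constructed sample rows in the shape of the Events Grid (not real logs).
EVENTS = [
    {"id": 1, "src": "192.168.1.10", "dst": "10.0.0.5", "action": "permit"},
    {"id": 2, "src": "203.0.113.7", "dst": "192.168.1.10", "action": "deny"},
    {"id": 3, "src": "192.168.2.5", "dst": "198.51.100.9", "action": "permit"},
    {"id": 4, "src": "198.51.100.9", "dst": "192.168.2.5", "action": "deny"},
]

if __name__ == "__main__":
    # Inbound hits against the web server from outside the internal range.
    for row in filter_events(EVENTS, src="!192.168.*", dst="web-srv"):
        print(row)
```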

Source/Destination Port - the source/destination port portion of the logged packet, which can be given only as a numeric value

Rule - the interface access policies associated with the device, as defined in the Devices tab

Info - additional information about the logged packet


Toolbar

- Change the sort direction of the logged events, ordered by date and time. Possible values are Top | Bottom

- Numeric-to-name service resolution. Possible values are Services | Ports

- Grid auto-refresh control. Possible values are Start | Pause


Grid

Two additional options are available in the Grid component:

- Name resolution. If no DNS record is associated, only the IP is shown

- Whois resolution (whois requests must be allowed through the firewall)

Audit Tracker

Audit tracker provides live audit security event tracking as well as audit event history inspection and alerting via e-mail. Audit tracker collects events related to authentication, authorization, thresholds and security device internal events.

Filter

Start Date - the date for event history inspection

Start Time - the start time for event history inspection (if not set, 00:00:00 is assumed)

Severity - the severity level of the filtered events (0-7)

Origin - the device object (source of security events). The Origin field is mandatory for any Filter operation


Toolbar

- Change the sort direction of the logged events, ordered by date and time. Possible values are Top | Bottom

- Grid auto-refresh control. Possible values are Start | Pause

VPN Tracker

VPN tracker provides live VPN security event tracking as well as VPN event history inspection and alerting via e-mail (for the selected high-criticality events). VPN tracker collects events related to VPN tunnel creation/termination, authentication, authorization and statistics.

Filter

Start Date - the date for event history inspection

Start Time - the start time for event history inspection (if not set, 00:00:00 is assumed)

Severity - the severity level of the filtered events (0-7)

Origin - the device object (source of security events). The Origin field is mandatory for any Filter operation


Toolbar

- Change the sort direction of the logged events, ordered by date and time. Possible values are Top | Bottom

- Grid auto-refresh control. Possible values are Start | Pause

VPN Sessions

VPN Sessions provides remote VPN session statistics and usage (duration and traffic consumption), as well as the client IP geolocation and the session termination reason.

Filter

Start Date - the date for event history inspection

Start Time - the start time for event history inspection (if not set, 00:00:00 is assumed)

Origin - the device object (source of security events). The Origin field is mandatory for any Filter operation

VPN Groups - the remote VPN group (Connection Profile) associated with the connected user

VPN Users - the remote VPN authenticated user


Toolbar

- Change the sort direction of the logged events, ordered by date and time. Possible values are Top | Bottom

- Grid auto-refresh control. Possible values are Start | Pause

Devices

The Devices tab is used to create and manage Device objects and their associated interface access policies. Device objects are required for Reports, Traffic and Audit filtering.

Name - the device alias: the name you want CSLI to display for your device

Type - Cisco device type (ASA or Integrated Services Router)

IP - the internal device IP dedicated to sending syslog messages

Description - memo field for the device description

Rules - interface-associated access policies (for example, access-group INSIDE.ACL in interface INSIDE). Separate each access policy with whitespace

Reports

The Reports tab generates different types of reports describing the security posture for the last 1/8/24 hours. All fields in the report selection bar are mandatory.

Origin - the device object (source of security events)

Report type - the selection of predefined reports

Interval - the time interval, from now back over the last 1/8/24 hours, for the selected report

Search depth - the number of lines in the table portion of the selected report. The graphical part always represents the Top 10 events

Options

Interface Settings - the browser interface settings for the current user session. Default values are defined in /var/www/html/config/config.php. Be aware that disabling "Limited Search" allows a full database search, which may affect MySQL database performance. With a large database and "Limited Search" disabled, consider increasing "AutoScroll Timeout" accordingly.

Mail Settings - parameters of the mail server used to deliver alert notifications

DB Management - cleaning old data out of the MySQL databases.