Anti-Bot and Anti-Virus in SmartView Tracker
Log Sessions
Gateway traffic generates a large amount of activity. To keep the number of logs manageable, logs are consolidated by session by default. A session is a period that starts when a user first accesses an application or site. During a session, the gateway records one log for each application or site that the user accesses. All activity that the user does within the session is included in that log.
To see the number of connections made during a session, see the field of the log in SmartView Tracker.
In SmartEvent the number of connections during the session is in the field of the Event Details.
The session duration for all connections that are prevented or detected in the Rule Base is 10 hours by default. You can change this in SmartDashboard from the tab > > > .
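Added illustration of the consolidation rule described above (example code, not Check Point's own implementation or log format): per-connection events are collapsed into one log per user and application within a 10-hour session window, so the number of log records and the number of connections differ. Field names, the per-user-and-application session key, and the sample events are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Default session duration stated in the text (assumption: it is a fixed window
# measured from the first access, not extended by later activity).
SESSION_DURATION = timedelta(hours=10)


@dataclass
class SessionLog:
    """One consolidated log for a user and an application/site during one session.
    Field names are hypothetical; real SmartView Tracker field names differ."""
    user: str
    app: str
    session_start: datetime
    connections: int = 0            # how many connections this one log represents
    actions: set = field(default_factory=set)  # e.g. Detect / Prevent seen in session

    def end(self) -> datetime:
        return self.session_start + SESSION_DURATION


def consolidate(events):
    """Collapse (timestamp, user, app, action) events, in time order, into logs.

    A new session (and a new log) starts when the user first accesses the app,
    or when an access falls outside the current session window."""
    logs = []
    open_sessions = {}  # (user, app) -> currently open SessionLog
    for ts, user, app, action in events:
        key = (user, app)
        current = open_sessions.get(key)
        if current is None or ts >= current.end():
            current = SessionLog(user, app, ts)
            open_sessions[key] = current
            logs.append(current)
        current.connections += 1
        current.actions.add(action)
    return logs


# Constructed sample events (not real gateway data).
_T0 = datetime(2024, 1, 1, 8, 0)
SAMPLE_EVENTS = [
    (_T0, "alice", "site-a", "Detect"),
    (_T0 + timedelta(minutes=5), "alice", "site-a", "Detect"),
    (_T0 + timedelta(hours=1), "bob", "site-a", "Detect"),
    (_T0 + timedelta(hours=2), "alice", "site-a", "Prevent"),
    (_T0 + timedelta(hours=11), "alice", "site-a", "Detect"),  # outside the window
]
```

Running `consolidate(SAMPLE_EVENTS)` yields three logs for five connections, which is why the connection count field on a log matters when counting events rather than log lines.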
Anti-Bot and Anti-Virus Logs
Logs from Anti-Bot and Anti-Virus are shown in SmartView Tracker. A log is generated if you set the option in a Rule Base rule to .
Viewing Logs
To open SmartView Tracker do one of these:
- Click > > .
- From the tab > Navigation Tree > link.
- From the tab > > > link.
- From the SmartDashboard toolbar of any SmartConsole application, select > or press .
Updating the Anti-Bot and Anti-Virus Rule Base
In some cases, after evaluating a log, it may be necessary to update a rule or rule exception in the SmartDashboard Rule Base. You can do this directly from within SmartView Tracker.
To update a rule in the Anti-Bot and Anti-Virus Rule Base:
- Right-click the log entry.
- Select .
SmartDashboard opens showing the related rule in the Anti-Bot and Anti-Virus Rule Base.
- Make related changes.
- Click to install the dedicated Anti-Bot and Anti-Virus policy.
To update a rule exception in the Anti-Bot and Anti-Virus Rule Base:
- Right-click the log entry.
- Select .
SmartDashboard opens and shows an window in the Anti-Bot and Anti-Virus Rule Base. These details are shown:
- - The name of the protection. Details are taken from the ThreatCloud repository or, if there is no connectivity, from the log.
- - The scope is taken from the log. If there is no related host object, an object is created automatically after you click OK. Click the plus sign to add additional objects.
- - Shows by default. You can use the plus sign to add gateways.
- Select an option:
- - If you want the to apply only to the related rule.
- - If you want the to apply to all rules. The exception is added to the > pane.
- Click .
The exception is added to the Rule Base. The is set to by default. Change if necessary.
- Click to install the dedicated Anti-Bot and Anti-Virus policy.
Accessing the Threat Wiki
You can open the Threat Wiki from within SmartView Tracker to get more information about a specified protection.
To open the Threat Wiki:
- Click the malware protection link in the field of a log record.
Viewing Packet Capture Data
If you set a rule with the Packet Capture track option, you can see the captures in SmartView Tracker.
To see packet captures in SmartView Tracker:
- Locate the log entry with the packet capture.
- Right-click the entry and select .
- Select and click .
The packet is shown in the Viewer Output window.
You can also use a third-party capture application by selecting and entering the application in the field.
Using Predefined Queries
There are multiple predefined queries in > > > . You can filter the queries to focus on logs of interest.
- - Shows Anti-Bot traffic (prevented and detected connections).
- - Shows Anti-Virus traffic (prevented and detected connections).
- - Shows all Anti-Bot and Anti-Virus blocked (prevented) traffic.
- - Shows all Anti-Bot and Anti-Virus traffic, including all prevented and detected connections.