Application Control and URL Filtering in SmartEvent

Event Analysis in SmartEvent or SmartEvent Intro

SmartEvent and SmartEvent Intro supply advanced analysis tools with filtering, charts, reporting, statistics, and more, of all events that travel through enabled Security Gateways.

The administrator must have HTTPS Inspection permissions to see classified data in HTTPS inspected traffic.

You can filter the Application Control and URL Filtering information for fast monitoring and useful reporting on application traffic.

• Real-time and historical graphs and reports of application and site traffic.
• Graphical incident timelines for fast data retrieval.
• Easily configured custom views to quickly view specified queries.
• Incident management workflow.
• Reports to data owners on a scheduled basis

SmartEvent shows information for all Software Blades in the environment. SmartEvent Intro shows information for one SmartEvent Intro mode. If you select Application and URL Filtering as the SmartEvent Intro Mode, it shows the Application Control and URL Filtering information.

To use SmartEvent or SmartEvent Intro, you must enable it on the Security Management Server or on a dedicated machine. See the R76 SmartEvent Administration Guide.

Browse Time

The Browse Time feature keeps track of the total time that users are connected to different sites and applications. R76 and later Security Gateways calculate the cumulative connection time for each session and periodically updates this value until the session is closed.

Browse time is calculated as follows:

• Total browse time is calculated for each site from the first HTTP request to the last HTTP response. Idle time of more than two minutes is not included in the browse time.
• The minimum calculated time is two minutes. Any connection of less than two minutes is rounded up to two minutes. However, browse time for each user does not include time spent at more than one site simultaneously. For example, if a user connects to google.com and facebook.com at the same time, only one site is included in the browse time calculation.

Viewing Information in SmartEvent

To open SmartEvent do one of these:

• Click Start > Check Point > SmartEvent.
• From the Application and URL Filtering Overview pane > Detected in My Organization, click More graphs.
• From the SmartDashboard toolbar of any SmartConsole application, select Window > SmartEvent or press Control +Shift +A.

When SmartEvent opens, go to Events > Predefined > Application and URL Filtering to use the predefined queries for Application Control and URL Filtering. Events are grouped by the number of megabytes used.

• All - Shows all Application Control and URL Filtering events, includes allowed and blocked events.
• High Risk - Shows events of Risk Levels 4 and 5.
• More > Applications - Shows all Application Control events, includes allowed and blocked events.
• More > Sites - Shows all URL Filtering events, includes allowed and blocked events.
• More > Blocked - Shows all blocked URL Filtering events.
• More > By Category - Shows events by the application/sites category.
• More > By User - Shows events according to the name of the user.
• More > By Rule Name - Shows events by the name of the Application Control or URL Filtering rule that applies to them.
• More > Social Networking - Shows events with Application Control social networking categories. By default, these include: Facebook widgets, LinkedIn widgets, MySpace widgets, Ning.com widgets, Orkut widgets, and Social Networking.
• More > HTTPS Inspection - Shows Application Control and URL Filtering events that passed through HTTPS inspection.

See the R76 SmartEvent Administration Guide.

Viewing Information in SmartEvent Intro

To open SmartEvent Intro:

1. From the SmartDashboard toolbar, select Window > SmartEvent Intro or press Control +Shift +E.
2. Select Application and URL Filtering.

All of the information in SmartEvent Intro is based on Application Control and URL Filtering events. See the different tabs for detailed information.

The SmartEvent Intro Overview Page

The Overview page shows a quick understandable overview of the Application Control and URL Filtering traffic in your environment. Double-click on data in any of the sections in the Overview tab to open the associated list of events to investigate issues down to the individual event level.

The Overview page includes these panes:

• Timeline View
• Top Users by Traffic
• Top Application / Site by Traffic
• Top Applications Categories by Traffic
• Newly Detected Applications
• Status

Application Control and URL Filtering Event Queries

See detailed event queries in the Events tab. Events are grouped by the number of megabytes used.

• All - Shows all Application Control and URL Filtering events, includes allowed and blocked events.
• High Risk - Shows events of Risk Levels 4 and 5.
• More > Applications - Shows all Application Control events, includes allowed and blocked events.
• More > Sites - Shows all URL Filtering events, includes allowed and blocked events.
• More > Blocked - Shows all blocked URL Filtering events.
• More > By Category - Shows events by the application/sites category.
• More > By User - Shows events according to the name of the user.
• More > By Rule Name - Shows events by the name of the Application Control or URL Filtering rule that applies to them.
• More > Social Networking - Shows events with Application Control social networking categories. By default, these include: Facebook widgets, LinkedIn widgets, MySpace widgets, Ning.com widgets, Orkut widgets, and Social Networking.
• More > HTTPS Inspection - Shows Application Control and URL Filtering events that passed through HTTPS inspection.

See the R76 SmartEvent Intro Administration Guide.