Monitoring Threat Prevention with SmartView Tracker

In This Section:

Log Sessions

Gateway traffic generates a large amount of activity. To make sure that the amount of logs is manageable, by default, logs are consolidated by session. A session is a period that starts when a user first accesses an application or site. During a session, the gateway records one log for each application or site that a user accesses. All activity that the user does within the session is included in the log.

To see the number of connections made during a session, see the Suppressed Logs field of the log in SmartView Tracker.

In SmartEvent the number of connections during the session is in the Total Connections field of the Event Details.

Session duration for all connections that are prevented or detected in the Rule Base, is by default 10 hours. You can change this in SmartDashboard from the Threat Prevention tab > Advanced > Engine Settings > Session Timeout.

Threat Prevention Logs

Logs from Anti-Bot, Threat Emulation and Anti-Virus are shown in SmartView Tracker. A log is generated if you set the Track option in a Rule Base rule to Log.

Viewing Logs

To open SmartView Tracker:

From the Threat Prevention tab > Navigation Tree > Track Logs link
From the SmartDashboard menu bar, select SmartConsole > SmartView Tracker

Updating the Anti-Bot and Anti-Virus Rule Base

In some cases, after evaluating a log, it may be necessary to update a rule or rule exception in the SmartDashboard Rule Base. You can do this directly from within SmartView Tracker.

To update a rule in the Anti-Bot and Anti-Virus Rule Base:

Right-click the log entry.
Select Go to Rule.
SmartDashboard opens showing the related rule in the Anti-Bot and Anti-Virus Rule Base.
Make related changes.
Click Install Policy to install the Anti-Bot, Threat Emulation, and Anti-Virus policy.
The Anti-Bot, Threat Emulation and Anti-Virus Software Blades have a dedicated policy. You can install this policy installation separately from the policy installation of the other Software Blades.

You can update the Anti-Bot, Threat Emulation and Anti-Virus Rule Base to give immediate coverage for new malware threats. Install only the Threat Prevention policy to minimize the impact on the Security Gateways.

To install the Anti-Bot and Anti-Virus policy:
1. From the Threat Prevention tab > Policy pane, click Install Policy.
2. Select the relevant options:
  - Install Threat Prevention Policy on all gateways - Installs the policy on all Security Gateways that have Anti-Bot, Threat Emulation, and Anti-Virus enabled.
  - Install Threat Prevention Policy on selected gateways - Select the applicable Security Gateways.
  - Install on each selected gateway independently - Install the policy on the selected Security Gateways without reference to the other targets. A failure to install on one Security Gateway does not affect policy installation on other gateways.
    If the gateway is a member of a cluster, install the policy on all the members. The Security Management Server makes sure that it can install the policy on all the members before it installs the policy on one of them. If the policy cannot be installed on one of the members, policy installation fails for all of them.
  - Install on all selected gateways, if it fails do not install on gateways of the same version - Install the policy on all installation targets. If the policy fails to install on one of the Security Gateways, the policy is not installed on other targets of the same version.
3. Click OK.

To update a rule exception in the Anti-Bot and Anti-Virus Rule Base:

Right-click the log entry.
Select Add Exception to the Rule.
SmartDashboard opens and shows an Add Exception window in the Threat Prevention Rule Base. These details are shown:
- Protection - The name of the protection. Details are taken from the ThreatCloud repository or, if there is no connectivity, from the log.
- Scope - The scope is taken from the log. If there is no related host object, an object is created automatically after you click OK. Click the plus sign to add additional objects.
- Install On - Shows All by default. You can use the plus sign to add gateways.
Select an Exception Scope option:
- Apply Exception to rule number X - If you want the exception to apply only to the related rule.
- Apply Exception to all rules - If you want the exception to apply to all rules. The exception is added to the Exception Groups > Global Exceptions pane.
Click OK.
The exception is added to the Rule Base. The Action is set to Detect by default. Change if necessary.
Click Install Policy to install the Anti-Bot, Threat Emulation, and Anti-Virus policy.
The Anti-Bot, Threat Emulation and Anti-Virus Software Blades have a dedicated policy. You can install this policy installation separately from the policy installation of the other Software Blades.

You can update the Anti-Bot, Threat Emulation and Anti-Virus Rule Base to give immediate coverage for new malware threats. Install only the Threat Prevention policy to minimize the impact on the Security Gateways.

To install the Anti-Bot and Anti-Virus policy:
1. From the Threat Prevention tab > Policy pane, click Install Policy.
2. Select the relevant options:
  - Install Threat Prevention Policy on all gateways - Installs the policy on all Security Gateways that have Anti-Bot, Threat Emulation, and Anti-Virus enabled.
  - Install Threat Prevention Policy on selected gateways - Select the applicable Security Gateways.
  - Install on each selected gateway independently - Install the policy on the selected Security Gateways without reference to the other targets. A failure to install on one Security Gateway does not affect policy installation on other gateways.
    If the gateway is a member of a cluster, install the policy on all the members. The Security Management Server makes sure that it can install the policy on all the members before it installs the policy on one of them. If the policy cannot be installed on one of the members, policy installation fails for all of them.
  - Install on all selected gateways, if it fails do not install on gateways of the same version - Install the policy on all installation targets. If the policy fails to install on one of the Security Gateways, the policy is not installed on other targets of the same version.
3. Click OK.

Accessing the Threat Wiki

You can open the Threat Wiki from within SmartView Tracker to get more information about a specified protection.

To open the Threat Wiki:

Click the malware protection link in the Protection Name field of a log record.

Viewing Packet Capture Data

If you set a rule with the Packet Capture track option, you can see the captures in SmartView Tracker.

To see packet captures in SmartView Tracker:

Locate the log entry with the packet capture.
Right-click the entry and select View packet capture.
Select Internal Viewer and click OK.
The packet is shown in the Viewer Output window.

You can also use a third-party capture application by selecting Choose Program and entering the application in the Program Name field.

Using Predefined Queries

There are multiple predefined queries in Network and Endpoint Queries > Predefined > Network Security Blades > Anti-Bot & Anti-Virus. You can filter the queries to focus on logs of interest.

All - Shows all Anti-Bot and Anti-Virus traffic, including all prevented and detected connections
Anti-Bot - Shows Anti-Bot traffic (prevented and detected connections)
Anti-Virus - Shows Anti-Virus traffic (prevented and detected connections)
Blocked Incidents - Shows all Anti-Bot and Anti-Virus blocked (prevented) traffic
Threat Emulation - Shows all traffic that are sent to ThreatCloud or Emulation appliance for emulation
Malware Detected - Shows files that Threat Emulation identified as malware
System - Shows updates and installed policies for Threat Emulation

Top of Page

Download PDF

Send Feedback