36. Reports » IP Addresses & Groups
This chapter describes how to generate detailed traffic reports for any IP address, block or group included in Configuration » Network & Policy » [IP Zone].
Reports » IP Addresses allows you to quickly generate traffic reports for IP addresses and blocks, either entered manually on the upper side of the panel, or selected from the expandable tree below.
Reports » IP Groups lists IP groups defined in IP Zones. Select an IP group to generate a traffic report for all IP blocks belonging to it. To search for a specific IP group, enter a sub-string contained in its name on the upper side of the panel.
The traffic report tab includes a few sub-tabs located on the lower side of the window. All sub-tabs share the following common toolbar fields:
● Sensor Interfaces – Select the Sensor Interfaces you are interested in. Administrators can restrict the Sensors accessible by guest accounts
● Time Range – Select a predefined time range, or select “Custom…” to enter a specific time interval
36.1. IP Dashboard
Here you can group the most relevant data collected for the selected Sensor Interfaces and for the selected IP address, block or group. The configuration of this dashboard does not apply to a particular IP address, block or group, so the changes you make will be visible for other IP dashboards as well. The operation of dashboards is described in the “Reports » Dashboards” chapter.
36.2. IP Graphs
You can generate IP graphs only for the IP addresses, blocks and groups specifically defined in your IP Zone(s), or that belong to a subnet having the IP Graphing parameter set to “Yes”.
● Decoders & Data Unit – Select the decoders and data unit you are interested in
● Size – Select a predefined graph dimension or enter a custom one in a “<X> x <Y>” format, where <X> and <Y> are the X-axis and Y-axis pixels
● Title – Graphs have an automatically-generated title for “Auto”, no title for “None”, or you can enter your own text to be rendered as a title
● Legend – Select the detail of the graph’s legend
● Consolidation – If you are interested in spikes, choose the MAXIMUM aggregation type. If you are interested in average values, choose the AVERAGE aggregation type. If you are interested in low values, choose the MINIMUM aggregation type
● Direction – Generates a graph for both directions, swap inbound (+ Y axis) with outbound (- Y axis), or show only inbound or outbound traffic
● Grouping
  ◦ Sensor Interfaces – Generates a single graph for the selected Sensor Interfaces
  ◦ Subnet IPs – Uncheck this option if you want a different traffic graph displayed for every IP address contained in the selected IP block or IP group. Do not uncheck this option on large subnets
● Stacking
  ◦ Decoders – Select to view the summed up, stacked values for the selected decoders
  ◦ Sensor Interfaces – Select to view the summed up, stacked values for multiple Sensor Interfaces
● Permissions
  ◦ Decoder Conflict – If decoders can be included one within the other (e.g. IP contains TCP which contains HTTP and HTTPS), the graph will display stacked decoders to show the most specific ones. This generates both accurate and intuitive traffic graphs. In the example above, IP will be displayed as IP OTHER and TCP as TCP OTHER. However, when you select TCP, HTTP and TCP+SYN as decoders, the TCP+SYN decoder can be included in both TCP and HTTP, thus generating a decoder conflict. Check this option to stop detection of conflicting decoders, in order to generate more intuitive but potentially inaccurate traffic graphs
  ◦ Use Per-IP Data – Creates a subnet graph by aggregating the IP graph data generated for every IP address contained in the selected IP block or group. This option will increase the load of the server if used frequently on large subnets. Use this option carefully, only when the IP block or group is not explicitly defined in the IP Zone but it is included in a larger subnet defined with the IP Graphing parameter set to “Yes”
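The stacking arithmetic behind the Decoder Conflict option can be modelled on a handful of packets. This is an added example, not the product's code: the packets, the decoder definitions (HTTP as TCP port 80, HTTPS as TCP port 443) and the "smallest match wins" rule are assumptions made for illustration.

```python
# Constructed packets: (protocol, destination port, TCP flags, bytes).
PACKETS = [
    ("udp", 53, "", 120),
    ("tcp", 80, "S", 60),      # SYN that opens an HTTP connection
    ("tcp", 80, "A", 1400),
    ("tcp", 443, "S", 60),
    ("tcp", 443, "A", 1200),
    ("tcp", 22, "S", 60),
    ("tcp", 22, "A", 300),
]

# Assumed decoder definitions, for illustration only.
DECODERS = {
    "IP": lambda p: True,
    "TCP": lambda p: p[0] == "tcp",
    "HTTP": lambda p: p[0] == "tcp" and p[1] == 80,
    "HTTPS": lambda p: p[0] == "tcp" and p[1] == 443,
    "TCP+SYN": lambda p: p[0] == "tcp" and "S" in p[2],
}

def matched(name):
    """Indices of the constructed packets that a decoder matches."""
    return {i for i, p in enumerate(PACKETS) if DECODERS[name](p)}

def conflicts(selected):
    """Pairs of selected decoders that overlap without one containing the other."""
    pairs = []
    for n, a in enumerate(selected):
        for b in selected[n + 1:]:
            ma, mb = matched(a), matched(b)
            if ma & mb and not (ma <= mb or mb <= ma):
                pairs.append((a, b))
    return pairs

def stacked_bytes(selected):
    """Credit each packet once, to the most specific selected decoder matching it."""
    order = sorted(selected, key=lambda name: len(matched(name)))
    totals = dict.fromkeys(selected, 0)
    for i, packet in enumerate(PACKETS):
        owner = next((name for name in order if i in matched(name)), None)
        if owner is not None:
            totals[owner] += packet[3]
    return totals

def true_bytes(name):
    """Bytes a decoder matches when measured on its own."""
    return sum(PACKETS[i][3] for i in matched(name))
```

With IP, TCP, HTTP and HTTPS selected the bands nest cleanly and the IP and TCP entries hold only the remainder (IP OTHER, TCP OTHER). With TCP, HTTP and TCP+SYN selected, the port-80 SYN is credited to HTTP, so the TCP+SYN band shows 120 bytes against 180 measured on its own.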
The decoders, data units, and aggregation types can be modified in Configuration » General Settings » Graphs & Storage.
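The effect of the Consolidation choice becomes clear when a long time range forces many samples into one graph point. The following is an added example, not part of the product: the 5-second sample interval, the packet rates, the bucket widths and the 50,000 pkt/s threshold are constructed assumptions.

```python
from statistics import mean

# Aggregation types named in the Consolidation option above.
CONSOLIDATORS = {"MAXIMUM": max, "AVERAGE": mean, "MINIMUM": min}

def consolidate(samples, bucket, how):
    """Collapse each run of `bucket` consecutive samples into one graph point."""
    if bucket < 1:
        raise ValueError("bucket must be >= 1")
    fn = CONSOLIDATORS[how]
    return [fn(samples[i:i + bucket]) for i in range(0, len(samples), bucket)]

def points_over(samples, bucket, how, threshold):
    """Indices of consolidated points that still exceed `threshold`."""
    points = consolidate(samples, bucket, how)
    return [i for i, value in enumerate(points) if value > threshold]

def constructed_samples():
    """Constructed data: 120 samples of inbound packets/s, one every 5 s.

    Baseline is 2,000 pkt/s with one quiet sample; samples 60-62 carry a
    15-second burst of 90,000 pkt/s.
    """
    data = [2000] * 120
    data[30] = 400                        # short quiet period
    data[60:63] = [90000, 90000, 90000]   # short burst
    return data

if __name__ == "__main__":
    samples = constructed_samples()
    for bucket in (1, 12, 60):            # 5 s, 1 min and 5 min per graph point
        for how in CONSOLIDATORS:
            pts = consolidate(samples, bucket, how)
            hits = points_over(samples, bucket, how, threshold=50000)
            print(f"{bucket * 5:>3}s {how:<8} peak={max(pts):>8.0f} "
                  f"floor={min(pts):>7.0f} over_50k={hits}")
```

At one point per minute the burst averages down to 24,000 pkt/s and no longer crosses the threshold, while MAXIMUM still shows 90,000 pkt/s and MINIMUM is the only type that keeps the 400 pkt/s dip.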
36.3. IP Accounting
You can generate IP accounting reports only for the IP addresses, blocks and groups specifically defined in your IP Zone(s), or that belong to a subnet that has the IP Accounting parameter set to “Yes”.
● Decoders & Data Unit – Select the decoders and data unit that you are interested in
● Report Interval – Select the minimum interval used to aggregate the accounting data: Daily, Weekly, Monthly, Yearly. The minimum accuracy of traffic accounting reports is 24 hours, therefore when you select a shorter time range you will still see the accounting data collected for the whole day
● Direction – Show both directions or only a single one
● Group Sensor Interfaces – Generates a single traffic accounting report for multiple Sensor Interfaces
● Show IPs – Check this option for the traffic accounting report to display each IP address contained in the selected IP block or group. Selecting this option also enables the option below
● Use Per-IP Data – Creates a traffic accounting report by aggregating the IP accounting data generated for every IP address contained in the selected IP block or group. This option will increase the load of the server if used frequently on large subnets. Use this option carefully, only when the selected IP block or group is not explicitly defined in the IP Zone but it is included in a larger subnet defined with the IP Accounting parameter set to “Yes”
● Display Raw Values – Check this option to avoid displaying values with metric prefixes
The decoders can be modified in Configuration » General Settings » Graphs & Storage.
36.4. Anomaly Overview
Here you can generate a report with trends and summarizations of traffic anomalies sent or received by the selected IP address, block or group.
36.5. Profile Graphs
Here you can view traffic profiling graphs generated for the selected IP block or host. Traffic profiling can be globally disabled from Configuration » General Settings » Anomaly Detection. Sensor generates traffic profiling graphs only for IP blocks or hosts that have the Profiling Data parameter in the IP Zone set to “Subnet”, “IPs” or “Subnet + IPs”.