40. Reports » IP Addresses & Groups
This chapter describes how to generate detailed traffic reports for any IP address, block, or group included in Network & Policy » [IP Zone].
Reports » IP Addresses allows you to quickly generate traffic reports for IP addresses and blocks, which can be entered manually on the upper side of the panel or selected from the expandable tree below.
Reports » IP Groups lists IP groups defined in IP Zones. Select an IP group to generate a traffic report for all IP blocks belonging to it. To search for a specific IP group, enter a sub-string contained in its name on the upper side of the panel.
The traffic report tab includes a few sub-tabs located on the lower side of the window. Every sub-tab shares the following common toolbar fields:
● Sensor Interfaces – Select the Sensor Interfaces that interest you. Administrators can restrict the Sensors accessible by guest accounts
● Time Range – Select a predefined time range, or select Custom… to enter a specific time interval
40.1. IP Dashboard
Here you can group the most relevant data collected for the selected Sensor Interfaces and the selected IP address, block, or group. The configuration of this dashboard does not apply to a particular IP address, block, or group, so the changes you make will be visible for other IP dashboards as well. The operation of dashboards is described in the Reports » Dashboards chapter.
40.2. IP Graphs
You can generate IP graphs only for the IP addresses, blocks, and groups explicitly defined in your IP Zone(s) or that belong to a subnet with the IP Graphing parameter enabled.
● Decoders & Data Unit – Select the decoders and data unit you are interested in
● Size – Select a predefined graph dimension or enter a custom one in a “<X> x <Y>” format, where <X> and <Y> are the X-axis and Y-axis pixels
● Title – Graphs have an automatically-generated title for Auto, no title for None, or you can enter your own text to be rendered as a title
● Legend – Select the detail of the graph legend
● Consolidation – If you are interested in spikes, choose the MAXIMUM aggregation type. If you are interested in average values, choose the AVERAGE aggregation type. If you are interested in low values, choose the MINIMUM aggregation type
● Direction – Generates a graph for both directions, swaps inbound (+ Y axis) with outbound (- Y axis), or shows only inbound or outbound traffic
● Grouping
  • Sensor Interfaces – Generates a single graph for the selected Sensor Interfaces
  • Subnet IPs – Uncheck this option if you want a different traffic graph displayed for every IP address contained in the selected IP block or IP group. Do not uncheck this option on large subnets
● Stacking
  • Decoders – Select to view the summed up, stacked values for the selected decoders
  • Sensor Interfaces – Select to view the summed up, stacked values for multiple Sensor Interfaces
● Permissions
  • Decoder Conflict – If decoders can be included one within the other (e.g., IP contains TCP, which contains HTTP and HTTPS), the graph will display stacked decoders to show the most specific ones. This generates both accurate and intuitive traffic graphs. In the example above, IP will be displayed as IP OTHER and TCP as TCP OTHER. However, when you select TCP, HTTP, and TCP+SYN as decoders, the TCP+SYN decoder can be included in both TCP and HTTP, thus generating a decoder conflict. Check this option to stop the detection of conflicting decoders in order to generate more intuitive but potentially inaccurate traffic graphs
  • Use Per-IP Data – Creates a subnet graph by aggregating the IP graph data generated for every IP address contained in the selected IP block or group. If used frequently on large subnets, this option will increase the server’s load. Use this option carefully, only when the IP block or group is not explicitly defined in the IP Zone but it is included in a larger subnet defined with the IP Graphing parameter enabled
You can modify the decoders, data units, and aggregation types in General Settings » Graphs & Storage.
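A simplified model of the stacking and conflict rule described under Decoder Conflict, as an added example that is not the product's own logic. The traffic classes, byte counts and decoder match rules are constructed assumptions.

```python
from itertools import combinations

# Constructed sample: bytes per traffic class (protocol, application, SYN flag set).
ATOMS = {
    ("tcp", "http", True): 40,    ("tcp", "http", False): 600,
    ("tcp", "https", True): 30,   ("tcp", "https", False): 900,
    ("tcp", "other", True): 50,   ("tcp", "other", False): 200,
    ("udp", "other", False): 300,
}

# Assumed match rules for the decoders named in the text.
DECODERS = {
    "IP":      lambda a: True,
    "TCP":     lambda a: a[0] == "tcp",
    "HTTP":    lambda a: a[1] == "http",
    "HTTPS":   lambda a: a[1] == "https",
    "TCP+SYN": lambda a: a[0] == "tcp" and a[2],
}

def matched(name):
    """Set of traffic classes a decoder matches."""
    return frozenset(a for a in ATOMS if DECODERS[name](a))

def raw(name):
    """Bytes the decoder counts on its own, before any stacking."""
    return sum(ATOMS[a] for a in matched(name))

def conflicts(selected):
    """Pairs of decoders that overlap without one containing the other."""
    return [(x, y) for x, y in combinations(selected, 2)
            if matched(x) & matched(y)
            and not (matched(x) <= matched(y) or matched(y) <= matched(x))]

def stacked(selected):
    """Give each traffic class to the most specific selected decoder matching it."""
    if conflicts(selected):
        raise ValueError(f"decoder conflict: {conflicts(selected)}")
    layers = dict.fromkeys(selected, 0)
    for atom, nbytes in ATOMS.items():
        owners = [d for d in selected if atom in matched(d)]
        if owners:
            layers[min(owners, key=lambda d: len(matched(d)))] += nbytes
    return layers

if __name__ == "__main__":
    print(stacked(["IP", "TCP", "HTTP", "HTTPS"]))  # IP and TCP hold only the OTHER remainder
    print(conflicts(["TCP", "HTTP", "TCP+SYN"]))    # HTTP and TCP+SYN overlap partially
```

In this model HTTP and TCP+SYN both count the 40 bytes of HTTP SYN traffic, so a stack built from their raw values overstates the total.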
40.3. IP Accounting
You can generate IP accounting reports only for the IP addresses, blocks, and groups explicitly defined in your IP Zone(s), or that belong to a subnet with the IP Accounting parameter enabled.
● Decoders & Data Unit – Select the decoders and data unit that you are interested in
● Report Interval – Select the minimum interval used to aggregate the accounting data: Daily, Weekly, Monthly, Yearly. The minimum accuracy of traffic accounting reports is 24 hours. Therefore, when you select a shorter time range, you will still see the accounting data collected for the whole day
● Direction – Show both directions or only a single one
● Group Sensor Interfaces – Generates a single traffic accounting report for multiple Sensor Interfaces
● Show IPs – Check this option for the traffic accounting report to display each IP address contained in the selected IP block or group. Selecting this option also enables the option below
● Use Per-IP Data – Creates a traffic accounting report by aggregating the IP accounting data generated for every IP address contained in the selected IP block or group. If used frequently on large subnets, this option will increase the server’s load. Use this option carefully, only when the selected IP block or group is not explicitly defined in the IP Zone but it is included in a larger subnet defined with the IP Accounting parameter enabled
● Display Raw Values – Check this option to avoid displaying values with metric prefixes
The decoders can be modified in General Settings » Graphs & Storage.
40.4. Anomaly Overview
Here you can generate a report with trends and summarizations of traffic anomalies sent or received by the selected IP address, block or group.
40.5. Profile Graphs
Here you can view traffic profiling graphs generated for the selected IP block or host. Traffic profiling can be globally disabled from General Settings » Anomaly Detection. Sensor generates traffic profiling graphs only for IP blocks or hosts that have the Profiling Data parameter in the IP Zone set to Subnet, IPs, or Subnet + IPs.
40.6. Flow Records
You can list and filter the flow data collected for the selected Flow Sensor Interfaces and IP block, host, or group. The options are described in the Reports » Tools » Flows chapter. This sub-tab is visible only when at least one Flow Sensor is in use.