Visibility, Traffic Analytics, and Monitoring

The Elisity Microsegmentation platform provides rich policy and traffic telemetry while also offering effective search and filtering functionality for day-two operations.

With Elisity, an administrator can monitor log-on/log-off events, visualize user/device/application traffic flows, troubleshoot policy consumption and violations, and quickly analyze system events and logs.

Cloud Control Center Overview

The overview page is a dashboard populated with visibility widgets such as current users, devices, sites, policies, and more. This interactive overview offers a centralized view of the network environment. Designed for clarity and ease of use, it presents essential data points and metrics, allowing users to understand and navigate their network's current status swiftly.

An administrator might find the overview page helpful because it indicates how many new users, devices, sites, policies, or Virtual Edges have been discovered or created, using the green ( +n ) tile indicators, in addition to showing high-level statistics on deployed policies, sites, and VENs.

 

Components of the Overview Page:

  1. Count Metrics: At the top, users can see a clear count of users, devices, sites, and policies. Additionally, any newly added users, devices, policies, sites, or Virtual Edges from the last 24 hours are indicated, providing a quick understanding of recent network changes.

  2. Device Breakdown: This section lists devices and allows users to filter the list by type or vendor. This makes it easier to view and categorize the variety of devices in the environment.

  3. Site Analysis: Users can view a list of top sites. The list is filterable, providing options to organize by the number of devices or users present at each site.

  4. Virtual Edge Nodes Overview: Here, the top Virtual Edge Nodes, which are critical policy enforcement points in the network, are displayed.

  5. Policy Group Metrics: The page presents a breakdown of the top policy groups. Users can filter this section either by the number of devices associated with each group or by the number of policies.

  6. Interactive Filtering: A notable functionality of the page is its dynamic filtering. When one section is filtered, the other sections adjust to display data relevant to the applied filter.

Cloud Control Center Analytics

When it is time to dive deeper into the telemetry collected by Cloud Control Center, an administrator can navigate to the Analytics page to discover an abundance of data presented in an easily digestible format.

Analytics Dashboard Overview

The Analytics Dashboard in the Elisity Cloud Control Center provides powerful tools to visualize and analyze network traffic flows. This article explains the main sections of the dashboard, enabling you to effectively monitor and filter traffic data.

1. View Toggle

Use this toggle to switch between:

  • Traffic Flow: A visualized view of network traffic flows, represented in a Sankey chart for easy flow analysis.
  • Flow Records: A list view of individual network flows, offering a detailed, record-by-record analysis.

2. Policy Action Filter

This filter allows you to narrow down traffic flows based on the policy action applied:

  • Allow: Shows permitted traffic flows.
  • Deny: Displays denied traffic flows.

3. Source and Destination Filters

Displays the currently applied Source and Destination filters. These filters let you focus on specific Policy Groups, helping you analyze traffic between defined source and destination groups.

4. Traffic Flow Filters

Located at the top of the dashboard, this panel provides further customization options for analyzing traffic:

  • Filters: Open a panel to apply additional filters based on traffic criteria.
  • Top Talkers: Select from the top 10, 20, or 30 most active sources or destinations to view high-volume traffic.
  • Time Range: Choose a time frame (Last Hour, Last 24 Hours, Last 7 Days, Last Month) to analyze recent or historical traffic patterns.

5. Traffic Flow Toolbar

This toolbar, located on the right side of the chart, provides quick actions to enhance your view and analysis:

  • Toggle Asset View: Switch between different asset groupings in the visualization.
  • Show/Hide Internet Traffic: Enable or disable the display of traffic flows involving internet-based endpoints. This button automatically applies a NOT internet filter to source and destination filters.
  • Fullscreen Mode: View the dashboard in fullscreen for a more comprehensive analysis experience.
  • Toggle Sankey Chart Legend: Show or hide the legend, which provides additional context on flow types in the Sankey chart.

Traffic Flow View

The Traffic Flow visualization in our analytics suite offers a powerful and interactive way to understand the movement of traffic within your network. The interface uses a Sankey diagram to represent the source and destination of traffic flows, along with the protocols and ports involved.

Here's how to interact with the Traffic Flow view to gain deeper insights:

PG (Policy Group) View

  • Hovering Over PG Names: When you hover your cursor over the name of a Policy Group (PG) in the Traffic Flow diagram, a tooltip will appear. This tooltip displays the full name of the PG and the count of assets contained within that PG, providing a quick snapshot of the group’s scope.

  • Clicking PG Names: Clicking on a PG name located on either the left or right side of the flow chart will navigate you to the PG details page. This page provides an in-depth view of the specific PG, including its configuration and the assets it contains.

  • Interacting with the Colored Bar Adjacent to PG Names: If you click the colored bar next to a PG name, the system automatically creates a filter for the traffic Source or Destination based on the side of the flow chart you clicked. This action refines the Traffic Flow view to display a more detailed breakdown of the ports and protocols associated with that PG.

  • Clicking on a Flow Segment: Clicking on a highlighted section of traffic flow automatically generates filters for both the source and destination PGs. The detailed view that follows will reveal the ports and protocols involved in the traffic flow between these two PGs.

  • Clicking on an observed traffic flow or port: Clicking on an observed port or service name in the Sankey chart will automatically apply a filter for the selected port or service.

Asset View

Asset view is toggled by clicking the asset icon in the bottom right. It shows direct traffic between assets; when a filter is applied, toggling this button shows the assets or Policy Groups associated with the current filter.

  • Hovering Over Asset Names/IPs: Moving your cursor over an asset name or IP address in the Traffic Flow diagram will display a tooltip. This tooltip provides the full name of the asset and pertinent details, such as its identity attributes. This quick reference can help identify key characteristics of individual assets in your network.

  • Clicking Asset Names/IPs: Clicking on an asset name or IP address will take you to the device info view. This specific device view offers detailed information about the asset, including its security posture and activity logs.

  • Interacting with the Colored Bar Adjacent to Asset Names/IPs: Similar to the PG view, clicking the colored bar next to an asset name or IP address creates a SOURCE or DEST filter. This filter corresponds to the asset, refining the view to show a detailed analysis of the ports and protocols traffic for that particular asset.

  • Clicking on a Highlighted Flow: By clicking on a section of the traffic flow that is highlighted, the interface will automatically apply filters for the source and destination Asset name/IP. This will bring up a detailed view of the ports and protocols data related to the traffic flow between the source and destination assets.

Remember, these interactions are designed to make your network traffic flows transparent and your security posture actionable. Leverage these tools to enhance your network analysis and policy optimization.

Filtering Analytics from the User, Device, and Policy Dashboards

Elisity offers several methods for filtering traffic flows, such as click-through analytics for assets and Policy Group intersections, and manually created filters. In this section, let's cover some of the ways to view analytics data by "clicking through" various components of the Elisity platform.

Creating and Saving Custom Filters

Savable custom filters can be applied directly from the Analytics page by clicking the "Filters" button in the top right.

Different filtering options for Source and Destination are available depending on which Analytics view you are using. Select your view in the top right of the Analytics Page.

  • In Policy Groups view, you can filter by Policy Group or Site Label.
  • In Assets view, you can filter by Policy Group or Site Label, in addition to IP Address, Device Type, Device Class, Device Genre, Device ID, Hostname, and User Account Name.

First, select your source and destination filters as seen below.

Next, apply additional filters on the traffic between groups, such as Service Names or Ports.

Once the filter criteria are created, simply click SAVE FILTER in the bottom left of the filter window. Give your custom filter a name, and you can then reuse it by navigating to Saved Filters.

From the User Dashboard

Go to Settings > Active Directory > Users and click on the assets next to the user of interest. 

Click "View Device Details" to see the IdentityGraph view of one of the specific devices.

This takes you to the device details view, where you can follow the process below to see analytics for the selected device.

From the Device Dashboard

Navigate to the Device section in Cloud Control Center and find a device of interest. Open the Asset Details view by clicking on the name of the device. Here, in the left column under Identity Graph, the Analytics view options are listed: Denied Flows, events such as network attachments, and, importantly, Traffic Analytics.

From the Traffic Analytics view, we can see the same Sankey chart visible from various other views within the platform, clearly showing what assets this particular device has been talking to on our network, and the details of those traffic flows. 

Clicking "Change Flow Direction" swaps the source and destination, showing flows from the top 20 assets to the selected device.

Again, clicking "Show Analytics" in the top right takes you to the full analytics dashboard with the appropriate filter applied. 

In the bottom right menu, clicking Hide Asset View swaps to the Policy Group view, which shows traffic between the Policy Groups that these assets are associated with.

Traffic Flow Details View from the Policy Matrix

To view detailed analytics between Policy Groups, you can navigate to the Policy Matrix, click "Show Traffic Flows," click any cell, and click "Show Analytics." This will again take you to the analytics page with a pre-generated filter that shows only flows between your source and destination PGs. Again, you can use this as a starting point and add additional filters to narrow down search results to exactly what flows you are investigating. Here we can see observed traffic flows including which protocol was observed and the number of flows, traffic flows blocked by policy, and what policy is in place, if any. (In these screenshots, no policies are configured.)

The Traffic Flow Details view provides an in-depth look at network traffic between specified source and destination groups, with the example in the screenshot displaying traffic data between the groups "VMs Server Appliances and Storage Devices" and "Desktop Laptop Computers." Key data points in this view include:

  • Protocol: Lists the protocol used for communication, such as TCP or UDP.
  • Status: Indicates the policy action applied to the traffic (e.g., Permit or Deny).
  • Service: Shows the application or service associated with the traffic, such as SSH or an unidentified service labeled "Unknown."
  • Policy Status: Displays whether the policy is active or simulated for the given traffic flow.
  • Traffic Flow %: Represents the percentage of total traffic from the source to the destination that the specific protocol or service contributes.
  • No. of Bytes: Displays the amount of data transferred for each traffic flow, measured in bytes or kilobytes.
  • Destination Port: Shows the specific port number used for the destination, providing more granularity in identifying service use.

In this example, there is permitted TCP traffic on port 22 for SSH, contributing 17.94% of the traffic flow with 15.72KB transferred. Several UDP flows with unknown services show smaller percentages, providing insight into low-volume traffic patterns.

In the Traffic Flow Details view, users have the ability to create custom filters to refine the displayed data. This functionality allows for better visibility into specific traffic patterns or policies by narrowing down the results based on various parameters. The General Filter section provides several options to filter traffic, including:

  1. Protocol: Filter traffic based on the communication protocol (e.g., TCP, UDP).
  2. Status: Select to view traffic with either Allow or Deny actions applied.
  3. Service: Filter by the specific service being used in the communication (e.g., ldap, ms-do).
  4. Traffic Flow %: Filter based on the percentage of traffic flow.
  5. No. of Bytes: Refine data by the amount of data (in bytes) transferred.
  6. Destination Port: Specify a port number to filter traffic targeting that port.

Users can select an operator, such as "contains," "equals," or "greater than," to apply precise logic to each filter. Once configured, the filter can be applied instantly to the traffic flow view for real-time analysis. Additionally, there is an option to save filters, allowing users to quickly reapply frequently used filtering criteria without manually reconfiguring them each time.

Users can also filter traffic flows by various time frames: the last hour, last 24 hours, last 7 days, or last month.
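As an added illustration (not Elisity code), the Python below rebuilds the Traffic Flow Details table from constructed flow records between the two Policy Groups named above, computing Traffic Flow % per row, and then applies General Filter clauses using the "equals", "greater than" and "contains" operators. The FlowRecord fields, sample values and the grouping key are assumptions about how the view is derived, not the product's implementation.

```python
from collections import defaultdict
from dataclasses import dataclass
import operator


@dataclass(frozen=True)
class FlowRecord:
    """One raw flow between two Policy Groups (field names are assumptions)."""
    src_pg: str
    dst_pg: str
    protocol: str
    service: str
    dst_port: int
    status: str         # policy action: "Permit" or "Deny"
    policy_status: str  # "Active" or "Simulated"
    nbytes: int


SRC_PG = "VMs Server Appliances and Storage Devices"
DST_PG = "Desktop Laptop Computers"

# Constructed sample flows; the two SSH records show that rows are aggregated.
FLOWS = [
    FlowRecord(SRC_PG, DST_PG, "TCP", "SSH", 22, "Permit", "Active", 10240),
    FlowRecord(SRC_PG, DST_PG, "TCP", "SSH", 22, "Permit", "Active", 5480),
    FlowRecord(SRC_PG, DST_PG, "TCP", "https", 443, "Permit", "Active", 60000),
    FlowRecord(SRC_PG, DST_PG, "UDP", "Unknown", 137, "Deny", "Active", 3000),
    FlowRecord(SRC_PG, DST_PG, "UDP", "Unknown", 5353, "Permit", "Simulated", 1280),
    # Reverse direction: excluded until "Change Flow Direction" swaps the PGs.
    FlowRecord(DST_PG, SRC_PG, "TCP", "SSH", 22, "Permit", "Active", 4096),
]


def traffic_flow_details(flows, src_pg, dst_pg):
    """Build the Traffic Flow Details rows for src_pg -> dst_pg: flows are grouped
    per protocol/status/service/policy status/port, and Traffic Flow % is each
    row's share of all bytes observed between the two PGs."""
    selected = [f for f in flows if f.src_pg == src_pg and f.dst_pg == dst_pg]
    total = sum(f.nbytes for f in selected)
    grouped = defaultdict(int)
    for f in selected:
        grouped[(f.protocol, f.status, f.service, f.policy_status, f.dst_port)] += f.nbytes
    rows = [
        {"Protocol": proto, "Status": status, "Service": service,
         "Policy Status": pstatus,
         "Traffic Flow %": round(100 * nbytes / total, 2) if total else 0.0,
         "No. of Bytes": nbytes, "Destination Port": port}
        for (proto, status, service, pstatus, port), nbytes in grouped.items()
    ]
    return sorted(rows, key=lambda r: r["No. of Bytes"], reverse=True)


# The three operators the General Filter section names.
OPERATORS = {
    "equals": operator.eq,
    "greater than": operator.gt,
    "contains": lambda value, needle: str(needle).lower() in str(value).lower(),
}


def apply_general_filters(rows, clauses):
    """Apply (field, operator, value) clauses in turn; a row must satisfy all."""
    for field, op, value in clauses:
        test = OPERATORS[op]
        rows = [r for r in rows if test(r[field], value)]
    return rows
```

Swapping the PG arguments reproduces "Change Flow Direction": only the reverse-direction record is tabulated.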

Clicking Show Analytics from the traffic details view takes you to the Analytics dashboard with the appropriate filters applied.

Flow Records Table

Flow Records presents traffic analytics in a categorical, real-time table that provides critical details about flow records as they happen. You can apply custom filters, similar to the Traffic Flow view, to narrow Flow Records down to Source or Destination Policy Groups and to whether a policy allowed or denied the flow.

Exporting Flow Records

Admins in Cloud Control Center can export flow records from the Flow Records pane by clicking on the Export data button at the top right of the table. Options are available for exporting all flow records, or exporting records using the currently applied filter. Note that a maximum of 50,000 records can be exported into the downloaded CSV file.

Behavior for "Unknown" and "Unassigned" Policy Groups in Analytics (CCC 16.4+)

Starting with CCC 16.4+, traffic in Analytics is categorized based on the following updated behavior:

Unassigned Policy Group:

  • Includes only devices discovered within the Elisity framework that cannot be matched to any Policy Group.
  • Appears in both the Policy Matrix and Analytics views.

Unknown:

  • Represents traffic destined to or originating from devices outside the Elisity framework that do not fall into any static (network-based) Policy Group.
  • Only visible in the Analytics view under the "Unknown" filter.
  • Does not appear in the Policy Matrix as "Unknown" is not a Policy Group in the system, but rather a logical grouping for analytics purposes.

This differentiation ensures better visibility into traffic patterns and simplifies the identification of unmanaged or external assets within the Analytics view.

Cloud Control Center Monitoring Dashboard

The Monitoring dashboard in Cloud Control Center gives visibility into all system activity and administrative events that occur in Cloud Control Center and Elisity Infrastructure. From user login, to Policy Group modifications, to Policy deployments or deletions, this is where you can find a log of all activity in Cloud Control Center. This includes system activity and events, as well as infrastructure alerts. See the list below for a categorical view of all monitoring views available.

Audit logs show changes made by any user in Cloud Control Center, such as configuration changes, policy modifications, and so on. This provides customers with industry-standard, exportable audit logs required by most compliance regulations.

Events shows system actions and events that were not necessarily the result of user configuration, such as device Policy Group assignments, Virtual Edge registrations, and so on. Events records many of the events that are also found in Activity Logs and Alerts; see the list below for the VE/VEN-related events that are recorded.

  • Virtual Edge Activity: Heartbeat Missed
  • Virtual Edge Activity: Registered
  • Virtual Edge Node Activity: Heartbeat Missed
  • Virtual Edge Node Activity: Registered
  • Virtual Edge Node Activity: Reinitialized
  • Virtual Edge Activity: Online (Also found in Alerts)
  • Virtual Edge Activity: Offline (Also found in Alerts)
  • Virtual Edge Node Activity: Online (Also found in Alerts)
  • Virtual Edge Node Activity: Offline (Also found in Alerts)
  • Virtual Edge Node Activity: Degraded (Also found in Alerts)
  • Virtual Edge Node Activity: Healthy (Also found in Alerts)

This list only contains VE/VEN events - many other events are recorded related to Policy Group assignment, Security Profile and Policy deployment, System Initializations, and more.

Activity Logs shows all infrastructure-related activity such as VE/VEN onboarding, decommissioning, and recommissioning. This corresponds directly with the Activity column in the notifications pane.

Alerts provides status alerting for Elisity infrastructure, such as Virtual Edge and Virtual Edge Node Online, Offline, Degraded, and Healthy status changes. The Alerts view enables quick and easy monitoring of the status of your Elisity infrastructure. As mentioned, these alerts are also recorded in the Events view. This corresponds directly with the Alerts column in the notifications pane.

Custom filtering can be applied and saved for each of these views, giving administrators the ability to export filtered (or unfiltered) data for auditing or compliance checks. Logs can also be filtered by the last hour, 24 hours, week, or month, layered with additional filters, to narrow down to specific types of events that occurred within a given time frame.

From the Device Details View

The Elisity platform offers a sophisticated device event monitoring system, as seen above, that provides administrators with a clear and comprehensive view of all device activities on their network. This system is designed with the user in mind, focusing on simplicity and effectiveness.

External Policy Logging

Security Profiles in Elisity include the ability to log policy events. This feature gives deeper insight into network activity and is particularly useful for monitoring and analyzing security-related events. Let's look at how to enable logging in Security Profiles and cover important information about its usage.

Policy Logging is a Global setting that cannot be turned off once enabled. To enable Policy Logging, navigate to Settings > System > Advanced and click the button to enable this setting. 

Per-Rule Logging

You can now enable logging on a per-rule basis within Security Profiles; the resulting messages can be sent to a syslog server to monitor policy enforcement interactions for any security profile you choose. This means that you can log specific rules while leaving others unaffected, a level of granularity that lets you focus on the rules most critical to your security monitoring needs. Note that by enabling logging in a Security Profile, logging is enabled for every policy that uses that Security Profile.

To enable logging for specific rules:

  1. Access the Security Profile: Navigate to the Security Profile you want to modify.

  2. Edit the Rule: Locate the rule you want to enable logging for and click on it to edit its settings.

  3. Enable Logging: In the rule settings, you will find a "Log" option. Turn this option on to enable syslog generation for that specific rule.

  4. Save Changes: Make sure to save your changes to apply the logging configuration to the rule.

Final Policy Action Logging

In addition to per-rule logging, you can enable logging on the Final Policy Action. This allows you to capture logs about the ultimate outcome of the Final Policy Action. You can use this feature to ensure that you have a record of what happens to traffic that doesn't match any specific rule. This is enabled per policy rather than at the security profile. 

To enable logging for the Final Policy Action on a policy:

  1. Access the Policy: Navigate to the Policy you want to modify.

  2. Enable Logging: At the bottom near the Final Policy Action section, you will find an option to enable logging. Turn this option on to log the final policy action.

  3. Save Changes: Remember to save your changes to activate logging for the Final Policy Action.

Viewing Policy Logging Status in Security Profile and Policy Dashboards

Policy Logging status is available in both the Security Profile dashboard and the Policies List View, allowing users to quickly see the logging status and filter Policies and Policy Groups by this attribute.

Security Profile Dashboard

Policy Logging status (Enabled or Disabled) can be viewed in the Security Profiles Dashboard by using the Policy Logging column. This column, as all other columns, can be moved, enabled, disabled, and filtered.

Policies Dashboard

Policy Logging status (Enabled or Disabled) can be viewed in the Policies List View as well, by using the same Policy Logging column. This column, as all other columns, can be moved, enabled, disabled, and filtered.

Performance Considerations

Enabling logging, especially at a high volume, can cause increased CPU utilization on the VENs (Virtual Enforcement Nodes) due to the generation of syslog messages. It is crucial to monitor the performance of VENs when enabling logging and consider potential mitigations if high CPU usage becomes an issue.

By providing options for per-rule logging and Final Policy Action logging, as well as an acceptance function for performance risks, we aim to empower you with the tools needed to optimize your security posture effectively.

Note: Default Policy

Logging for the Default Policy is not required and is not impacted by the settings mentioned above. The "Default" Policy is designed to handle traffic that doesn't match any Policy Group in Cloud Control Center.
