Visibility and Traffic Analytics

The Elisity Microsegmentation platform provides rich policy and traffic telemetry while also offering effective search and filtering functionality for day two operations.

With Elisity, an administrator can monitor log-on/log-off events, visualize user/device/application traffic flows, troubleshoot policy consumption and violations, and quickly analyze system events and logs.

Cloud Control Center Overview

The overview page is a dashboard populated with visibility widgets such as current users, devices, policies, sites, and more. This interactive overview offers a centralized view of the network environment. Designed for clarity and ease of use, it presents essential data points and metrics, allowing users to understand and navigate their network's current status swiftly.

An administrator might find the overview page helpful because it indicates how many new users, devices, and sites have been discovered or created, in addition to showing high-level statistics on deployed policies, sites, and VENs.

 

Components of the Overview Page:

  1. Count Metrics: At the top, users can see a clear count of users, devices, sites, and policies. Additionally, any newly added users or devices from the last 24 hours are indicated, providing a quick understanding of recent network changes.

  2. Device Breakdown: This section lists devices and allows users to filter the list by type or vendor. This makes it easier to view and categorize the variety of devices in the environment.

  3. Site Analysis: Users can view a list of top sites. The list is filterable, providing options to organize by the number of devices or users present at each site.

  4. Virtual Edge Nodes Overview: Here, the top Virtual Edge Nodes, which are critical policy enforcement points in the network, are displayed.

  5. Policy Group Metrics: The page presents a breakdown of the top policy groups. Users can filter this section either by the number of devices associated with each group or by the number of policies.

  6. Interactive Filtering: A notable functionality of the page is its dynamic filtering. When one section is filtered, the other sections adjust to display data relevant to the applied filter.

Purpose and Usefulness:

The interactive overview page serves as an informational hub for those managing or monitoring the network. It aims to:

  • Provide Quick Updates: With clear counts and indications of new users or devices, users receive immediate updates on the network's status. Click on the + new tile under Devices to see all new devices.

  • Facilitate Navigation: Filtering options across sections allow for more manageable and targeted navigation. For example, if a user wants data related to a specific device type, the dynamic filtering ensures other sections display only relevant information.

  • Offer Clear Breakdowns: The different sections, whether it's device breakdown or site analysis, offer clear, structured views of the network components, making it easier to interpret and understand the data.

In a nutshell, the Elisity platform's overview page acts as a transparent, comprehensive window into the network environment, facilitating a more informed and efficient management process.

 


 

Cloud Control Center Analytics

When it is time to dive deeper into the telemetry collected by Cloud Control Center, an administrator can navigate to the Analytics page to discover an abundance of data presented in an easily digestible format.

Traffic Flow View

The Traffic Flow visualization in our analytics suite offers a powerful and interactive way to understand the movement of traffic within your network. The interface uses a Sankey diagram to represent the source and destination of traffic flows, along with the protocols and ports involved. Here's how to interact with the Traffic Flow view to gain deeper insights:

 

PG (Policy Group) View:


  • Hovering Over PG Names: When you hover your cursor over the name of a Policy Group (PG) in the Traffic Flow diagram, a tooltip will appear. This tooltip displays the full name of the PG and the count of assets contained within that PG, providing a quick snapshot of the group’s scope.

  • Clicking PG Names: Clicking on a PG name located on either the left or right side of the flow chart will navigate you to the PG details page. This page provides an in-depth view of the specific PG, including its configuration and the assets it contains.

  • Interacting with the Colored Bar Adjacent to PG Names: If you click the colored bar next to a PG name, the system automatically creates a filter for the traffic Source or Destination based on the side of the flow chart you clicked. This action refines the Traffic Flow view to display a more detailed breakdown of the ports and protocols associated with that PG.

  • Clicking on a Flow Segment: Clicking on a highlighted section of traffic flow automatically generates filters for both the source and destination PGs. The detailed view that follows will reveal the ports and protocols involved in the traffic flow between these two PGs.

Asset View:


  • Hovering Over Asset Names/IPs: Moving your cursor over an asset name or IP address in the Traffic Flow diagram will display a tooltip. This tooltip provides the full name of the asset and pertinent details, such as its identity attributes. This quick reference can help identify key characteristics of individual assets in your network.

  • Clicking Asset Names/IPs: Clicking on an asset name or IP address will take you to the device info view. This specific device view offers detailed information about the asset, including its security posture and activity logs.

  • Interacting with the Colored Bar Adjacent to Asset Names/IPs: Similar to the PG view, clicking the colored bar next to an asset name or IP address creates a SOURCE or DEST filter. This filter corresponds to the asset, refining the view to show a detailed analysis of the ports and protocols traffic for that particular asset.

  • Clicking on a Highlighted Flow: By clicking on a section of the traffic flow that is highlighted, the interface will automatically apply filters for the source and destination Asset name/IP. This will bring up a detailed view of the ports and protocols data related to the traffic flow between the source and destination assets.

Remember, these interactions are designed to make your network traffic flows transparent and your security posture actionable. Leverage these tools to enhance your network analysis and policy optimization.
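The following Python script is an added example, not Elisity code: it shows the aggregation behind a Sankey-style PG view and Asset View and the filters that the click interactions above create (one side from the colored bar, both sides from a flow segment), followed by the port/protocol breakdown. The flow records, their field names (src, src_pg, dst, dst_pg, proto, port, flows) and the asset and PG names are constructed for illustration and are not Elisity's export schema.

```python
"""Added example (not Elisity code): the aggregation behind a Sankey-style
Traffic Flow view and the filters that the PG/Asset click interactions create.
Flow records and their field names are constructed for illustration and are
not Elisity's schema."""
from collections import defaultdict

# Constructed sample flow records (assumed schema). Each record is one observed
# src -> dst flow tuple, tagged with the Policy Group (PG) of each endpoint.
FLOWS = [
    {"src": "hr-laptop-01", "src_pg": "HR-Users", "dst": "fileserv-01",
     "dst_pg": "File-Servers", "proto": "tcp", "port": 445, "flows": 120},
    {"src": "hr-laptop-02", "src_pg": "HR-Users", "dst": "fileserv-01",
     "dst_pg": "File-Servers", "proto": "tcp", "port": 445, "flows": 80},
    {"src": "hr-laptop-01", "src_pg": "HR-Users", "dst": "dc-01",
     "dst_pg": "Domain-Ctrl", "proto": "udp", "port": 53, "flows": 300},
    {"src": "cam-lobby", "src_pg": "IP-Cameras", "dst": "nvr-01",
     "dst_pg": "NVR", "proto": "tcp", "port": 554, "flows": 50},
    {"src": "cam-lobby", "src_pg": "IP-Cameras", "dst": "fileserv-01",
     "dst_pg": "File-Servers", "proto": "tcp", "port": 445, "flows": 3},
]


def _keys(view):
    """Column names for the two views: the PG view keys on group names,
    the Asset View keys on asset names/IPs."""
    if view == "pg":
        return "src_pg", "dst_pg"
    if view == "asset":
        return "src", "dst"
    raise ValueError(f"unknown view {view!r}")


def sankey_links(flows, view="pg"):
    """Left-to-right link weights of the diagram: (source, destination) -> flow count."""
    skey, dkey = _keys(view)
    links = defaultdict(int)
    for f in flows:
        links[(f[skey], f[dkey])] += f["flows"]
    return dict(links)


def filter_flows(flows, view="pg", source=None, dest=None):
    """Filters the UI creates: clicking the colored bar on the left or right
    sets `source` or `dest`; clicking a flow segment sets both."""
    skey, dkey = _keys(view)
    return [f for f in flows
            if (source is None or f[skey] == source)
            and (dest is None or f[dkey] == dest)]


def port_protocol_breakdown(flows):
    """Detail view shown once a filter is applied: flow counts per (proto, port)."""
    out = defaultdict(int)
    for f in flows:
        out[(f["proto"], f["port"])] += f["flows"]
    return dict(out)


def pg_tooltip(flows, pg):
    """Hover tooltip for a PG. Here the asset count is the number of distinct
    assets seen in traffic for that PG, which can be lower than the PG's real
    membership (idle members generate no flows)."""
    assets = {f["src"] for f in flows if f["src_pg"] == pg}
    assets |= {f["dst"] for f in flows if f["dst_pg"] == pg}
    return {"pg": pg, "asset_count": len(assets)}


if __name__ == "__main__":
    for (s, d), n in sorted(sankey_links(FLOWS).items(), key=lambda kv: -kv[1]):
        print(f"{s:>12} -> {d:<14} {n:>4} flows")
    # "Click" the IP-Cameras -> File-Servers segment: a low-volume SMB link from
    # cameras to a file server is exactly the kind of flow worth a policy review.
    segment = filter_flows(FLOWS, source="IP-Cameras", dest="File-Servers")
    print(port_protocol_breakdown(segment))
```

The thin link in the sample (three SMB flows from a camera to a file server) is the kind of flow that disappears in the totals but stands out once a segment filter is applied; that is the workflow the click-through is meant to support.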

 

Filtering Analytics from the User, Device, and Policy Dashboards

Elisity offers several methods for filtering traffic flows, such as click-through analytics for assets and Policy Group intersections, and manually created filters. In this section, let's cover some of the ways to view analytics data by "clicking through" various components of the Elisity platform.

 

From the User Dashboard

Find the user of interest and click on the user's name. Below the primary user data are several tabs, including Denied Flows and Communication Peers. Clicking on the "Peers" tab shows a chart of the other assets this user has communicated with, and from which device those communications took place. Optionally, you can view the details of the device associated with this user and view traffic flows from that specific device.


By clicking "Show Analytics" you can open up a full screen interactive view of this chart to dive deeper into the communication flows and peers that this user has communicated with.

 


From the Device Dashboard

Navigate to the Device section in Cloud Control Center and find a device of interest. Open up the Asset Details view by clicking on the name of the device. Here, in the left column under Identity Graph, we can see our Analytics view options. View Denied Flows, events such as network attachments, and importantly Traffic Analytics. 

From the Traffic Analytics view, we can see the same Sankey chart visible from various other views within the platform, clearly showing what assets this particular device has been talking to on our network, and the details of those traffic flows. 


Again, clicking "Show Analytics" in the top right takes you to the full analytics dashboard with the appropriate filter applied. 


 

From the Policy Matrix

To view detailed analytics between Policy Groups, you can navigate to the Policy Matrix, click "Show Traffic Flows," click any cell, and click "Show Analytics." This will again take you to the analytics page with a pre-generated filter that shows only flows between your source and destination PGs. Again, you can use this as a starting point and add additional filters to narrow down search results to exactly what flows you are investigating. Here we can see observed traffic flows including which protocol was observed and the number of flows, traffic flows blocked by policy, and what policy is in place, if any. 

Clicking on any observed traffic shows the specific traffic flows that have been observed, and clicking add policy will automatically create a policy for the protocols that were observed which you can then customize to create a very granular policy.

 

Clicking on "Show Analytics" in the top right takes you to the analytics page where traffic flows are filtered to the specific source and destination PGs, as seen below in the example image.


 

 

Flow Records

Flow Records present traffic analytics as a categorical, real-time table that shows the details of each flow record as it is observed. You can apply custom filters to this table view to narrow down Flow Records by Source or Destination Policy Group, and by whether the flow was allowed or denied by a policy.


 

 

Cloud Control Center Events and Logs

The Events and Logs dashboard in Cloud Control Center gives visibility into all administrative events that occur in Cloud Control Center. From user login, to Policy Group modifications, to Policy deployments or deletions, this is where you can find a log of all activity in Cloud Control Center.
Audit logs show changes made by any user in Cloud Control Center, such as configuration changes, policy modifications, and so on.
Event logs show system actions and events that were not necessarily the result of user configuration, such as device attachments or asset classifications.

The Elisity platform offers a sophisticated device event monitoring system that provides administrators with a clear and comprehensive view of all device activities on their network. This system is designed with the user in mind, focusing on simplicity and effectiveness.

 

 

Enabling External Logging in Security Profiles

Security Profiles in Elisity have been enhanced to include the ability to log policy events. This feature allows you to gain deeper insights into network activity and is particularly useful for monitoring and analyzing security-related events. Let's look at how to enable logging in Security Profiles and cover important information about its usage.

 

Policy Logging is a Global setting that cannot be turned off once enabled. To enable Policy Logging, navigate to Settings > System > Advanced and click the button to enable this setting. 

 

 

Per-Rule Logging

You can now enable logging on a per-rule basis within Security Profiles; the resulting log messages can be sent to a syslog server to monitor policy enforcement for any Security Profile you choose. This means that you can choose to log specific rules while leaving others unaffected, a level of granularity that lets you focus on the rules most critical for your security monitoring needs. Note that by enabling logging for a rule in a Security Profile, logging is enabled for every policy that uses that Security Profile.

 

To enable logging for specific rules:

  1. Access the Security Profile: Navigate to the Security Profile you want to modify.

  2. Edit the Rule: Locate the rule you want to enable logging for and click on it to edit its settings.

  3. Enable Logging: In the rule settings, you will find a "Log" option. Turn this option on to enable syslog generation for that specific rule.

  4. Save Changes: Make sure to save your changes to apply the logging configuration to the rule.

 

Final Policy Action Logging

In addition to per-rule logging, you can enable logging on the Final Policy Action. This records the outcome of the Final Policy Action, giving you a record of what happens to traffic that doesn't match any specific rule in the profile. This is enabled per policy rather than on the Security Profile.

To enable logging for the Final Policy Action on a policy:

  1. Access the Policy: Navigate to the Policy you want to modify.

  2. Enable Logging: At the bottom near the Final Policy Action section, you will find an option to enable logging. Turn this option on to log the final policy action.

  3. Save Changes: Remember to save your changes to activate logging for the Final Policy Action.

 

Performance Considerations

Enabling logging, especially at a high volume, can cause increased CPU utilization on the VENs (Virtual Edge Nodes) due to the generation of syslog messages. It is crucial to monitor the performance of VENs when enabling logging and to consider potential mitigations, such as logging fewer rules, if high CPU usage becomes an issue.

By providing options for per-rule logging and Final Policy Action logging, together with an explicit acceptance step for the performance risk, we aim to empower you with the tools needed to optimize your security posture effectively.
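The following Python script is an added example, not Elisity code, showing what a receiving side for per-rule and Final Policy Action logs can do: parse each syslog message, group denied flows by PG pair, policy and rule, and track the per-VEN message rate that the performance note above warns about. The message layout (an RFC 5424 header followed by a key=value body) and every field name in it are assumptions made for illustration; the sample messages are constructed, and the real Elisity syslog format must be taken from Elisity's own documentation.

```python
"""Added example (not Elisity code): ingest per-rule and Final Policy Action
syslog messages and watch the per-VEN message rate. The message layout
(RFC 5424 header + key=value body) and the field names are assumptions for
illustration, not Elisity's documented format."""
import re
import socket
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample messages in the assumed layout:
#   <PRI>1 TIMESTAMP HOST APP - - - key=value key=value ...
SAMPLE_LINES = [
    "<134>1 2024-01-15T10:22:01Z ven-hq-01 elisity-policy - - - action=ALLOW src=10.1.20.5 dst=10.1.30.8 proto=tcp dport=445 src_pg=HR-Users dst_pg=File-Servers policy=HR-to-Files rule=allow-smb",
    "<134>1 2024-01-15T10:22:01Z ven-hq-01 elisity-policy - - - action=DENY src=10.1.40.7 dst=10.1.30.8 proto=tcp dport=445 src_pg=IP-Cameras dst_pg=File-Servers policy=Cameras-to-NVR rule=final-action",
    "<134>1 2024-01-15T10:22:02Z ven-hq-01 elisity-policy - - - action=DENY src=10.1.40.7 dst=10.1.30.8 proto=tcp dport=22 src_pg=IP-Cameras dst_pg=File-Servers policy=Cameras-to-NVR rule=final-action",
    "<134>1 2024-01-15T10:22:02Z ven-branch-01 elisity-policy - - - action=ALLOW src=10.2.10.9 dst=10.1.30.20 proto=udp dport=53 src_pg=Branch-Users dst_pg=Domain-Ctrl policy=Branch-DNS rule=allow-dns",
    "this is not a syslog line and must be skipped",
]

HEADER = re.compile(
    r"^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ \S+ (?P<body>.*)$"
)


def parse_syslog_line(line):
    """Return {'ts', 'ven', 'fields'} for a well-formed message, else None."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    # datetime.fromisoformat() only accepts a trailing 'Z' from Python 3.11 on.
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    fields = {}
    for tok in m["body"].split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
    if "action" not in fields:  # not a policy event we know how to handle
        return None
    return {"ts": ts, "ven": m["host"], "fields": fields}


def parse_lines(lines):
    """Parse a batch of raw lines, silently dropping anything unparseable."""
    return [e for e in (parse_syslog_line(l) for l in lines) if e]


def summarize_denies(events):
    """Denied flows grouped by (src_pg, dst_pg, policy, rule). In the assumed
    format rule=final-action marks traffic that matched no explicit rule and
    was handled by the policy's Final Policy Action."""
    counts = Counter()
    for e in events:
        f = e["fields"]
        if f["action"] == "DENY":
            counts[(f["src_pg"], f["dst_pg"], f["policy"], f["rule"])] += 1
    return counts


def peak_rate(events):
    """Highest messages-per-second observed for each VEN."""
    per_second = Counter()
    for e in events:
        per_second[(e["ven"], e["ts"].replace(microsecond=0))] += 1
    peak = defaultdict(int)
    for (ven, _), n in per_second.items():
        peak[ven] = max(peak[ven], n)
    return dict(peak)


def noisy_vens(events, threshold):
    """VENs whose peak rate reaches the threshold: the first place to look when
    logging drives up VEN CPU, and candidates for logging fewer rules."""
    return sorted(v for v, r in peak_rate(events).items() if r >= threshold)


def serve_udp(port=5514, threshold=500):
    """Minimal UDP syslog receiver: point the VEN syslog destination here and
    print denies and rate warnings as they arrive (assumed port; runs forever)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    window = []
    while True:
        data, _ = sock.recvfrom(65535)
        ev = parse_syslog_line(data.decode("utf-8", "replace"))
        if not ev:
            continue
        window = [w for w in window if (ev["ts"] - w["ts"]).total_seconds() < 60]
        window.append(ev)
        if ev["fields"]["action"] == "DENY":
            print("DENY", ev["ven"], ev["fields"])
        for ven in noisy_vens(window, threshold):
            print(f"WARNING: {ven} peaked at >= {threshold} msg/s in the last minute")


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LINES)
    for key, n in summarize_denies(evs).most_common():
        print(n, "denied:", key)
    print("peak msg/s per VEN:", peak_rate(evs))
```

Two sample denies with rule=final-action between the same PG pair are the signal that the matrix has no explicit rule for that traffic; the per-VEN peak rate is what to watch before enabling logging on a high-volume rule.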

Note: Default Policy

Logging for the Default Policy is not required and is not impacted by the settings mentioned above. The "Default" Policy is designed to handle traffic that doesn't match any Policy Group in Cloud Control Center.
