Tips & Tricks: ACC FAQ
Correlation events on the ACC don't happen all the time, but the Community's questions do. You've watched the videos, and read the articles. Check out some QA from the Community! Jamie, our Product Manager, has helped answer some FAQs. Take a look at our aggregated questions and content.
This week’s Tips & Tricks features frequently asked questions (FAQ) on the ACC (Application Command Center) for PAN-OS 7.0 and later. Over the last few weeks, we've featured the ACC for Tips & Tricks, as well as a recent Video Tutorial, and now we are addressing some common questions about the ACC. Also, a big thank you to Jamie Fitz-Gerald for his help!
Q: What has changed in the ACC with PAN-OS 7.0 and beyond?
A: The new ACC offers a fully-redesigned layout that enhances the visualization of threats and improves response time, thanks to a highly interactive and customizable dashboard that provides easily understood, actionable threat information with simple drill down capabilities, trending information, device group segmentation, and correlation events.
User interface layout and design elements
Q: Why a widget-based design?
A: A widget-based design allows for easy customization and improved the visibility of data. Widgets improve the action-ability of data by displaying only desired content, thus making the UI more user-friendly and improving response times.
Q: What do the icons in the top right of each widget mean?
A: There are 4 icons in the blue shaded area in the top right of each widget:
- “Maximize Widget” Icon: Clicking on the icon with the diagonal arrow maximizes the view of the current widget and shows more detailed data.
- “Custom Filter” Icon: Click on the icon with the funnel to create a custom filter that will remain active even when all Global Filters get deleted.
- “Jump to Log” Icon: Click on the icon with the bulleted list to jump to the log data associated with the particular widget.
- “Print/Export” Icon: Click on this icon to export or print a particular widget. In most cases, data will be exported as a PDF. From the maximized view, you can also export data as a CSV file.
- “Graph Selection” Icons: There are two more icons in the white area. These are the graph type icons. Click on these icons to select the appropriate graph to display the widget in a way best suited for your needs.
Q: How can I customize the ACC to my needs?
A: You can modify the default views (Application, Threat Activity, and Blocked Activity tabs) by clicking on the "pencil" icon on every tab to edit, but you can’t delete them. You can create any number of custom tabs for custom views by using the "+" tab.
Q: How can I change the graph type?
A: In the top right of each widget there are different graph types you can select for each widget. The available graph types vary by widget. Click on the icon that displays the desired graph type and the widget will automatically display the selected graph.
Shortcuts and tips & tricks
Q: What are the different ways to promote an item as a Global Filter?
A: Look for the left pointing arrow.…<-| There are a few different ways you can promote any item as a global filter.
- The easiest way is to click on the left pointing arrow behind the item’s name, which will immediately promote the item as a global filter.
- If you have a widget-specific filter in any widget, the filter string appears in the top of that widget. You can click on the left pointing arrow behind any item in that string and promote the local filter as a global filter.
- You can do a step-by-step promotion by clicking on any item in the table, and do a local promotion first and then select the item from the filter string above to do a global promotion.
Q: No “compromised host” (correlation event) shows up in the Threat tab. How can I trigger a correlation event to demonstrate the correlation engine?
A: Correlation events don’t happen all the time. Check the time frame of your demo. It is most likely set at “1 hour.” If you extend the time frame to “12 hours,” or even “24 hours,” correlation events should show up. Please note that if you are trying to do this in a POC environment, the customer may not have any threat licenses, and correlation object may not be triggered.
Q: How do I create a custom tab that monitors an individual user?
A: First, create a new tab and select the desired widgets for this tab from the drop down list. Next, use the filter in the top right of each widget to add the filter criteria (in this case the criteria is the name of the user). Note, creating a custom filter like just described is the best way to generate a permanent customized filter. If you only decide to promote the filter in each widget to get the same result, the filter will be eliminated the next time someone removes all Global Filters.
Q: How do I zoom in on a specific timeframe within the trending graphs?
A: If you look at a trending graph and notice a particularly interesting time period within the graph you can zoom in by highlighting the desired timeframe inside the graph. This will automatically create a custom time period and the graph will be re-built with the highlighted time period (zoomed-in view). Please ensure you highlight an area that goes beyond the desired time frame, since the zoomed in view will display a time frame from the start of the highlighted area to just before the highlighted area (less than the latest time frame selected).
Q: How do I promote a time from a zoomed-in graph?
A: After you have selected the desired time frame inside the trending graph, the selected time zone shows up as a custom time frame on the filter string on top of the widget. To promote this time zone as a global filter, simply click on the left-pointing arrow behind the custom time zone, which will automatically promote the item as a global filter.
Q: What export options do I have?
A: You can export or print individual widgets or all widgets on a given tab. You can export in PDF, and in maximized views you can also export data in CSV format.
Q: How can I drill down from a maximized view?
A: If you are in a maximized view on a specific widget you can promote each item on the list as a global filter in the same way you usually promote a filter. Click on the left-pointing arrow behind the item.
Q: How can I see the log data associated with a threat highlighted in the ACC?
A: In the top right of each widget there is an icon that says “Jump to logs." Click on the “Jump to logs” icon and you will be taken automatically to the log data associated with the selected threat.
Q: Why can’t I change the “data source” on top of the UI?
A: This selection criterion is only active once all devices in the configuration have been moved to PAN OS 7.0 and later. Then you can select different data sources for display in the ACC.
Q: What is the definition of aggregated content in the widgets?
A: Aggregated content is an accumulated view of all file transfers and data pattern matches we have seen.
This concludes this week’s FAQ. I hope this has helped you understand the ACC better.
As always, if you have any questions, comments or suggestions, please comment below.