Palo Alto Networks Knowledgebase: Tips & Tricks: How to Use the Application Command Center (ACC)

Created On 02/07/19 23:59 PM - Last Updated 02/07/19 23:59 PM

This week's Tips & Tricks looks at the Application Command Center (ACC), which provides visibility into the network traffic passing through your firewall. The ACC is sometimes overlooked inside the WebGUI, but it is a very powerful tool to help you manage and see the traffic flowing through your network.

Note: I'll be covering the ACC as it appears on PAN-OS 5.0, 6.0 and 6.1. PAN-OS 7.0 changes the look and feel of the interface, which I will cover in a different segment of Tips & Tricks.

In order to learn more about the ACC, we'll explore the following areas:

  • What is the Application Command Center (ACC)?
  • Parts of the Application Command Center (ACC) and how to get more information from the ACC
What is the Application Command Center (ACC)?

The Application Command Center (ACC) page visually depicts trends and a historic view of traffic on your network. It displays the overall risk level for all network traffic, the risk levels and number of threats detected for the most active and highest-risk applications on your network, and the number of threats detected from the busiest application categories and from all applications at each risk level. The ACC can be viewed for the past hour, day, week, month, or any custom-defined time frame.

Risk levels (1=lowest to 5=highest) indicate the application's relative security risk, based on criteria such as whether the application can share files, is prone to misuse, or tries to evade firewalls.

Parts of the Application Command Center (ACC) and how to get more information from the ACC

We will start with the Dashboard tab:

ACC Risk Factor
Inside the WebGUI, on the Dashboard tab, you'll see ACC Risk Factor.

2015-10-27 tnt 1.jpg

This widget shows the risk factor over the last 60 minutes, based on the information inside the ACC tab.

This is a general 'threat temperature' of the traffic. If you find it higher than normal, you can use the main ACC to drill down and investigate what is causing the temperature to rise.

If you'd like to see this and it is not being displayed on your Dashboard page, enable it from Dashboard > Widgets > Application > ACC Risk Factor.

Top Applications
You also will see the 'Top Applications' if you have enabled this widget.

2015-10-27 tnt 2.jpg

This widget displays the applications with the most sessions. The block size indicates the relative number of sessions (mouse-over the block to view the number), and the color indicates the security risk—from green (lowest) to red (highest). Click an application to view its application information, as well as a full breakdown where that application has been seen inside the ACC page.

This is a great way to see the applications in use at a glance.
If you would like to see this, it can be enabled from Dashboard > Widgets > Application > Top Applications.
2015-10-27 tnt 3.jpg

Now let's move on to the ACC tab:
On the ACC tab, you will see the following sections that make up the Application Command Center:

  1. Time/Sort By/Top (at the top of the window)
  2. Application 
  3. URL Filtering
  4. Threat Prevention
  5. Data Filtering
  6. HIP Matches
1. Time/Sort By/Top

At the top of the window, you'll see the Time/Sort By/Top options.
2015-10-27 tnt 4.jpg

This controls all the display options inside the ACC.

  • Time: You have options for the time range from the Last 15 Minutes up to the Last Calendar Month, and even a Custom option. The default is Last Hour.
  • Sort By: You can sort the charts in descending order by number of sessions, bytes, or threats. The default is by number of sessions.
  • Top: You have an option for the 'Top' number of entries to be displayed per section. This ranges from 5 up to 500. The default is 25.
  • Press the green arrow to make your selection take effect.
  • Lastly, the green plus sign is a Set Filter option that allows you to filter by Application, Source or Destination IP, Source or Destination User, Machine Name, HIP, Source or Destination Zone, Risk and URL Category.

Note: There are 2 other parts of the ACC that I didn't document with a screen shot. They are as follows:

  • Virtual System: If virtual systems are defined, you can select one from this drop-down.
  • Data Source (for Panorama only): Select the Data Source that is used to generate the graphical display of traffic trends. The default Data Source for new installations is Panorama; Panorama uses the logs forwarded by the managed devices. To fetch and display an aggregated view of the data from the managed devices, you have to switch the source from Panorama to Remote Device Data. On an upgrade, the default data source is Remote Device Data.

Adding a filter comes in handy if you are looking for specific traffic.

Note: You'll also see the same ACC Risk Factor in the upper right, as well as a set of 5 icons.
2015-10-27 tnt 4a.jpg

The icons are shortcuts to logs, in the following order:

  • Traffic Log
  • Threat Logs
  • URL Filtering Log
  • Data Filtering Log
  • HIP Match Log

These shortcuts come in handy when you would like to jump straight to the Threat logs, but do not want to click on Monitor > Threat logs.

2. Application

The first section you'll see is the Application section.

2015-10-27 tnt 5.jpg
This section displays information organized according to the menu selection. Information includes the number of sessions, bytes transmitted and received, number of threats, application category, application subcategories, application technology, and risk level, as applicable.

2015-10-27 tnt 6.jpg
The following subcategories are available by using the drop-down on the right side:

  • Applications
  • High Risk Applications
  • Categories
  • Sub Categories
  • Technology
  • Risk


This is the section where you can start to investigate questionable traffic as it passes through your network, in or out, by clicking on the Application name or by using the drop-down to look at the Application data differently.

For example, let's say that 'msrpc' traffic is high, and you want to know more about this traffic. Simply click on msrpc and you will see the following:
2015-10-27 tnt 7.jpg

  • Application Information: general information about the application, including its Name, Description, and all other information specific to this application and how it communicates.
  • Top Applications: shows session and bytes information
  • Top Sources
  • Top Destinations
  • Top Source Countries
  • Top Destination Countries
  • Top Security Rules
  • Top Ingress Zones
  • Top Egress Zones
  • URL Filtering
  • Threat Prevention
  • Data Filtering
You can continue to click on each area to get more detailed information. Sometimes the information you need is only one click down; more involved investigations might take more drill-downs to get the information you need.
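
The Sort By/Top/Set Filter controls described earlier and the per-application drill-down above can be modelled offline to see what the ACC is computing over the traffic logs. This is an added example, not code from the article or from Palo Alto Networks; the records are constructed, and the field names (app, src, dst, src_zone, dst_zone, risk, bytes, threats) are this example's own assumptions rather than the PAN-OS log schema.

```python
from collections import Counter, defaultdict

# Constructed sample traffic records (this example's own field names, not the PAN-OS log schema).
SAMPLE_TRAFFIC = [
    {"app": "msrpc", "risk": 2, "src": "10.1.1.5", "dst": "10.2.2.9", "src_zone": "trust", "dst_zone": "dmz", "bytes": 12000, "threats": 0},
    {"app": "msrpc", "risk": 2, "src": "10.1.1.5", "dst": "10.2.2.10", "src_zone": "trust", "dst_zone": "dmz", "bytes": 8000, "threats": 1},
    {"app": "msrpc", "risk": 2, "src": "10.1.1.7", "dst": "10.2.2.9", "src_zone": "trust", "dst_zone": "dmz", "bytes": 500, "threats": 0},
    {"app": "web-browsing", "risk": 4, "src": "10.1.1.5", "dst": "203.0.113.8", "src_zone": "trust", "dst_zone": "untrust", "bytes": 90000, "threats": 2},
    {"app": "ssl", "risk": 4, "src": "10.1.1.9", "dst": "203.0.113.20", "src_zone": "trust", "dst_zone": "untrust", "bytes": 40000, "threats": 0},
    {"app": "ssl", "risk": 4, "src": "10.1.1.9", "dst": "203.0.113.21", "src_zone": "trust", "dst_zone": "untrust", "bytes": 35000, "threats": 0},
]

SORT_KEYS = ("sessions", "bytes", "threats")  # the ACC's Sort By choices

def acc_summary(records, sort_by="sessions", top=25, **filters):
    """Application section: group by app, apply Set Filter-style field matches,
    sort descending by the chosen key and keep the Top N (defaults as on the page)."""
    if sort_by not in SORT_KEYS:
        raise ValueError(f"sort_by must be one of {SORT_KEYS}")
    if not 5 <= top <= 500:  # the Top selector ranges from 5 to 500
        raise ValueError("top must be between 5 and 500")
    groups = defaultdict(lambda: {"sessions": 0, "bytes": 0, "threats": 0, "risk": 0})
    for r in records:
        # Every filter field (e.g. dst_zone="dmz", risk=4) must match, like the green-plus Set Filter.
        if any(r.get(k) != v for k, v in filters.items()):
            continue
        g = groups[r["app"]]
        g["sessions"] += 1
        g["bytes"] += r["bytes"]
        g["threats"] += r["threats"]
        g["risk"] = r["risk"]
    ranked = sorted(groups.items(), key=lambda kv: kv[1][sort_by], reverse=True)
    return ranked[:top]

def drill_down(records, app, top=25):
    """The view you get by clicking an application: Top Sources, Top Destinations,
    Top Ingress/Egress Zones by session count, plus session and byte totals."""
    rows = [r for r in records if r["app"] == app]
    view = {"sessions": len(rows), "bytes": sum(r["bytes"] for r in rows)}
    for label, field in (("sources", "src"), ("destinations", "dst"),
                         ("ingress_zones", "src_zone"), ("egress_zones", "dst_zone")):
        view[label] = Counter(r[field] for r in rows).most_common(top)
    return view

if __name__ == "__main__":
    for app, g in acc_summary(SAMPLE_TRAFFIC, sort_by="threats", top=5):
        print(f"{app:14} risk={g['risk']} sessions={g['sessions']} bytes={g['bytes']} threats={g['threats']}")
    print(drill_down(SAMPLE_TRAFFIC, "msrpc"))
```

Switching sort_by between sessions, bytes and threats reorders the same three applications differently, which is exactly why the Sort By choice matters when a noisy but low-risk application sits at the top of the default session-sorted view.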
3. URL Filtering

2015-10-27 tnt 8.jpg
Displays information organized according to the menu selection. Information includes the URL, URL category, and repeat count (number of times access was attempted), as applicable.

The following sections are available:

  • URL Categories
  • URLs
  • Blocked URL Categories
  • Blocked URLs

This is a great way to see which URL filtering categories are being used.

4. Threat Prevention

2015-10-27 tnt 9.jpg
Displays information organized according to the menu selection. Information includes threat ID, count (number of occurrences), number of sessions, and subtype (such as vulnerability), as applicable.

The following sections are available:

  • Threats
  • Types
  • Spyware
  • Spyware Phone Home
  • Spyware Download
  • Vulnerabilities
  • Viruses

If you want to know about Threat Prevention, you'll really appreciate this section and the information it can show you.

5. Data Filtering

2015-10-27 tnt 10.jpg
Displays data from the data filtering policy that has been created.

The following sections are available:

  • Content/File Types
  • Types
  • File Names

If you use data filtering, this comes in handy to quickly show how many files are created and the repeat count of each type.

6. HIP Matches

2015-10-27 tnt 11.jpg
This area displays Host Information Protocol information gathered from GlobalProtect.

The following sections are available:

  • HIP Objects
  • HIP Profiles

If you're using HIP with GlobalProtect, then this area can prove very helpful.

I hope this Tips & Tricks article has helped you understand the Application Command Center better, as well as provide you with some insight into better ways to access and use the information in the ACC.

As always, we welcome all feedback and suggestions and we're happy to take requests for future Tips & Tricks: leave a comment below.

Stay secure,
Joe Delio
