
Submitting a Question

 

You submit a question to determine the risk associated with it. Submitting a question also shows you the time required to run it and the amount of data that is queried.

When you submit a question, the results you get depend on the type of data that is queried: assets, or devices and rules.

After a Policy Monitor question is submitted, you can view how long the question takes to run. The time that is required to run the policy also indicates how much data is queried. For example, if the execution time is 3 hours, then there are 3 hours of data. Use the time in the Policy Execution Time column to choose an efficient interval frequency for the questions that you want to monitor. For example, if the policy execution time is 3 hours, then the policy evaluation interval must be greater than 3 hours.

  1. Click the Risks tab.
  2. On the navigation menu, click Policy Monitor.
  3. Select the question that you want to submit.
  4. Click Submit Question.

Asset Question Results

Asset results display after you submit a policy monitor question.

The Risk Score indicates the level of risk that is associated with the question. The Risk Score calculation is based on the importance factor assigned to the question, and the number of results returned for the question.

The parameters for asset results are described in the following table.

Table 1: Asset Results

Parameter / Description

IP

The IP address of the asset.

Name

The name of the asset, as obtained from the asset profile.

For more information about asset profiles, see the Juniper Secure Analytics Users Guide.

Vlan

The name of the VLAN associated with the asset.

Weight

The weight of the asset, as obtained from the asset profile.

Destination Port(s)

The list of destination ports associated with this asset, in the context of the question tests. If multiple ports are associated with this asset and question, this field indicates Multiple and the number of ports. The list of ports is obtained by filtering the connections associated with this question to obtain all unique ports where the asset has been either the source or the destination of the connection.

Click Multiple (N) to view the connections. This display provides the aggregated connections by port, filtered by the asset IP address, and based on the time interval specified in the question.

Protocol(s)

The list of protocols associated with this asset, in the context of the question tests. If multiple protocols are associated with this asset and question, this field indicates Multiple and the number of protocols. The list of protocols is obtained by filtering the connections associated with this question to obtain all unique protocols where the asset has been either the source or the destination of the connection.

Click Multiple (N) to view the Connections. This display provides the aggregated connections by protocol, filtered by the asset IP address, and based on the time interval specified in the question.

Flow App(s)

The list of applications associated with this asset, in the context of the question tests. If multiple applications are associated with this asset and question, this field indicates Multiple and the number of applications. The list of applications is obtained by filtering the connections associated with this question to obtain all unique applications where the asset has been either the source or the destination of the connection.

Click Multiple (N) to view the Connections. This display provides the aggregated connections by application, filtered by the asset IP address, and based on the time interval specified in the question.

Vuln(s)

The list of vulnerabilities associated with this asset, in the context of the question tests. If multiple vulnerabilities are associated with this asset and question, this field indicates Multiple and the number of vulnerabilities.

The list of vulnerabilities is obtained by compiling all vulnerabilities referenced by the relevant tests and using that list to filter the vulnerabilities detected on this asset. If no vulnerabilities are specified for this question, then all vulnerabilities on the asset are used to compile this list.

Click Multiple (N) to view the Assets. This display provides the aggregated connections by vulnerability, filtered by the asset IP address, and based on the time interval specified in the question.

Flow Count

The total flow count associated with this asset, in the context of the question tests.

The flow count is determined by filtering the connections associated with this question and totaling the flows where the asset has been either the source or the destination of the connection.

Source(s)

The list of source IP addresses associated with this asset, in the context of the question tests. If multiple source IP addresses are associated with this asset and question, this field indicates Multiple and the number of source IP addresses. The list of source IP addresses is obtained by filtering the connections associated with this question to obtain all unique source IP addresses where the asset is the destination of the connection.

Click Multiple (N) to view the Connections. This display provides the aggregated connections by source IP address, filtered by the asset IP address, and based on the time interval specified in the question.

Destination(s)

The list of destination IP addresses associated with this asset, in the context of the question tests. If multiple destination IP addresses are associated with this asset and question, this field indicates Multiple and the number of destination IP addresses. The list of destination IP addresses is obtained by filtering the connections associated with this question to obtain all unique destination IP addresses where the asset is the source of the connection.

Click Multiple (N) to view the Connections. This display provides the aggregated connections by destination IP address, filtered by the asset IP address, and based on the time interval specified in the question.

Flow Source Bytes

The total source bytes associated with this asset, in the context of the question tests.

The source byte total is determined by filtering the connections associated with this question and totaling the source bytes where the asset is the source of the connection.

Flow Destination Bytes

The total destination bytes associated with this asset, in the context of the question tests.

The destination byte total is determined by filtering the connections associated with this question and totaling the destination bytes where the asset is the destination of the connection.
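The per-asset columns in Table 1 are all derived from the same connection set by filtering on which side of the connection the asset is on. The following Python is an added example (not code from Juniper Secure Analytics) that computes the Destination Port(s), Protocol(s), Flow App(s), Flow Count, Source(s), Destination(s), Flow Source Bytes and Flow Destination Bytes values for one asset from a constructed list of connection records, and renders list-valued cells with the Multiple (N) convention. The `Connection` record layout and the sample records are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample connections for the example. The field set is an
# assumption about what a question's connection records carry; it is not
# the product's own data model.
@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str
    app: str
    flows: int
    src_bytes: int
    dst_bytes: int


SAMPLE_CONNECTIONS: List[Connection] = [
    Connection("10.0.0.5", "10.0.1.20", 443, "tcp", "HTTPS", 12, 5000, 80000),
    Connection("10.0.0.5", "10.0.1.21", 22, "tcp", "SSH", 3, 900, 1500),
    Connection("192.168.7.9", "10.0.0.5", 3389, "tcp", "RDP", 7, 40000, 2000),
    # A connection that does not involve the asset under review at all.
    Connection("10.0.2.2", "10.0.3.3", 53, "udp", "DNS", 40, 800, 3200),
]


def asset_results(connections: List[Connection], asset_ip: str) -> Dict[str, object]:
    """Compute the Table 1 columns for one asset from a question's connections."""
    # Columns that count the asset on either side of the connection.
    involved = [c for c in connections if asset_ip in (c.src_ip, c.dst_ip)]
    # Columns that depend on the asset's role.
    as_source = [c for c in involved if c.src_ip == asset_ip]
    as_destination = [c for c in involved if c.dst_ip == asset_ip]
    return {
        "dst_ports": sorted({c.dst_port for c in involved}),
        "protocols": sorted({c.protocol for c in involved}),
        "flow_apps": sorted({c.app for c in involved}),
        "flow_count": sum(c.flows for c in involved),
        # Source(s): unique sources where the asset is the destination.
        "sources": sorted({c.src_ip for c in as_destination}),
        # Destination(s): unique destinations where the asset is the source.
        "destinations": sorted({c.dst_ip for c in as_source}),
        "flow_source_bytes": sum(c.src_bytes for c in as_source),
        "flow_destination_bytes": sum(c.dst_bytes for c in as_destination),
    }


def render_cell(values: list) -> str:
    """Render a list-valued cell the way the results table does."""
    if not values:
        return "NA"
    if len(values) == 1:
        return str(values[0])
    return f"Multiple ({len(values)})"


def aggregate_by(connections: List[Connection], asset_ip: str, field: str) -> Dict[object, int]:
    """Flow totals per port/protocol/app for the Multiple (N) drill-down view."""
    counts: Counter = Counter()
    for c in connections:
        if asset_ip in (c.src_ip, c.dst_ip):
            counts[getattr(c, field)] += c.flows
    return dict(counts)


if __name__ == "__main__":
    results = asset_results(SAMPLE_CONNECTIONS, "10.0.0.5")
    for column, value in results.items():
        shown = render_cell(value) if isinstance(value, list) else value
        print(f"{column:24s} {shown}")
    print("by port:", aggregate_by(SAMPLE_CONNECTIONS, "10.0.0.5", "dst_port"))
```

Note that Flow Source Bytes and Flow Destination Bytes use only the connections where the asset has the matching role, while the port, protocol and application lists use both roles, which is why the two sets of columns can disagree about which connections they summarize.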

Device/Rule Question Results

Device/Rule results display after you submit a policy monitor question.

The Risk Score displayed indicates the level of risk that is associated with the question. The Risk Score calculation is based on the importance factor assigned to the question, and the number of results returned for the question.

The parameters for devices and rules results are described in the following table.

Table 2: Devices and Rules Results

Parameter / Description

Device IP

The IP address of the device.

Device Name

The name of the device, as obtained from the configuration monitor.

Device Type

The type of device, as obtained from the asset profile.

For more information about asset profiles, see the Juniper Secure Analytics Users Guide.

List

The name of the rule from the device.

Entry

The entry number of the rule.

Action

The action associated with the relevant rule from the device. The options are: permit, deny, or NA.

Source(s)

The source network associated with this asset.

Sources with a hyperlink indicate an object group reference. Click the link to view detailed information about the object group reference(s).

Source Service(s)

The source ports and the comparison associated with the relevant rule from the device, in the format <comparison>:<port>, where <comparison> is one of the following:

  eq - Equal
  ne - Not equal
  lt - Less than
  gt - Greater than

For example, if the parameter indicates ne:80, any port other than 80 applies to this source service. If the parameter indicates lt:80, the range of applicable ports is 0 to 79.

This parameter displays the source port for the device rule. If no port exists for this device rule, the term NA is displayed.

Source services with a hyperlink indicate an object group reference. Click the link to view detailed information about the object group reference(s).

Destination(s)

The destination network associated with the relevant rule from the device.

Destinations with a hyperlink indicate an object group reference. Click the link to view detailed information about the object group reference(s).

Destination Service(s)

The destination ports and the comparison associated with the relevant rule from the device, displayed in the format <comparison>:<port>, where <comparison> is one of the following:

  eq - Equal
  ne - Not equal
  lt - Less than
  gt - Greater than

For example, if the parameter indicates ne:80, any port other than 80 applies to this destination service. If the parameter indicates lt:80, the range of applicable ports is 0 to 79.

This parameter displays the destination port for the device rule. If no port exists for this device rule, the term NA is displayed.

Destination services with a hyperlink indicate an object group reference. Click the link to view detailed information about the object group reference(s).
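Both the Source Service(s) and Destination Service(s) columns use the same <comparison>:<port> notation, so one parser covers both. The following Python is an added example (not Juniper code) that parses a service cell, expands it to the inclusive port ranges it covers, and tests whether a given port is matched, using the semantics stated above (lt:80 covers 0 to 79, ne:80 covers every port except 80). Treating the NA cell as "no port constraint" is an assumption for the example; the page only says NA is shown when the rule has no port.

```python
import re
from typing import List, Optional, Tuple

MAX_PORT = 65535
_SPEC = re.compile(r"^(eq|ne|lt|gt):(\d{1,5})$")


def parse_service(spec: str) -> Optional[Tuple[str, int]]:
    """Parse '<comparison>:<port>'. Returns None for the NA cell."""
    spec = spec.strip()
    if spec == "NA":
        return None
    m = _SPEC.match(spec)
    if not m:
        raise ValueError(f"malformed service spec: {spec!r}")
    comparison, port = m.group(1), int(m.group(2))
    if port > MAX_PORT:
        raise ValueError(f"port out of range: {port}")
    return comparison, port


def applicable_ports(spec: str) -> List[Tuple[int, int]]:
    """Inclusive (low, high) port ranges the service cell applies to."""
    parsed = parse_service(spec)
    if parsed is None:
        # Assumption: NA means the rule does not constrain the port.
        return [(0, MAX_PORT)]
    comparison, port = parsed
    if comparison == "eq":
        return [(port, port)]
    if comparison == "lt":
        return [(0, port - 1)] if port > 0 else []
    if comparison == "gt":
        return [(port + 1, MAX_PORT)] if port < MAX_PORT else []
    # ne: everything below and everything above, dropping empty halves.
    ranges = []
    if port > 0:
        ranges.append((0, port - 1))
    if port < MAX_PORT:
        ranges.append((port + 1, MAX_PORT))
    return ranges


def port_matches(spec: str, port: int) -> bool:
    """True if the service cell applies to the given port."""
    return any(low <= port <= high for low, high in applicable_ports(spec))


def describe(spec: str) -> str:
    """Human-readable reading of a service cell, as the table's examples phrase it."""
    ranges = applicable_ports(spec)
    if not ranges:
        return "no ports"
    return ", ".join(f"{lo}" if lo == hi else f"{lo} to {hi}" for lo, hi in ranges)


if __name__ == "__main__":
    # Constructed sample cells, as they would appear in the results table.
    for cell in ["eq:22", "ne:80", "lt:80", "gt:1023", "NA"]:
        print(f"{cell:8s} -> ports {describe(cell)}")
```

The `ne` case is the one worth checking in review: a rule whose service reads ne:80 applies to every other port, so a "permit" with that service is close to an any-port permit and should be read as such when judging the question's risk.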

User(s)/Group(s)

The users or groups associated with the relevant rule from the device.

Protocol(s)

The protocol or group of protocols associated with the relevant rule from the device.

Signature(s)

The signature for this device, which is only displayed for a device rule on an IP device.

Applications

The applications that are associated with the relevant rule from the device.