Help Center User GuideGetting Started
 
X
User Guide
Getting Started
Contents  

Monitor IPS Events

You are here: Monitor > Events > IPS.

Use the monitoring functionality to view the IPS page.

Using the time-range slider, you can quickly focus on the time and area of activity that you are most interested in. Once the time range is selected, all of the data presented in your view is refreshed automatically. You can also use the Custom button to set a custom time range.

You can select either the Grid View tab or the Chart View tab to view your data:

Table 32: IPS—Fields on the Grid View Page

Field

Description

The filter list that is displayed above the grids.

Options available in the filter list are:

  • Event Name—Displays the event name of the log.

  • Source Address—Displays the source addresses to be used as match criteria for the policy. Address sets are resolved to their individual names.

  • Destination Address—Displays the destination addresses (or address sets) to be used as match criteria for the policy. Addresses are entered as specified in the destination zone’s address book.

  • Application—Displays the application name from which the events or logs are generated.

  • Rule Name—Displays the rule name of the log.

  • Threat Severity—Displays the severity level of the threat.

  • Attack Name—Displays the attack name of the log.

Select the criteria or parameter on which you want to construct the filter statement.

Text box

Displays the filter parameter that you selected from the filter list.

Note: In the filter statement the following limitation exists.

  • You can use only one operator at a time.

  • You can use only one instance of the criteria or parameter in one filter statement.

For example, if you have used & operator and the parameter Event-Name once, I cannot use them again in the same filter statement

CORRECT USAGE: Event-Name = rt_flow_session_close & application=TELNET

WRONG USAGE:Event-Name = rt_flow_session_close & Event-Name = rt_flow_session_create

WRONG USAGE:Event-Name = rt_flow_session_close & source-address = x.x.x.x & application = TELNET

Note: The filter statement is NOT case-sensitive.

Add the parameter for which you want to filter. For example, in the filter list if you selected event-name as the parameter, the text box displays Event-Name =. If you add IDP_ATTACK_LOG_EVENT to see only IPS events then the text box displays Event-Name = IDP_ATTACK_LOG_EVENT.

Go

Executes the filter statement that is displayed in the text box.

X

Clears the filters.

Show Hide Column Filter icon represented by three vertical dots

Enables you to show or hide a column in the grid.

Threat Severity

Displays the severity level of the threat.

Event Name

Displays the event name of the log.

Description

Displays the description of the log.

Attack Name

Displays the attack name of the log.

UTM Category or Virus Name

Displays the UTM category or name of the virus.

Event Category

Displays the event category of the log.

Source Country

Displays the source country of the log.

Source IP

Displays the source IP address from where the event occurred.

Source Port

Displays the source port of the event.

Destination Country

Displays the destination country of the log.

Destination IP

Displays the destination IP address of the event.

Destination Port

Displays the destination port of the event.

Application

Displays the application name from which the events or logs are generated.

User name

Displays the user name from whom the log is generated.

Hostname

The host name in the log.

Service Name

The name of the application service. For example, FTP, HTTP, SSH, and so on.

Protocol ID

Displays the protocol ID in the log.

Policy name

Displays the policy name in the log.

Source Zone

User traffic received from the zone.

Destination Zone

Displays the destination zone of the log.

Nested Application

Displays the nested application in the log.

Roles

Role names associated with the event.

Reason

Displays the reason for the log generation. For example, a connection tear down may have an associated reason such as authentication failed.

NAT Source Port

Displays the translated source port.

NAT Destination Port

Displays the translated destination port.

NAT Source Rule Name

Displays the NAT source rule name.

NAT Destination Rule Name

Displays the NAT destination rule name.

NAT Source IP

Displays the translated (or natted) source IP address. It can contain IPv4 or IPv6 addresses.

NAT Destination IP

Displays the translated (also called natted) destination IP address.

Traffic Session ID

Displays the traffic session ID of the log.

URL

Displays the accessed URL name that triggered the event.

Object Name

Displays the object name of the log.

Path Name

Displays the path name of the log.

Logical System Name

Displays the name of the logical system.

Rule Name

Displays the rule name of the log.

Action

Displays the action taken for the event: warning, allow, and block.

Profile Name

Displays the profile name in the log.

Time

Displays the time when the log was received.

Table 33: IPS—Widgets on the Chart View Page

Field

Description

Top Sources

Displays the top five source IP addresses of the network traffic; sorted by event count.

Top Destinations

Displays the top five destination IP addresses of the network traffic; sorted by event count.

Top IPS Attacks

Displays the top five IPS attacks; sorted by event count.

IPS Severities

Displays the Donut chart which shows the percentage of IPS events based on their severity levels. The colors are blue, black, green, and amber representing high, info, critical, and medium IPS events respectively

Related Documentation

Help us to improve. Rate this article.
Feedback Received. Thank You!

Ask questions in TechWiki

Check documentation in TechLibrary

Rating by you:      
X

Additional Comments

800 characters remaining

May we contact you if necessary?

Name:
Email:

Need product assistance? Contact Juniper Support

Submit