Understanding AppTrack
AppTrack, an application tracking tool, provides statistics for analyzing bandwidth usage of your network. When enabled, AppTrack collects byte, packet, and duration statistics for application flows in the specified zone. By default, when each session closes, AppTrack generates a message that provides the byte and packet counts and duration of the session, and sends it to the host device. The Security Threat Response Manager (STRM) retrieves the data and provides flow-based application visibility.
AppTrack messages are similar to session logs and use syslog or structured syslog formats. The message also includes an application field for the session. If AppTrack identifies a custom-defined application and returns an appropriate name, the custom application name is included in the log message. (If the application identification process fails or has not yet completed when an update message is triggered, the message specifies none in the application field.)
If you enable AppTrack for a zone and specify a session-update-interval time, whenever a packet is received, AppTrack checks whether the time since the start of the session or since the last update is greater than the update interval. If so, AppTrack updates the counts and sends an update message to the host. If a short-lived session starts and ends within the update interval, AppTrack generates a message only at session close.
When you want the initial update message to be sent earlier than the specified update interval, use the first-update-interval option, which lets you enter a shorter interval for the first update only. Alternatively, you can generate the initial update message at session start by using the first-update option.
Note: If you specify both the first-update option and the first-update-interval option, AppTrack sends an update message when the session begins. In this case, the first-update-interval value is ignored, and a second message is sent when the next full update interval has elapsed.
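The update timing described above can be modeled in a few lines of Python. This is an added example, not Juniper code: the function name, the time unit, and the packet timestamps are constructed assumptions, and the model evaluates the interval check only when a packet arrives, as the text states.

```python
def apptrack_messages(packet_times, close_time, update_interval,
                      first_update=False, first_update_interval=None):
    """Model AppTrack messages for one session that starts at t=0.

    Returns a list of (time, kind) tuples, kind being "update" or "close".
    All times and intervals share one constructed unit.
    """
    messages = []
    last = 0              # session start, or time of the last update message
    first_pending = True  # True until the first update message is sent
    if first_update:
        # first-update: message at session start; first-update-interval is ignored.
        messages.append((0, "update"))
        first_pending = False
    for t in sorted(packet_times):
        if t >= close_time:
            break
        # The shorter first-update-interval applies to the first update only.
        if first_pending and first_update_interval is not None:
            threshold = first_update_interval
        else:
            threshold = update_interval
        # Checked on packet receipt: elapsed time must exceed the interval.
        if t - last > threshold:
            messages.append((t, "update"))
            last = t
            first_pending = False
    # A close message is always generated with the final counts.
    messages.append((close_time, "close"))
    return messages


if __name__ == "__main__":
    packets = [1, 2, 4, 6, 7, 11, 12, 17]  # constructed packet arrival times
    print(apptrack_messages(packets, 18, update_interval=5))
    print(apptrack_messages(packets, 18, 5, first_update_interval=1))
    print(apptrack_messages(packets, 18, 5, first_update=True,
                            first_update_interval=1))
    # Short-lived session: only the close message is generated.
    print(apptrack_messages([1, 2], 3, update_interval=5))
    # Idle session: no update until the next packet triggers the check.
    print(apptrack_messages([1, 20], 25, update_interval=5))
```

Because the check runs on packet receipt, an idle session in this model produces no update messages until traffic resumes, so gaps between updates in collected logs can be longer than the configured interval.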
The close message updates the statistics for the last time and provides an explanation for the session closure. The following codes are used:
- TCP RST: RST received from either end.
- TCP FIN: FIN received from either end.
- Response received: Response received for a packet request (such as icmp req-reply).
- ICMP error: ICMP error received (such as dest unreachable).
- Aged out: Session aged out.
- ALG: ALG closed the session.
- IDP: IDP closed the session.
- Parent closed: Parent session closed.
- CLI: Session cleared by a CLI statement.
- Policy delete: Policy marked for deletion.
