Encrypted Traffic Insights Details
To access this page, navigate to Monitor > Encrypted Traffic and click any of the External Server IP address links.
Use the Encrypted Traffic Insights Details page to view analysis information and a threat summary for the external server. The following information is displayed for each server:
- Total Hits
- Threat Summary (Location, Category, Time last seen)
- Ports and protocols used
The Encrypted Traffic Insights Details page is divided into several sections.
Table 1 lists the actions that you can perform on this page, using the options available in the upper right corner of the page.
| Button/Link | Purpose |
|---|---|
| Select Option > Add to Whitelist | Choose this option to allowlist the server from encrypted traffic insights based detections. Note: You can also allowlist servers from the Configure > Whitelists > ETA page. |
| Select Option > Report False Positive | Choose this option to send a report to Juniper Networks, informing Juniper of a false positive. Juniper will investigate the report; however, this does not change the verdict. |
Under Time Range is a graph displaying the frequency of events over time. An event occurs when a host communicates with the external server IP address (either sending or receiving data). You can filter this information by clicking the timeframe links: 1 day, 1 week, 1 month, Custom (select your own time frame).
Hosts is a list of hosts that have contacted the external server. Table 2 lists the information provided in this section.
| Field | Definition |
|---|---|
| Client Host | The name of the host in contact with the external server. |
| Client IP Address | The IP address of the host in contact with the external server. (Click through to the Host Details page for this host IP address.) |
| Threat Level at Time | The threat level of the external server as determined by an analysis of actions and behaviors at the time of the event. |
| Status | The action taken by the device on the communication (whether it was permitted or blocked). Note: Currently, encrypted traffic insights only detects malicious threats; it does not block them. Actions such as blocking are handled by features such as Infected Hosts, based on the host threat score and customer policies. |
| Protocol | The protocol (https) the external server used to attempt communication. |
| Source Port | The port the external server used to attempt communication. |
| Uploaded | Number of bytes uploaded to the server. |
| Downloaded | Number of bytes downloaded from the server. |
| Device Name | The name of the SRX Series Firewall in contact with the external server. |
| Date/Time Seen | The date and time of the most recent external server hit. |
| Username | The name of the host user in contact with the external server. |
Select a client host and click Download packet to download the packet capture and view more information about the network/SSL traffic.
Domains is a list of domains that the IP address has previously used at the time of suspicious events. If an external IP address is seen changing its DNS/domain name to evade detection, the various names used are listed along with the dates on which they were seen.
| Field | Definition |
|---|---|
| C&C Host | A list of domains that the destination IP addresses in the external server events resolved to. |
| Last Seen | The date and time of the most recent external server hit. |
Signatures is a list of the threat indicators associated with the IP address.
| Field | Definition |
|---|---|
| Name | The name or type of detected malware. |
| Category | Description of the malware and the way in which it may have compromised a resource or resources. |
| Date | The date the malware was seen. |
Certificates is a list of certificates associated with the external server. Use View Certificate to inspect a certificate and Download Certificate to save it.
| Field | Definition |
|---|---|
| Subject | Specifies the IP address of the external server. |
| Issuer | Specifies the authority that issued the certificate. |
| SHA1 | SHA1 hash of the server certificate. |
| Date/Time Seen | The date and time when the SHA1 file was last updated. |
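As an added example that is not part of the Juniper documentation, the following Python recomputes the SHA1 fingerprint of a certificate saved with Download Certificate so it can be checked against the SHA1 column above; the sample PEM is constructed (its body decodes to the bytes `abc`) and is not a real certificate. The hash is taken over the DER encoding, which is what certificate fingerprints are computed over, so hashing the PEM text file as-is would give a different value.

```python
import base64
import hashlib
import re

# Matches the first CERTIFICATE block of a PEM file (header, base64 body, footer).
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)

# Constructed sample: base64 "YWJj" decodes to b"abc". Not a real certificate.
SAMPLE_PEM = b"""-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def pem_to_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate.

    Accepts a PEM file (first CERTIFICATE block is used) or raw DER bytes;
    anything without a PEM header is assumed to already be DER.
    """
    text = data.decode("ascii", errors="ignore")
    match = PEM_RE.search(text)
    if match:
        # Drop line breaks inside the base64 body before decoding.
        return base64.b64decode("".join(match.group(1).split()))
    return data


def sha1_fingerprint(cert: bytes) -> str:
    """SHA1 fingerprint over the DER encoding, as colon-separated upper hex."""
    digest = hashlib.sha1(pem_to_der(cert)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(value: str) -> str:
    """Strip separators and case so console and local values compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def matches_console(cert: bytes, console_sha1: str) -> bool:
    """True if the downloaded certificate hashes to the SHA1 shown in the table."""
    return normalize_fingerprint(sha1_fingerprint(cert)) == normalize_fingerprint(console_sha1)


if __name__ == "__main__":
    print(sha1_fingerprint(SAMPLE_PEM))
```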