About the Screen Events Page
Use this page to view information about screen events that occur as a result of the screen options configured on SRX Series or vSRX Virtual Firewall security devices. Screen options are a detection and defense mechanism that filters connection attempts bound for a security zone. They are used to prevent attacks such as IP address sweeps, port scans, denial of service (DoS) attacks, and Internet Control Message Protocol (ICMP), UDP, and SYN (synchronize) floods.
You can view information related to screen events, including ICMP screening, IP screening, TCP screening, and UDP screening.
Using the time-range slider, you can quickly focus on the time and area of activity that you are most interested in. Once the time range is selected, all of the data presented in your view is refreshed automatically. You can also use the Custom button to set a custom time range.
There are two ways to view your data. You can select either the Summary View tab or the Detail View tab.
Tasks You Can Perform
You can perform the following tasks from this page:
View a brief summary of all the screen events in your network. See Summary View.
View the comprehensive details of events in a tabular format that includes sortable columns. See Detail View.
Summary View
The top of the page has a swim lane graph of all the screen events. You can use the widgets at the bottom of the page to view critical information such as top sources, top source countries, top destinations, and top destination countries.
Table 1 describes the widgets on the Summary View page.
| Field | Description |
|---|---|
| Top Sources | Top five source IP addresses with the highest network traffic. |
| Top Destinations | Top five destination IP addresses with the highest network traffic. |
| Top Source Countries | Top five countries from which the traffic that triggered the highest number of events originated, and the number of events per country. |
| Top Destination Countries | Top five countries to which the traffic that triggered the highest number of events was sent, and the number of events per country. |
Detail View
You can group the events using the Group By option; for example, you can group the events by source country. The table includes information such as the event name, Content Security category, source IP address, source country, and so on.
Table 2 describes the fields on the Detail View page.
| Field | Description |
|---|---|
| Log Generated Time | Time when the event occurred. |
| Log Received Time | Time when the log was received at the log collector. |
| Site | Name of the tenant site from which the event originated. |
| Event Name | Name of the device event in the log. |
| Source Country | Country from which the traffic that triggered the event originated. |
| Source IP | Source IP address of the traffic that triggered the event (IPv4 or IPv6). |
| Destination Country | Country to which the traffic that triggered the event was sent. |
| Destination IP | Destination IP address of the traffic that triggered the event (IPv4 or IPv6). |
| Source Port | Source TCP/UDP port number of the traffic that triggered the event. |
| Destination Port | Destination TCP/UDP port number of the traffic that triggered the event. |
| Attack Name | Name of the attack in the log for a threat event. For example, trojan, worm, virus, and so on. |
| Description | Brief description of the event. |
| Threat Severity | Severity level of the threat. For example, minor, major, critical, and so on. |
| Policy Name | Name of the policy that generated the log. The policy is configured on the SRX Series or vSRX Virtual Firewall device. |
| Virus Name | This field is not applicable for screen events. |
| URL | Accessed URL that triggered the event. |
| Event Category | Event category in the log. For example, screen. |
| User Name | User name identified by the SRX Series or vSRX Virtual Firewall device, if user identity is enabled on the device. |
| Argument | Type of traffic. For example, FTP and HTTP. |
| Action | Action taken for the event. For example, warning, allow, and block. |
| Log Source | IP address of the device from which the log is received (IPv4 or IPv6). |
| Application | Name of the application associated with the traffic that triggered the event. |
| Host Name | Hostname of the device on which the log was generated. |
| Service Name | Name of the application service used by the traffic that triggered the event. For example, FTP, HTTP, SSH, and so on. |
| Nested Application | Nested application associated with the traffic that triggered the event. |
| Source Zone | Source security zone of the traffic that triggered the event. |
| Destination Zone | Destination security zone of the traffic that triggered the event. |
| Protocol ID | Protocol ID of the traffic that triggered the event. |
| Roles | Roles of the user as defined in Active Directory, if available. |
| Reason | Reason for the log generation. For example, unrestricted access. |
| NAT Source Port | Translated source port. |
| NAT Destination Port | Translated destination port. |
| NAT Source Rule Name | NAT source rule name configured on the SRX Series or vSRX Virtual Firewall device. |
| NAT Destination Rule Name | NAT destination rule name configured on the SRX Series or vSRX Virtual Firewall device. |
| NAT Source IP | Translated source IP address of the traffic that triggered the event (IPv4 or IPv6). |
| NAT Destination IP | Translated destination IP address of the traffic that triggered the event (IPv4 or IPv6). |
| Traffic Session ID | Traffic session ID of the log. |
| Path Name | This field is not applicable for screen events. |
| Logical System Name | Name of the logical system that received the log. |
| Rule Name | Name of the rule that generated the log. This rule is configured on the SRX Series or vSRX Virtual Firewall device. |
| Profile Name | Name of the profile that filters the traffic that triggered the event. |
| Client Host Name | Hostname of the client associated with the traffic that triggered the event. For example, if a specific computer is infected, the name of that computer is displayed. |
| Malware Info | Information about the malware that caused the event. |