Flow Inspection Levels
The flow inspection level determines how much data Network Insights analyzes and extracts from network flows.
The flow inspection level is a global setting, configured in System Settings on the Admin tab, that applies to every appliance in your deployment. You can override the global setting by configuring a custom flow inspection level for an individual appliance.
In a stacked configuration, each stack can have a different inspection level, but all appliances within a stack must have the same inspection level.
Basic Inspection Level
The Basic level is the lowest level of flow inspection. This level supports the highest bandwidth, but generates the least amount of flow information.
The attributes that Network Insights captures at the Basic inspection level are similar to what you get from a router or switch that does not perform deep packet inspection, and include the following types of information:
- Source and destination information
- Network protocol
- Application ID
- Byte and packet counters
- Time of first and last packets
- Quality of service
- VLAN tags
At the Basic inspection level, Network Insights creates a data flow that captures information about the network communication. The data flow includes payload samples and shows the byte and packet counters. At this level, Network Insights collects the same information as the QFlow process.
Enriched Inspection Level
At the Enriched inspection level, each flow is identified and inspected by one of the protocol or domain inspectors, which can generate attributes such as the following:
- Usernames, email addresses, chat IDs
- Search arguments
- Host information
- HTTP, FTP, SMTP, SSL and TLS fields
- DNS queries and responses
- File name, type, size, hash, and entropy
- Last proxy, XFF, True Client IP
- Suspect content
- Web categories
- Configurable content-based suspect content (YARA rules)
At the Enriched and Advanced inspection levels, Network Insights creates both data flows and content flows. The content flow shows what the deeper inspection found inside the data flow. Content flows do not include payload samples, and all of their byte and packet counters appear as zero; they are linked to their data flow by the Flow ID field. Because the same connection is then represented by one data flow plus one or more content flows, searches and reports that count flows per host should filter on the Flow Type, or they will count the connection more than once.
You can identify content flows in the following ways:
- In the Flow Information window, the Flow Type field shows Standard Flow (Content Flow).
- On the Network Activity tab, the tooltip for the Flow Type icon shows Standard Flow (Content Flow).
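The following added example (not code from the product documentation or from IBM) shows the data-flow/content-flow relationship in practice: it joins a handful of constructed flow records on Flow ID, folds the enriched attributes of each content flow into its data flow, and computes per-host totals without counting a connection more than once. The record layout and field names (flow_id, flow_type, src_bytes, attrs and so on) are assumptions standing in for whatever export or API you actually read flows from; the "(Content Flow)" suffix follows the Flow Type value described above.

```python
"""Join content flows to their parent data flow on Flow ID.

Added example, not product code: the record layout and field names
(flow_id, flow_type, src_bytes, attrs, ...) are assumptions standing in for
whatever export or API you actually read flows from.
"""
from collections import defaultdict

CONTENT_FLOW_SUFFIX = "(Content Flow)"

# Constructed sample export. Flow 1001 is an HTTP download inspected at the
# Enriched/Advanced level: the data flow carries the counters, and two content
# flows carry what inspection found, with zero counters. Flow 1003 is a content
# flow whose data flow is missing from this export.
SAMPLE_FLOWS = [
    {"flow_id": 1001, "flow_type": "Standard Flow", "src": "10.0.0.5",
     "dst": "203.0.113.10", "src_bytes": 1820, "dst_bytes": 54120,
     "src_packets": 14, "dst_packets": 41, "attrs": {}},
    {"flow_id": 1001, "flow_type": "Standard Flow (Content Flow)", "src": "10.0.0.5",
     "dst": "203.0.113.10", "src_bytes": 0, "dst_bytes": 0,
     "src_packets": 0, "dst_packets": 0,
     "attrs": {"http_host": "files.example.test", "file_name": "invoice.pdf",
               "file_hash": "d41d8cd98f00b204e9800998ecf8427e"}},
    {"flow_id": 1001, "flow_type": "Standard Flow (Content Flow)", "src": "10.0.0.5",
     "dst": "203.0.113.10", "src_bytes": 0, "dst_bytes": 0,
     "src_packets": 0, "dst_packets": 0,
     "attrs": {"suspect_content": ["Embedded script"]}},
    {"flow_id": 1002, "flow_type": "Standard Flow", "src": "10.0.0.7",
     "dst": "198.51.100.4", "src_bytes": 310, "dst_bytes": 290,
     "src_packets": 3, "dst_packets": 3, "attrs": {}},
    {"flow_id": 1003, "flow_type": "Standard Flow (Content Flow)", "src": "10.0.0.9",
     "dst": "198.51.100.53", "src_bytes": 0, "dst_bytes": 0,
     "src_packets": 0, "dst_packets": 0,
     "attrs": {"dns_query": "updates.example.test"}},
]


def is_content_flow(rec: dict) -> bool:
    """Content flows are recognised by the Flow Type, not by their zero counters."""
    return rec["flow_type"].endswith(CONTENT_FLOW_SUFFIX)


def join_flows(records):
    """Return (merged, orphans).

    merged maps Flow ID to the data flow with the attributes of all its content
    flows folded in; counters are taken only from the data flow. orphans maps
    Flow ID to content flows that have no data flow in the input.
    """
    merged = {}
    orphans = defaultdict(list)
    for rec in records:                       # pass 1: data flows own the counters
        if not is_content_flow(rec):
            merged[rec["flow_id"]] = {**rec, "attrs": dict(rec["attrs"]),
                                      "content_flows": 0}
    for rec in records:                       # pass 2: fold in enriched attributes
        if not is_content_flow(rec):
            continue
        parent = merged.get(rec["flow_id"])
        if parent is None:
            orphans[rec["flow_id"]].append(rec)
            continue
        parent["content_flows"] += 1
        for key, value in rec["attrs"].items():
            if isinstance(value, list):       # multi-valued fields accumulate
                parent["attrs"].setdefault(key, []).extend(value)
            else:
                parent["attrs"][key] = value
    return merged, dict(orphans)


def totals_per_source(records):
    """Bytes and flow counts per source IP, counting each connection once.

    Content flows report zero bytes, so a naive byte sum happens to be right,
    but a naive flow count would count flow 1001 three times.
    """
    totals = defaultdict(lambda: {"bytes": 0, "flows": 0})
    for rec in records:
        if is_content_flow(rec):
            continue
        entry = totals[rec["src"]]
        entry["bytes"] += rec["src_bytes"] + rec["dst_bytes"]
        entry["flows"] += 1
    return dict(totals)


if __name__ == "__main__":
    merged, orphans = join_flows(SAMPLE_FLOWS)
    for flow_id, rec in merged.items():
        print(flow_id, rec["content_flows"], rec["attrs"])
    print("orphan content flows:", sorted(orphans))
    print(totals_per_source(SAMPLE_FLOWS))
```

The two-pass join keeps the data flow as the record of truth for counters and treats content flows purely as attribute carriers; orphans are kept separately rather than dropped, because a content flow whose data flow fell outside the search window still tells you what was seen, even if you cannot attach byte counts to it.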
Advanced Inspection Level
Advanced inspection is the highest level of inspection, and it is the default setting for new installations. It builds on the flow attributes that are extracted at the Enriched inspection level through comprehensive analysis of the application content, adding:
- Content extraction
- Personal information detection
- Confidential data detection
- Embedded scripts
- Redirects
- Extra file metadata
The Advanced inspection level also performs content analysis, which can yield more suspect content values than the Enriched level. For example, Network Insights looks inside files to identify suspect content such as embedded scripts in PDF or Microsoft Office documents.
As at the Enriched level, a content flow is created to show what Network Insights found during the deeper inspection of the data flow.
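To make concrete what "embedded scripts in PDF" detection involves, the following is an added illustration, not Network Insights' own detector: it scans a PDF for the name objects that introduce executable or auto-triggered behaviour, decodes the #xx hex escapes that are used to hide those names, and inflates Flate-compressed streams so that a dictionary tucked into a compressed object stream is scanned too. The indicator list, the suspect-content labels and the two sample PDFs (constructed inline) are assumptions; a full inspector would also handle other stream filters and the PDF object graph.

```python
"""Scan a PDF for script-bearing constructs.

Added illustration of the kind of check "embedded scripts in PDF" implies; it is
not Network Insights' detector, and the indicator list and labels are assumptions.
"""
import re
import zlib

# Name objects that introduce executable or automatically triggered behaviour.
SCRIPT_INDICATORS = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript code or stream",
    b"/OpenAction": "action run when the document opens",
    b"/AA": "additional (automatic) action",
    b"/Launch": "launch an external program",
    b"/EmbeddedFile": "embedded file attachment",
}

# A name token runs until whitespace or a PDF delimiter character.
_NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")
# PDF names may hide characters as #xx hex escapes, e.g. /Java#53cript.
_HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
# stream ... endstream bodies; the lookbehind stops "endstream" matching as a start.
_STREAM_RE = re.compile(rb"(?<![a-z])stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize_pdf_names(data: bytes) -> bytes:
    """Decode #xx escapes so obfuscated names compare equal to plain ones."""
    return _HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every Flate-compressed stream to the raw bytes,
    so names hidden inside compressed object streams are scanned as well."""
    parts = [data]
    for m in _STREAM_RE.finditer(data):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-compressed, or damaged; raw bytes are scanned anyway
    return b"\n".join(parts)


def find_embedded_scripts(data: bytes) -> dict:
    """Return {indicator_name: count} for every script indicator found."""
    text = normalize_pdf_names(inflate_streams(data))   # inflate first, then decode names
    hits = {}
    for name in _NAME_RE.findall(text):
        if name in SCRIPT_INDICATORS:
            key = name.decode()
            hits[key] = hits.get(key, 0) + 1
    return hits


def classify(data: bytes) -> list:
    """Turn raw indicator hits into suspect-content labels (label names are assumed)."""
    hits = find_embedded_scripts(data)
    labels = []
    if hits.keys() & {"/JavaScript", "/JS"}:
        labels.append("Embedded script")
    # /OpenAction on its own is common in benign files (jump to page 1), so only
    # report it as suspect when it can trigger a script that is actually present.
    if labels and hits.keys() & {"/OpenAction", "/AA"}:
        labels.append("Auto-triggered action")
    if "/Launch" in hits:
        labels.append("Launch action")
    if "/EmbeddedFile" in hits:
        labels.append("Embedded file")
    return labels


def _sample_pdf(objstm_payload: bytes) -> bytes:
    """Constructed minimal PDF whose object 3 lives in a Flate-compressed object stream."""
    body = zlib.compress(objstm_payload)
    return (b"%PDF-1.5\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Count 0 /Kids [] >> endobj\n"
            b"5 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body + b"\nendstream\nendobj\n"
            b"%%EOF\n")


# Constructed samples: one plain document, one with an obfuscated JavaScript open action.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Count 0 /Kids [] >> endobj\n%%EOF\n")
SCRIPT_PDF = _sample_pdf(b"3 0 << /S /Java#53cript /JS (app.alert(1)) >>")

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("script", SCRIPT_PDF)):
        print(label, find_embedded_scripts(pdf), classify(pdf))
```

The order of the two normalisation steps matters: hex escapes are decoded only after streams are inflated, because running the #xx substitution over still-compressed bytes would corrupt them. A plain string search of the raw file finds neither /JavaScript nor /JS in the script sample, which is exactly why a Basic or Enriched level that stops at protocol fields does not see what the Advanced level reports.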