Network Connections Overview
Summary: A connection is a record of a communication, including denied communications, between two unique IP addresses to a specific destination port, as detected over a specific time interval.
If two IP addresses communicate on a port many times within a specific time interval, only one communication is recorded. The total number of bytes that are communicated and the number of flows are included in the connection information. The connection information is stored in the database for each time interval.
Bidirectional Flow Traffic
Connection data from unidirectional flows is not recorded. Connections from bidirectional flow traffic that comes from a flow source, and from firewall or router deny events, are recorded in these situations:
- The destination is remote, which means that it is outside of your network hierarchy. The connection is local to remote, not remote to remote.
- The destination is local, which means that it is inside your network hierarchy. The destination IP address and port that are contained in the flow record are in the asset database and the destination port is open.
Investigating Network Connections
You can monitor and investigate network device connections or do advanced searches. Complete the following tasks on the Connections page.
- Search connections.
- Search a subset of connections.
- Mark search results as false positives to prevent false positive events from creating offenses.
- View connection information grouped by various options.
- Export connections in XML or CSV format.
- Use the interactive graph to view connections in your network.