Live Session Explorer
The Live Session page displays detailed connection logs in a sortable format. This view is useful for gaining insight into the current activity on your network.
The Live Session Explorer is divided into six Report Views for easy access to desired log details:
- Connections
- Threats
- Blocks
- Web
- DNS
- TLS
Figure 1. Live Session Explorer
To view the Live Session Explorer, follow these steps:
- Select a node on Zenconsole.
- Click on the Live Session button on the left sidebar.
On the Live Session page, you can easily perform the following tasks:
- navigate between Report Views by clicking on the desired tab at the top of the page
- customize the Live Session Explorer Layout
- set the Live Session Explorer time interval
- pause the automatic refresh of the Live Session Explorer
- set a refresh time
- sort the connection log information
- apply filter(s) for the Live Session Explorer
- block or allow a connection
- view device details
Connections
The Connections report view is a very useful tool that can assist you with the following tasks:
- troubleshooting a block event
- defining a policy rule to allow/block a connection
- determining the policy which the connection matches
- examining the session's application name and application category
- determining the destination hostname, IP address, and port
To view the live connection details, click on the Connections tab on the header bar of the Live Session page.
Figure 2. Connections report view
Threats
On the Threats report view, you can easily view the details of security events detected in your network such as phishing/hacking site visits.
To view the live threats session details, click on the Threats tab on the header bar of the Live Session page.
You may block a specific threat immediately on this page if a threat has been allowed because of your current policy configuration.
Figure 3. Threats report view
Blocks
The Blocks report view allows you to view the details of the blocked connections in your network according to your policy rules.
To view the live blocked session details, click on the Blocks tab on the header bar of the Live Session page.
Figure 4. Blocks report view
Web
A web session is a sequence of continuous activities performed by a visitor on a single website within a specified time range. This might include your search engine queries, completing and submitting a form on a website, or the pages you browsed while visiting a website. Any interaction with a single website is logged as a web session.
On the Web report view, you may view the details of the web connections in your network.
To view the live web session details, click on the Web tab on the header bar of the Live Session page.
Figure 5. Web report view
DNS
Attackers are using DNS for data theft, denial-of-service attacks, and other malicious activities. Proactive DNS monitoring can assist network administrators in promptly detecting and responding to these threats.
On the DNS report view, you may view the details of the DNS queries in your network.
To view the live DNS session details, click on the DNS tab on the header bar of the Live Session page.
Figure 6. DNS report view
TLS
TLS, or Transport Layer Security, is a widely used security protocol that provides privacy and data security for Internet connections. Encrypting communication between online applications and servers, such as web browsers loading a webpage, is a key use case for TLS.
On the TLS report view, you can easily view the details of the TLS sessions in your network.
To view the live TLS session details, click on the TLS tab on the header bar of the Live Session page.
Figure 7. TLS report view
Configuring the Live Sessions Explorer
You can configure the Live Session report by using the configuration bar at the top of the Live Sessions page.
Figure 8. Live Sessions Explorer configuration bar
Changing the Layout or Add/Remove a Field (Column)
You can customize the Live Sessions Explorer for each report view separately.
To add/remove a field (column) to/from the Live Session Explorer of a report view:
- Select the report view (Connections, Threats, etc.) that you want to customize.
- Click the Layout button on the configuration pane to open a scrollable list.
- Click on the toggle button next to the field (column) that you wish to add to or remove from the list.
Figure 9. Add or remove fields/columns
The order of the fields/columns may also be changed in the Live Session report.
To move up/down, drag and drop the move button next to the field/column that you wish to move.
Figure 10. Changing the order of the fields (columns)
You can view the following fields (columns) on the Live Session report.
Field Name | Description |
---|---|
Block Status | Whether the session is blocked or not. The green checkmark icon means pass. The red crossmark icon means block. |
Start | Start time of the session |
End | End time of the session |
Src Hostname | Source Hostname of the session. If not resolved, the source IP address is listed. |
Protocol | TCP or UDP |
Device | Name of the device from which the session originates |
Device Category | Type of the device from which the session originates |
Src IP | Source IP address of the session |
Src Port | Source Port number of the session |
Src Username | Source Username of the session |
Dst IP | Destination IP address of the session |
Dst Hostname | Destination Hostname of the session. If not resolved, the Destination IP address is listed. |
Dst Port | Destination Port number of the session |
Dst Username | Destination Username of the session |
App Category | Application Category of the session |
Security Category | Security Category of the session |
Application | Application Name of the session |
Packets In | Number of received packets during the session |
Packets Out | Number of transmitted packets during the session |
Bytes In | Number of received bytes during the session |
Bytes Out | Number of transmitted bytes during the session |
Iface | Name of the network interface on which the session occurs |
Vlan | VLAN ID on which the session occurs |
Block Message | Subcategory information of the blocked Session |
Block Category | The category which is blocked: Web or Application. |
Block Signature | Information about the blocked session |
Method | HTTP request method (get, post, put, etc.) |
Status | HTTP response status code (100-599) |
Version | HTTP version (1.1, 2.0 etc.) |
AA | Authoritative Answer: a response which indicates if the DNS server is authoritative for the queried hostname |
RA | Recursion Available: a response which indicates if the replying DNS server supports recursion |
RD | Recursion Desired: indicates if the client requested a recursive query |
TC | TrunCation: indicates that the message was truncated due to excessive length |
Request | DNS request |
Response | DNS query response |
Query class | Class code |
Query type | Type of RR in numeric form |
Query | DNS query in the session |
Answer | Answer for the DNS query |
Response Code | Response Code for the DNS query |
TTLS | Count of seconds that the RR stays valid |
Total answer | Number of answers for the DNS query |
Encryption | Encryption status (Clear, TLS-Inspected or TLS-Encrypted) |
TLS Handshake | TLS Handshake status (None, Success, Client Failed, Server Failed) |
Community ID | Community ID flow hashing value of the session |
Connection UUID | Connection UUID value of the session |
Policy | Name and details of Zenarmor® policy applied to the session |
Actions | Circle with slash (/) icon: allows you to block the session. Checkmark icon: allows you to allow the session. |
Table 1. Field names for details of a session
Setting the Time Range
The time range for the Live Session Explorer may be set by clicking on the button in the middle of the Explorer's configuration bar. By default, the Live Sessions Explorer is set to the last 24 hours. Available time ranges for the Live Session report are as follows:
- Last 30 minutes
- Last 6 hours
- Last 12 hours
- Last 24 hours
- Last 72 hours
- Last week
- Custom range
Figure 11. Setting the time range
With the custom range, you can create a report for a specified time range. To set a custom time period, follow these steps:
- Click on the button in the middle of the Explorer's configuration bar. This will open a drop-down menu.
- Click on Custom range. This will open a window to set the Start date and the End date of the report.
Figure 12. Setting a custom time range
- Set the Start date and the End date as you wish. You can either enter the date and time manually or select them by clicking on the related icons (calendar/clock).
Figure 13. Setting the start time of the report
Figure 14. Setting the start hour/minute of the report
- Click the Apply button.
Setting the Refresh Interval
By default, the live session is not refreshed, but you can enable the refresh option by setting a refresh interval for the report. The refresh interval options are as follows:
- Pause
- 1 minute
- 5 minutes
- 15 minutes
- 30 minutes
- 1 hour
To change the refresh time interval, follow these steps:
- Click the Refresh Interval drop-down menu at the end of the Explorer configuration bar.
- Select one of the options.
Figure 15. Setting the refresh interval of the Live Session Explorer
To refresh the reporting page immediately, you may click on the Refresh button at the top right corner of the screen.
Setting Row Count
By default, live sessions are displayed in 100 rows. To change the row count in the Live Session Explorer, select one of the available options via the Row Count drop-down menu on the configuration bar. Available row count options are as follows:
- 25 Rows
- 100 Rows
- 500 Rows
- 1000 Rows
- Custom
Figure 16. Setting Row Count of the Live Session Explorer
You may also set a custom row count by following these steps:
- Click on the Row Count drop-down menu on the configuration bar. Available row count options will be listed.
- Select Custom.
- Type the number of rows that you want to see in the Live Session Explorer.
- Click the Set button to activate the settings.
Figure 17. Setting Custom Row Count of the Live Session Explorer
Setting Time Format
You may quickly select a time format that you want to apply to Live Session Explorer by clicking on the settings icon on the configuration bar. You may apply 24h or 12h format.
You may also view Timezone settings for Zenarmor reports.
Figure 18. Setting Time Format of the Live Session Explorer
Loading more Session Records
The details of the last 100 sessions are shown by default on the Live Session Explorer. After scrolling down to the end of the list, the next 100 sessions may be displayed by clicking on the load more button.
Figure 19. Loading more session records
Sorting
You may sort the Live Session Explorer by any field. The report is sorted by Start Time in descending order by default. To change the sort field of the Live Session Explorer, follow these steps:
- Hover your mouse over the field name on the title bar that you wish to sort by. This will open a small information box stating you can sort the report.
- Click on the field name that you wish to sort by. This will automatically sort the report in ascending order.
Figure 20. Sorting the Live Session Explorer
The sort order of Ascending or Descending may be selected for the Live Session Explorer. By default, the Explorer is sorted in descending order so that the newest information is displayed first. Clicking on the field name will change the sort order from ascending to descending or vice versa. The report will automatically be refreshed after clicking on the field name.
Figure 21. Changing the sort order of the Live Session Explorer
Adding a Generic Filter/Exclusion on the Live Session Explorer
Filters may be applied to the Live Session Explorer to drill down to the data you wish to see. You can use the equals operator for filtering and the not equals operator for exclusion. Also, contains and does not contain parameters are available for more flexible filtering. You may apply more than one filter to the report. These filtering/exclude parameters are displayed on the top of the reporting page.
Figure 22. Filtering on a Live Session Explorer (Connections filtered out for Source Hostname and Destination Hostname)
To apply a filter to the Live Session Explorer, follow these steps:
- Click on a value in the field/column to which you wish to apply a filter. This will display a drop-down menu with the available filtering options, Filter and Exclude.
Figure 23. Applying Filters via Live Session Explorer
- Click on Filter or Exclude depending on your needs.
- The Live Session Explorer will be updated automatically and the applied filter will be displayed at the top of the report.
For example, if you are on the Connections tab, you can click on an IP/hostname (172.16.41.1) in the Source hostname field and an IP/hostname (172.16.43.12) in the Destination hostname field. This will list the sessions where the source IP equals 172.16.41.1 and the destination IP equals 172.16.43.12.
Alternatively, you may exclude a parameter on the Live Session Explorer by following these steps:
- Apply a filter as explained above. The applied filter parameter is displayed at the top.
- Click on the equals (=) sign on the applied filter parameter to change it to the not equals (!=) sign. The report will update automatically according to the exclusion parameter.
Figure 24. Connections filtered out for the Source Hostname = 172.16.41.1, the Destination Hostname != 172.16.43.12, and the Application Category != Network Management
You may apply a filter on the live session explorer by using the Filter button on the configuration bar. For more information, please refer to filtering on configuration bar.
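The four filter operators described in this section, applied offline to exported session records and combined the way the example above combines them (every filter must match). This is an added example, not part of the Zenarmor documentation or product code. The CSV column headers (assumed to match the Table 1 field names), the sample rows, the case-sensitive matching, and the function names are assumptions.

```python
import csv
import io

# Constructed sample rows; the column headers are assumed to match the
# field names in Table 1 and may differ in a real export.
SAMPLE_CSV = """Src Hostname,Dst Hostname,Dst Port,App Category,Application
172.16.41.1,172.16.43.12,443,Web Browsing,HTTPS
172.16.41.1,updates.example.com,443,Software Updates,HTTPS
172.16.41.1,172.16.43.20,161,Network Management,SNMP
172.16.41.7,updates.example.com,443,Software Updates,HTTPS
"""

# The four operators named on this page, as predicates on (cell, wanted).
OPERATORS = {
    "equals": lambda cell, wanted: cell == wanted,
    "not equals": lambda cell, wanted: cell != wanted,
    "contains": lambda cell, wanted: wanted in cell,
    "does not contain": lambda cell, wanted: wanted not in cell,
}


def load_sessions(csv_text):
    """Parse exported CSV text into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def apply_filters(rows, filters):
    """Keep rows that satisfy every (field, operator, value) filter.

    Unknown operators or columns raise, so a typo cannot hide sessions.
    """
    rows = list(rows)
    for field, op, _ in filters:
        if op not in OPERATORS:
            raise ValueError(f"unknown operator: {op!r}")
        if rows and field not in rows[0]:
            raise KeyError(f"no such column: {field!r}")
    return [
        row for row in rows
        if all(OPERATORS[op](row[field], value) for field, op, value in filters)
    ]


# The filter set shown in the Figure 24 caption.
FIGURE_24 = [
    ("Src Hostname", "equals", "172.16.41.1"),
    ("Dst Hostname", "not equals", "172.16.43.12"),
    ("App Category", "not equals", "Network Management"),
]

if __name__ == "__main__":
    for row in apply_filters(load_sessions(SAMPLE_CSV), FIGURE_24):
        print(row["Src Hostname"], "->", row["Dst Hostname"], row["Application"])
```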
Removing a Filter in the Live Session Explorer
To remove an applied filter/exclusion in the Live Session Explorer, click on the x icon next to the filter/exclude parameter at the top of the Explorer view.
Figure 25. Removing an applied filter in the Live Session Explorer
Also, by clicking on the Reset All Filters button you may clear all defined report filtering settings.
Allow/Block a Connection
While viewing the live sessions, you may notice network traffic that you want to block or allow. You do not need to go to the policy configuration page. Instead, you can easily allow or block a connection directly from the Live Session Explorer page.
To allow/block a connection from the Live Session Explorer, follow these steps:
- Find the session in the Live Session Explorer you wish to block or allow.
- Click the Block button (circle with a slash icon) in the Actions column to block the connection, or click the Allow button (checkmark icon) in the Actions column to allow the connection. A dialog box for exclusion settings will be displayed.
- Select one of the available options, such as Allow/Block Hostname, Allow/Block Security Category, Allow/Block Web Category or Allow/Block Application.
- You may type a Description.
- When you select the Allow/Block Hostname option, you may disable the Allow/Block this hostname globally setting. If you click this toggle, the Allow this hostname for policy option appears, listing the existing policies for your selection. Select the policy to which you want to add the exclusion.
- Click on the Block or Allow button to confirm blocking/allowing the Category, Application, or Hostname.
Figure 26. Adding Exclusion via Live Session Explorer
Querying Whois Record
To query whois data for a connection in the Live Session Explorer, follow these steps:
- Go to the Actions column of a session.
- Click on the Query Whois icon. This will open a new window with two options: querying the destination domain name or the destination IP address.
- Select one of the available query options.
Figure 27. Querying Whois
- Click on the Query button. This will display the Whois record.
Figure 28. Displaying Whois Record
Excluding From TLS Inspection
Zenconsole allows you to exclude a domain from TLS inspection through Live Sessions by following these steps:
- Go to the Actions column of a session.
- Click on the TLS Exclude icon.
- You may update the Hostname field. Generally, you may prefer to set a base domain instead of a subdomain.
- Click on the Exclude button.
Figure 29. Excluding Domain From TLS Inspection
Pin/Unpin a Session Record
Zenconsole allows you to pin a session record for better traffic analysis and threat hunting. By clicking on the pin icon in the first column of the session, you can easily pin a session record to the top of the Live Session Explorer page.
To unpin the session from the Live Session Explorer page, click on the pin icon in the first column of the pinned session.
Figure 30. Pin/Unpin a Session Record
Viewing Session Details
You can quickly and easily view the session details by clicking on the magnifying glass icon in the first column of the session.
Figure 31. Viewing Session Details
Viewing Device Details
You can quickly and easily view the device details via the Live Sessions Explorer by following these steps:
- Click on the device name that you want to see in the Device column. This will open a drop-down menu.
- Click on Device Details to view the device information.
Figure 32. Viewing Device Details
Copy a Session Record
Zenconsole allows you to copy a session record to the clipboard. To copy the session record, click on the copy icon in the first column of the session.
Figure 33. Copying a Session Record
Exporting CSV
You can export the Live Session Details Report to a CSV file easily by following the next steps:
- Click the Download button at the top right of the Live Sessions page. This will open a drop-down menu.
- Click the CSV button to export Live Sessions.
The Export CSV feature is not available in the Free Edition. To benefit from the custom report feature, you must have one of the paid Zenarmor subscriptions. For more information about plans & pricing.
Figure 34. Exporting CSV