Skip to main content

Live Sessions Overview

Published on:
.
2 min read

Live Sessions provides real-time visibility into network activity across your Zenarmor deployment. It enables administrators to monitor active and recent traffic, investigate security events, analyze connection details, and perform operational actions directly from the session table.

Figure 1. Live Sessions

Live Sessions can be accessed in two different modes:

  • Centralized Live Sessions
  • Gateway Live Sessions

Both views provide the same monitoring, investigation, and analysis capabilities while offering different scopes of visibility.

Centralized Live Sessions

Centralized Live Sessions displays session records from monitored devices across the entire deployment. This view enables administrators to monitor and investigate network activity across the organization from a single interface.

To access Centralized Live Sessions:

  1. Login Zenconsole.

  2. Select the organization you want to manage.

  3. Navigate to Live Sessions.

  4. Select Centralized Live Sessions.

    Figure 2. Centralized Live Sessions

Gateway Live Sessions

Gateway Live Sessions displays session records associated with a selected gateway. This view is useful for investigating traffic, security events, and connection details associated with a specific gateway.

To access Gateway Live Sessions:

  1. Login Zenconsole.

  2. Select the organization you want to manage.

  3. Navigate to Live Sessions.

  4. Select Gateway Live Sessions.

  5. Choose the desired gateway from the gateway list.

    Figure 3. Gateway Live Sessions

Unlike Centralized Live Sessions, this view displays records only for the selected gateway.

At the top of the page, a gateway information bar provides quick visibility into the selected gateway, including:

  • Gateway name
  • Geographic location
  • Hostname
  • Operating system
  • Zenarmor version
  • Deployment mode
  • Packet Engine status
  • Bypass status

This information helps administrators verify the operational state of the selected gateway before analyzing session data.

The Packet Engine status indicates whether traffic inspection is currently active on the gateway. The Bypass status indicates whether network traffic is being processed normally or bypassing inspection. These indicators provide immediate visibility into the gateway's current operating state and can help administrators identify configuration or troubleshooting issues before investigating report data.

Below the gateway information bar, Live Sessions view provide visibility into traffic, security events, blocked connections, web activity, DNS activity, and TLS communications observed by the gateway.

Figure 4. Gateway Information Bar

Understanding the Live Sessions Interface

The Live Sessions interface is organized into multiple session views, each focusing on a different type of traffic and security activity.

Available session views include:

  • Connections
  • Threats
  • Blocks
  • Web
  • DNS
  • TLS

You can switch between session views using the tabs displayed at the top of the page.

Figure 5. Centralized Live Sessions Interface

Although the Centralized Live Sessions and Gateway Live Sessions interfaces share the same overall layout and session views, certain controls and information are available only in Gateway Live Sessions. For example, Gateway Live Sessions includes a gateway information bar and gateway-specific controls, such as Pause and Bypass.

Figure 6. Gateway Live Sessions Interface

Each session view contains detailed records that provide visibility into network communications, security events, web activity, DNS queries, and encrypted traffic. Administrators can use these views to investigate traffic patterns, analyze security events, troubleshoot connectivity issues, and monitor network activity across the deployment.

On the Live Sessions page, you can also:

  • Customize the table layout
  • Configure filters
  • Select a time range
  • Set the number of displayed rows
  • Bookmark frequently used views
  • Refresh session data
  • Download session records
  • Perform actions directly on session entries

The following sections describe each session view in detail.

Connections

The Connections view displays detailed information about network connections observed across your deployment. It provides visibility into communication between source and destination endpoints, helping administrators investigate traffic patterns, analyze network activity, and troubleshoot connectivity issues.

Administrators can use the Connections view to:

  • Investigate connection activity
  • Troubleshoot blocked or unexpected traffic
  • Determine which policy was applied to a connection
  • Analyze application usage
  • Review communication between devices and external destinations

To view the live connection details, click on the Connections tab on the top of the Live Session page.

Figure 7. Connections Live Session Explorer

Threats

The Threats view displays security events detected across your deployment. It provides visibility into potentially malicious activities, security policy violations, and threat intelligence findings.

Administrators can use this view to investigate suspicious traffic, review detected threats, and identify security events that may require immediate attention.

To view threat records, click the Threats tab at the top of the Live Sessions page.

If a threat is allowed due to the current policy configuration, administrators can take immediate action directly from the session record.

tip

You may block a specific threat immediately on this page if a threat has been allowed because of your current policy configuration.

Figure 8. Threats Live Session Explorer

Blocks

The Blocks view displays sessions that have been blocked by Zenarmor security policies.

This view helps administrators understand which policies are actively preventing traffic and why specific sessions were denied.

Administrators can use this view to:

  • Verify policy enforcement
  • Troubleshoot access issues
  • Review blocked traffic
  • Investigate security-related events

To view blocked session records, click the Blocks tab at the top of the Live Sessions page.

Figure 9. Blocks Live Session Explorer

Web

The Web view displays web activity observed across your deployment. It provides visibility into website access, browsing behavior, web categories, and policy enforcement actions related to web traffic.

Administrators can use this view to analyze web usage patterns, investigate website access requests, and review web filtering decisions.

To view web session records, click the Web tab at the top of the Live Sessions page.

Figure 10. Web Live Session Explorer

DNS

The DNS view displays DNS queries generated by monitored devices across your deployment. Monitoring DNS activity can help administrators investigate connectivity issues, identify suspicious domain lookups, and detect potential security threats.

Administrators can use this view to:

  • Investigate domain resolution activity
  • Troubleshoot DNS-related issues
  • Identify suspicious or malicious domains
  • Analyze DNS traffic patterns

To view DNS session records, click the DNS tab at the top of the Live Sessions page.

Figure 11. DNS Live Session Explorer

TLS

The TLS view displays Transport Layer Security (TLS) session information observed across your deployment. It provides visibility into encrypted communications and related connection details.

Administrators can use this view to review TLS session activity, investigate certificate-related issues, and analyze encrypted traffic.

To view TLS session records, click the TLS tab at the top of the Live Sessions page.

Figure 12. TLS Live Session Explorer

The Live Sessions views provide detailed visibility into network activity, security events, and session data across your deployment. In addition to viewing and analyzing session records, you can customize the Live Sessions interface to better suit your monitoring and investigation workflows.

For information about customizing the interface, configuring filters, managing bookmarks, exporting session data, and other interface options, see Configuring the Live Sessions.