Live Sessions Overview
Live Sessions provides real-time visibility into network activity across your Zenarmor deployment. It enables administrators to monitor active and recent traffic, investigate security events, analyze connection details, and perform operational actions directly from the session table.
Figure 1. Live Sessions
Live Sessions can be accessed in two different modes:
- Centralized Live Sessions
- Gateway Live Sessions
Both views provide the same monitoring, investigation, and analysis capabilities while offering different scopes of visibility.
Centralized Live Sessions
Centralized Live Sessions displays session records from monitored devices across the entire deployment. This view enables administrators to monitor and investigate network activity across the organization from a single interface.
To access Centralized Live Sessions:
-
Login Zenconsole.
-
Select the organization you want to manage.
-
Navigate to Live Sessions.
-
Select Centralized Live Sessions.
Figure 2. Centralized Live Sessions
Gateway Live Sessions
Gateway Live Sessions displays session records associated with a selected gateway. This view is useful for investigating traffic, security events, and connection details associated with a specific gateway.
To access Gateway Live Sessions:
-
Login Zenconsole.
-
Select the organization you want to manage.
-
Navigate to Live Sessions.
-
Select Gateway Live Sessions.
-
Choose the desired gateway from the gateway list.
Figure 3. Gateway Live Sessions
Unlike Centralized Live Sessions, this view displays records only for the selected gateway.
At the top of the page, a gateway information bar provides quick visibility into the selected gateway, including:
- Gateway name
- Geographic location
- Hostname
- Operating system
- Zenarmor version
- Deployment mode
- Packet Engine status
- Bypass status
This information helps administrators verify the operational state of the selected gateway before analyzing session data.
The Packet Engine status indicates whether traffic inspection is currently active on the gateway. The Bypass status indicates whether network traffic is being processed normally or bypassing inspection. These indicators provide immediate visibility into the gateway's current operating state and can help administrators identify configuration or troubleshooting issues before investigating report data.
Below the gateway information bar, Live Sessions view provide visibility into traffic, security events, blocked connections, web activity, DNS activity, and TLS communications observed by the gateway.
Figure 4. Gateway Information Bar
Understanding the Live Sessions Interface
The Live Sessions interface is organized into multiple session views, each focusing on a different type of traffic and security activity.
Available session views include:
- Connections
- Threats
- Blocks
- Web
- DNS
- TLS
You can switch between session views using the tabs displayed at the top of the page.
Figure 5. Centralized Live Sessions Interface
Although the Centralized Live Sessions and Gateway Live Sessions interfaces share the same overall layout and session views, certain controls and information are available only in Gateway Live Sessions. For example, Gateway Live Sessions includes a gateway information bar and gateway-specific controls, such as Pause and Bypass.
Figure 6. Gateway Live Sessions Interface
Each session view contains detailed records that provide visibility into network communications, security events, web activity, DNS queries, and encrypted traffic. Administrators can use these views to investigate traffic patterns, analyze security events, troubleshoot connectivity issues, and monitor network activity across the deployment.
On the Live Sessions page, you can also:
- Customize the table layout
- Configure filters
- Select a time range
- Set the number of displayed rows
- Bookmark frequently used views
- Refresh session data
- Download session records
- Perform actions directly on session entries
The following sections describe each session view in detail.
Connections
The Connections view displays detailed information about network connections observed across your deployment. It provides visibility into communication between source and destination endpoints, helping administrators investigate traffic patterns, analyze network activity, and troubleshoot connectivity issues.
Administrators can use the Connections view to:
- Investigate connection activity
- Troubleshoot blocked or unexpected traffic
- Determine which policy was applied to a connection
- Analyze application usage
- Review communication between devices and external destinations
To view the live connection details, click on the Connections tab on the top of the Live Session page.
Figure 7. Connections Live Session Explorer
Threats
The Threats view displays security events detected across your deployment. It provides visibility into potentially malicious activities, security policy violations, and threat intelligence findings.
Administrators can use this view to investigate suspicious traffic, review detected threats, and identify security events that may require immediate attention.
To view threat records, click the Threats tab at the top of the Live Sessions page.
If a threat is allowed due to the current policy configuration, administrators can take immediate action directly from the session record.
You may block a specific threat immediately on this page if a threat has been allowed because of your current policy configuration.
Figure 8. Threats Live Session Explorer
Blocks
The Blocks view displays sessions that have been blocked by Zenarmor security policies.
This view helps administrators understand which policies are actively preventing traffic and why specific sessions were denied.
Administrators can use this view to:
- Verify policy enforcement
- Troubleshoot access issues
- Review blocked traffic
- Investigate security-related events
To view blocked session records, click the Blocks tab at the top of the Live Sessions page.
Figure 9. Blocks Live Session Explorer
Web
The Web view displays web activity observed across your deployment. It provides visibility into website access, browsing behavior, web categories, and policy enforcement actions related to web traffic.
Administrators can use this view to analyze web usage patterns, investigate website access requests, and review web filtering decisions.
To view web session records, click the Web tab at the top of the Live Sessions page.
Figure 10. Web Live Session Explorer
DNS
The DNS view displays DNS queries generated by monitored devices across your deployment. Monitoring DNS activity can help administrators investigate connectivity issues, identify suspicious domain lookups, and detect potential security threats.
Administrators can use this view to:
- Investigate domain resolution activity
- Troubleshoot DNS-related issues
- Identify suspicious or malicious domains
- Analyze DNS traffic patterns
To view DNS session records, click the DNS tab at the top of the Live Sessions page.
Figure 11. DNS Live Session Explorer
TLS
The TLS view displays Transport Layer Security (TLS) session information observed across your deployment. It provides visibility into encrypted communications and related connection details.
Administrators can use this view to review TLS session activity, investigate certificate-related issues, and analyze encrypted traffic.
To view TLS session records, click the TLS tab at the top of the Live Sessions page.
Figure 12. TLS Live Session Explorer
The Live Sessions views provide detailed visibility into network activity, security events, and session data across your deployment. In addition to viewing and analyzing session records, you can customize the Live Sessions interface to better suit your monitoring and investigation workflows.
For information about customizing the interface, configuring filters, managing bookmarks, exporting session data, and other interface options, see Configuring the Live Sessions.