Ivanti Neurons for Zero Trust Access (nZTA)
provides visibility of user activity and service usage across your
enterprise through network activity analytics, gateway performance
graphs, application usage metrics, and stored activity logs.
Through the nZTA menu, use the Insights menu icon to:
•View the common analytics charts/tables of nZTA and nSA on a new unified landing page. See Consolidated Landing Page.
•View a top-down overview of your application infrastructure, providing an opportunity to monitor user and nZTA Gateway activity, and to identify problems and compliance issues as they occur. See Reviewing Your Network Activity.
nZTA provides both a light theme and a dark theme for the UI
display. To learn more, see Changing the UI Theme.
No analytics data will be displayed on any dashboards when nZTA Gateway is bypassed.
Using Filters and Selectors to Monitor Specific Services
Each page in the Insights menu allows data filtering through
the filter bar (see Using the Filter Bar), enabling you to observe and
monitor only the analytics and log data you want. Filters fall broadly
into two categories, and are applied as applicable to the page you are
viewing:
Summary page filters: high-level filters and selectors such
as time period and Gateway, user, or application, that apply across both
summary and detail insights pages. Filters applied here can
affect the data on all Insights pages that you visit. For
example, the same selected time period remains in place across every
page.
Detail page filters: filters that are applied at a chart
detail page view that are applied to the log data constituting the chart
being interrogated. For more details, see Viewing Detailed Logs for a Chart.
The Logs page uses a separate time period selection
filter from other Insights pages. A time period selected here
is not applied elsewhere, and vice versa, yet is retained across login
sessions in the same way.
Filters and selection criteria are persistent across all relevant
Insights pages, and are retained across login sessions. When
you log back in, the same selection criteria remain applied. Settings
are stored per admin user, such that each admin maintains their own view
of the analytics data.
You can remove applied filters and return to the default setting
through the reset option in most filter controls. For
example:
Resetting your selected time period filter (indicated) back to the
default "Last Hour" active data view
Or in the case of each chart detail or log page, the log filter bar
typically includes a reset icon. For example:
Using the Reset icon (indicated) to reset log filters to their
default state
Information on the filters and data selection options available on
each page is provided throughout this guide. Refer to the page-specific
help and documentation for more details.
To perform a global reset of all applied filters and selection
criteria on all pages, in a single action, use the
Settings menu Reset Filters option. To learn
more, see Resetting All Filters and Selections.
Consolidated Landing Page
After you log in to the Tenant Admin Portal following successful
completion of the Onboarding Wizard, nZTA displays the
Home page. This page presents the common analytics charts/tables and Sankey chart of nZTA and nSA on a new unified landing page. Use the drop-down selection option to view nZTA only, ICS only, or nZTA+ICS charts.
Understanding the Display
The primary components of the My Home page are the following:
•Filter bar, allowing the selection of active or historic data. For details, see Using the Filter Bar.
•Summary ribbon, showing totals for active Users, Devices, Gateways, Applications and Non Compliances. Click a number to open the table view. In the table view, click the appropriate button to navigate to the respective analytics page; for example, clicking Go to ZTA Gateways opens the Gateways Overview page.
•Bar Charts showing top usage data for Users, Applications and Devices.
•Radar Charts showing Devices by Location and Gateway Health.
•Sankey Chart showing the flow across Users, Devices, Gateways and Applications. It supports filtering based on selected entries such as User Group, Device Type, Gateway Name, and Application.
With each chart, click the View Details link or click on any bar in the chart or number beside the bar to view detailed log records for that category.
In this page:
•Where a specific data item in the event table is truncated due to the column width, hover your pointer over the item to view a tooltip containing a full-length description. You can also re-size the width of any column by dragging the column.
•Select the name of a column to apply a sort by that criteria. The adjacent arrow shows either ascending or descending sort order, or no sort - select again to switch between each view.
•To move a column, click the header of the column and drag it to a desired new position.
•To copy a log's column content, double-click the column content and press Ctrl+C. If the content has multiple words, for example the log message column, triple-click and press Ctrl+C. To paste the content elsewhere, press Ctrl+V.
Reviewing Your Network Activity
The Network Overview page shows real-time analytics data for
your application infrastructure, providing a one-page dashboard of
activity across your organization.
An overview of Network activity across your enterprise
From the nZTA menu, click the Insights icon, then select Overview.
The Network Overview page appears.
To return to the Network Overview page at any time,
select Insights > Overview from the left-hand menu.
Alternatively, select the Ivanti banner at the top.
Understanding the Display
The primary components of the Network Overview page
are the following:
Filter bar, allowing the selection of active or
historic data. For details, see Using the Filter Bar.
Summary ribbon, showing totals for All Gateways, Active Gateways, Users,
Devices, Applications,
Compliance Failures, and Anomalies.
For more details, see Using the Summary Ribbon.
Switchable World Map and Sankey Chart views, showing
active Gateway or user locations. Sankey chart view is the default view.
In the world map view, each indicated location provides a summary of
the activity observed there. For more details, see Using the World Map.
In the Sankey chart view, you can view the relationships between
user groups, device types, nZTA Gateways, and applications. For
more details, see Using the Sankey Chart View.
The data in this page refreshes automatically every 5 minutes.
With each chart, click the View all link to view a
page of detailed log records for that category. To learn more about
using the chart detail page, see Viewing Detailed Logs for a Chart.
The following principles apply to all elements of the page:
•A user can have one or more devices.
•Each device can have only one active secure access session.
•One session can connect to multiple applications.
•One session can be associated with multiple nZTA Gateways.
•One nZTA Gateway can have multiple applications registered with it.
•One application instance can be registered with only one nZTA Gateway.
Using the Filter Bar
nZTA uses the top part of the display on all
Insights data analysis pages to show the current page
title, the selected time period and timezone, and options to:
Select the date and time period for which data is displayed
Manually refresh the data
View analytics data for a selected user or application
To configure the default timezone for the data displayed in this
admin login account, see Setting the Timezone.
By default, analytics data on all pages is shown for the last hour.
To select a previous or specified time period, select the date-time
display (indicated):
Selecting a date and time range
In the date-time selection dialog, choose from the following
predefined time period options:
Last hour: Data observed for the previous 60
minutes.
Last <X> hours: Data observed so far in the
current day, up to the last hour (in GMT).
Previous day: Data observed for the previous full
day.
Previous Week: Data observed for the previous
calendar week (for the previous full Sunday-to-Saturday week).
Custom: Data observed for a chosen time period. If
you select this option, nZTA enables you to select a custom
time period using the From and To
date/time calendar controls.
The date/time calendar controls are enabled for only the
Custom option. However, the calendar continues to
identify the applicable start and end date-time for all predefined time
periods.
To reset the selected time period back to the default (Last
Hour) view, select Reset. To return to the current
page without making any changes, select Cancel.
To apply your changes, select Apply. The selected
time period is displayed in the filter bar and data across all
Insights pages is updated accordingly.
The data in the display refreshes automatically at 5 minute
intervals. To manually refresh the data, click the circular arrow:
Refreshing the data
nZTA provides the ability to show focused metrics for
individual users or applications. To select a specific user or
application, use the following icon:
Selecting a specific user or application
Then, from the drop-down menu, select one of the available
options:
Select Set User to view data for a selected
user. In the search box provided, start typing a user ID. nZTA
auto-completes any matching user IDs. Next, select View
User.
Select Set Application to view usage metrics for
a selected application. In the search box provided, start typing an
application name. nZTA auto-completes any matching names. Next,
select View Application.
You can also access data for individual users or applications by
selecting the name of a user or application from the corresponding
info-panel, activated through the Summary Ribbon. For more details, see
Using the Summary Ribbon.
nZTA also provides the ability to set a Gateway filter on
all Network Overview, User, Application, and
Policy Failure analytics pages in the Insights
section. Applying a Gateway filter means that all dashboards are updated
to show only activity relating to the chosen nZTA Gateway. In
other words, nZTA shows only analytics for applications that
were accessed from that specific nZTA Gateway, along with
nZTA Gateway activity for users and devices being active in the
selected time period. This filter is persistent across all pages, and
remains in place for the duration of the current login session.
By default, the filter is inactive and shows data for All
Gateways, as indicated in the title of all pages.
To set a Gateway filter, select the Gateway filter icon:
Filtering analytics data by nZTA Gateway
Then, from the Gateway selection panel, choose your nZTA
Gateway from the drop-down list:
Using the Gateway filter panel
To set the Gateway filter, select Apply.
To remove a filter and return to viewing analytics for all
gateways, select Clear All.
On detailed log pages for individual charts (see Viewing Detailed Logs for a Chart), you
cannot set a Gateway filter directly. Instead, set the Gateway filter on
the parent page before you click through to the individual chart
logs.
Using the Summary Ribbon
The Summary Ribbon at the top of the page shows data totals for the
selected time filter:
Viewing the summary ribbon
The ribbon indicates the totals accrued for each category during the
displayed time period, as indicated adjacent to the category name.
The following categories are provided in the ribbon:
Total Number of Gateways (All Gateways). The count of all gateways added to the controller, regardless of their status (registered, unregistered, offline, or online).
Active View: Captures the count of gateways added on the controller.
Historic View: Captures the count of gateways from which health status data, such as memory and CPU, is received in the selected timeframe.
The number of Active Gateways. The count of gateways through which there is user traffic within the selected window, regardless of the current status of the notification channel.
The number of active Users.
The number of active Devices.
The number of in-use Applications.
The number of Non-compliances. In other words,
non-compliant attempts to access your applications. For the default time
period filter, non-compliance totals shown here are for 24 hours. For
other selected time periods, the number reflects the total for that
period.
The number of Anomalies detected by nZTA.
That is, the total number of geographic and business hours anomalies.
For the default time period filter, anomaly totals shown here are for
the previous 30 days, and include only unacknowledged anomalies. For
other selected time periods, this total includes both acknowledged and
unacknowledged anomalies.
Compliance and anomaly counters use the following color scheme to
reflect status:
Black: No geographic anomalies or compliance
failures are reported
Red:
Non-compliance: if the count is non-zero
Anomalies: if the count is non-zero
If you are currently viewing data for the last hour, each
category in the ribbon includes a trend graph (highlighted, top) showing
the changes in data during the hour. Also included is a change value
(highlighted, bottom) based on the previous hour:
Data trends for this hour versus the previous hour
In the default last hour view, while data for Active
Gateways, Users, Devices, and Applications is shown as such,
non-compliances are shown for the previous 24 hours and anomalies are
shown for the previous 30 days. This is as indicated against the
Category name.
Additional trend indicators are present for the last hour
time period only. All other time periods show only the main data totals
for each category.
If you click on any of the categories in the ribbon, nZTA
displays a sliding info-panel dialog showing more details for that
category. For example, if you click on the Active
Gateways category, a panel appears showing the list of active
nZTA Gateways. In this case, a summary box is displayed for each
nZTA Gateway showing statistics relevant to that instance, such
as instance health (disk, CPU, and memory utilization), the number of
active users, applications, active devices, and non-compliance events.
Viewing the Gateways info-panel
The following color scheme is used in the icon adjacent to the item
listed in the panel:
Black / Green: No issues are
reported for the item shown in the info-panel
Red:
Users info-panel: The user has anomalies reported
against them in the selected duration
Gateways info-panel: The Gateway is reporting
critical issues
When displaying active Gateway data, all non-compliance and
unacknowledged anomaly totals are displayed for the previous 24
hours.
The Gateways info-panel displays the following details for
each Gateway in your deployment:
Location name and number of Gateways: The
descriptor for this location and the number of Gateway instances
deployed there.
Warning/Critical Issues: A list of warnings or
critical issue messages reported by the Gateways at this location.
Gateway Health: Health indicators for the Gateways
at this location.
Active Users: The number of unique users accessing
applications through Gateways at the location (as also indicated in the
location counter)
Active Applications: The number of applications
accessed through Gateways at the location
Active Devices: The number of unique devices used
to access applications through Gateways at the location
Non-Compliant: The number of non-compliant access
attempts to applications configured for Gateways at the location (note
that attempts by the same device to access two applications for which it
does not meet compliance requirements increment this total by two)
This version of the info-panel shows details for all Gateway
locations. To view an info-panel for a single nZTA Gateway
location, click the Gateway location counter in the world map. For more
details, see Using the World Map.
Use the View Gateway by Status drop-down list to
change the type of Gateways displayed in the panel. Choose from:
All Gateways: All nZTA Gateways regardless
of status.
Active Gateways: All active nZTA Gateways.
That is, only those nZTA Gateways that are responsive,
irrespective of health status, and have observed application accesses
during the selected time period. This is the default view.
Offline Gateways: All offline nZTA
Gateways. That is, only those nZTA Gateways that are
unresponsive.
Online Gateways: All online nZTA Gateways.
That is, only those nZTA Gateways that are responsive but have
not observed any application accesses.
Unregistered Gateways: All currently unregistered
nZTA Gateways. That is, only those nZTA Gateways that
are deployed but not yet registered with the Controller.
The number of instances of each type is given in brackets.
For example, by selecting Offline Gateways, the panel
updates as follows:
Viewing all offline nZTA Gateways in the Gateways
info-panel
Use the Search bar at the top to filter the results
list. For example, to show only those nZTA Gateways that match a
search string. To clear your search, click CLEAR SEARCH
RESULTS.
Hover your pointer over the instance health indicators to display a
tooltip showing more specific details and values.
Click on any Critical or Warning notification banner to display a
drop-down summary of the issues:
Viewing critical issues
You can click on each entry to obtain more details and logs
concerning the issue.
For the Active Users info-panel, nZTA
displays an average UEBA Threat score. To learn more about UEBA
Threat scores, see Showing Activity for a Specific User.
For Non-Compliance and Anomalies info-panels, summaries are displayed
on a per-user basis, with the reason for the event shown.
To change the sort order of the items displayed in the info-panel,
use the Sorting controls at the top:
Changing the info-panel sort order
Use the dots icon to select the sort criteria, then use the
arrow icon to toggle between ascending and descending order.
The sort criteria vary depending on the category chosen, and are based
on the statistics shown for each item. For example, by selecting the
Gateways info-panel, you can choose the display order
for your nZTA Gateways based on the following statistics:
Active Users
Apps Accessed
Non-compliances
Active Devices
Number of Issues
Gateway Name
City Name
A tick identifies the currently chosen criteria.
For Anomalies, the info-panel provides additional
functionality to enable you to:
Acknowledge individual anomalies and remove them from the active
total.
Filter on acknowledged, unacknowledged (active), or all
anomalies.
Terminate the corresponding active user session, if applicable.
Viewing the Anomalies info panel
Each box in the info-panel lists a user and the active anomalies
connected to them. For each user, click ACKNOWLEDGE to
remove this anomaly from the list. Alternatively, use the tick
icon and check boxes adjacent to each user name to acknowledge multiple,
or all, anomalies in a single action. Note that when the default
"active" time period filter is selected, the anomalies count in the
summary ribbon decreases by 1 for each acknowledgment. To terminate the
active session for this user with immediate effect, click END
SESSION. Session termination is available only for admin users
with full access permissions.
For other selected time period filters, the anomalies total includes
both acknowledged and unacknowledged anomalies.
For Non-compliances, the info-panel provides additional
functionality to enable you to:
Acknowledge individual non-compliances and remove them from the active
total.
Filter on acknowledged, unacknowledged (active), or all
non-compliances.
Viewing the Non-compliances info panel
Each box in the info-panel lists a user and the active non-compliances
connected to them. For each user, click ACKNOWLEDGE to
remove this non-compliance from the list. Alternatively, use the tick
icon and check boxes adjacent to each user name to acknowledge multiple,
or all, non-compliances in a single action. Note that when the default
"active" time period filter is selected, the non-compliances count in the
summary ribbon decreases by 1 for each acknowledgment.
For other selected time period filters, the non-compliances total includes
both acknowledged and unacknowledged non-compliances.
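When reconciling the ribbon totals against exported event records, note that the default view and other time periods count differently. The following added example (not part of the Ivanti documentation or product) reproduces the counting rules described above for anomalies and non-compliances; the event record layout, field names and sample events are constructed.

```python
from datetime import datetime, timedelta, timezone

# Look-back windows the page gives for the default "Last Hour" view.
DEFAULT_WINDOWS = {
    "non_compliance": timedelta(hours=24),
    "anomaly": timedelta(days=30),
}


def ribbon_counts(events, now, custom_range=None):
    """Count anomalies and non-compliances the way the summary ribbon describes.

    events: iterable of dicts with keys id, kind, ts (aware datetime), acknowledged.
    custom_range: None for the default view, or (start, end) for any other period.
    """
    counts = {kind: 0 for kind in DEFAULT_WINDOWS}
    for ev in events:
        kind = ev["kind"]
        if kind not in counts:
            continue
        if custom_range is None:
            # Default view: per-category look-back, unacknowledged events only.
            if ev["acknowledged"]:
                continue
            start, end = now - DEFAULT_WINDOWS[kind], now
        else:
            # Any other period: acknowledged and unacknowledged both count.
            start, end = custom_range
        if start <= ev["ts"] <= end:
            counts[kind] += 1
    return counts


def acknowledge(events, event_id):
    """Mark one event acknowledged, as ACKNOWLEDGE does in the info-panel."""
    for ev in events:
        if ev["id"] == event_id:
            ev["acknowledged"] = True


# Constructed sample data (hypothetical record layout, not an nZTA export).
NOW = datetime(2024, 5, 15, 12, 0, tzinfo=timezone.utc)
TWO_WEEKS = (NOW - timedelta(days=14), NOW)


def sample_events(now=NOW):
    def ev(i, kind, age, ack):
        return {"id": i, "kind": kind, "ts": now - age, "acknowledged": ack}
    return [
        ev(1, "anomaly", timedelta(days=2), False),
        ev(2, "anomaly", timedelta(days=10), True),
        ev(3, "anomaly", timedelta(days=40), False),
        ev(4, "non_compliance", timedelta(hours=3), False),
        ev(5, "non_compliance", timedelta(hours=30), False),
        ev(6, "non_compliance", timedelta(minutes=30), True),
    ]


if __name__ == "__main__":
    events = sample_events()
    print("default view :", ribbon_counts(events, NOW))
    print("last 14 days :", ribbon_counts(events, NOW, TWO_WEEKS))
    acknowledge(events, 1)
    print("after ack #1 :", ribbon_counts(events, NOW))
```
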
For each version of the info-panel, you can click the name of an item
listed in the panel to access further pages that provide usage metrics
or configuration details for that item:
For the Users info-panel, click a user name to
access the corresponding Users analytics page. For more
details, see Showing Activity for a Specific User.
For the Devices info-panel, click a device type to
access the Device Configuration page, filtered by that device
type. For more details, see Viewing Currently Enrolled User Devices.
For the Applications info-panel, click an
application name to access the corresponding Application
analytics page. For more details, see Showing Usage Data for a Specific Application.
For the Non-compliances and
Anomalies info-panels, click a user name to access the
corresponding Users analytics page. For more details, see Showing Activity for a Specific User.
Using the World Map
The world map provides a geographically-positioned view of
your Gateway or user locations, selected through the switcher at the top
of the panel:
•Select Gateways (the default setting - indicated) to display your Gateway locations on the map as a series of geographically-placed counters.
Viewing Gateway locations on the world map
Each counter shows the status of the services held there and the
number of active user connections. Gateway status is indicated by the
color scheme shown in the legend:
Good (Green): All Gateways are functioning
normally.
Warning (Amber): One or more of the Gateways at
that location is experiencing a warning scenario. This status
is triggered by the occurrence of any one of the following conditions:
Gateway device CPU usage is within the range 80% - 90%
Gateway device swap memory usage is within 10% - 50%
Gateway device disk usage is within the range 80% - 90%
Critical (Red): One or more of the Gateways at that
location is experiencing a critical alert scenario. This
status is triggered by the occurrence of any one of the following
conditions:
Gateway device swap memory usage is greater than 50%
Gateway device disk usage is greater than 90%
At least 1 critical error has been reported
Offline (Gray): One or more of the Gateways at that
location is offline and/or unresponsive, or is not yet registered with
the nZTA Controller.
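The legend conditions above, together with the View Gateway by Status categories described under Using the Summary Ribbon, applied to a set of gateway readings. This is an added example, not part of the Ivanti documentation or product: the Gateway record, its field names and the sample fleet are constructed. Ranking Critical above Offline when one location has both is an assumption, since the page gives no precedence.

```python
from dataclasses import dataclass
from enum import IntEnum


class Status(IntEnum):
    # Numeric order is used only to pick one status per location. Ranking
    # Critical above Offline is an assumption; the page gives no precedence.
    GOOD = 0
    WARNING = 1
    OFFLINE = 2
    CRITICAL = 3


@dataclass
class Gateway:  # hypothetical record, not an nZTA export format
    name: str
    location: str
    registered: bool = True
    responsive: bool = True
    app_accesses: int = 0      # application accesses seen in the selected period
    cpu_pct: float = 0.0
    swap_pct: float = 0.0
    disk_pct: float = 0.0
    critical_errors: int = 0


def gateway_status(gw: Gateway) -> Status:
    """Apply the world map legend conditions to one gateway."""
    if not gw.registered or not gw.responsive:
        return Status.OFFLINE
    if gw.swap_pct > 50 or gw.disk_pct > 90 or gw.critical_errors >= 1:
        return Status.CRITICAL
    if (80 <= gw.cpu_pct <= 90 or 10 <= gw.swap_pct <= 50
            or 80 <= gw.disk_pct <= 90):
        return Status.WARNING
    return Status.GOOD


def unclassified_readings(gw: Gateway) -> list[str]:
    """Readings that fall outside every band the page lists.

    The page gives a CPU warning band of 80-90% but no CPU condition under
    Critical, so CPU above 90% is reported here for manual review.
    """
    return ["cpu_pct"] if gw.cpu_pct > 90 else []


def view_category(gw: Gateway) -> str:
    """Bucket used by the 'View Gateway by Status' drop-down list."""
    if not gw.registered:
        return "Unregistered"
    if not gw.responsive:
        return "Offline"
    return "Active" if gw.app_accesses > 0 else "Online"


def location_status(gateways: list[Gateway]) -> dict[str, Status]:
    """One status per location: the highest-ranked status of its gateways."""
    result: dict[str, Status] = {}
    for gw in gateways:
        current = result.get(gw.location, Status.GOOD)
        result[gw.location] = max(current, gateway_status(gw))
    return result


# Constructed sample data.
FLEET = [
    Gateway("gw-lon-1", "London", app_accesses=12, cpu_pct=85),
    Gateway("gw-lon-2", "London", responsive=False),
    Gateway("gw-nyc-1", "New York", disk_pct=93),
    Gateway("gw-nyc-2", "New York", app_accesses=4, swap_pct=50),
    Gateway("gw-sgp-1", "Singapore", registered=False),
    Gateway("gw-syd-1", "Sydney", app_accesses=7, cpu_pct=96),
]

if __name__ == "__main__":
    for gw in FLEET:
        print(gw.name, view_category(gw), gateway_status(gw).name,
              unclassified_readings(gw))
    print({loc: s.name for loc, s in location_status(FLEET).items()})
```
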
Hover your pointer over a counter to view a visual representation of
the users currently connected to the Gateways at that location. The
greater the number of users at an originating location, the larger the
indicator on the map:
Viewing connected users for a selected Gateway
In this view, a red connecting line between a user location and a Gateway location indicates non-compliances exist for those user devices.
In addition, use the Show Details switch to toggle on or off a tooltip summary panel for the Gateway location that overlays the display:
Viewing a location status tooltip panel for Gateways
This panel indicates the status of the Gateways at that location and provides metrics concerning the status of the services at that location:
•Active Users: The number of unique users accessing applications through Gateways at the location (as also indicated in the location counter)
•Active Applications: The number of applications accessed through Gateways at the location
•Active Devices: The number of unique devices used to access applications through Gateways at the location
•Non-Compliances: The number of non-compliant access attempts to applications configured for Gateways at the location (note that attempts by the same device to access two applications for which it does not meet compliance requirements increment this total by two)
Select a counter to show the Gateways info-panel for the individual location. For more information, see Using the Summary Ribbon.
This view of the info-panel displays data for a single Gateway location. To view an info-panel showing data for all Gateway locations, click the Gateways category in the Summary Ribbon. To learn more, see Using the Summary Ribbon.
•Select Users (indicated) to display your user locations on the map:
Viewing user locations on the world map
In this view, each counter shows the number of users at a geographic
location that are connected to your Gateways. Gateway status is
indicated by the color scheme shown in the legend:
No Risk (Green): All users at this location have a
UEBA Threat score that does not exceed the threshold for zero risk.
Low (Amber): One or more users at this location
have a UEBA Threat score that falls in the range defined as a low
risk.
Moderate (Orange): One or more users at this
location have a UEBA Threat score that falls in the range defined as a
moderate risk.
High (Red): One or more users at this location have
a UEBA Threat score that falls in the range defined as a high risk.
Hover your pointer over a counter to show a tooltip panel containing
the UEBA Threat score summary for those users:
Viewing a location status tooltip panel for users
Select a counter in this view to show the Users info-panel.
For more information, see Using the Summary Ribbon.
In both views, use the Plus (+) and Minus (-) controls to zoom in and
out of the world map, allowing you to select the desired level of
detail. Alternatively, use your pointer to manipulate the map display.
Double-click/tap an open area of the map to zoom in, or reposition the
map display through drag and drop.
To toggle between the Map view and Sankey chart view, use the icons
at the top-right:
Toggle between Map view and Sankey chart view
The data shown is representative of the currently-selected time
period, and by default shows active data (for the previous 1
hour). To learn more about setting time periods for the displayed data,
see Using the Filter Bar.
To expand the current view, click the Full Screen icon:
Expand the current view
Click the Full Screen icon again to return to the standard view.
Using the Sankey Chart View
The Network Sankey chart provides an alternate visualization of your
services, showing directed flow between related objects. The width of
each stream in the flow is proportional to the utilization of the object
the flow passes through, allowing an administrator to view significant
usage and relationships across your user base and application
infrastructure.
To activate the Sankey chart view, use the toggle icons at the
top-right:
Toggle between Map view and Sankey chart view
By clicking the toggle display icon, the Sankey chart replaces the
world map in the display. All other components remain unchanged.
Displaying the Network Overview Sankey Chart View
The nZTA Sankey chart maps User Groups >
Device Types > Gateways >
Applications. By hovering your pointer over a flow of
interest, nZTA displays a tooltip confirming the scale of the
activity between the two objects connected by the flow.
To focus the display on a specific flow, or to identify related
objects that interact with this flow, click the chart at a point of
interest. nZTA provides highlighting to all flows that pass
through the point selected.
Using the Active Anomaly, Connected Clients Version, and Non-Compliance Charts
The Network Overview page includes bar charts to
provide a breakdown of Active Anomalies,
Connected Clients Version, and
Non-compliance events.
Viewing a breakdown of Active Anomalies, Connected Clients Versions,
and Non-compliance
The Active Anomalies chart provides totals for the
number of Geolocation anomalies and Business Hours
anomalies. That is, application accesses that took place from an
unexpected geographic location, or that took place outside of normal
business hours. Hover your pointer over a particular bar to view a
tooltip showing the label and total.
To view a detailed list of events that contributed to the totals in
this chart, click View all:
Viewing event logs for Active Anomalies
The Connected Clients Version chart shows totals for
Ivanti Secure Access Client instances that have a current
session on the Controller, broken down by device operating
system type. Where more than one Ivanti Secure Access Client
version is detected for a specific operating system, the bar is
color-coded and relatively sized to represent each identified version
and the number of clients using that version. Hover your pointer over a
particular bar segment to view a tooltip showing the label and
total.
If the currently selected time period is set to "Last Hour", this
graph includes a drop-down control to filter the displayed data
between:
Active Users: Connected users during the last
hour.
All Users: Users that connected to the
Controller in the last 30 days.
In all other time period views, the graph shows only data for all
users connected during that time period.
To view a detailed list of events that contributed to the totals in
this chart, click View all:
Viewing event logs for Connected Clients Versions
The Non-compliance chart provides a breakdown of
non-compliant device activity that contravened a configured device
policy. Totals are given for the highest policy contraventions recorded
during the period.
To view a detailed list of events that contributed to the totals in
this chart, click View all:
The radar charts at the bottom of the page show a breakdown
of Gateways, User Locations, and
Applications across your organization. Each chart shows
the top active items in each category.
Viewing the Breakdown Radar Charts
Hover your pointer over a particular element to view a tooltip
showing the label and total. To view more details and a set of log
entries that constitute the data in a chart, click the corresponding
View all link. To learn more about using the chart
detail page, see Viewing Detailed Logs for a Chart.
Viewing Detailed Logs for a Chart
When you select the View all link for any of the
charts or graphs displayed within the Insights pages, the
Tenant Admin portal displays a detail page containing a larger version
of the selected chart, together with a table showing the event or log
records that constitute the data points in the chart.
For example:
Viewing event logs for Active Anomalies
In this page:
Hover your pointer over a specific bar in the chart to view a
tooltip showing a numeric total for that category.
Where a specific data item in the event table is truncated due to
the column width, hover your pointer over the item to view a tooltip
containing a full-length description. You can also re-size the width of any column by dragging the column.
Select the name of a column to apply a sort by that criteria. The
adjacent arrow shows either ascending or descending sort order, or no
sort - select again to switch between each view.
To move a column, click the header of the column and drag it to a desired new position.
To copy a log's column content, double-click the column content and press Ctrl+C. If the content has multiple words, for example the log message column, triple-click and press Ctrl+C. To paste the content elsewhere, press Ctrl+V.
To view a single log entry in a dedicated panel, click the corresponding three-dot icon to activate the info-panel view. For example:
Viewing the Anomalies info panel
In the info-panel, use the Previous and
Next icons to cycle through each event entry in
turn.
Use the date-time display at the top of the page (indicated) to
apply a specific time period for the displayed data:
Selecting a date and time range
From the dialog, select the desired time period. Choose from the
following predefined time period options:
Last hour: Data observed for the previous 60
minutes.
Last <X> hours: Data observed so far in the
current day, up to the last hour (in GMT).
Previous day: Data observed for the previous full
day.
Previous Week: Data observed for the previous
calendar week (for the previous full Sunday-to-Saturday week).
Custom: Data observed for a chosen time period. If
you select this option, nZTA enables you to select a custom
time period using the From and To
date/time calendar controls.
The date/time calendar controls are enabled for only the
Custom option. However, the calendar continues to
identify the applicable start and end date-time for all predefined time
periods.
To reset the selected time period back to the default (Last
Hour) view, select Reset. To return to the current
page without making any changes, select Cancel.
To apply your changes, select Apply. The selected
time period is displayed in the filter bar and data across all
Insights pages is updated accordingly.
To manually refresh the display, select the following icon:
Page refresh
To search for a term in the displayed event data, select the
following field:
Search term highlighting
nZTA highlights all matches in the event display.
To trigger the advanced filter selection, use the following
icon:
To change the fields displayed for each event line, select the
following icon:
Show or hide event fields
In the field selector, select a field name to toggle between show or
hide. A tick icon indicates a displayed field. After you are
finished, select the field selector icon to close the selector.
To apply grouping to the event records, select the following
icon:
Group event records by selected criteria
This feature applies grouping to a selected field, such that event
records are accumulated and grouped together under each unique data item
identified in that field. Through grouping, an admin can quickly view
the number of records of a particular type.
The criteria available for grouping depend on the chart being
viewed, and reflect the field headings in that event table. For
example, when viewing the Top Active Applications
detail page (as shown above), you can choose to group by the
following:
Ungrouped
User Name
User Group
Device Type
Device ID
Gateway Name
Device Location City
App Name
By selecting App Name, the event table is reconfigured to
show a summary bar for each unique application identified in the
logs.
Viewing Top Active Application events with grouping by application
name applied
In this view, each application is identified together with a count of
the number of event lines (in brackets) recorded against it. The event
table field headers also adjust to reflect the summary counts recorded
for each identified application.
To observe the event records in each grouping, select the arrow icon
(indicated) adjacent to each application name in the table:
Viewing the grouped event records for a single named application
With grouping applied, the info-panel view adapts to reflect whether
you selected a group header or an individual event record, such that the
panel displays either the group totals or event details.
If you apply a grouping to the event data in this page, the page
controls at the bottom (number of records per page and page navigation)
have no effect.
To remove any applied filters from the data set, select the
following icon:
Remove any applied filters from the data
Use the page controls at the bottom of the window to select the number of event
records/rows per page:
Setting the number of event rows per page
Choose from:
• 50
• 100 (default)
• 200
To cycle through the event pages, use the page controls at the
bottom-right.
Reviewing User Activity
User activity is available for all users, or for a specific user.
The Users Overview page shows activity relating to all users
in your nZTA deployment.
Top access trends, showing a timeline chart of
application access. For more details, see Viewing Top Access Trends.
Activity charts, showing charts for Top active
users, Top login locations, and Top authentication
failures by login location. For more details, see Viewing User Activity Charts.
Each chart on this page includes a View all link. To
learn more about using the chart detail page, see Viewing Detailed Logs for a Chart.
The Summary Ribbon at the top of the Users Overview page
shows activity totals for the selected time filter:
Viewing the summary ribbon
The ribbon indicates the totals accrued for each category during the
displayed time period, as indicated adjacent to the category name. Hover
your pointer over the category elements to show a descriptive
tooltip.
Licensed Users: The total number of licensed
users.
Active Users: The number of active users during the
selected time period.
Applications: The number of in-use
applications.
Gateways: The number of active ZTA
Gateways.
Devices: The number of active devices.
Auth failures: The number of authentication
failures.
By default, the data presented in the ribbon corresponds to the last
hour. To change the time period, use the filter bar (see Using the Filter Bar).
If you are currently viewing data for the last hour, each
category in the ribbon includes a trend graph (highlighted, top) showing
the changes in data during the hour. Also included is a change value
(highlighted, bottom) based on the previous hour:
Data trends for last full hour versus the previous hour
If you select a historic time period in the filter bar, the ribbon
displays only the main data totals for each category. Trend data is
hidden.
Viewing a Summary of UEBA Threat Scores for your Users
On the Insights > All Users page, the User
Group UEBA Threat data panel displays information concerning UEBA
Threat factors across your user base:
Viewing user group UEBA Threat data
The panel provides:
A breakdown of UEBA Threat by user group.
The average UEBA Threat score across all users.
The top-10 users scoring highest for UEBA Threat.
A breakdown of UEBA Threat types.
The policies with highest non-compliance.
A user's UEBA Threat score is calculated from a combination of three
factors:
Application access attempts originating from anomalous geographic
locations or outside of normal business hours.
Non-compliant user devices that attempted to access your
applications.
Activity Deviations.
Each additional incident increments a user's overall UEBA Threat
score.
The No. of users chart provides a visual indication of the
number of users that fall into each of the UEBA Threat categories. These
categories are shown as percentage ratios of the overall UEBA Threat
score and number of users. The upper and lower bands for each category
are shown in brackets. The categories are:
No risk (20%)
Low (30%)
Moderate (30%)
High (20%)
Where a particular UEBA Threat category matches no users for the
selected time period, that category label is not shown.
Below this chart, nZTA displays the Average UEBA
Threat score for all users on a scale between zero UEBA Threat
and the highest UEBA Threat score measured at the end of the current
time period.
The maximum value shown in the chart corresponds to the highest UEBA
Threat score for all users as they stand at the end of the time period,
not the highest they have been within that period.
The Top 10 Users by UEBA Threat chart shows the top-10 users
with the highest cumulative UEBA Threat score across the selected time
period. Hover your pointer over each bar in the chart to see the name of
the corresponding user. Where you have configured a UEBA Threat score
action trigger (see Actions), this chart also contains a dotted line
to indicate the UEBA Threat score threshold set in the action.
The UEBA Threat Type chart provides a breakdown of all
geolocation anomalies, business hours deviations, and non-compliances
that occurred during the selected time period.
The Top Policies with Non-compliances chart shows the device
policies that recorded the highest number of non-compliances during the
selected time period. Hover your pointer over each bar in the chart to
see the name of the corresponding policy.
Viewing Top Access Trends
nZTA uses this section to show application access trends
that occurred during the selected time period:
Viewing top access trends
You can choose to display this information through line and bar
charts (as shown), or in a Sankey chart. Use the toggle icon at the
top-right to select the required view:
Toggle between line/bar chart view and Sankey chart view
To expand the current view, click the Full Screen icon:
Expand the current view
In line/bar chart view, the display is split into two segments:
A line chart showing the number of application accesses by each user
group during each hourly period of the day
A bar chart showing one of four data types, selected using the
Filter Bar Chart By drop-down control:
• Unique User Count
• Unique Device Count
• Unique Location Count
• Anomalies
If you set a Time Period filter that spans more than one
day, the data values shown in each hour period are cumulative totals for
the same hour in each day during the time period.
In this chart, hover your pointer over each hourly interval to view a
tooltip showing the corresponding data totals. Furthermore, you can
click and drag a select box across a shorter time period to zoom in on a
narrower time window. To return to the full 24 hour period, click the
zoom out icon:
Zoom out from a selected time period
To toggle on or off the data for a particular user group, click the
name of the group in the legend. Or, to view only the data for a
specific user group, click the corresponding line in the graph.
In the Sankey chart view, nZTA provides an alternate
visualization of application access activity, showing directed flow
between related objects.
User Access Trends Sankey chart
The chart maps User Groups >
Devices > Gateways >
Applications. By hovering your pointer over a flow of
interest, nZTA displays a tooltip confirming the scale of the
activity between the two objects connected by the flow.
To focus the display on a specific flow, or to identify related
objects that interact with this flow, click the chart at a point of
interest. nZTA provides highlighting to all flows that pass
through the point selected.
Viewing User Activity Charts
nZTA provides charts to represent user activity:
Top Active Users: a grid showing users that accrued
the highest number of successful accesses to your deployed applications.
Tooltips show the number of accesses by a user for that
application.
Top Login Locations: a chart of the most active
user locations per user group. Tooltips show a count of users active in
that user group.
Top Authentication Failure by Location: a chart
showing totals for authentication failures observed per user
location.
Top Risky Applications: a chart showing the total
user count for each of the top risky applications.
Hover your pointer over a particular element to view a tooltip
showing the label and total.
Click View All to see the detailed metrics.
Top risky application details
Showing Activity for a Specific User
To view activity for a specific user, use the Set
User option in the filter menu:
Activating the Set User option
Alternatively, from the Network Overview page,
access specific user activity from the Users info-panel
view. For more details, see Using the Summary Ribbon.
nZTA displays the Users page, showing activity for
the selected user:
Viewing activity for a specific user
Understanding the Display
The Users page contains the following components:
Filter bar, allowing the selection of active or
historic data. For details, see Using the Filter Bar.
Summary ribbon, showing activity metrics for the
current user. For more details, see Using the Summary Ribbon.
User UEBA Threat data, showing the User UEBA Threat
Score and UEBA Threat Score Rank. For more details, see
Access trend, showing application accesses,
non-compliance, and authentication failures by this user over time.
Activity charts, showing top user access locations
and application activity.
Each chart on this page includes a View all link.
This link provides access to a detail view showing logs for the
corresponding chart. For example:
Viewing User UEBA Threat Score detailed logs
Each detail view shows logs for the corresponding chart or category.
To learn more about using the chart detail page, see Viewing Detailed Logs for a Chart.
Using the Summary Ribbon
The Summary Ribbon at the top of the Users page shows
activity totals for the user during the selected time filter:
Viewing the summary ribbon
The ribbon indicates totals accrued for the selected user during the
displayed time period. The summary ribbon provides the following
metrics:
Non-compliances: The number of non-compliant access
attempts by this user during the period.
Geo Location Anomalies: The number of application
accesses attempted from anomalous geographic login locations by this
user during the period.
Business Hours Anomalies: The number of application
accesses attempted outside of normal business hours by this user during
the period.
Auth failures: The number of authentication
failures experienced by this user during the period.
User groups: The user groups of which this user is
a member. Click the name of a group to access the user groups
page.
Viewing UEBA Threat Data for the Selected User
The User UEBA Threat Data panel displays information
concerning UEBA Threat for the selected user:
Viewing UEBA Threat data for a user
The panel provides:
The selected user's UEBA Threat score, as calculated at
the end of the selected time period.
The UEBA Threat score is shown as an indicator on a linear scale of
no risk up to the highest recorded score during the time period. To
learn more about a user's UEBA Threat score, see Viewing a Summary of UEBA Threat Scores for your Users.
The selected user's UEBA Threat Score rank, as
calculated at the end of the selected time period.
A user's UEBA Threat Score rank is the UEBA Threat score as measured
against other active users in the organization, displayed on a linear
scale. As a user's UEBA Threat score increases, the rank position (the
indicator) moves towards 1 out of the total number of active users (the
value at the start of the scale). A rank of "1" means that a
user ranks highest for risk out of all active users.
A link to reset the selected user's UEBA Threat score.
Viewing Access Trends for the Selected User
nZTA uses this section to show access trends for the
selected user that occurred during the selected time period.
You can choose to display this information through line and bar
charts, or in a Sankey chart. Use the toggle icon at the top-right to
select the required view:
Toggle between line/bar chart view and Sankey chart view
To expand the current view, click the Full Screen icon:
Expand the current view
The line and bar chart shows user access trends through each hourly
interval of the day:
Viewing hourly access trends for a user
The horizontal axis reflects the 24 hourly intervals in a day, with
the vertical axis showing the number of accesses. As a user interacts
with your nZTA infrastructure, access attempts are recorded and
shown in this chart according to the hour in which they occurred. This
in turn provides an overview of the daily access trends for the
user.
The bars denote the number of accesses made, with the lines charting
the number of applications accessed, and the moving average over 30
days.
Anomalies, non-compliances, and authentication failures detected in
the hour are marked as per the legend.
Hover your pointer over an hour interval to see a tooltip summary of
data points for that hour:
The User Access Sankey chart provides an alternate visualization of
your selected user's activity, showing directed flow between related
objects. The width of each stream in the flow is proportional to the
utilization of the object the flow passes through, allowing an
administrator to view significant usage trends for the selected user and
your application infrastructure.
To toggle between the User UEBA Threat Score chart and the User
Access Sankey chart, use the icons at the top-right:
Toggle between User UEBA Threat Score view and User Access Sankey
chart view
By clicking the toggle display icon, the User Access Sankey chart
replaces the User UEBA Threat Score graph in the display. All other
components remain unchanged.
Displaying the User Activity Sankey Chart View
The nZTA User Activity Sankey chart maps
Locations > Devices >
Gateways > Applications for the
selected user. By hovering your pointer over a flow of interest,
nZTA displays a tooltip confirming the scale of the activity
between the two objects connected by the flow.
To focus the display on a specific flow, or to identify related
objects that interact with this flow, click the chart at a point of
interest. nZTA provides highlighting to all flows that pass
through the point selected.
To activate the User Non-Compliances Sankey chart view, use the
toggle icons at the bottom of the chart:
Toggle between User Access Sankey chart view and the User
Non-Compliances Sankey chart view
Use this toggle to switch the Sankey chart between displaying User
Application Access or User Non-Compliances flows.
Displaying the User Non-Compliance Sankey Chart View
Viewing User Activity Charts
The Top User Locations and Top User
Activity charts show the top locations and applications the
user is active with at different times of the day. Each chart provides a
visual breakdown of normal activity across the day, with anomalies
highlighted when they occur.
Viewing and Terminating User Sessions
To view the list of currently active user sessions:
From the nZTA menu, click the Insights
icon, then select Users > Active Sessions.
The Active Sessions page appears:
Viewing active user sessions
Use this page to view currently-active user sessions, and to
terminate selected sessions as required. Each row corresponds to a
single user and shows the following details:
The username
The user's UEBA Threat score. For more information on UEBA Threat
scores, see Reviewing User Activity.
Use the Advanced Filter icon at the top of the page to search by:
an entered username
a specified Gateway
attributes:
Username: enter a user name
Device ID: select a device ID
Risk: select a UEBA Threat score level
The data automatically updates to reflect the chosen search
criteria.
Click the Group By user name to view all active
sessions for the user:
Viewing all active sessions for a user
Alternatively, to expand or collapse the list of sessions for
all users, click the icon at the top-right:
Expand or collapse the complete user session list
To terminate a specific user session, locate the session row on the
page and click the corresponding terminate button:
Terminate a session
nZTA provides a confirmation dialog showing the session selected to be deleted:
Confirming the session to terminate
All session terminations performed through this page are logged in
the nZTA Access Logs.
You can also terminate active user sessions through the Anomalies
info-panel. For more details, see Using the Summary Ribbon.
Reviewing Application Usage
Applications in nZTA are defined primarily by the URI you
use to access them, and can be fully defined (for example, a
complete URI denoting a specific application at a location) or
discovered (for example, a wildcard-prefixed FQDN that denotes
an endpoint containing one or more applications).
The Insights > Applications pages show usage data for
all applications requested through your nZTA deployment.
nZTA provides the following views for your application
usage:
All Applications: Shows usage metrics for all
defined applications in your nZTA deployment. See All Applications.
Discovered Applications: Shows usage metrics for
all discovered applications in your nZTA deployment. See Discovered Applications.
Default Gateway Applications: Shows usage metrics
for all applications managed through the default nZTA Gateway
defined in your Application Discovery secure access policy. See
Default nZTA Gateway Applications.
A default nZTA Gateway is used to handle all requests from
applications that are not referenced by any secure access policy. To
learn more about setting a default nZTA Gateway, see Configuring a Default Gateway for Application Discovery.
From the nZTA menu, click the Insights
icon, then select Applications and choose either
All Applications, Discovered
Applications, or Default Gateway
Applications.
The Applications Overview page appears, showing the selected
metrics.
Use the tabs at the top of the page to switch between the different
views: All Applications, Discovered Applications, and
Default Gateway Applications. Each tab consists of a number of
panels containing metrics and charts to show application usage in one of
the aforementioned categories.
The All Applications tab shows usage metrics for all defined
and discovered applications:
Viewing usage charts and graphs for your applications
The display is split into sections:
Summary Ribbon
Application Top Stats
Access Trends
Activity charts for Application Accesses by
Application Group, Most Application Accesses by Location,
Most Application Accesses by Device, and Most Application
Accesses by User Group.
Each chart in the display includes a View all link
providing access to a detail page showing log records for the
corresponding chart. These log records include links to the application
and user involved in the logged event. Ivanti recommends using
this page to access the metrics page for the specific application (see
Showing Usage Data for a Specific Application) or
user (see Showing Activity for a Specific User). This method of navigation offers
an alternative to searching for a specific application through the
"Select Application" filter option, where the exact application name
might not be known (for example, discovered and default applications not
specifically defined in a secure access policy). To learn more about
using the chart detail page, see Viewing Detailed Logs for a Chart.
The summary ribbon provides the following
metrics:
All Applications: The total number of applications
defined on the Controller.
Active Applications: The number of applications
accessed during the selected time period.
Non-compliances: The number of non-compliant
attempts to access applications.
Users: The number of active users.
Gateways: The number of active nZTA
Gateways.
Anomalies: The number of anomalous application
accesses based on geographic and business hours irregularities.
The Application Top Stats panel provides the
following charts:
Top Application Type: A bar chart showing the
application types that attracted the greatest numbers of application
accesses during the selected time period (for example, FQDN, URL, or IP
address).
Top Application Protocol: A bar chart showing the
application protocol types that attracted the greatest number of
application accesses during the selected time period (for example, Web,
RDP, or SSH).
Top Non Reachable Applications: A bar chart showing
the applications marked most-often not reachable by the
Controller. To learn more about application availability
status, see Viewing your Secure Access Policies.
The Top Non Reachable Applications chart includes only applications
where the status can be determined. It does not show applications where
the status is unknown, such as for applications based on FQDNs,
wildcard-based FQDNs, and IPv4/IPv6 ranges - all of which are
unsupported by the application health monitoring feature.
For all charts, hover your pointer over each bar to display a tooltip
of the type and number of accesses recorded.
The Access Trends panel shows application access
trends that occurred during the selected time period. You can choose to
display this information through line and bar charts, or in a Sankey
chart. Use the toggle icon at the top-right to select the required
view:
Toggle between line/bar chart view and Sankey chart view
To expand the current view, click the Full Screen icon:
Expand the current view
Click this icon again to return to the standard view.
In line/bar chart view, the display is split into two segments:
A line chart showing the number of accesses for the top-10
applications during each hourly period of the day
A bar chart showing one of four data types, selected using the
Filter Bar Chart By drop-down control:
• Unique User Count: Shows a count of unique user activity identified
during each hourly period.
• Unique Device Type Count: Shows a count of
unique device types identified during each hourly period.
• Unique Location Count: Shows a count of activity from unique user locations
identified during each hourly period.
• Unique User Group Count: Shows a
count of activity from unique user groups identified during each hourly
period.
If you set a Time Period filter that spans more than one day, the
data values shown in each hour period are cumulative totals for the same
hour in each day during the time period.
In this chart, hover your pointer over each hourly interval to view a
tooltip showing the corresponding data totals. Furthermore, you can
click and drag a select box across a shorter time period to zoom in on a
narrower time window. To return to the full 24 hour period, click the
zoom out icon:
Zoom out from a selected time period
To toggle on or off the data for a particular application, click the
name in the legend. Or, to view only the data for a specific
application, click the corresponding line in the graph.
In the Sankey chart view, nZTA provides an alternate
visualization of application access activity, showing directed flow
between related objects.
User Access Trends Sankey chart
The chart maps User Groups > Devices > Gateways >
Applications. By hovering your pointer over a flow of interest,
nZTA displays a tooltip confirming the scale of the activity
between the two objects connected by the flow. To focus the display on a
specific flow, or to identify related objects that interact with this
flow, click the chart at a point of interest. nZTA provides
highlighting to all flows that pass through the point selected.
The Activity Charts on this page represent top
application access totals in the following categories:
Application Accesses by Application Group: a grid
chart showing the application groups containing the applications that
accrued the highest number of successful accesses. Application group
sizes in the chart are proportional to the number of accesses, compared
with other groups. Tooltips show a count of the accesses made to that
group. To learn more about Application Groups, see Adding Application Groups to the Controller.
Most Application Accesses by Location: a bar chart
showing a list of the most active user locations with respect to
application access. Tooltips show a count of the application accesses by
that location.
Most Application Accesses by Device: a bar chart
showing a list of the most active user device types with respect to
application access. Tooltips show a count of the application accesses by
that device type.
Most Application Accesses by User Group: a bar
chart showing a list of the most active user groups with respect to
application access. Tooltips show a count of the application accesses by
users in that user group.
Hover your pointer over a particular element to view a tooltip
showing the label and total.
Discovered Applications
The Discovered Applications tab shows usage metrics for
applications discovered by the Controller for applications
defined with a wildcard domain and with Application
Discovery enabled:
Viewing usage charts and graphs for discovered applications
The display is split into sections:
Summary Ribbon
Discovered Application Stats
Access Trend
Activity charts for Application Accesses by
Application Group, Most Application Accesses by Location,
Most Application Accesses by Device, and Most Application
Accesses by User Group.
Each chart in the display includes a View all link
providing access to a detail page showing log records for the
corresponding chart. These log records include links to the application
and user involved in the logged event. Ivanti recommends using
this page to access the metrics page for the specific application (see
Showing Usage Data for a Specific Application) or
user (see Showing Activity for a Specific User). This method of navigation offers
an alternative to searching for a specific application through the
"Select Application" filter option, where the exact application name
might not be known (for example, discovered and default applications not
specifically defined in a secure access policy). To learn more about
using the chart detail page, see Viewing Detailed Logs for a Chart.
The summary ribbon provides the following
metrics:
All Applications: The number of applications
discovered by the Controller.
Active Applications: The number of discovered
applications accessed during the selected time period.
Users: The number of users active with discovered
applications.
Gateways: The number of nZTA Gateways
serving discovered applications.
Anomalies: The number of anomalous application
accesses based on geographic and business hours irregularities.
The Discovered Application Stats panel provides two
charts:
Top Applications Discovered by Policy: A chart
showing the application definitions, with Application Discovery enabled,
for which the greatest number of applications were discovered. The
segment sizes are proportional to the number of discovered applications
for each application domain.
Top Application Protocol: A bar chart showing the
application protocol types, with Application Discovery enabled, that
attracted the greatest number of application accesses during the
selected time period (for example, Web, RDP, or SSH).
For both charts, hover your pointer over each bar to display a
tooltip of the type and number of accesses recorded.
The Access Trend panel shows application access
trends that occurred with discovered applications during the selected
time period. You can choose to display this information through line and
bar charts, or in a Sankey chart. Use the toggle icon at the top-right
to select the required view:
Toggle between line/bar chart view and Sankey chart view
To expand the current view, click the Full Screen icon:
Click this icon again to return to the standard view.
In line/bar chart view, the display is split into two segments:
A line chart showing the number of accesses for the top-10
discovered applications during each hourly period of the day
A bar chart showing one of four data types, selected using the
Filter Bar Chart By drop-down control:
• Unique User Count: Shows a count of unique user activity identified
during each hourly period.
• Unique Device Type Count: Shows a count of
unique device types identified during each hourly period.
• Unique Location Count: Shows a count of activity from unique user locations
identified during each hourly period.
• Unique User Group Count: Shows a
count of activity from unique user groups identified during each hourly
period.
If you set a Time Period filter that spans more than one day, the
data values shown in each hour period are cumulative totals for the same
hour in each day during the time period.
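The multi-day rule above, which is also stated for the Users and All Applications access trend charts, folds every day in the window onto one 24-hour axis. The following is an added example, not Ivanti code: it reproduces that fold over constructed access records and reports which day contributed to each hour, so a tall bar caused by one day can be told apart from a recurring daily pattern. The record layout, UTC bucketing, the cross-day de-duplication of users, and the spike thresholds are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample records: (timestamp, user, application).
# This layout is an assumption for the example, not the nZTA log schema.
SAMPLE = [
    ("2024-03-04T09:05:00+00:00", "alice", "wiki"),
    ("2024-03-04T09:40:00+00:00", "bob", "wiki"),
    ("2024-03-04T14:10:00+00:00", "alice", "crm"),
    ("2024-03-05T03:01:00+00:00", "carol", "crm"),
    ("2024-03-05T03:02:00+00:00", "carol", "crm"),
    ("2024-03-05T03:03:00+00:00", "carol", "hr"),
    ("2024-03-05T03:04:00+00:00", "carol", "hr"),
    ("2024-03-05T09:12:00+00:00", "alice", "wiki"),
    ("2024-03-06T09:30:00+00:00", "bob", "wiki"),
    ("2024-03-06T14:45:00+00:00", "alice", "crm"),
    ("2024-03-07T09:00:00+00:00", "alice", "wiki"),  # outside the window used below
]


def fold_by_hour(records, start, end):
    """Fold every record in [start, end) onto a 24-hour axis.

    Returns (totals, by_day, users):
      totals[h] - cumulative accesses for hour h over all days in the window
      by_day[h] - Counter of accesses per calendar day for hour h
      users[h]  - set of users seen in hour h (assumption: de-duplicated
                  across days; the page does not say how repeats are counted)
    """
    totals = [0] * 24
    by_day = defaultdict(Counter)
    users = defaultdict(set)
    for ts_text, user, _app in records:
        # Assumption: hours are bucketed in UTC.
        ts = datetime.fromisoformat(ts_text).astimezone(timezone.utc)
        if not (start <= ts < end):
            continue
        totals[ts.hour] += 1
        by_day[ts.hour][ts.date()] += 1
        users[ts.hour].add(user)
    return totals, by_day, users


def single_day_spikes(by_day, days_in_window, share=0.8, min_total=3):
    """Return hours whose folded total is dominated by one calendar day.

    The thresholds are illustrative. A flagged hour looks busy on the folded
    chart, but the activity happened on one day only, so it is worth opening
    the detailed logs for that date rather than treating it as a daily habit.
    """
    flagged = {}
    if days_in_window < 2:
        return flagged  # nothing is folded in a single-day window
    for hour, per_day in by_day.items():
        total = sum(per_day.values())
        day, top = per_day.most_common(1)[0]
        if total >= min_total and top / total >= share:
            flagged[hour] = (day.isoformat(), top, total)
    return flagged


if __name__ == "__main__":
    start = datetime(2024, 3, 4, tzinfo=timezone.utc)
    end = datetime(2024, 3, 7, tzinfo=timezone.utc)
    totals, by_day, users = fold_by_hour(SAMPLE, start, end)
    for hour in sorted(by_day):
        days = ", ".join(f"{d}: {n}" for d, n in sorted(by_day[hour].items()))
        print(f"{hour:02d}:00  total={totals[hour]}  "
              f"unique_users={len(users[hour])}  ({days})")
    print("single-day spikes:", single_day_spikes(by_day, (end - start).days))
```

In the sample, 03:00 and 09:00 show the same folded total, but only 03:00 is flagged because all of its accesses fall on one date.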
In this chart, hover your pointer over each hourly interval to view a
tooltip showing the corresponding data totals. Furthermore, you can
click and drag a select box across a shorter time period to zoom in on a
narrower time window. To return to the full 24 hour period, click the
zoom out icon:
Zoom out from a selected time period
To toggle on or off the data for a particular application, click the
name in the legend. Or, to view only the data for a specific
application, click the corresponding line in the graph.
In the Sankey chart view, nZTA provides an alternate
visualization of application access activity, showing directed flow
between related objects.
User Access Trends Sankey chart for discovered applications
The chart maps User Groups > Devices > Gateways >
Applications. By hovering your pointer over a flow of interest,
nZTA displays a tooltip confirming the scale of the activity
between the two objects connected by the flow. To focus the display on a
specific flow, or to identify related objects that interact with this
flow, click the chart at a point of interest. nZTA provides
highlighting to all flows that pass through the point selected.
The Activity Charts on this page represent top
application access totals in the following categories:
Application Accesses by Application Group: a grid
chart showing the application groups containing the applications, with
Application Discovery enabled, that accrued the highest number of
successful accesses. Application group sizes in the chart are
proportional to the number of accesses, compared with other groups.
Tooltips show a count of the accesses made to that group. To learn more
about Application Groups, see Adding Application Groups to the Controller.
Most Application Accesses by Location: a bar chart
showing a list of the most active user locations with respect to
application access. Tooltips show a count of the application accesses by
that location.
Most Application Accesses by Device: a bar chart
showing a list of the most active user device types with respect to
application access. Tooltips show a count of the application accesses by
that device type.
Most Application Accesses by User Group: a bar
chart showing a list of the most active user groups with respect to
application access. Tooltips show a count of the application accesses by
users in that user group.
Hover your pointer over a particular element to view a tooltip
showing the label and total.
Default ZTA Gateway Applications
The Controller includes a default secure access policy
called "Application discovery", disabled by default, that is used to
define behavior for applications and resources that are not controlled
by a specifically-created secure access policy. In this policy, you can
add a default nZTA Gateway that you want to use to handle all
such requests. To learn more about configuring a default nZTA
Gateway, see Configuring a Default Gateway for Application Discovery.
Due to the nature of the typical background resource and API requests
made by a client device during normal use of a web-based application,
the metrics shown on this page might include a large number of secondary
application and API requests that nZTA identifies and logs as
not falling under the remit of the primary application's secure access
policy. Such requests have been handled instead by the default nZTA
Gateway.
The applications listed on this tab could be resource requests
triggered by the operating system, related, for example, to the act of
connecting to the internet. Do not assume that the URLs and IP
addresses shown here are automatically connected to accessing an
nZTA-controlled application or resource.
The Default Gateway Applications tab shows usage metrics for
all applications and resources handled by the default nZTA
Gateway:
Viewing usage charts and graphs for default nZTA Gateway
applications
The display is split into sections:
Summary Ribbon
Default Gateway Application Stats
Access Trend
Activity charts for Most Application Accesses
by Location, Most Application Accesses by Device, and
Most Application Accesses by User Group.
Each chart in the display includes a View all link
providing access to a detail page showing log records for the
corresponding chart. These log records include links to the application
and user involved in the logged event. Ivanti recommends using
this page to access the metrics page for the specific application (see
Showing Usage Data for a Specific Application) or
user (see Showing Activity for a Specific User). This method of navigation offers
an alternative to searching for a specific application through the
"Select Application" filter option, where the exact application name
might not be known (for example, discovered and default applications not
specifically defined in a secure access policy). To learn more about
using the chart detail page, see Viewing Detailed Logs for a Chart.
The summary ribbon provides the following
metrics:
All Applications: The number of applications
handled by the default nZTA Gateway.
Active Applications: The number of default nZTA
Gateway applications accessed during the selected time period.
Users: The number of users active with default
nZTA Gateway applications.
Devices: The number of devices accessing default
nZTA Gateway applications.
Gateways: Denotes the nZTA Gateway, or
number of nZTA Gateways in the Gateway Group, selected as the
default Gateway in the "Application Discovery" secure access
policy.
The application details shown here are unique to this page and are
not included in other summary ribbons or metrics involving all
applications.
The Default Gateway Application Stats panel provides
two charts:
Top Application Type: A bar chart showing the
application types that attracted the greatest numbers of application
accesses during the selected time period (for example, FQDN, URL, or IP
address).
Top Application Protocol: A bar chart showing the
application protocol types that attracted the greatest number of
application accesses during the selected time period (for example, Web,
RDP, or SSH).
For both charts, hover your pointer over each bar to display a
tooltip of the type and number of accesses recorded.
The Access Trend panel shows application access
trends that occurred during the selected time period. You can choose to
display this information through line and bar charts, or in a Sankey
chart. Use the toggle icon at the top-right to select the required
view:
Toggle between line/bar chart view and Sankey chart view
To expand the current view, click the Full Screen icon:
Expand the current view
Click this icon again to return to the standard view.
In line/bar chart view, the display is split into two segments:
A line chart showing the number of accesses for the top-10 requested
applications during each hourly period of the day
A bar chart showing one of four data types, selected using the
Filter Bar Chart By drop-down control:
•Unique User Count: Shows a count of unique user activity identified
during each hourly period.
•Unique Device Type Count: Shows a count of unique device types
identified during each hourly period.
•Unique Location Count: Shows a count of activity from unique user
locations identified during each hourly period.
•Unique User Group Count: Shows a count of activity from unique user
groups identified during each hourly period.
If you set a Time Period filter that spans more than one day, the
data values shown in each hour period are cumulative totals for the same
hour in each day during the time period.
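The hour-of-day folding described here, and in the matching paragraph for discovered applications, is shown below as an added example; it is not Ivanti code or an nZTA export format. The record layout is constructed, and for the unique counts it assumes "cumulative" means that per-day values are added together. The per-day breakdown shows which day actually produced a spike in a folded bucket.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (timestamp, user, application). This layout is an
# assumption for the example, not an nZTA export format.
RECORDS = [
    ("2024-03-04T09:05:00", "alice", "wiki"),
    ("2024-03-04T09:40:00", "bob", "wiki"),
    ("2024-03-04T09:50:00", "alice", "crm"),
    ("2024-03-04T14:10:00", "carol", "wiki"),
    ("2024-03-05T03:02:00", "dave", "crm"),
    ("2024-03-05T03:04:00", "dave", "crm"),
    ("2024-03-05T03:07:00", "dave", "crm"),
    ("2024-03-05T03:11:00", "dave", "wiki"),
    ("2024-03-05T09:15:00", "alice", "wiki"),
    ("2024-03-05T09:20:00", "bob", "crm"),
    ("2024-03-06T09:30:00", "alice", "wiki"),
    ("2024-03-06T14:45:00", "carol", "crm"),
]


def fold_by_hour(records):
    """Fold a multi-day window into 24 hour-of-day buckets."""
    # Build the per-day, per-hour cells that a single-day view would show.
    cells = defaultdict(lambda: {"accesses": 0, "users": set()})
    for ts, user, _app in records:
        t = datetime.fromisoformat(ts)
        cell = cells[(t.date().isoformat(), t.hour)]
        cell["accesses"] += 1
        cell["users"].add(user)

    folded = {
        h: {"accesses": 0, "unique_users_summed": 0,
            "distinct_users": set(), "by_day": {}}
        for h in range(24)
    }
    for day, hour in sorted(cells):
        cell = cells[(day, hour)]
        bucket = folded[hour]
        bucket["accesses"] += cell["accesses"]
        # Assumed reading of "cumulative": per-day unique counts are added, so a
        # user active at 09:00 on three days contributes 3, not 1.
        bucket["unique_users_summed"] += len(cell["users"])
        bucket["distinct_users"] |= cell["users"]
        bucket["by_day"][day] = cell["accesses"]
    for bucket in folded.values():
        bucket["distinct_users"] = len(bucket["distinct_users"])
    return folded


def dominant_day(folded, hour):
    """Return (day, share) for the day contributing most to a folded bucket."""
    by_day = folded[hour]["by_day"]
    if not by_day:
        return None
    # On a tie, the earliest day wins because the keys are scanned in order.
    day = max(sorted(by_day), key=by_day.get)
    return day, by_day[day] / folded[hour]["accesses"]


if __name__ == "__main__":
    folded = fold_by_hour(RECORDS)
    for hour in (3, 9, 14):
        print(hour, folded[hour], dominant_day(folded, hour))
```

In the sample, the 03:00 bucket is produced entirely by one day, which a folded multi-day chart cannot show; narrowing the Time Period filter to a single day is the equivalent check in the UI.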
In this chart, hover your pointer over each hourly interval to view a
tooltip showing the corresponding data totals. Furthermore, you can
click and drag a select box across a shorter time period to zoom in on a
narrower time window. To return to the full 24 hour period, click the
zoom out icon:
Zoom out from a selected time period
To toggle on or off the data for a particular application, click the
name in the legend. Or, to view only the data for a specific
application, click the corresponding line in the graph.
In the Sankey chart view, nZTA provides an alternate
visualization of application access activity, showing directed flow
between related objects.
User Access Trends Sankey chart for default nZTA Gateway
applications
The chart maps User Groups > Devices > Gateways >
Applications. By hovering your pointer over a flow of interest,
nZTA displays a tooltip confirming the scale of the activity
between the two objects connected by the flow. To focus the display on a
specific flow, or to identify related objects that interact with this
flow, click the chart at a point of interest. nZTA provides
highlighting to all flows that pass through the point selected.
The Activity Charts on this page represent top
application access totals in the following categories:
Most Application Accesses by Location: a bar chart
showing a list of the most active user locations with respect to
application access. Tooltips show a count of the application accesses by
that location.
Most Application Accesses by Device: a bar chart
showing a list of the most active user device types with respect to
application access. Tooltips show a count of the application accesses by
that device type.
Most Application Accesses by User Group: a bar
chart showing a list of the most active user groups with respect to
application access. Tooltips show a count of the application accesses by
users in that user group.
Hover your pointer over a particular element to view a tooltip
showing the label and total.
When viewing metrics on this page, the following limitations should
be noted:
Non-Compliance messages are not generated for the default nZTA
Gateway. This is because Ivanti Secure Access Client blocks such
messages directly without sending them on to the nZTA Gateway.
The default nZTA Gateway application details captured on
this page are not included in the metrics captured on the Network
Overview page. However, the default nZTA Gateway is still
shown on the Network Overview page for monitoring purposes (for
example, CPU, disk, and memory usage).
Anomaly detection for applications handled by the default nZTA
Gateway (especially business hours anomalies) is not displayed on
any of the Insights dashboards. This is due to the fact that
the number of applications detected can be very large, which can in turn
impact the user UEBA Threat score.
Log records for applications handled by the default nZTA
Gateway are displayed only on the Secure Access >
Gateways > Logs page. These records are not displayed on the
Insights > Logs page.
If a user associated with the default User Group tries to access
applications handled by the default nZTA Gateway, the
Users dashboard for that specific user displays only the user
UEBA Threat score, risk rank and the moving average on the Access
Trend chart. It does not capture details of the default gateway
applications accessed, primarily to ensure that the application data
displayed here does not become overpopulated.
Configuring Default Gateway Application
A Configure button is provided in the nZTA Gateway
Applications page to trigger the workflow of blocking the discovered
applications behind the default gateway.
To configure a default nZTA Gateway application:
In the default nZTA Gateway applications page, click
Configure.
The Configure Applications page is displayed showing a list
of discovered applications behind the default gateway.
Configure default nZTA Gateway
applications
In the search box provided, start typing the application name.
nZTA auto-completes any matching application name.
Select an application from the list and click Create
Policy to create a Secure Access Policy. To learn more about
creating a secure access application, see Creating/Editing Secure Access Policies.
Showing Usage Data for a Specific Application
To view usage data and metrics for a specific application, use the
Set Application option in the filter menu:
Activating the Set Application option
Alternatively, from the Network Overview page,
access specific application data from the Applications
info-panel view. For more details, see Using the Summary Ribbon.
nZTA displays the Application page, showing
activity for the selected application:
Viewing usage data for a specific application
Understanding the Display
The Application page contains the following components:
Filter bar, allowing the selection of active or
historic data. For details, see Using the Filter Bar.
Summary ribbon, showing details of the selected
application. For more details, see Using the Summary Ribbon.
Each chart on this page includes a View all link.
This link provides access to a detail view showing logs for the
corresponding chart. For example:
Viewing Application Device Type Access detailed logs
Each detail view shows logs for the corresponding chart or category.
To learn more about using the chart detail page, see Viewing Detailed Logs for a Chart.
Using the Summary Ribbon
The Summary Ribbon at the top of the Application page shows
details for the application:
Viewing the summary ribbon
The summary ribbon provides the following information:
First Accessed: The date on which the application
was first accessed.
Last Accessed: The date on which the application
was most recently accessed.
Type: The application type. For example,
"Web".
Port: The port on which the application is
accessed.
IP Address: The IP address through which the
application is accessed.
Application Location: The geographic location where
the application is hosted.
Gateway Name: The name of the nZTA Gateway
managing the application.
Gateway Location: The location of the nZTA
Gateway managing the application.
Secure Access Policy: The name of the Secure Access
Policy governing access to the application. Click the name of the policy
to access the Secure Access Policies page.
If your application is discovered, this is denoted
by a label in the ribbon. To learn more about discovered applications,
see Reviewing Application Usage.
Viewing Application Accesses by Device Type
The Application Device Type Access panel shows application
accesses by device type:
Viewing application accesses by device type
The chart provides a breakdown of application accesses for each
device type. The number in the center of the chart is a total for all
device types. Hover your pointer over a device type to view a tooltip
showing the number of accesses made by devices of that type.
Viewing Access Trends for the Selected Application
nZTA uses this section to show access trends for the
selected application that occurred during the selected time period.
You can choose to display this information through line and bar
charts (as shown), or in a Sankey chart. Use the toggle icon at the
top-right to select the required view:
Toggle between line/bar chart view and Sankey chart view
To expand the current view, click the Full Screen icon:
Expand the current view
The line and bar chart shows application access trends through each
hourly interval of the day:
Viewing hourly access trends for an application
The horizontal axis reflects the 24 hourly intervals in a day, with
the vertical axis showing the number of accesses. As users access the
application, access attempts are recorded and shown in this chart
according to the hour in which they occurred. This in turn provides an
overview of the daily access trends for the application.
The bars denote the number of accesses made, with the line charting
the moving average over 30 days.
Errors and non-compliances detected in the hour are marked as per the
legend.
Hover your pointer over an hour interval to see a tooltip summary of
data points for that hour:
Viewing the Application Access Trends Sankey Chart
The Application Access Trends Sankey chart provides an alternate
visualization of access activity for your selected application, showing
directed flow between related objects. The width of each stream in the
flow is proportional to the utilization of the object the flow passes
through, allowing an administrator to view significant usage trends for
the selected application.
To toggle between the application access trends line/bar chart and
the application access trends Sankey chart, use the icons at the
top-right:
Toggle between line/bar chart view and Sankey chart view
By clicking the toggle display icon, the Application Access Trends
Sankey chart replaces the line/bar chart in the display. All other
components remain unchanged.
Displaying the Application Access Sankey Chart
The Sankey chart maps Locations >
Devices > Gateways >
Application for the selected application. By hovering
your pointer over a flow of interest, nZTA displays a tooltip
confirming the scale of the activity between the two objects connected
by the flow.
To focus the display on a specific flow, or to identify related
objects that interact with this flow, click the chart at a point of
interest. nZTA provides highlighting to all flows that pass
through the point selected.
Viewing Application Activity Charts
On the Application page, nZTA provides the
following charts:
Top Users: Shows the users who accrued the most
accesses for the selected application.
User Access Locations: Shows the user locations
from which the most accesses were recorded for the selected
application.
Hover your pointer over a bar in the chart to view a tooltip showing
the number of accesses made.
Viewing Currently Enrolled User Devices
You can view a list of the user devices currently enrolled with the
Controller through the Tenant Admin Portal.
To view currently enrolled user devices:
Log into the Tenant Admin Portal.
Click Insights > Devices.
The Devices page appears.
Enrolled user device list
Use this page to:
View information concerning the devices your users have enrolled to your nZTA service.
Group the records by unique data item using the Group By drop-down list.
Filter the records based on column data using the column filters.
Perform the following using the Actions drop-down menu:
If you click the Device ID link within a specific row of the table of devices,
nZTA displays an info-panel providing further details:
Enrolled user device info-panel
To unenroll selected devices from the list, tick the check box in the row for one or more chosen devices, click the Actions drop-down list, and then select Unenroll Selected Devices.
To automatically unenroll inactive devices after a set time period,
click the Actions drop-down list, and then select Automatic Unenroll Settings.
Then, in the Automatically Unenroll Devices dialog, select
an inactivity duration and click Save. All devices that
reach this duration limit without being logged in are automatically
unenrolled. To disable the automatic unenroll mechanism, disable the
Automatic Unenroll Enabled switch.
Uploading Client Logs to the Controller
To help Ivanti Technical Support teams troubleshoot and
debug any issues your end user devices have when connecting to your
nZTA services, you can upload logs from connected devices to
the Controller for analysis. This process can be initiated
remotely from the nZTA Tenant Admin portal, or from the
Ivanti Secure Access Client application installed on the
device.
Client connection logs are stored securely in the Controller
and cannot be accessed by unauthorized users. To obtain the logs, your
device must be in a connected state.
Upload of client logs is not currently supported on Ivanti Secure
Access Client Linux variants.
To upload Ivanti Secure Access Client logs for an enrolled
device from the nZTA Tenant Admin Portal:
Log into the Tenant Admin Portal.
Click Secure Access > Devices > Enrolled
Devices.
The Enrolled Devices page appears.
From the list of enrolled devices, tick the check box in the row
for your selected device and click the following icon:
Upload client logs for the selected
device
Devices running Ivanti Secure Access Client versions
released earlier than nZTA 20.11 do not have the upload
capability and cannot respond to this feature.
If your device is enrolled but not connected, the error message
"User session is not found" is displayed.
nZTA displays a confirmation dialog showing the details
of the task:
Confirming upload of the selected client
logs
Confirm the details in section 1 and provide the
optional case ID (if instructed to do so by your
support representative) in section 2.
To initiate the upload process, click Upload
Logs.
The upload process begins.
A log upload status section is added to the info-panel for that
device. This shows the progress of the upload and includes a timestamp
of the last upload:
Uploaded log status for a device - in progress
Uploaded log status for a device - complete
To upload logs from the end user device:
On the end user device, open the Ivanti Secure Access
Client application.
In the Ivanti Secure Access Client application, use the
Upload facility in the Logs
sub-menu.
For example:
Uploading logs
The log upload facility within Ivanti Secure Access Client
requires the device to be enrolled with the Controller.
However, a user can initiate a log upload in both connected and
disconnected states.
Monitoring nZTA Gateway Activity
To view usage data and metrics for all nZTA Gateways, or for
a specific nZTA Gateway, use the Gateways Overview
page.
To view the Gateways Overview page, select Insights
> Gateways:
Viewing nZTA Gateway metrics
By default, this page shows data for all nZTA Gateways. To
view data for a specific nZTA Gateway, use the filter feature
described in Using the Filter Bar.
Some features on this page require your nZTA Gateways to be
running as version 22.1R1 or later. nZTA Gateways running
versions earlier than this might not be included in some status and
health data.
Understanding the Display
The Gateways Overview page contains the following
components:
Filter bar, allowing the selection of active or
historic data. For details, see Using the Filter Bar.
Summary ribbon, showing metrics for deployed
nZTA Gateways. For more details, see Using the Summary Ribbon.
Activity charts, showing top 10 nZTA
Gateway usage metrics in a number of categories. For more details,
see Viewing nZTA Gateway Activity Charts.
Each chart on this page includes a View all link.
This link provides access to a detail view showing logs for the
corresponding chart. For example:
Viewing detailed logs for Top 10 Gateways by Errors
Each detail view shows logs for the corresponding chart or category.
To learn more about using the chart detail page, see Viewing Detailed Logs for a Chart.
Using the Summary Ribbon
The Summary Ribbon at the top of the Gateways Overview page
shows relevant summary statistics relating to your deployed nZTA
Gateways:
Viewing the summary ribbon
The summary ribbon provides the following information:
All Gateways: The total number of deployed nZTA
Gateways.
Active Gateways: The number of active deployed
nZTA Gateways in the selected time period. In other words, those
nZTA Gateways that are online and reporting activity.
Active Users: The number of users accessing
applications and resources managed by your active nZTA Gateways
during the selected time period.
Active Devices: The number of unique devices used
to access applications and resources managed by your active nZTA
Gateways during the selected time period.
Critical Errors: The number of critical errors
observed on your nZTA Gateways during the selected time
period.
Non-Compliance: The number of non-compliant
attempts to access the applications managed by your nZTA
Gateways.
Reviewing the Status of your Deployed nZTA Gateways
The Gateway Stats panel shows the status of your
deployed nZTA Gateways during the selected time period:
Viewing the Status of your deployed nZTA Gateways
The panel provides three separate components:
A visual breakdown of your deployed nZTA Gateways as
Offline Gateways (nZTA Gateways deployed but
unresponsive/unavailable), Online Gateways (responsive nZTA
Gateways not currently handling user traffic), and Active
Gateways (nZTA Gateways handling user traffic).
A visual breakdown of your deployed nZTA Gateways by
version.
The software updates available for your deployed nZTA
Gateways, if applicable.
Viewing nZTA Gateway Access Trends
This section shows nZTA Gateway access trends that occurred
during the selected time period:
Viewing nZTA Gateway access trends
The horizontal axis of each chart reflects the selected time period,
and dynamically adapts to span the period in increments appropriate to
that period. For example, 5 minute intervals for the Last Hour
view, or hourly intervals where you select a whole day.
To expand the current view, click the Full Screen icon:
Expand the current view
The display is split into two segments:
A line chart showing the number of nZTA Gateway accesses in
the selected time period.
A bar chart showing access trends for a selected data type. Use the
Show Trend For drop-down control to select the chart
data type. Choose from:
Critical Errors
Throughput (MB)
Major Errors
Non Compliances
In this chart, hover your pointer over each interval point to view a
tooltip showing the corresponding data totals. Furthermore, you can
click and drag a select box across a shorter time period to zoom in on a
narrower time window. To return to the full period, click the zoom
out icon:
Zoom out from a selected time period
In the line chart, toggle on or off the data for a particular trend
type by clicking the name of the type in the legend.
Viewing nZTA Gateway Activity Charts
On the Gateways Overview page, nZTA provides the
following charts:
Top 10 Gateways by Errors: The top 10 nZTA
Gateways for which errors were reported. Use the Filter
By drop-down control to select the criteria for the chart.
Choose from Critical Errors, Major Errors, or
Non-Compliances.
Top 10 Gateways by Health: The top 10 nZTA
Gateways by system health. Use the Filter By
drop-down control to select the criteria for the chart. Choose from
average CPU usage, average Swap Memory usage, average
Disk Usage, or Network Throughput.
Top 10 Gateways by Access: The top 10 nZTA
Gateways by the number of accesses. Use the Filter
By drop-down control to select the criteria for the chart.
Choose from Applications, Users, or
Devices.
Hover your pointer over a bar in the chart to view a tooltip showing
the nZTA Gateway name and total applicable to that bar.
Reviewing Policy Failures
When a device attempts to access an application or resource
controlled by a Secure Access Policy, the device must first comply with
all relevant device policies. If the device does not meet one
or more of the conditions in a policy, a failure event is recorded and
access is denied. nZTA displays policy failure data and metrics
in the Policy Failures page.
To view the Policy Failures page, select Insights
> Policy Failures:
Viewing policy failure metrics
The failures reported on this page comprise the following
types:
Network policy failures: a device does not meet the conditions in a
policy containing a Network type device rule.
Time-of-day policy failures: a device does not meet the conditions
in a policy containing a Time of day type device rule.
Compliance policy failures: a device does not meet the conditions in
a policy containing other device compliance rules.
In this release, policy failures based on rules of type
Location are not included in these metrics.
Each chart on this page includes a View all link.
This link provides access to a detail view showing logs for the
corresponding chart. For example:
Viewing detailed logs for Top 10 Applications With Failures
Each detail view shows logs for the corresponding chart or category.
To learn more about using the chart detail page, see Viewing Detailed Logs for a Chart.
Using the Summary Ribbon
The Summary Ribbon at the top of the Policy Failures page
shows policy failure totals across a number of categories:
Viewing the summary ribbon
The summary ribbon provides the following information:
Total Failures: The total number of policy failures
detected across your deployment in the selected time period.
Failed Users: The number of users who triggered a
policy failure upon attempting to access an application or resource
controlled by a Secure Access Policy.
Failed Applications: The number of applications to
which access was denied due to a policy failure.
Compliance Failures: The number of compliance
failures recorded against all device policies, excluding network and
time-of-day type policies.
Network Failures: The number of failures recorded
against a network type device policy.
Time of Day Failures: The number of failures
recorded against a time-of-day type device policy.
Viewing Policy Failures Access Trends
nZTA uses this section to show policy failure access trends
that occurred during the selected time period:
Viewing policy failure access trends
To expand the current view, click the Full Screen icon:
Expand the current view
The display is split into two segments:
A line chart showing the number of policy failures for network,
time-of-day, and compliance (marked in the chart as "hc") policy types
during each hourly period of the day
A bar chart showing one of two data types, selected using the
Filter Bar Chart By drop-down control:
User Count
Application Count
If you set a Time Period filter that spans more than one
day, the data values shown in each hour period are cumulative totals for
the same hour in each day during the time period.
In this chart, hover your pointer over each hourly interval to view a
tooltip showing the corresponding data totals. Furthermore, you can
click and drag a select box across a shorter time period to zoom in on a
narrower time window. To return to the full 24 hour period, click the
zoom out icon:
Zoom out from a selected time period
In the Policy Failures Count line chart, toggle on or off the data
for a particular failure trend type by clicking the name of the type in
the legend. Or, to view only the data for a specific type, click the
corresponding line in the graph.
Viewing Policy Failure Activity Charts
On the Policy Failures page, nZTA provides the
following charts:
Top 10 Users With Failures: The top 10 users
who triggered a policy failure upon attempting to access an application
or resource controlled by a Secure Access Policy.
Top 10 Applications With Failures: The top 10
applications to which access was denied due to a policy failure.
Top 10 Compliance Failure Policies: The top 10
compliance device policies that reported failures.
Top 10 Network Failure Policies: The top 10 network
device policies that reported failures.
Top 10 Time of Day Failure Policies: The top 10
time-of-day device policies that reported failures.
Hover your pointer over a bar in the chart to view a tooltip showing
the number of failures in that case.
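The failure categories, summary ribbon totals and Top 10 lists described in this section can be reproduced from raw failure records for independent review. The following is an added example, not Ivanti code: the record fields and the compliance rule type names ("OS version", "Antivirus") are hypothetical, while "Network", "Time of day" and "Location" are the rule types named on this page.

```python
from collections import Counter

# Constructed failure records. Field names are hypothetical and do not
# represent an nZTA export schema.
FAILURES = [
    {"user": "alice", "application": "crm", "policy": "corp-network-only", "rule_type": "Network"},
    {"user": "alice", "application": "crm", "policy": "corp-network-only", "rule_type": "Network"},
    {"user": "bob", "application": "wiki", "policy": "office-hours", "rule_type": "Time of day"},
    {"user": "carol", "application": "crm", "policy": "os-patch-level", "rule_type": "OS version"},
    {"user": "carol", "application": "payroll", "policy": "os-patch-level", "rule_type": "OS version"},
    {"user": "carol", "application": "payroll", "policy": "av-running", "rule_type": "Antivirus"},
    {"user": "dave", "application": "wiki", "policy": "emea-only", "rule_type": "Location"},
    {"user": "bob", "application": "crm", "policy": "corp-network-only", "rule_type": "Network"},
]


def classify(rule_type):
    """Map a device rule type to a failure category used on the page."""
    kind = rule_type.strip().lower()
    if kind == "network":
        return "network"
    if kind == "time of day":
        return "time_of_day"
    if kind == "location":
        # Location-based failures are not included in these metrics.
        return None
    # Every other device rule counts as a compliance failure ("hc" in the chart).
    return "hc"


def summarize(failures, top_n=10):
    """Compute the ribbon totals and Top N lists from failure records."""
    totals = Counter()
    users, apps = Counter(), Counter()
    policies = {"hc": Counter(), "network": Counter(), "time_of_day": Counter()}
    excluded = 0
    for rec in failures:
        kind = classify(rec["rule_type"])
        if kind is None:
            excluded += 1
            continue
        totals[kind] += 1
        users[rec["user"]] += 1
        apps[rec["application"]] += 1
        policies[kind][rec["policy"]] += 1
    return {
        "total_failures": sum(totals.values()),
        "failed_users": len(users),
        "failed_applications": len(apps),
        "compliance_failures": totals["hc"],
        "network_failures": totals["network"],
        "time_of_day_failures": totals["time_of_day"],
        "excluded_location": excluded,
        "top_users": users.most_common(top_n),
        "top_applications": apps.most_common(top_n),
        "top_policies": {k: c.most_common(top_n) for k, c in policies.items()},
    }


if __name__ == "__main__":
    for key, value in summarize(FAILURES).items():
        print(key, value)
```

The `excluded_location` figure makes visible how many failures would be missing from the dashboard totals, so a user who fails only Location rules (dave in the sample) is not overlooked during review.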
Checking the Logs
The nZTA Logs page displays audit and activity events
observed by your nZTA secure access infrastructure. These
events are reported to the Controller by your nZTA
Gateways and the Authentication, Authorization and Accounting (AAA)
service.
Use the time period selector to set a time period or time range for
your log results. Click the date-time display (highlighted) to show the
selector dialog:
Setting a log time period
Set the time period you want to view using the available ranges at
the top-left. Choose from:
Last 60 minutes
Last 24 hours (default)
Last 7 days
Last 1 month
Custom
For Custom, set a specific From and
To to denote the start and end of your custom date/time
range.
The date/time calendar controls are enabled for only the
Custom option. However, the calendar continues to
identify the applicable start and end date-time for all predefined time
periods.
To apply your changes, click Apply. The selected
time period is displayed in the filter bar and data on the page updates
accordingly.
To set the criteria you want to use for viewing log data, use the
controls above the main log display. This section also contains
functions to highlight search terms, apply filters, and schedule log
export jobs.
Select the primary log type you want to display by using the
Log Type drop-down list:
Selecting a log type
Choose from:
Access Logs
Admin Logs
Event Logs
Then, use the icons adjacent to the log selector to further control
your log selection. Choose from the following:
Logs are refreshed automatically by changing the criteria. To
manually refresh the log display, click the following icon:
Page refresh
To search for a term in the displayed logs, click the following
field:
Search term highlighting
nZTA highlights all matches in the log display.
To trigger the advanced filter selection, use the following
icon:
To change the fields displayed for each log line, click the
following icon:
Show or hide log fields
In the field selector, click a field name to toggle between show or
hide. A tick icon indicates a displayed field. After you are
finished, click the context menu icon to close the selector. See Viewing Log Records.
To apply grouping to the displayed log records, click the
Group By button.
This feature applies grouping to a selected field in the log record
display, such that records are accumulated and grouped together under
each unique data item identified in that field. Through grouping, an
admin can quickly view the number of records of a particular type.
To change the view density, click the following icon:
Switching between default and dense log record views
Viewing Log Records
The main part of the page shows the log records that match your
selected criteria. The number of matching log records is displayed at
the top-left.
Each log line includes the following fields:
A status indicator showing the level of severity associated with
each log event. Use the following table for a guide to the meaning of
each indicator color:
Severity    Status Color
INFO        Green
MINOR       Amber
MAJOR       Amber
CRITICAL    Red
The date and time of the event.
The message ID that identifies this type of event.
The severity of the event in words.
The session ID that was the source of the event, where
applicable.
The ID of the nZTA Gateway that reported the event, where
applicable.
The name of the nZTA Gateway that reported the event,
where applicable.
The IP address identified as the source of the event.
The user name associated with the event, where
applicable.
The ID of the device associated with the event, where
applicable.
The message (description) of the event.
Use the page controls at the bottom of the window to select the number of log
records/rows per page:
Setting the number of log rows per page
Choose from:
50
100 (default)
200
To cycle through the log pages, use the page controls at the
bottom-right.
Where a single log message is too long for the display, use your
pointing device to scroll the optional fields display to the left or
right.
Furthermore, to view a single log entry in a dedicated panel, click
the log message text to activate the info-panel view:
Viewing a single log entry in the info-panel
In the info-panel, use the Previous and
Next icons to cycle through each log entry in turn.
Filtering the Logs
The Logs page provides an advanced field filter
through which you can narrow down the displayed log entries to a sub-set
that matches the filters you apply. You can also save filter definitions
for later use.
To set a filter, click the following icon:
Activating the advanced filter
Next, use the side-panel dialog to add one or more new field
filters.
Adding a new log filter
In this dialog, select the matching criterion to use for the filters:
All: Performs an AND operation on the filters
Any: Performs an OR operation on the filters
Not: Negates the list of filters
You can recall a saved filter through the Saved
Filters drop-down list or set new filter criteria through the
Filter by section.
By selecting a saved filter, the filter criteria are populated into
the panel. To then apply the saved filter, click APPLY
FILTER.
You can add additional criteria lines to a recalled filter before
applying it, but the saved filter is unaffected.
Saved filters are preserved across all log pages in the Tenant Admin
portal, but might not be valid for all pages. For example, a saved
filter created on the Insights > Logs page might not
be applicable to the data on the Gateways > Logs
page (in other words, where a filter references a log field not
applicable to nZTA Gateways). In this case, where you attempt to
select an invalid filter, nZTA presents an error.
When setting new filter criteria, use the Selector
drop-down list to choose the field you want to filter on, add an
Operator type, and then enter the
Value you want to apply. For the operator, choose
from:
IS: The selected field matches exactly the value
you specify.
CONTAINS: (where applicable) The selected field
contains as a sub-string the value you specify.
To add further criteria to this filter, click the plus
symbol. Then, repeat the above step as desired. To remove a criteria
line, click the corresponding X icon.
To apply the defined filter, click APPLY FILTER.
Your filters remain in place through data refreshes, and active
filters are identified by the Filters are applied on this page
label at the top of the page. To remove a filter, click the filter icon
(or the link at the top of the page) to re-display the filters
side-panel dialog. Then, click CLEAR ALL to remove all
active filters.
To save a filter for future use, use the save-as facility at the
bottom of the panel. Enter a name for your saved filter in the text box
provided, then click Save. You can recall your filter
through the Saved Filters list at the top of the panel.
To delete saved filters, use the Saved Filters list. Select
the check box adjacent to the filter, or filters, you want to delete,
then click DELETE from the bottom of the panel.
Exporting Logs
nZTA provides the ability to export the currently-displayed
log as a Comma-Separated Value (CSV) or JavaScript Object Notation
(JSON) text file. You can download the log immediately or set up a
scheduled job to activate or repeat the export action at a defined time
and interval of your choosing.
From the nZTA menu, click the Insights
icon, then select Logs.
The Logs page appears.
Select the log type you want to display in the Log
Type drop-down list. Choose from:
Access Logs
Admin Logs
Event Logs
Click the Export Logs button.
The Export Logs page appears:
The Export Logs settings page
Use the Export Logs settings page to configure an export operation,
either to execute immediately as a one-off job, or as a scheduled
job.
Configure the following settings:
Select either CSV or JSON as
the output format.
Select the frequency of the export operation. Choose from:
Export one time: Perform the log export now as a
single job.
Daily data export: Create a daily export job
executed once per day from the selected start date, up to and including
the stop date (if defined).
Weekly data export: Create a weekly export job
executed once per week on the selected start day, up to and including
the stop date (if defined).
Monthly data export: Create a monthly export job
executed once per month on the selected start day, up to and including
the stop date (if defined).
If a stop date is specified, this is the date the schedule ceases. In
the case of weekly or monthly jobs, if this date falls before the
expected run date for that period, the job is terminated without
running. For example, in a weekly run scheduled to execute every
Thursday, if the stop date is set as a Tuesday, the final run of the job
would be the previous Thursday.
A daily data export job continues to run for one extra day beyond the
selected end date in order to process the logs for the final scheduled
day.
For daily/weekly/monthly frequency export jobs, nZTA allows
for a maximum of 5 runs per scheduled export job. That is, each schedule
runs a maximum of 5 times. On the sixth run, the first run is deleted
(together with the log file), and so on.
Set an export time frame. For one-time exports, choose from:
Last 60 minutes
Last 24 hours
Last 7 days
Last 1 month
Set a date range (30d max): This option presents a
configurable start and end date.
For daily, weekly, and monthly exports, this option switches to show
start and end date parameters. You do not need to specify an end date;
in this case, the job remains active until deleted.
Enter a Job name for the export operation.
nZTA suggests an appropriate name; use this, or type your
own.
nZTA allows for a maximum of 5 defined export jobs. Each job
that you add reduces the total, as displayed at the bottom of the page.
This is a separate limit to the maximum number of job runs described
earlier.
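The run and retention rules above, worked through as an added example (not Ivanti code and not part of the original documentation): it lists the run dates of a daily or weekly export job and shows which run files are still downloadable under the 5-run limit. Run times are modelled at day granularity, monthly jobs are omitted, and the function names and dates are constructed for illustration.

```python
from datetime import date, timedelta

MAX_RETAINED_RUNS = 5  # from the page: on the sixth run, the first run is deleted
STEP = {"daily": timedelta(days=1), "weekly": timedelta(days=7)}


def scheduled_runs(frequency, start, stop=None, as_of=None):
    """List the run dates of a daily or weekly export job, oldest first.

    stop  -- optional stop date of the schedule (None = active until deleted)
    as_of -- only return runs on or before this date (None = whole schedule)
    """
    if frequency not in STEP:
        raise ValueError("only daily and weekly schedules are modelled")
    if stop is None and as_of is None:
        raise ValueError("an open-ended schedule needs an as_of date")
    last = stop
    if stop is not None and frequency == "daily":
        # From the page: a daily job runs one extra day past the end date
        # to process the logs for the final scheduled day.
        last = stop + timedelta(days=1)
    if as_of is not None:
        last = as_of if last is None else min(last, as_of)
    runs, day = [], start
    while day <= last:
        runs.append(day)
        day += STEP[frequency]
    return runs


def retention(runs):
    """Split run dates into (files already deleted, files still downloadable)."""
    return runs[:-MAX_RETAINED_RUNS], runs[-MAX_RETAINED_RUNS:]


def deleted_on(runs, index):
    """Date on which the file of runs[index] is rotated out, or None if no
    later run in the schedule displaces it."""
    later = index + MAX_RETAINED_RUNS
    return runs[later] if later < len(runs) else None


if __name__ == "__main__":
    # Constructed dates: weekly job on Thursdays, stop date on a Tuesday.
    weekly = scheduled_runs("weekly", date(2024, 1, 4), stop=date(2024, 1, 30))
    print("final weekly run:", weekly[-1])

    # Constructed dates: daily job over ten days.
    daily = scheduled_runs("daily", date(2024, 3, 1), stop=date(2024, 3, 10))
    gone, kept = retention(daily)
    print("daily runs:", len(daily), "deleted:", len(gone), "kept:", kept)
    print("file from first run deleted on:", deleted_on(daily, 0))
```

Under this model each daily run file is available for five days after it is produced, so a download routine that runs less often than that leaves gaps in the archived logs.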
Viewing Scheduled Log Export Jobs and Downloading Log Files
To view the status of your current log export jobs:
From the nZTA menu, click the Insights
icon, then select Logs.
The Logs page appears.
Select the Scheduled Jobs tab.
The Scheduled Jobs page appears:
Scheduled Jobs page
Use this page to:
View the status and progress of currently scheduled log export
jobs.
Download log files for completed job runs.
For each job on the Job Status page, you can view the configured
details of the export operation along with status indicators for
progress of the previous and outstanding job runs.
A job run refers to a single run of a scheduled job. For example, in
a weekly data export job, a job run refers to the export operation
scheduled or completed for one specific week within the start and end
dates. Thus, a scheduled log export job is comprised of one or more job
runs.
The Summary column provides totals of successful job
runs, unsuccessful/failed job runs, and inactive job runs.
Click any of the fields in a single job row to display an info-panel
at the side showing more details about the scheduled job:
The Job Details info-panel
To access the log files and view more information about each
individual job run, click the down-arrow adjacent to the Job
name:
Showing all job runs for a scheduled export job.
For daily/weekly/monthly frequency export jobs, nZTA allows
for a maximum of 5 runs per scheduled export job. That is, each schedule
runs a maximum of 5 times. On the sixth run, the first run is deleted
(together with the log file), and so on.
As with a scheduled job, click on any of the fields in the job run
row to display an info-panel at the side showing more details about the
job run:
The Job Run Details info-panel
To download the log file generated by the job run, click the
cloud icon for a completed job run:
Downloading a log file
To remove a scheduled log export job, or any of the completed job
runs within the job, tick the checkbox adjacent to the job/job run and
then click the Actions menu at the top of the page:
The Job Status menu
Select from the following options:
Delete Selected: Remove all jobs or job runs that
have been selected.
Pause the Job: Instruct the outstanding job runs in
the schedule to become inactive. The schedule continues chronologically,
but no further log export operations are completed while in this
state.
Resume the Job: Resume the schedule starting at the
next scheduled job run.
If you choose to delete a complete job, all job runs and log download
files are removed permanently.
Actionable Insights
nZTA enables you to configure actionable insights, such that
when certain conditions are met a defined action is executed.
The following actions are supported in this release:
Terminate all existing sessions for the user: If
the set condition is reached, all sessions for the affected user are
terminated. If that user attempts a further login, Ivanti Secure
Access Client denies the attempt and displays a message concerning
the breach, directing the user to contact their administrator.
nZTA also records an admin log event referencing the fact (see Checking the Logs).
To add a new condition:
Select Add Actionable Insight.
In Set Actionable Insight for, select a
condition to apply.
The configurable options for that condition are displayed.
Add Actionable Insights
Set the required options/thresholds for the condition.
In Trigger Action, select the applicable action
to be applied if the condition is met.
From the Subsequent Login section, select one of the following
actions to trigger when conditions are met:
Allow subsequent logins with a warning message
Offer Multi-factor Authentication during the subsequent logins
Deny subsequent logins with a warning message
To save your changes, select Create.
To edit or delete an actionable insight, select the check box
adjacent to the desired condition and select Actions > Delete or
Actions > Edit as applicable.
When user sessions are terminated because the threshold UEBA Threat
score is reached, admin log messages are generated in nSA. Select
the Logs tab to view the list of log messages.
Reports
nZTA provides the ability to generate and download activity
reports from pre-defined report templates or through a custom defined
report. It also supports scheduling reports to be generated either
daily, or once, twice, or three times a week.
From the nZTA menu, click the Insights
icon, then select Reports.
The Reports page appears, on the Report Templates
tab.
Viewing report templates
The Reports page provides the following tabs:
Report Templates: Contains all built-in and
custom-saved templates upon which all reports are based, including a
Custom Report option to enable creation of customized
reports.
Built-in templates are read-only whereas custom-saved templates added
by a tenant admin can be deleted. You can identify custom templates as
per the following image:
Identifying a custom-created report
template from a built-in template (the delete option -
indicated)
My Reports: Contains all generated report
instances:
The list of generated
reports
Reports shown on this page either originate from a singular on-demand
request, or represent an instance of a scheduled report run. For
example, if you schedule a report to run daily, at the requisite time
each day a new instance of the report is generated and placed here.
For each generated report, you can:
Select the report name to view a summary of the configured
parameters:
Report parameters
In the Actions column, select the download icon to view
and download the report in the specified format (PDF, JSON, or CSV):
The Download icon
In the Actions column, select the delete icon to
permanently remove the report instance.
The Delete icon
Scheduled Reports: Contains the list of report
schedules:
The list of report schedules
Each entry on this page represents a scheduled report definition. For
each entry, you can:
Select the report name to view a summary of the configured
parameters:
Schedule details
In the Actions column, select the delete icon to remove
the schedule:
The Delete icon
Creating a Report
This section describes how to create a new report. You can choose to
create the report based on one of the following methods:
Create a new custom report
Create a new report based on one of the built-in predefined report
templates provided as a part of your subscription
Create a new report based on a custom template created by a tenant
admin
To configure a report:
On the Report Templates tab, choose the template
option from which to create your report.
To add a new custom report, select the "Custom Report" option:
Adding a new custom report
To add a report based on a template, select the built-in or custom
template of your choice:
Adding a new report based on a
template
The report wizard appears, beginning with the Clone
step:
Creating a report - Clone
step
Enter a unique name for the report and click
Next to continue.
In the Format step:
Creating a report - Format
step
Select or deselect the required charts from the User,
Device, and Application sections as applicable.
Selected items appear in the right-hand panel.
Use your pointing device to vertically scroll the charts panel as
required.
Select the report format (PDF, JSON, or CSV).
(Optional) select Save this report as a template
to create a new custom template containing your selections. Enter a
template name and description in the fields provided.
Click Next to continue.
In the Filter step, for each category of Users,
Devices, Gateways, and Applications, select or deselect the named items
you want to include. For example, within Users, use the
drop-down controls to select specific User Groups, User
Names, or User Locations you want to include in the
report:
Creating a report - Filter
step
Objects that appear in the drop-down lists in this step are derived
from those items last accessed within the previous 30 days only. Items
last accessed earlier than this time are not shown.
Click Next to continue.
In the Frequency step, set the frequency with
which you want this report to run:
Creating a report - Frequency
step
Choose from:
On Demand: Run once for a specified date and time
period
Daily: Run daily at a defined time
Weekly: Run at a specified time on certain days of
the week
For Daily and Weekly, use Set recurring date range
to set the start and end dates for which you want the schedule to
run.
Click Next to continue.
In the Share step, add the recipients with whom
the report should be shared (if applicable):
Creating a report - Share
step
To complete the wizard and schedule the report according to the
selections made, select Confirm and Schedule.
If you elected to save the report as a custom template during the
Format step, the new template is displayed on the
Report Templates tab.
Viewing Alerts and Notifications
The Alerts page lists all alerts and notifications
that have been raised by nZTA.
To view the Alerts page, click the
Alerts icon and then click See all
Alerts:
Alerts icon
The Alerts page appears. For example:
Alerts page
The alerts table supports the following alert types:
AAA Config Pull Failure
AAA Config Pull Success
AAA Config Pull Success - Failure Resolved
AAA Journal Update Failed
AAA Journal Update Success
Config Sync Rule Deleted
Config Sync Rule Updated
Config Sync Target Cluster Deleted
Custom Domain Certificate for mTLS Domain Due for Renewal
Custom Domain Certificate for mTLS Domain Expired
Custom Domain Certificate for TLS Domain Due for Renewal
Custom Domain Certificate for TLS Domain Expired
Device Vulnerability Risk Rating (VRR) Critical
Device Vulnerability Risk Rating (VRR) High
Device Vulnerability Risk Rating (VRR) Medium
Device Vulnerability Risk Rating (VRR) Low
Gateway Config Apply Failed
Gateway Config Import Failed
Gateway Disconnected
Gateway Invalid Configurations Cleared
Gateway Upgrade Failed
To filter the alerts table by type:
Click the Configure Alert Rules icon.
Configure Alert Rules icon
The Configure Alerts & Notifications page
appears.
Click Alert Types and select the required
type.
Click Close.
To filter the alerts table by time period, click Time
Period and select the required time period.
To sort the alerts table into ascending or descending order of a
specific property, click on one of the following column headings in the
alerts table: