Ivanti Connect Secure Gateway Analytics

Introduction

Reviewing Your Network Activity

Reviewing Users Activity

Reviewing Application Usage

Reviewing Individual User Activity

Reviewing Gateways Status and Versions

Checking the Logs

Configuring Actionable Insights

Generating Reports

Managing the Sessions

Viewing Alerts and Notifications

 

Introduction

Ivanti Neurons for Secure Access Admin portal provides visibility of user activity and service usage across your Ivanti Connect Secure Gateways in your enterprise through network activity analytics, gateway performance graphs, application usage metrics, and stored activity logs.

After you log in to the Ivanti Neurons for Secure Access Admin portal and select Ivanti Connect Secure from the Gateway Switcher (Ivanti Connect Secure, Ivanti Neurons for Secure Access), Ivanti Connect Secure displays the Network Overview page. This page presents a top-down overview of your application infrastructure, providing an opportunity to monitor user and Gateway activity, and to identify problems and compliance issues as they occur. For more information, see Reviewing Your Network Activity

Through the Ivanti Connect Secure menu, use the Insights menu icon to:

Ivanti Connect Secure provides both a light theme and a dark theme for the UI display.

Reviewing Your Network Activity

The Network Overview page shows real-time analytics data for your application infrastructure, providing a one-page dashboard of activity across your organization.

To access the Network Overview page:

  1. Log in to the Ivanti Neurons for Secure Access Admin portal as a Tenant Admin, and select Ivanti Connect Secure from the Gateway Switcher. See .Logging in to Ivanti Neurons for Secure Access.

    The Network Overview page appears by default.

  2. To return to the Network Overview page at any time, click the Insights menu icon and then click Overview. Alternatively, click the "Ivanti Neurons for Secure Access" banner at the top.

Ivanti Connect Secure provides bread-crumb navigation for all Insights pages at the top.

img/DashboardMap.png

Understanding the Display

The primary components of the Network Overview page are the following:

The data in this page refreshes automatically every 5 minutes.

With each chart, click the View all link to view detailed log records for that category.

The following principles apply to all elements of the page:

  • A user can have one or more devices.
  • Each device can have one or more active secure access sessions on multiple gateways.
  • One session can connect to multiple applications.
  • One session can be associated with multiple Gateways.
  • One Gateway can have multiple applications registered with it.

Using the Filter Bar

Ivanti Connect Secure uses the top part of the display on all Insights data analysis pages to show the current page title, the default time period, and options to:

  • Manually refresh the data
  • Filter analytics data for a specific Ivanti Connect Secure gateway
  • Select the date and time period for which data is displayed.

By default, analytics data on all pages is shown for the last hour. To select a previous or specified time period, select the date-time display (indicated):

Selecting a date and time range

In the date-time selection dialog, choose from the following predefined time period options:

  • Last hour: Data observed for the previous 60 minutes.
  • Last <X> hours: Data observed so far in the current day, up to the last hour (in GMT).
  • Previous day: Data observed for the previous full day.
  • Previous Week: Data observed for the previous calendar week (for the previous full Sunday-to-Saturday week).
  • Custom: Data observed for a chosen time period. If you select this option, nZTA enables you to select a custom time period using the From and To date/time calendar controls.

The date/time calendar controls are enabled for only the Custom option. However, the calendar continues to identify the applicable start and end date-time for all predefined time periods.

To reset the selected time period back to the default (Last Hour) view, select Reset. To return to the current page without making any changes, select Cancel.

To apply your changes, select Apply. The selected time period is displayed in the filter bar and data across all Insights pages is updated accordingly.

The data in the display refreshes automatically at 5 minute intervals. To manually refresh the data, click the circular arrow:

img/icon_circulararrow.png

Ivanti Connect Secure provides the ability to show focused metrics for a specific Ivanti Connect Secure Gateway. To select a specific gateway, use the filter icon:

img/menu_icon_Filter.png

In the Filter panel, from the drop-down list select the required gateway and click Apply. To clear the selection, click Clear All.

Viewing the Network Summary Ribbon

The Summary ribbon at the top of the page shows data totals for the selected time filter:

img/yournw_summaryribbon.png

The ribbon indicates the totals accrued for each category during the displayed time period, as indicated adjacent to the category name.

The following categories are provided in the ribbon:

  • The number of Active Gateways.
  • The number of Active Users.
  • The number of Active Devices.
  • The number of Active Sessions.
  • The number of Active Applications.
  • The number of Non-compliances. In other words, non-compliant attempts to access your applications. For the default time period filter, non-compliance totals shown here are for 24 hours. For other selected time periods, the number reflect the total for that period.
  • For the default time period filter, Auth Failures totals shown here are for 24 hours. For other selected time periods, the number reflect the total for that period.
  • The number of Anomalies detected by Ivanti Connect Secure. That is, the total number of geographic anomalies. For the default time period filter, anomaly totals shown here are for the previous 30 days, and include only unacknowledged anomalies. For other selected time periods, this total includes both acknowledged and unacknowledged anomalies.

If you are currently viewing data for the last hour, each category in the ribbon includes a trend graph (highlighted, top) showing the changes in data during the hour. Also included is a change value (highlighted, bottom) based on the previous hour:

img/yournw_summaryribbon_trends.png

In the default last hour view, while data for Active Gateways, Users, Devices, Sessions and Applications is shown as such, Non-Compliances and Auth Failures are shown for the previous 24 hours, and anomalies are shown for the previous 30 days. This is as indicated against the Category name.

Additional trend indicators are present for the last hour time period only. Trends are not applicable when any filter is applied (intent or gateway).

If you click on any of the categories in the ribbon, Ivanti Connect Secure displays a sliding info-panel dialog showing more details for that category. For example, if you click on the Active Gateways category, a panel appears showing the list of active Gateways. In this case, a summary box is displayed for each Gateway showing statistics relevant to that instance, such as the number of active users, active sessions, active devices, non-compliance events, system status such as the system uptime, last config update, session counts such as current SSL sessions count, auth-only sessions, ActiveSync device count.

img/yournw_sidepanel.png

This version of the info-panel shows details for all Gateway locations. To view an info-panel for a single Gateway location, click the Gateway location bubble in the world map. For more details, see Using the World Map.

For the Active Gateways info-panel, use the View Gateway by Status drop-down list to change the type of Gateways displayed in the panel. Choose from:

  • All Gateways: All Gateways regardless of status.
  • Active Gateways: All active Gateways. That is, only Gateways that have active sessions. This is the default view.
  • Offline Gateways: All offline or unregistered Gateways. That is, only Gateways that are unresponsive or not yet registered with the Ivanti Neurons for Secure Access.
  • Online Gateways: All online Gateways. That is, all Gateways that are registered with the Ivanti Neurons for Secure Access.

The number of instances of each type is given in brackets.

For example, by selecting Offline Gateways, the panel updates as follows:

img/yournw_sidepanel_offlinegw.png

Use the Search bar at the top to filter the results list. For example, to show only those Gateways that match a search string. To clear your search, click CLEAR SEARCH RESULTS.

To learn more about the meaning of the different indicator colors used in the info-panel, see Understanding Gateway Status Indicator Colors. Hover your pointer over the instance health indicators to display a tooltip showing more specific details and values.

Click on any Critical or Warning notification banner to display a drop-down summary of the issues:

img/yournw_sidepanel_criticalissues.png

You can click on each entry to obtain more details and logs concerning the issue.

For the Active Users info-panel, Ivanti Connect Secure displays an average UEBA threat score. To learn more about UEBA threat scores, see Viewing a Summary of UEBA Threat Scores for your Users

For Non-Compliance and Anomalies info-panels, summaries are displayed on a per-user basis, with the reason for the event shown.

To change the sort order of the items displayed in the info-panel, use the Sorting controls at the top:

img/yournw_sidepanel_sort.png

Use the dots icon to select the sort criteria, then use the arrow icon to toggle between ascending and descending order. The sort criteria varies depending on the category chosen, and is based on the statistics shown for each item. For example, by selecting the Gateways info-panel, you can choose the display order for your Gateways based on the following statistics:

  • Active Users
  • Non-Compliances
  • Active Devices
  • Number of Issues
  • Gateway Name
  • City Name

A tick identifies the currently chosen criteria.

For Anomalies, the info-panel lists Unacknowledged and Acknowledged anomalies, and provides additional functionality to enable you to Acknowledge individual Unacknowledged anomalies.

img/yournw_sidepanel_anomalies.png

Each box in the info-panel lists a user and the active anomalies connected to them. For each user, from the Unacknowledged anomalies list, click ACKNOWLEDGE to remove this anomaly from the list.

Alternatively, use the tick icon and check boxes adjacent to each user name to acknowledge multiple, or all, anomalies in a single action. Note that when the default "active" time period filter is selected, the anomalies count in the Summary ribbon decreases by 1 for each acknowledgment.

For the Gateways info-panel, click a Gateway name to access the corresponding Gateways Overview page that provide usage metrics or configuration details for that item.

Using the World Map

The Map view contains Gateways and Users tabs. Your Gateways locations are presented on the map as a series of geographically-placed counters, with each counter depicting a location, the status of the services held there, and the number of Gateways. To learn more about the colors used to indicate service status, see Understanding Gateway Status Indicator Colors

img/yournw_worldmap.png

Use the Plus (+) and Minus (-) controls to zoom in and out of the world map, allowing you to select the desired level of detail. Alternatively, use your pointer to manipulate the map display. Double-click/tap an open area of the map to zoom in, or reposition the map display through drag and drop.

To toggle between the Map view and Sankey chart view, use the icons at the top-right:

img/MapSwitch.png

The data shown is representative of the currently-selected time period, and by default shows active data (for the previous 1 hour). To learn more about setting time periods for the displayed data, see Using the Filter Bar.

To learn more about network usage or alerts at a particular location, hover your pointer over the location identifier. It shows the active user sessions established from that Gateway location to other Gateway locations.

img/yournw_worldmap_nwconn.png

By turning on the Show Details switch located at the bottom-left of the map, and by hovering on a Gateway location, the current Gateway status is indicated by the color scheme shown in the legend.

To learn more about the meaning of the different indicator colors used in the map and panels, see Understanding Gateway Status Indicator Colors

img/yournw_locationsummary_extended.png

To expand the current view, click the Full Screen icon:

img/FullScreen.png

In the expanded view, the Gateway Status pop-up summary panel is expanded to include more details concerning usage at that location:

In addition to the status indicator, this version of the summary panel shows the following statistics:

  • Active Users: The number of unique users that have sessions through Gateways at the location (as also indicated in the location bubble)
  • Active Sessions: The number of sessions accessed through Gateways at the location
  • Active Devices: The number of unique devices that have sessions through Gateways at the location
  • Non-Compliances: The number of active non-compliant sessions (full/partial non-compliant) in this location

Click the Full Screen icon again to return to the standard view.

In both views, click a location bubble to display a sliding info-panel dialog for the Gateways at that location.

img/yournw_sidepanel_loc.png

Use this info-panel to view health and usage statistics for the location, with further details concerning any reported problems with the deployed Gateways. The panel displays the following details:

  • Location name and number of Gateways: The descriptor for this location and the number of Gateway instances deployed there.
  • Active Users: The number of unique users that have sessions through Gateways at the location (as also indicated in the location bubble).
  • Active Sessions: The number of sessions accessed through Gateways at the location.
  • Active Devices: The number of unique that have sessions through Gateways at the location.
  • Non-Compliance: The number of active non-compliant sessions (full/partial non-compliant) in this location.
  • System Status: The system uptime and the time since the last config update.
  • Session Counts: The number of current SSL sessions, number of auth only sessions, and the number of ActiveSync devices.
  • Cluster Details: The cluster name, type, and node details.

This view of the info-panel displays data for a single Gateway location. To view an info-panel showing data for all Gateway locations, click the Gateways category in the Summary ribbon. To learn more, see Viewing the Network Summary Ribbon.

When displaying active data, all non-compliance and unacknowledged anomaly totals are displayed for the previous 24 hours.

To learn more about the information and controls contained in the info-panel, see Viewing the Network Summary Ribbon.

Understanding Gateway Status Indicator Colors

In the world map view, your current Gateway status is indicated by the color scheme shown in the legend:

img/MapLegend.png
  • Good (Green): All Gateways are functioning normally.
  • Warning (Amber): One or more of the Gateways at that location is experiencing a warning scenario. This status is triggered by the occurrence of any one of the following conditions:
    • Gateway device CPU usage is within the range 80% - 90%
    • Gateway device swap memory usage is within 10% - 50%
    • Gateway device disk usage is within the range 80% - 90%
  • Critical (Red): One or more of the Gateways at that location is experiencing an critical alert scenario. This status is triggered by the occurrence of any one of the following conditions:
    • Gateway device swap memory usage is greater than 50%
    • Gateway device disk usage is greater than 90%
    • At least 1 critical error has been reported
  • Offline (Grey): All offline or unregistered Gateways. That is, only Gateways that are unresponsive or not yet registered with the Ivanti Neurons for Secure Access.

Furthermore, counters in the Summary ribbon use the following color scheme to reflect status:

  • Red:
    • Users: at least one user has anomalies in the selected duration
    • Devices: at least one active device is non-compliant in the selected duration
    • Gateways: as described above
    • Non-compliance: if the count is non-zero
    • Anomalies: if the count is non-zero

Users Map View

In the world map Users tab, each location shows the number of active users in that location.

img/yournw_worldmap_users.png

Use the Plus (+) and Minus (-) controls to zoom in and out of the world map, allowing you to select the desired level of detail. Alternatively, use your pointer to manipulate the map display. Double-click/tap an open area of the map to zoom in, or reposition the map display through drag and drop.

To toggle between the Map view and Sankey chart view, use the icons at the top-right:

img/MapSwitch.png

The color of the location shows the average UEBA Threat scores of the active users in that location:

  • Green (No Risk) - UEBA Threat score < 10
  • Yellow (Low) - UEBA Threat score > 10 < 20
  • Orange (Medium) - UEBA Threat score > 20 < 30
  • Red (High) - UEBA Threat score > 30
  • Hover on a user location to view detailed UEBA Threat scores of the users in that users location.

By hovering on a User location, the current Users' status is indicated by the color scheme shown in the legend.

img/yournw_usersummary_extended.png

Click a location bubble to display a sliding info-panel dialog for the Users at that location.

img/yournw_sidepanel_users.png

The panel displays the following details:

  • Session type
  • Device OS type
  • Last connected gateway
  • Average UEBA Threat score
  • Anomalies
  • Alerts count

Using the Sankey Chart View

The Network Sankey chart provides an alternate visualization of your services, showing directed flow between related objects. The width of each stream in the flow is proportional to the utilization of the object the flow passes through, allowing an administrator to view significant usage and relationships across your user base and application infrastructure.

To activate the Sankey chart view, use the toggle icons at the top-right:

img/MapSwitch.png

By clicking the toggle display icon, the Sankey chart replaces the world map in the display. All other components remain unchanged.

img/Sankey.png

The Ivanti Connect Secure Sankey chart maps User Roles > Device Types > Gateways > Applications. By hovering your pointer over a flow of interest, Ivanti Connect Secure displays a tooltip confirming the scale of the activity between the two objects connected by the flow.

To focus the display on a specific flow, or to identify related objects that interact with this flow, click the chart at a point of interest. Ivanti Connect Secure provides highlighting to all flows that pass through the point selected.

Using the Sessions, Non-Compliances, Connected Clients Version and Pre-Auth Non-Compliances Charts

The Network Overview page includes bar charts to provide a breakdown of Sessions, Non-Compliances, Connected Clients Version and Pre-Auth Non-Compliances events.

img/yournw_barcharts.png

The Sessions chart provides the total number of sessions over a period. That is, user sessions that took place during the period.

To view a detailed list of events that contributed to the totals, click View all:

img/yournw_sessions_log.png

The Non-compliances chart provides a breakdown of non-compliant device activity that contravened a configured device policy. Totals are given for the highest policy contraventions recorded during the period.

To view a detailed list of events that contributed to the totals, click View all:

img/yournw_noncomp_log.png

Click on the legend labels to toggle that element on or off in the chart. Use your pointer to scroll the event messages pane to view more details in the columns to the right.

The Connected Clients Version chart provides the distribution of various versions of Ivanti Secure Access client across different device OS in the tenant.

You can view the chart based on Active Users for Ivanti Secure Access client versions distribution from the currently active sessions or All Users for Ivanti Secure Access client versions distribution from the sessions in the last 30 days.

To view a detailed list of events that contributed to the totals, click View all:

img/conn_cli_viewall.png

The Pre-Auth Non-Compliances provides the occurrences of non-compliance in the last 24 hours, in the tenant even before the authentication.

You can view the chart based on Device Types, User Locations, Gateways and HC Policies.

To view a detailed list of events that contributed to the totals, click View all:

img/pre-auth-nc-viewall.png

Using the Top Active Breakdown Charts

The radar charts at the bottom of the page show a breakdown of Gateways, Device Types, and User Locations across your organization. Each chart shows the top active items in each category.

img/yournw_radarcharts.png

Hover your pointer over a particular element to view a tooltip showing the label and total. To view more details for a chart, click the corresponding View all link. For example:

img/yournw_topuxserloc.png

Click the View All link that provides access to a detailed view showing logs for the corresponding chart.

In the detailed log page:

  • Double-click on any log to view additional details of that log in the Info Panel to the right.

  • Use the Group by option and select the field type to view the table information in groups. Then click > to view the logs in that group.

    img/icon_group.png
  • Where a specific data item in the event table is truncated due to the column width, hover your pointer over the item to view a tooltip containing a full-length description. You can also re-size the width of any column by dragging the column.

  • To copy a log's column content, double click on the column content and press ctrl-c. If the content has multiple words, for example log message column, then triple click and press ctrl-c. To paste the content elsewhere, press ctrl-v.
  • Use the Advanced Filter icon to view logs based on the pre-defined filter, operator and value. To learn more, see Filtering the Logs.

Reviewing Users Activity

The Users Overview page shows activity relating to users in your Ivanti Connect Secure deployment.

To access the Users Overview page:

  1. Log in to the Ivanti Neurons for Secure Access Admin portal as a Tenant Admin, and select Ivanti Connect Secure from the Gateway Switcher. See Logging in to Ivanti Neurons for Secure Access,.

    The Network Overview page appears by default.

  2. From the Ivanti Connect Secure menu, click the Insights icon, then select Users.

    The Users Overview page appears.

    img/Users_oview.png

Understanding the Display

The Users Overview page contains the following components:

  • Filter bar, allowing the selection of active or historic data, and filtering by Gateway. For details, see Using the Filter Bar.
  • Summary ribbon, showing metrics for user activity. For more details, see Viewing the Users Summary Ribbon.
  • User Top Stats, Top 10 Users By UEBA Threat, UEBA Threat Types, showing graphs and metrics for UEBA Threat scores across your user groups. For more details, see Viewing a Summary of UEBA Threat Scores for your Users
  • User Session Trends, showing a timeline chart of user sessions. For more details, see Viewing the Users Session Trend
  • Activity charts, showing charts for Adaptive authentication, Top user count, Top auth failures, and Session types.

Each chart on this page includes a View All link. This link provides access to a detail view showing logs for the corresponding chart. For example:

img/UserRisk_detail.png

Each detail view shows logs for the corresponding chart or category. For each column, click the arrow icon adjacent to the column name to sort in ascending or descending order. Use your pointer to scroll the log messages pane to view more details in the columns to the right.

Where a log message is too long for the display, hover your pointer over the message to view a tooltip containing the full text. Furthermore, to view a single log entry in a dedicated panel, click the log message text to activate the info-panel view.

Viewing the Users Summary Ribbon

The Summary ribbon at the top of the Users Overview page shows activity totals for the selected time filter:

img/useract_summaryribbon.png

The ribbon indicates the totals accrued for each category during the displayed time period, as indicated adjacent to the category name. Hover your pointer over the category elements to show a descriptive tooltip.

  • Active Gateways: The total number of active Ivanti Connect Secure Gateways.
  • Active Users: The number of active users during the selected time period.
  • Active Devices: The number of active devices.
  • Active Sessions: The number of active sessions.
  • Active Applications: The number of in-use applications.
  • Non-Compliances: The number of non-compliant sessions (full/partial non-compliant) across all gateways in the last 24 hours.
  • Auth failures: The number of authentication failures in the last 24 hours.
  • Active Anomalies: The number of anomalies detected by Ivanti Connect Secure in the last 30 days.

By default, the data presented in the ribbon corresponds to the current day, since midnight GMT. The number of hours over which the data applies is displayed in each category. To change the time period, use the filter bar (see Ivanti Connect Secure Gateway Analytics.)

img/useract_ribbontrends.png

Viewing a Summary of UEBA Threat Scores for your Users

On the Insights > Users page, the User Top Stats panel displays information concerning UEBA threat across your user base:

img/useract_riskdata.png

The User Top Stats contains:

  • Active Users tab to view user stats of the active users.
  • All Users tab to view user stats that include users logged in for the last 30 days.

The panel provides:

  • A breakdown of UEBA threat by user.
  • The average UEBA threat score across all users.
  • The top-10 users scoring highest for UEBA threat. It also shows the UEBA threat score threshold set, to terminate the user sessions with applicable rule on reaching the permissible limit.
  • A break-down of UEBA threat types.
  • The policies with highest non-compliance.

A user's UEBA Threat score is calculated from a combination of:

  • Application access attempts originating from anomalous geographic locations.
  • Non-compliant user devices that attempted to access your applications.

Each additional incident increments a user's overall UEBA Threat score.

The No. of users chart provides a visual indication of the number of users that fall into each of the UEBA Threat categories. These categories are shown as a range of UEBA Threat scores and number of users. The upper and lower bands for each category are shown in brackets. The categories are:

  • No risk (0-10)
  • Low (11-20)
  • Moderate (21-30)
  • High (>31)

Where a particular threat category matches no users for the selected time period, that category label is not shown.

Below this chart, Ivanti Connect Secure displays the Average UEBA Threat Score for all users on a scale between zero UEBA Threat and the highest UEBA Threat score measured at the end of the current time period.

The maximum value shown in the chart corresponds to the highest UEBA Threat score for all users as they stand at the end of the time period, not the highest they have been within that period.

The Top 10 Users by UEBA Threat Score chart shows the top-10 users with the highest cumulative UEBA Threat score across the selected time period. Hover your pointer over each bar in the chart to see the name of the corresponding user.

The UEBA Threat Type chart provides a breakdown of all geolocation anomalies and non-compliances that occurred during the selected time period.

The Top Policies with Non-compliances chart shows the device policies that recorded the highest number of non-compliances for the active users. Hover your pointer over each bar in the chart to see the name of the corresponding policy.

Viewing the Users Session Trend

Ivanti Connect Secure uses this section to show user sessions trends that occurred during the period:

img/useract_sessiontrends.png

You can choose to display this information through bar charts (as shown), or in a Sankey chart. Use the toggle icon at the top-right to select the required view:

img/MapSwitch.png

To expand the current view, click the Full Screen icon:

img/FullScreen.png

In bar chart view, the bar chart shows one of following data types, selected using the drop-down control:

  • Unique User Count
  • Unique Session Count
  • Unique Device Count

In the Sankey chart view, Ivanti Connect Secure provides an alternate visualization of user sessions, showing directed flow between related objects.

img/AccessTrends_sankey.png

The chart maps User Roles > Device Types > Gateways. By hovering your pointer over a flow of interest, Ivanti Connect Secure displays a tooltip confirming the scale of the activity between the two objects connected by the flow.

To focus the display on a specific flow, or to identify related objects that interact with this flow, click the chart at a point of interest. Ivanti Connect Secure provides highlighting to all flows that pass through the point selected.

Viewing the Users Activity Charts

Ivanti Connect Secure provides charts to represent user activity:

img/useract_activitycharts.png
  • Adaptive Authentications: a chart of adaptive authentication in the last 24 hours based on Location, Realm, or Reason.
  • Top User Counts: a chart showing users that accrued the highest number of successful accesses based on Location, Auth Server, Gateway, Device Type or Session.
  • Top Auth Failures: a chart of authentication failures observed based on the Location, Auth Server, or Gateway.
  • Session Types: a chart showing number of Imported IF-MAP sessions, Exported IF-MAP sessions and Local sessions.
  • Top 10 Non-Compliant Host Checker Policies: a chart showing the top 10 host checker policies that recorded the highest number of non-compliances.
  • Top User Roles: a chart showing the totals for the number of user roles such as marketing, sales, account, security, store.

Click the View All link that provides access to a detailed view showing logs for the corresponding chart.

In the detailed log page:

  • Double-click on any log to view additional details of that log in the Info Panel to the right.

  • Use the Group by option and select the field type to view the table information in groups. Then click > to view the logs in that group.

    img/icon_group.png
  • Use the Advanced Filter icon to view logs based on the pre-defined filter, operator and value. To learn more, see Filtering the Logs.

Reviewing Application Usage

Applications are defined primarily by the URI you use to access them, and can be fully defined (for example, a complete URI denoting a specific application at a location).

Ivanti Connect Secure provides views for your application usage metrics for all defined applications in your Ivanti Connect Secure deployment..

To view application usage:

  1. Log in to the Ivanti Neurons for Secure Access Admin portal as a Tenant Admin, and select Ivanti Connect Secure from the Gateway Switcher. See Logging in to Ivanti Neurons for Secure Access.

    The Network Overview page appears.

  2. From the Ivanti Connect Secure menu, click the Insights icon, then select Applications.

    The Applications Overview page appears, showing the selected metrics.

    img/Apps_oview.png

Understanding the Display

The Applications page contains the following components:

Each chart on this page includes a View All link. This link provides access to a detail view showing logs for the corresponding chart. For example:

Using the Applications Filter Bar

Ivanti Connect Secure uses the top part of the display on all Insights data analysis pages to show the current page title, the default time period, and options to:

  • Manually refresh the data
  • Select the date and time period for which data is displayed.
  • Set a filter for a specific Ivanti Connect Secure Gateway
  • Select Layer 3 and Layer 7 Applications

L3 user sessions support viewing both IPv4 and IPv6 applications.

By default, analytics data on this page and others is shown for the last hour or current day. To manually refresh the data, click the circular arrow:

img/icon_circulararrow.png

Ivanti Connect Secure provides the ability to show focused metrics for a specific Ivanti Connect Secure Gateway. To select a specific gateway, use the filter icon:

img/menu_icon_Filter.png

In the Filter panel, from the drop-down list select the required gateway and click Apply.

To clear the selection, click Clear All.

Ivanti Connect Secure provides the ability to show focused metrics for Layer 3 and Layer 7 applications. By default, data on this page shows for All Applications. Select the required application access from the list to view the corresponding charts and trends in the Applications page. Within Layer 3 Applications, you can choose ESP or SSL applications.

img/apps_layer_list.png

Using the Applications Summary Ribbon

The Summary ribbon provides the following metrics:

  • Active Applications: The total number of active applications defined on the Ivanti Connect Secure.
  • Active Users: The number of active users.
  • Active Gateways: The number of active Gateways.
  • Active Devices: The number of active devices.
img/apps_summaryribbon.png

Viewing Top Protocols by Application Access

The Top Protocols by Application Access Count radar chart shows the top protocols that attracted the greatest number of application accesses during the period (for example, Web, RDP, SSH or Bookmark).

Hover your pointer over each bar to display a tooltip of the protocol type and number of accesses recorded.

img/apps_radar.png

To view a detailed list of events that contributed to the totals, click View all.

img/apps_radar_viewall.png

Viewing Applications Access Trend

The Applications Access Trend panel shows application access trends that occurred during the period. Choose to display this information through line and bar charts, or in a Sankey chart.

img/apps_trend.png

Use the toggle icon at the top-right to select the required view. Also at the top-right, use the full-screen icon to toggle the current view between normal and full screen.

  • In line/bar chart view:

    The display is split into two charts:

    • A line chart showing the number of accesses for the top-10 applications during each hourly period of the day
    • A bar chart showing one of four data types, selected using the Filter Access By drop-down control:
      • Unique User Count: Shows a count of unique user activity identified during each hourly period.
      • Unique Device Type Count: Shows a count of unique device types identified during each hourly period.
      • Unique Location Count: Shows a count of activity from unique user locations identified during each hourly period.
      • Unique User Group Count: Shows a count of activity from unique user groups identified during each hourly period.

    In this chart, you can:

    • Hover your pointer over each hourly interval to view a tooltip showing the corresponding data totals.
    • Click and drag a select box across a shorter time period to zoom in on a narrower time window. To return to the full 24 hour period, click the zoom out icon.
    • Click the corresponding line in the graph to view only the data for that specific user group.

Using the Sankey Chart View

The Sankey chart provides an alternate visualization of application access activity, showing directed flow between related objects. The width of each stream in the flow is proportional to the utilization of the object the flow passes through, allowing an administrator to view significant usage and relationships across your user groups and application infrastructure.

img/apps_sankey.png

Hover your pointer over a flow of interest to display a tooltip confirming the scale of the activity between the two objects connected by the flow.

To focus the display on a specific flow, or to identify related objects that interact with this flow, click the chart at a point of interest. Ivanti Connect Secure provides highlighting to all flows that pass through the point selected.

Viewing the Activity Charts

The Activity Charts on this page represent top application access totals in the following categories:

  • Top Network Access Layers by Apps Access Count: a bar chart showing the count of Layer 3 and Layer 7 applications accesses.
  • Top User Locations: a bar chart showing the count of application accesses made from various user locations.
  • Top Device Types by Applications Access Count: a bar chart showing a count of number of applications accesses made from various devices.
  • Top Users by Applications Access Count: a bar chart showing a count of number of applications accesses made by the users.
  • Top Gateways by Applications Access Count: a bar chart showing a count of number of applications accesses made from Gateways.
  • Top User Roles: a bar chart showing the count of application accesses made by various user roles (example: Marketing, Sales, Accounts, Security).
  • Top Application Names: a bar chart showing the count of application accesses made to various applications (example: Microsoft Teams, Outlook).

Hover your pointer over a particular element to view a tooltip showing the label and total.

Use the Filter to view active access count by Gateway, Device Type, User Name, User Role, or User Location City.

Click the View All link that provides access to a detailed view showing logs for the corresponding chart.

In the detailed log page:

  • Double-click on any log to view additional details of that log in the Info Panel to the right.

    img/apps_top_charts_viewall_infopanel.png
  • Double-click on any log to view additional details of that log in the Info Panel to the right.

  • Use the Group by option and select the field type to view the table information in groups. Then click > to view the logs in that group.

    img/icon_group.png
  • Use the Advanced Filter icon to view logs based on the pre-defined filter, operator and value. To learn more, see Filtering the Logs.

Configuring nZTA Policy to an ICS Application

Administrators can now configure ICS application with nZTA Secure Access Policy from the nSA-ICS Applications page. This feature requires nZTA license. The Secure Access Policy defines how end users can connect to nSA to access applications.

A Configure button is provided in the ICS Applications page to configure nZTA Secure Access Policy to an ICS application.

img/apps_oview_zta.png

To configure nZTA policy to the ICS application:

  1. In the ICS applications page, click Configure.

    The Configure Applications page is displayed showing a list of accessed applications behind the ICS gateway.

    img/config_gwapp.png
  2. In the search box provided, start typing the application name. ICS auto-completes any matching application name.

  3. Select an application from the list and click Create Policy to create a nZTA Policy.

    The nZTA Create Secure Access Policy page is displayed. The Application Name, Application Detail and Description fields are pre-filled in the page.

    img/create_zta_policy.png
  4. Click Save Application and then click Next.

  5. Define Device Policy, User Group and Gateway/Gateway Group/Gateway Selector. For details, see the section Creating a Secure Access Policy.

Reviewing Individual User Activity

This page shows activity relating to a specific user in your Ivanti Connect Secure deployment.

To access the User Overview page:

  1. Log in to the Ivanti Neurons for Secure Access Admin portal as a Tenant Admin, and select Ivanti Connect Secure from the Gateway Switcher. See Logging in to Ivanti Neurons for Secure Access.

    The Network Overview page appears by default.

  2. Launch the User Overview page by doing one of the following:

    • In the Search field on Filter bar, type the username for which you want to see the activities.
    • In the Summary ribbon, click Active Users. In the Active Users panel displayed, click the username link for which you want to see the activities.
    • Click the View All link in any of the charts. In the logs table displayed, click the username link for which you want to see the activities.

    The User Overview page is displayed.

    img/user_oview.png

The page has the following areas:

  • The Filter bar
  • The Summary ribbon
  • UEBA Threat Score and UEBA Threat Score Rank
  • User Sessions trend
  • Activity charts, showing charts for Bandwidth details, Last 5 Login Locations, Application Access and Session Details
  • Table showing User Device and Status

Each chart on this page includes a View All link. This link provides access to a detail view showing logs for the corresponding chart.

Using the Filter Bar

The top part of the page has the option to manually refresh the data.

Viewing the User Summary Ribbon

The Summary ribbon provides the following metrics:

  • Active Sessions Duration – All active sessions duration combined of the user, displayed in hours, minutes, and seconds.
  • Last Login Location – The location from where the user has last logged in.
  • Number of Auth Failures – The number of authentication failures for this user in the last 30 days.
  • Number of Non-Compliant Sessions – The number of Non-compliant sessions (full/partial non-compliant) for this user across all gateways in the last 30 days.
  • Number of Anomalies – The number of anomalies (acknowledged and unacknowledged) detected by Ivanti Connect Secure in the last 30 days. 
img/user_summary_ribbon.png

Viewing the UEBA Threat Score

The UEBA Threat Score panel contains:

  • UEBA Threat Score – It is the cumulative value of number of anomalies and number of non-compliant sessions of this user. Click the View All link to see the log details in a table.
  • UEBA Threat Score Rank – It is the UEBA Threat score position of this user based on the UEBA Threat scores of all the users in the tenant.
  • Reset Score – As an administrator, you can reset the UEBA Threat score of this user.

A user’s UEBA Threat score is calculated from a combination of geographic anomalies, non-compliance with device policies, and activity deviations.

Viewing the User Session Trend

This section shows the following user activities per day that occurred during the last seven days. You can hover over the trend to view details.

  • Number of unique Active Sessions
  • Number of Applications accessed
  • Number of Anomalies
  • Number of Non-Compliance sessions
  • Number of Auth Failures

Viewing the User Activity Charts

This Ivanti Connect Secure provides charts to represent user activity:

  • Bandwidth Details – shows the Bandwidth Consumed per day and Total Time connected per day by the user for the last seven days.
  • Last 5 Login Locations – shows the last top five Login Locations accessed by the user in the last 30 days.
  • Application Access – shows the number of Applications accessed by the user in the active sessions and in the last 30 days based on Bookmark, VDI and HTML5 access.
  • Session Details – shows the number of Active Sessions and Total number of sessions in the last 30 days based on Role, Gateways and Active sessions
img/user_act_charts.png

Click the View All link that provides access to a detailed view showing logs for the corresponding chart.

Viewing the User Device and Status

This table provides the status of the devices used by the user for connecting to VPN in the last 30 days. Each row in the table includes Device ID and Device Type of a device among other user session details.

Click the link in each column to drill-down for additional details.

img/user_dev_status.png

Reviewing Gateways Status and Versions

The Gateway Overview page gives an overall detail of all the gateways that are registered in the tenant.

To access the Gateway Overview page:

  1. Log in to the Ivanti Neurons for Secure Access Admin portal as a Tenant Admin, and select Ivanti Connect Secure from the Gateway Switcher. See Logging in to Ivanti Neurons for Secure Access.

  2. From the Ivanti Connect Secure menu, click the Insights icon, then select Gateways.

    The Gateway Overview page appears.

img/l2_gateways.png

Understanding the Display

The Gateway Overview page contains the following components:

  • Summary ribbon
  • Gateway Status and Versions
  • Access Trend View
  • Top 10 Gateways by Errors
  • Top 10 Gateways by Health
  • Overall Concurrent Users License Usage

Use the Filter bar, located on the top-right-corner of the page, that allows the selection of active or historic data, and filter by Gateway. For details, see Using the Filter Bar.

Each chart on this page includes a View All link. This link provides access to a detail view showing logs for the corresponding chart.

Viewing the Gateways Summary Ribbon

The Gateway Overview Summary panel gives the following details:

  • All Gateways: Shows the total number of Ivanti Connect Secure Gateways that are registered with the tenant.
  • Active Gateways: The total number of active gateways within the tenant.
  • Active Sessions: The total number of active sessions across all the connected gateways within the tenant.
  • Consumed Concurrent User Licenses: The total number of concurrent user licenses consumed across all the gateways.
  • Critical Errors: The total number of critical errors in the last 24 hours across all the gateways. The trend shows the critical error occurrence in the last 24 hours. It also shows the number of errors increased or decreased in the last 24 hours.

Viewing the Gateways Status and Versions

The Gateways by status chart shows the distribution of gateways by their status:

  • Offline Gateways: All gateways that are registered with the tenant, but not connected.
  • Online Gateways: All gateways that are registered with the tenant and connected but are not running any sessions.
  • Active Gateways: All gateways that have at least one active session.

The Gateway by versions chart shows the distribution of latest 10 gateway versions across all the gateways within the tenant. The Gateways by ESAP version chart shows the distribution of latest 10 ESAP versions across all the gateways within the tenant.

To view a detailed list of events that contributed to the totals, click View All.

img/gw_status_ver_all.png

Viewing the Gateways Access Trend

Ivanti Connect Secure uses the Gateways Access Trend section to show:

  • the hourly distribution of the number of logins, average CPU usage, average memory usage, average disk usage, average network throughput across all the gateways during the last 24 hours.
  • the hourly distribution of critical errors across all the gateways during the last 24 hours.

You can check the trend for Critical Errors and Throughput (MB).

To view a detailed list of events that contributed to the totals, click View All.

img/gw_access_trend.png

Viewing the Top Gateway Activity Charts

Ivanti Connect Secure provides charts to show breakdown of Top 10 Gateways by Errors and Top 10 Gateways by Health.

The Gateways by Errors chart provides the total number of Critical Errors or Integrity Check Violations across top 10 gateways over the last 24 hours. Use the Filter drop-down to select the option from the list.

To view a detailed list of events that contributed to the totals, click View All.

img/gw_topten_by_errors.png

The Gateways by Health chart shows the top 10 gateways that have high CPU usage, Memory usage, Disk usage, or Network throughput. Use the Filter drop-down to select the option from the list.

To view a detailed list of events that contributed to the totals, click View All.

img/gw_topten_by_health.png

The Overall Concurrent Users License Usage chart provides the maximum licenses used on a daily basis across all the gateways over the last 30 days.

To view a detailed list of events that contributed to the totals, click View All.

img/con_user_lic_usage_l4_page.png

Use the Advanced Filter icon to view logs based on the pre-defined filter, operator and value. To learn more, see Filtering the Logs.

Checking the Logs

The Ivanti Connect Secure Logs page displays audit and activity events observed by your Ivanti Connect Secure access infrastructure. These events are reported to the Ivanti Neurons for Secure Access by your Gateways and Authentication, Authorization and Accounting (AAA) service.

To view the Logs page:

  1. Log in to the Ivanti Neurons for Secure Access Admin portal as a Tenant Admin, and select Ivanti Connect Secure from the Gateway Switcher. See Logging in to Ivanti Neurons for Secure Access.

  2. From the Ivanti Connect Secure menu, click the Insights icon, then select Logs.

    The Logs page appears.

img/Logs.png

This page comprises the following sections:

Ivanti Connect Secure additionally provides a separate log records page pertaining to activity for specific Gateways.

Setting a Log Time Period

Use the time period selectors at the top of the page to set a time period or time range for your log results.

To switch between Time Period and Time Range. use the following icon:

img/time_range.png

The adjacent time selection boxes update according to your choice. For Time Period, set the time period you want to view. Choose from:

  • Last 60 minutes
  • Last 24 hours (default)
  • Last 7 days
  • Last 1 month

For Time Range, set a specific Date and Time for both the start and end of your time range.

Setting Log Criteria and Filtering the Output

To set the criteria you want to use for viewing log data, use the controls above the main log display. This section also contains functions to highlight search terms, apply filters, and schedule log export jobs.

Select the primary log type you want to display by using the Log Type drop-down list:

img/Logs_logtype.png

Choose from:

  • Access Logs
  • Admin Logs
  • Event Logs

Then, use the icons adjacent to the log selector to further control your log selection. Choose from the following:

  • To search for a term in the displayed logs, click the following icon:

    img/icon_magglass.png

    Ivanti Connect Secure highlights all matches is the log display.

  • Logs are refreshed automatically by changing the criteria. To manually refresh the log display, click the following icon:

    img/icon_circulararrow.png
  • To change the fields displayed for each log line, click the following icon:

    img/icon_fieldselector.png

    In the field selector, click a field name to toggle between show or hide. A tick icon indicates a displayed field. After you are finished, click the context menu icon to close the selector. See Viewing Log Records.

  • To trigger the advanced filter selection, use the following icon:

    img/icon_advfilter.png

    To learn more, see Filtering the Logs.

  • To group the logs based on the fields, use the Group by option and select the field type to view the table information in groups.

    img/icon_group.png

    Click > to view the logs in that group.

    img/logs_groupby.png
  • To export the displayed log as a CSV or JSON text file, or to set up a new scheduled log export job, click the following icon:

    img/icon_logexport.png

    To learn more about log export jobs, see Exporting Logs.

  • To view the status of currently-scheduled log export jobs, click the following icon:

    img/icon_logexportjobs.png

    To learn more about log export jobs, see Exporting Logs.

  • To change the view density, click the following icon:

    img/icon_viewdensity.png

Viewing Log Records

The main part of the page shows the log records that match your selected criteria. The number of matching log records is displayed at the top-left.

Each log line includes the following fields:

  • A status indicator showing the level of severity associated with each log event. Use the following table for a guide to the meaning of each indicator color:

    Severity Status Color
    INFO Green
    MINOR Amber
    MAJOR Amber
    CRITICAL Red
  • The date and time of the event.

  • The message ID that identifies this type of event.

  • The severity of the event in words.

  • The session ID that was the source of the event, where applicable.

  • The ID of the Ivanti Connect Secure Gateway that reported the event, where applicable.

  • The name of the Ivanti Connect Secure Gateway that reported the event, where applicable.

  • The IP address identified as the source of the event.

  • The user name associated with the event, where applicable.

  • The ID of the device associated with the event, where applicable.

  • The message (description) of the event.

Use the page controls at the bottom to select the number of log records/rows per page:

img/Logs_pagesize.png

Choose from:

  • 50
  • 100 (default)
  • 200

To cycle through the log pages, use the page controls at the bottom-right.

Where a single log message is too long for the display, use your pointing device to scroll the optional fields display to the left or right.

Furthermore, to view a single log entry in a dedicated panel, click the log message text to activate the info-panel view:

img/LogSidepanel.png

In the info-panel, use the Previous and Next icons to cycle through each log entry in turn.

Filtering the Logs

The Logs page provides an advanced field filter through which you can narrow down the displayed log entries to a sub-set that matches the filters you apply.

To add a filter, click the following icon:

img/icon_advfilter.png

Next, use the pop-up dialog to add one or more new field filters.

img/LogFilter.png

In this dialog, select a matching criteria for the filters.

  • All: performs AND operation on the filters
  • Any: performs OR operation on the filters
  • Not: Negates the list of filters

Use the Selector drop-down list to choose the field you want to filter on, add an Operator type, and then enter the Value you want to apply.

For the operator, choose from:

  • IS: The selected field matches exactly the value you specify.
  • CONTAINS: The selected field contains as a sub-string the value you specify.

Click the plus symbol to add your filter, then repeat the process to add any further filters you want to apply.

To apply your filters to the log data, click APPLY.

Your filters remain in place through data refreshes and are displayed at the bottom of the screen. To remove a filter, click the corresponding X icon.

In addition, Ivanti Connect Secure enables you to store advanced filters for future use. After you have applied filter criteria, enter a filter name into the box provided and click Save.

To load a previously-saved filter, select your filter from the Saved Filters drop-down list and click Apply.

To delete one or more previously-saved filters, select the filters from the Saved Filters drop-down list and click Delete.

Exporting Logs

Ivanti Connect Secure provides the ability to export the currently-displayed log as a Comma-Separated Value (CSV) or JavaScript Object Notation (JSON) text file. You can download the log immediately or set up a scheduled job to activate or repeat the export action at a defined time and interval of your choosing.

To access the Export Logs page:

  1. Log in to the Ivanti Neurons for Secure Access Admin portal as a Tenant Admin, and select Ivanti Connect Secure from the Gateway Switcher. See Logging in to Ivanti Neurons for Secure Access.

  2. From the Ivanti Connect Secure menu, click the Insights icon, then select Logs.

    The Logs page appears.

  3. Select the log type you want to display in the Log Type drop-down list. Choose from:

    • Access Logs
    • Admin Logs
    • Event Logs
  4. Click the cloud icon at the top of the page:

    img/icon_logexport.png

    The Export Logs page appears:

    img/LogExport.png

Use the Export Logs settings page to configure an export operation, either to execute immediately as a one-off job, or as a scheduled job.

Configure the following settings:

  • Select either CSV or JSON as the output format.

  • Select the frequency of the export operation. Choose from:

    • Export one time: Perform the log export now as a single job.
    • Daily data export: Create a daily export job executed once per day from the selected start date, up to and including the stop date (if defined).
    • Weekly data export: Create a weekly export job executed once per week on the selected start day, up to and including the stop date (if defined).
    • Monthly data export: Create a monthly export job executed once per month on the selected start day, up to and including the stop date (if defined).

    If a stop date is specified, this is the date the schedule ceases. In the case of weekly or monthly jobs, if this date falls before the expected run date for that period, the job is terminated without running. For example, in a weekly run scheduled to execute every Thursday, if the stop date is set as a Tuesday, the final run of the job would be the previous Thursday.

    A daily data export job continues to run for one extra day beyond the selected end date in order to process the logs for the final scheduled day.

    For daily/weekly/monthly frequency export jobs, Ivanti Connect Secure allows for a maximum of 5 runs per scheduled export job. That is, each schedule runs a maximum of 5 times. On the sixth run, the first run is deleted (together with the log file), and so on.

  • Set an export time frame. For one-time exports, choose from:

    • Last 60 minutes
    • Last 24 hours
    • Last 7 days
    • Last 1 month
    • Set a date range (30d max): This option presents a configurable start and end date.

    For daily, weekly, and monthly exports, this option switches to show start and end date parameters. You do not need to specify an end date; in this case, the job remains active until deleted.

  • Enter a Job name for the export operation. Ivanti Connect Secure suggests an appropriate name; use this, or type your own.

  • To execute the defined job, click Export.

    To view all scheduled export logs jobs, and to download the log files created by each job, see Viewing Scheduled Log Export Jobs and Downloading Log Files

Ivanti Connect Secure allows for a maximum of 5 defined export jobs. Each job that you add reduces the total, as displayed at the bottom of the page. This is a separate limit to the maximum number of job runs described earlier.

Viewing Scheduled Log Export Jobs and Downloading Log Files

To view the status of your current log export jobs:

  1. Log in to the Ivanti Neurons for Secure Access Admin portal as a Tenant Admin, and select Ivanti Connect Secure from the Gateway Switcher. See Logging in to Ivanti Neurons for Secure Access.

  2. From the Ivanti Connect Secure menu, click the Insights icon, then select Logs.

    The Logs page appears.

  3. Click the list icon at the top of the page:

    img/icon_logexportjobs.png

    The Job Status page appears:

    img/LogExportJobs.png

Use the Job Status page to:

  • View the status and progress of currently scheduled log export jobs.
  • Download log files for completed job runs.

For each job on the Job Status page, you can view the configured details of the export operation along with status indicators for progress of the previous and outstanding job runs.

A job run refers to a single run of a scheduled job. For example, in a weekly data export job, a job run refers to the export operation scheduled or completed for one specific week within the start and end dates. Thus, a scheduled log export job is comprised of one or more job runs.

The Summary column provides totals of successful job runs, unsuccessful/failed job runs, and inactive job runs.

Click any of the fields in a single job row to display an info-panel at the side showing more details about the scheduled job:

img/JobDetails.png

To access the log files and view more information about each individual job run, click the down-arrow adjacent to the Job name:

img/LogExportJobsDetail.png

For daily/weekly/monthly frequency export jobs, Ivanti Connect Secure allows for a maximum of 5 runs per scheduled export job. That is, each schedule runs a maximum of 5 times. On the sixth run, the first run is deleted (together with the log file), and so on.

As with a scheduled job, click on any of the fields in the job run row to display an info-panel at the side showing more details about the job run:

img/JobRunDetails.png

To download the log file generated by the job run, click the cloud icon for a completed job run:

img/icon_bluecloud.png

To remove a scheduled log export job, or any of the completed job runs within the job, tick the checkbox adjacent to the job/job run and then access the context menu at the top of the page:

img/JobStatusMenu.png

Select from the following options:

  • Delete Selected: Remove all jobs or job runs that have been selected.
  • Pause the Job: Instruct the outstanding job runs in the schedule to become inactive. The schedule continues chronologically, but no further log export operations are completed while in this state.
  • Resume the Job: Resume the schedule starting at the next scheduled job run.

If you choose to delete a complete job, all job runs and log download files are removed permanently.

Configuring Actionable Insights

The Actionable Insights function enables the tenant admin to create a policy/action to terminate all the existing sessions, with applicable rule, of a user when the UEBA threat score goes beyond the permissible limit.

To configure actionable insights:

  1. Log in to the Ivanti Neurons for Secure Access Admin portal as a Tenant Admin, and select Ivanti Connect Secure from the Gateway Switcher. See Logging in to Ivanti Neurons for Secure Access.

  2. From the Ivanti Connect Secure menu, click the Insights icon, then select Actions.

    The Actionable Insights page is displayed.

    img/actionable_insights.png
  3. From the Set Actionable Insights for drop-down list, select UEBA Threat Score.

  4. Click Add Actionable Insights.

    img/ai_uebascore.png
  5. Enter a Threshold Value.

  6. In the Current Session section, select the Terminate all the existing sessions of this user when the UEBA threat score reaches the threshold value option. This is selected by default.

  7. From the Subsequent Login section, select one of the following actions to trigger when conditions are met:

    The newly added trigger actions will be supported with the ISAC Client version 22.3R1. For more details, refer KB: https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB45603.

    • Allow subsequent logins with a warning message

    • Offer Multi-factor Authentication during the subsequent logins

    • Deny subsequent logins with a warning message

      A maximum of three thresholds can be created using the subsequent login conditions.

  8. Click Create. A table showing the metric name, threshold value that is set, and the action to trigger when the condition is met, is shown in the Actionable Insights page.

    A confirmation message for the successful creation of the action is displayed. Click Close to close the message box.

    img/ai_ueba_thresholds.png
  9. To modify an action, select the check box corresponding to the action from the list, click the Edit icon, make the changes and then click Update.

  10. To change the sequence of the rule, drag up or down the rule.

  11. To remove one or more actions, select the check box(es) corresponding to the action from the list, and click Delete. Click Yes, Delete to confirm.

When a user session is terminated due to reaching the threshold UEBA Threat score, the following admin log message is generated in nSA: "User <username> session <session id> has been terminated due to UEBA Threat score based Actionable Insights configuration". Select the Logs tab to view the list of log messages.

Generating Reports

The Reports function provides the ability to generate reports from the pre-defined templates or from the custom report. You may choose any of the pre-defined templates from User Activity Summary report, Application Access report, User Risk report or User Session Report. It also provides options to generate reports in PDF, JSON or CSV formats.

Accessing the Reports Page

To access the Reports page:

  1. Log in to the Ivanti Neurons for Secure Access Admin portal as a Tenant Admin, and select Ivanti Connect Secure from the Gateway Switcher. See Logging in to Ivanti Neurons for Secure Access.

  2. From the Ivanti Connect Secure menu, click the Insights icon, then select Reports.

    The Reports page is displayed.

    img/pcs_reports.png

The Reports page provides the following tabs:

  • Report Templates – You can use the Custom Report option or the pre-defined report templates, and go through the wizard to configure and schedule the required report.
  • My Reports – You can view a list of generated reports for all users of this tenant.
    • Click the report name link to view the summary of the configured details.
    • Click the download icon located next to the report to view report in the specified format (PDF, JSON, or CSV)

Configuring a Report

For scheduling a report, you can select one of the pre-defined report templates if that meets your requirement. Otherwise, select the Custom Report option.

Configuring Custom Report

To configure Custom report:

  1. In the Reports page, select Report Templates > Custom Report.

  2. In the Clone page, enter unique name for the report and click Next.

  3. In the Format page:

    1. Select the required charts from User, Device and Application sections.
    2. Select the report format (PDF, JSON, or CSV).
    3. Select the check box if you want to save the report as a template.
    img/pcs_rep_cust_fmt.png
  4. Click Next.

  5. In the Filter page, select the data filter from User, Device, Gateway and Application attributes. Then click Next.

    img/pcs_rep_filter.png
  6. In the Frequency page:

    • Set recurring date range - Click the calendar icon, specify the start date and the end date, and then click Apply.
    • Frequency - Select one of the options:
      • On Demand: Click the calendar icon, select the start date and the end date of the report, and then click Apply.

        img/pcs_report_ondemand.png
      • Daily: Click the time icon and select the start time. Then select the time zone from the drop-down list.

        img/pcs_report_daily.png
      • Weekly: Select the days of the week. Click the time icon and select the start time. Then select the time zone from the drop-down list.

        img/pcs_report_weekly.png
  7. Click Next.

  8. In the Share page, select the admin users from the list to whom the notifications need to be sent, and click Confirm and Schedule.

    img/pcs_rep_share.png
  9. In the Confirm Submission page, verify the details and then click Schedule Report.

    img/pcs_rep_confirm.png
  10. The report will be generated per schedule and listed in the My Reports page.

    • Click the report name link to view the summary of the configured details.
    • Click the download icon located next to the report to view report in the specified format (PDF, JSON, or CSV)
    img/pcs_rep_myreports.png

Configuring Pre-defined Report

To configure pre-defined report:

  1. In the Reports page, select Report Templates > <pre-defined report>.
  2. In the Clone page, enter unique name for the report and click Next.
  3. In the Format page:
    1. Select the required charts from User, Device and Application sections, as applicable. By default, all the pre-defined template charts are selected.
    2. Select the report format (PDF, JSON, or CSV).
  4. Click Next.
  5. Configure the Filter, Frequency and Share pages as described in Configuring Custom Report.
  6. In the Confirm Submission page, verify the details and click Schedule Report.
  7. The report will be generated per schedule and listed in the My Reports page.
    • Click the report name link to view the summary of the configured details.
    • Click the download icon located next to the report to view report in the specified format (PDF, JSON, or CSV)

Managing the Sessions

Ivanti Connect Secure Sessions Management page allows you to manage the Active Sessions, Exported IF-MAP Sessions, Imported IF-MAP Sessions and ActiveSync Devices.

To navigate to Session Management page:

  1. Log in to the Ivanti Neurons for Secure Access Admin portal as a Tenant Admin, and select Ivanti Connect Secure from the Gateway Switcher (9 dots). See Logging in to Ivanti Neurons for Secure Access.

  2. From the Ivanti Connect Secure menu, click the Insights icon, then select Session Management > Active Sessions.

    The Session Management page is displayed. It presents the various sessions tabs to manage the sessions.

    img/pcs_session_mgmt.png
  3. The logs data presented can be sorted based on the column.

  4. To manually refresh the data, click the circular arrow:

    img/icon_circulararrow.png

Managing Active Sessions

To view Active Sessions:

  1. In the Session Management page, select the Active Sessions tab.

    The Users list is displayed.

  2. Click the > icon that is present next to a user name.

    An expanded list shows all the active sessions of that user.

    img/pcs_sm_active_session.png
  3. To view active sessions of all the users, click the Expand/Collapse icon.

    img/icon_expand.png
  4. To view the active sessions in a specific Gateway, select the Gateway from the Gateways list and click Update.

  5. To view sessions based on the risk, select the appropriate option from the Attributes list.

    img/pcs_sn_risk_attrib.png

To terminate user session:

  1. In the Users list, click the > icon that is present next to the user name.

    An expanded list shows all the active sessions of that user. .

  2. Click the Terminate User Session icon available in the Action column corresponding to the session you want to delete.

    img/icon_terminate_session.png
  3. To terminate all the sessions, click the End All Sessions button provided at the top-right corner of the page.

Viewing Exported IF-MAP Sessions

To view Exported IF-MAP Sessions:

  1. In the Session Management page, select the Exported IF-MAP Sessions tab.

    The Exported IF-MAP Sessions page is displayed. The page shows a list of Exported IF-MAP Sessions.

    img/pcs_sm_exported_ifmap.png
  2. You can sort the list based on the column.

  3. To view the sessions by a specific user, enter the username in the Username field and click Update.

  4. To view all the sessions associated to a specific Gateway, select the Gateway from the drop-down list and click Update.

Managing Imported IF-MAP Sessions

To manage Imported IF-MAP Sessions:

  1. In the Session Management page, select the Imported IF-MAP Sessions tab.

    The Imported IF-MAP Sessions page is displayed. The page shows a list of Imported IF-MAP Sessions.

    img/pcs_sm_imported_ifmap.png
  2. You can sort the list based on the column.

  3. To view the sessions by a specific user, enter the username in the Username field and click Update.

To remove session:

  1. In the IF-MAP Imported Sessions page, select the check box(es) present next to the sessions that you want to remove and click the Remove Selected button.
  2. To remove all the sessions, click the Remove All button.

Managing ActiveSync Devices

The ActiveSync Devices page shows all ActiveSync Device sessions that are currently active across all Gateways that are registered with nSA.

To view ActiveSync Devices:

  1. In the Session Management page, select the ActiveSync Devices tab.

    The ActiveSync Devices page is displayed. The page shows a list of devices.

    img/pcs_sm_activesync_dev.png
  2. You can sort the devices list based on the column.

  3. To view the devices accessed by a specific user, enter the username in the Username field and click Update.

  4. To view all the devices associated to a specific Gateway, select the Gateway from the drop-down list and click Update.

To block/unblock one or more devices:

  1. In the Session Management page, select the ActiveSync Devices tab.

    The ActiveSync Devices page is displayed that shows a list of devices.

    The Access Allowed column shows if the device is blocked/allowed for use. The tick mark means the access is allowed for that device.

  2. To block a device, select the check box(es) next to the device that you want to block and click Block Access.

    The device is blocked, and a confirmation message is displayed.

  3. To unblock a device, select the check box(es) next to the blocked device that you want to unblock and click Allow Access.

    The devices is unblocked, and a confirmation message is displayed.

To remove one or more devices:

  1. In the Session Management page, select the ActiveSync Devices tab.

    The ActiveSync Devices page is displayed. The page shows a list of devices.

  2. To remove one or more devices, select the check box(es) next to the device that you went to remove and click Delete.

  3. To remove all the devices, click Delete All.

Viewing Alerts and Notifications

The Alerts page lists all alerts and notifications that have been raised by nZTA.

To view the Alerts page, click the Alerts icon and then click See all Alerts:

img/alerts_notifications_icon.png

The Alerts page appears. For example:

img/alerts_notifications.png

The alerts table supports the following alert types:

  • AAA Config Pull Failure
  • AAA Config Pull Success
  • AAA Config Pull Success - Failure Resolved
  • AAA Journal Update Failed
  • AAA Journal Update Success
  • Config Sync Rule Deleted
  • Config Sync Rule Updated
  • Config Sync Target Cluster Deleted
  • Custom Domain Certificate for mTLS Domain Due for Renewal
  • Custom Domain Certificate for mTLS Domain Expired
  • Custom Domain Certificate for TLS Domain Due for Renewal
  • Custom Domain Certificate for TLS Domain Expired
  • Device Vulnerability Risk Rating (VRR) Critical
  • Device Vulnerability Risk Rating (VRR) High
  • Device Vulnerability Risk Rating (VRR) Medium
  • Device Vulnerability Risk Rating (VRR) Low
  • Gateway Config Apply Failed
  • Gateway Config Import Failed
  • Gateway Disconnected
  • Gateway Invalid Configurations Cleared
  • Gateway Upgrade Failed

To filter the alerts table by type:

  1. Click Configure Alert Rules icon.

    img/alerts_rules_icon.png

    The Configure Alerts & Notifications page appears.

  2. Click Alert Types and select the required type.

  3. Click Close.

To filter the alerts table by time period, click Time Period and select the required time period.

To sort the alerts table into ascending or descending order of a specific property, click on one of the following column headings in the alerts table:

  • Severity
  • Type
  • Message Type