Access Visibility

Abstract

The Access Visibility feature of CloudConnexa provides observability into the traffic that flows through your WPC.

Which private applications are users accessing and when? How can I discover internal private applications that users are trying to access and for which access policies are not set? Are the access policies working as intended? These questions are of vital importance to the implementation of the zero-trust framework. Access Visibility answers these questions by providing you the statistics on access events for every source-destination pair to which traffic is sent or blocked in a manner that is easy to filter and drill down.

Access Visibility analyzes traffic flow logs to provide information about what is being accessed and by whom. Using this information, you can do the following:

  • Check that the Access Groups and per-app firewalls are being enforced.

  • Discover internal services based on the detailed traffic flow information and define services to get more service-oriented access visibility.

  • Identify which Users, Networks, and Hosts are accessing the internet via Internet Gateways.

  • Determine whether there was legitimate or malicious intent when traffic flows get blocked.

  • Troubleshoot any unexpected traffic routing issues.

Caution

Cyber Shield logs and events are separate from the traffic flow logs that Access Visibility analyzes. There is a possibility that traffic flows and the resultant access events shown as 'allowed' in Access Visibility may be blocked by Cyber Shield traffic filtering.

This section provides the definitions of the terms used in the Access Visibility User Interface (UI).

Traffic Flow

A traffic flow is defined as an association created between the data traffic source and the data traffic destination that can be uniquely identified by the following attributes: source and destination IP address, destination port, and the protocol field.

Traffic Source

Traffic Sources are connected Clients and Connectors that initiate a TCP session, UDP flow, or ICMP message that transits through the WPC. Traffic Sources can be Users/Devices in User Groups, Connectors in Networks, and Hosts.

Traffic Destination

Traffic Destinations can be the connected devices of users, internet destinations, and private IP addresses on the connected networks and Hosts that were the intended destination of the traffic from Traffic Sources. Traffic Destinations can be Applications, IP Services, Networks, Hosts, Users/Devices in User Groups, Internet Gateways, and Other. Other contains Access events that couldn’t be linked to any known configured Traffic Destination.

Access Event

An Access Event is generated when a new traffic flow is detected. The traffic flow may be allowed access to the destination or blocked access.

Blocked Access Event Counts

Blocked Access Event Counts is the number of Access Events that were blocked between a Traffic Source and Traffic Destination pair.

Allowed Access Event Counts

Allowed Access Event Counts is the number of Access Events that were allowed between a Traffic Source and Traffic Destination pair.

CloudConnexa Access Visibility provides statistics and information about Access Events when a Traffic Source and Traffic Destination are chosen. Access Visibility filters are an invaluable tool to narrow down the traffic source and destination choices and assist in drilling down to view the statistics of interest.

When choosing a Traffic Source, you may have many choices depending on how many User Groups and connected Networks and Hosts you have. To narrow down these choices, you can use the Destination Filter. The Destination Filter is shown in the screenshot below.

Typically, you want to check whether there was access to one or more specific Traffic Destinations of interest. You don't want to randomly select a Traffic Source and then drill through to check if that source accessed the Traffic Destination of interest. When the Destination Filter is used, you can be sure that the filtered list of Traffic Sources displayed has one or more Access Events associated with the Traffic Destinations set in the filter.

[Screenshot: av-destinations-filter.png]

Once a Traffic Source is chosen, the filter dynamically changes to show the filter fields associated with the selected type of Traffic Source. Destination filter fields that help narrow the choices of Traffic Destinations are also shown. The screenshot below shows the filter with the source filter fields applicable to User Groups, because the selected Traffic Source is a User Group.

[Screenshot: av-usergroup.png]

Once both a Traffic Source and a Traffic Destination are chosen, the filter dynamically shows the fields that apply to the selected Traffic Source and Traffic Destination to help further narrow your choices. The screenshot below shows the filter when the selected Traffic Source is a User Group and the Traffic Destination is an Internet Gateway.

[Screenshot: av-usergroup-application.png]

Follow the steps below to find the number of access events for a specific Traffic Source to a particular Traffic Destination. Refer to Access Visibility Terms.

  1. Check that Access Visibility is enabled. If not, use the toggle beside the Access Visibility heading to turn the feature ON.

  2. Select the applicable time range.

  3. Optionally, use the Destination Filter to narrow the choices of Traffic Sources. Refer to Access Visibility Filters.

  4. Click on a card displayed to select a Traffic Source from one of the three tabs: User Groups, Networks, or Hosts. You can also use the filter in each tab to narrow the choices further.

  5. The next screen lists the Traffic Destinations for the Traffic Source you selected earlier. You can use the source and destination filters to narrow your choices further.

  6. The various Traffic Destination cards show the counts of Allowed and Blocked Access Events for the selected Traffic Source and those Traffic Destinations.

Tutorial showing the use of filters to check Access Events

Follow the steps below for more details on access event counts between traffic sources and destinations. The shown details provide information on the communicating endpoints and the traffic flow between them, such as user and device identity, protocol, port, IP addresses, access event counts, and amount of data transferred.

  1. Follow the steps in Find the Number of Blocked and Allowed Access Events From a Traffic Source to a Destination.

  2. Click on a Traffic Destination card representing the Access Events you want further details on.

  3. An expandable list showing the details of the traffic flows that led to those aggregate Access Event counts is displayed.

  4. Expanding any of those results shows a chart displaying the day and time those Access Events were created.

  5. If the destination is not a configured Application or IP Service, a button called Add IP Service will appear above the chart in the top right corner.

  6. Click Add IP Service to configure an IP Service with the protocol and destination IP address recorded for that access traffic flow if you intend to use the IP Service in Access Groups or Filters later.

Tutorial showing how to get access event counts and details between selected source and destination

Because the Access Visibility feature is in Beta release, some known minor issues are expected.

The list of known issues is as follows:

  • The VPN tunnel reconnection state may cause some response packets from the prior connection to be treated as new traffic flows. This may result in Access Visibility showing Access Event counts with the reconnecting client as the Traffic Destination and high destination port numbers. If you see User Groups as Traffic Destinations with destination port numbers in the 49152 - 65535 range, this known issue is the cause.

  • The past Access Event counts for a User are not assigned to the new User Group when the User Group of a User is changed.

  • Access Events for a deleted User Group are shown, but no Users are shown in the filters because, on deletion of the User Group, all the Users in that group were moved to another User Group.

  • On creating an IP Service, past Access Event counts are not associated with the new IP Service and continue to be displayed as associated with the Host or Network for which the IP Service was created.

  • CloudConnexa blocks internet traffic sent from a Connect application on Windows OS during connection and reconnection when Split-tunnel is set to ON. These blocked Access Events appear associated with the Traffic Destination category of Other.
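As an added illustration (not CloudConnexa's own code) of how the Access Visibility Terms fit together, the model below identifies a traffic flow by source IP, destination IP, destination port and protocol, counts one Access Event per newly seen flow, aggregates Allowed and Blocked counts per Traffic Source / Traffic Destination pair, and separately flags events whose destination port falls in the 49152 - 65535 range described by the first known issue above. The record field names and the sample log are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# IANA dynamic/ephemeral port range; the Known Issues list says Access Events with
# destination ports here usually come from tunnel reconnection, not real access.
EPHEMERAL_LOW, EPHEMERAL_HIGH = 49152, 65535

@dataclass(frozen=True)
class FlowKey:
    """Flow identity per the Traffic Flow definition: the source port is not part of it."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str

def count_access_events(flow_log):
    """Aggregate flow-log records into counts per (Traffic Source, Traffic Destination).

    Records are dicts with assumed field names (not the product's log format).
    An Access Event is counted once per newly seen flow, so later packets of an
    already-seen flow do not inflate the counts.
    """
    seen = set()
    counts = defaultdict(lambda: {"allowed": 0, "blocked": 0, "ephemeral_dst_port": 0})
    for rec in flow_log:
        key = FlowKey(rec["src_ip"], rec["dst_ip"], rec["dst_port"], rec["proto"])
        if key in seen:
            continue
        seen.add(key)
        pair = counts[(rec["source"], rec["destination"])]
        pair["allowed" if rec["action"] == "allow" else "blocked"] += 1
        if EPHEMERAL_LOW <= rec["dst_port"] <= EPHEMERAL_HIGH:
            pair["ephemeral_dst_port"] += 1  # flag the known reconnection artifact
    return dict(counts)

def _rec(source, destination, src_ip, dst_ip, dst_port, proto, action):
    return dict(source=source, destination=destination, src_ip=src_ip,
                dst_ip=dst_ip, dst_port=dst_port, proto=proto, action=action)

# Constructed sample log (hypothetical names and addresses, not real data).
SAMPLE_LOG = [
    _rec("Engineering", "Network: DC1", "100.96.1.10", "10.0.0.5", 443, "tcp", "allow"),
    _rec("Engineering", "Network: DC1", "100.96.1.10", "10.0.0.5", 443, "tcp", "allow"),  # same flow
    _rec("Engineering", "Network: DC1", "100.96.1.10", "10.0.0.7", 22, "tcp", "block"),
    # Response packet after a tunnel reconnect, seen as a new flow back to the client.
    _rec("Network: DC1", "Engineering", "10.0.0.5", "100.96.1.10", 51000, "tcp", "allow"),
]
```

Running `count_access_events(SAMPLE_LOG)` yields one allowed and one blocked event from Engineering to the network, and one allowed event in the reverse direction that the ephemeral-port flag marks as a probable reconnection artifact rather than a real access to the User Group.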