The device analyzes the health status of hosts and displays the number of compromised hosts and the distribution of security events in graphs and tables. You can view a summary of the security status of all hosts, or a detailed security analysis report for a single host, and take prevention actions based on the asset security information.
To analyze asset traffic, you must configure the asset address range. The device will identify the specified range as the internal network and addresses outside the range as the external network, and then analyze the internal-internal, internal-external, and external-internal network traffic.
If you do not configure an asset address range, the device will only analyze the Trust-Trust, Trust-Untrust, and Untrust-Trust inter-zone traffic, identifying the Trust zone as the internal network and the Untrust zone as the external network. Traffic from other security zones will not be analyzed.
Support of non-default vSystems for this feature depends on the device model. This feature is available on the Web interface only if it is supported.
The detailed security analysis report for a single host displays only the statistics over the past 7 days, 14 days, or 30 days.
If the page does not display data, the following are possible reasons:
The device does not detect attacks.
The current traffic is not within the asset address range being analyzed.
A hard disk or USB disk is not correctly installed on the device.
After the device reboots, the system continues to analyze the history data that has not been analyzed and analyzes newly generated data only after all history data is analyzed. If a large amount of history data exists, the system might be unable to analyze newly generated data in time.
Click the Monitor tab.
In the navigation pane, select Synthetic Analysis > Security Analysis.
The page displays the security events and vulnerability severity information for all hosts.
In the upper right corner of the page, click Asset Address Range to configure the asset address range.
To filter the hosts to be displayed, you can use host IP, risk level, and vulnerability severity as filters. For information about risk levels, see "Appendix."
To view the detailed security analysis report for a single host, click the host name in the table.
The report contains basic information (such as host name and risk level), threat information, and details (the security event list).
To block a host as a source or destination and add it to the blacklist, click Block in the Handle column for the host. By default, the blacklist entry for the host never ages out. To set an aging time for the host, navigate to the Policies > Active Defense > Blacklist > IP Blacklist page. By default, only public hosts can be blocked.
Table-1 Risk level description

| Risk level | Description |
| --- | --- |
| Vulnerable | Vulnerabilities were detected on the host, but the host has not been attacked. For example, vulnerability scanning might have found that vulnerable ports 138 and 139 are open on the host. |
| Attacked | Malicious attacks against the host were detected. For example, the host might be suffering DDoS attacks, SQL injection attacks, or bot activity. |
| Controlled | Abnormal outbound behaviors were detected on the host. For example, the host might have communicated with a C&C server, or with an IP address, URL, or domain name associated with known malware or a worm. |
| Spread | Attacks from the host to other hosts were detected. For example, the host might have initiated port scanning or brute-force attacks against other hosts. |
| Damaged | File leakage was detected on the host, or threats to other hosts or databases originating from the host were detected. For example, mining or ransomware malware might exist on the host. |