Threat Map

Threat Map is a visual representation of the source and destination locations around the world for the traffic through your Firebox.

The Threat Map shows only the event types associated with the detailed view you select:

  • Denied Packets (Blocked) — Shows only denied events
  • Blocked Botnet Sites — Only appears if botnet traffic is included in the log messages
  • Intrusion Prevention Service — Shows only denied events
  • Web Traffic — Shows only allowed events
  • Application Control — Shows only allowed events
  • All Traffic — Shows only allowed events

You can pivot on the information in the Threat Map for the source and destination IP addresses (IPv4 or IPv6), based on the view you select. For the Web Traffic, Application Control, and All Traffic views, the destination IP address is used for the location of the traffic. The Denied Packets and Intrusion Prevention Service views use the source IP address for the location of the traffic. The Blocked Botnet Sites view shows the source and destination IP address of the botnet site.

After you select an option in the Threat Map to pivot on, you can click on the details (such as a country or an IP address) to get additional information. For a country, this includes a list of protocols, cities, IP addresses, and hits. For an IP address, this includes a list of all hits, whether it is the source or the destination address, and whether the traffic was allowed or denied.

To see the data in the Threat Map:

  1. Select Home > Devices or Home > Groups.
    The Devices or Groups page opens.
  2. Select a device or group in the list.
    If the Firebox or group has only a logging connection to Dimension, the Executive Dashboard page opens.
    If the Firebox or group has a management connection to Dimension, the Device Summary page opens.
  3. Select Threat Map.
  4. From the Start and End drop-down list calendars, select the start and end dates and times to include in the report data, then click Apply.
  5. From the drop-down list at the top-right corner of the Threat Map, select an option to pivot on this data and change your view of the Threat Map:
    • Denied Packets (Blocked)
    • Blocked Botnet Sites
    • Intrusion Prevention Service
    • Web Traffic
    • Application Control
    • All Traffic

Screen shot of the Threat Map

The colors that appear in the map indicate the number of hits in each geographical location for the selected view.

  • Red — High number of denied events
  • Orange — Medium number of denied events
  • Yellow — Low number of denied events
  • Bright green — High number of allowed events
  • Light green — Medium number of allowed events
  • Grey — No events

If there are IP addresses from unknown geographical locations for the selected view, the Unknown link appears at the top of the map and includes the number of addresses that are unknown.

Screen shot of the Threat Map with the Unknown link

To see information about the unknown IP addresses, click Unknown.
A dialog box appears with this information for each IP address from an unknown location:

  • Domain
  • City
  • IP address
  • Hits
  • Bytes

Screen shot of the Threat Map details dialog box

To see more information about the threats on the map:

  1. From the drop-down list at the top-right corner of the Threat Map, select a pivot option.
    The Threat Map updates to show the selected data.
  2. To zoom in on the map, click a location on the map.
  3. To see the threats from a country, click that country on the map.
    A list of the threats for that country appears.

Screen shot of the Threat Map details dialog box

Threat list with IPv4 addresses.


Threat list with IPv6 addresses.

  4. To see more information about any IP address in the list, click the IP address.
    A dialog box with specific details about the traffic from the selected IP address opens.

Screen shot of the details for an IP address

Threat details for an IPv4 address.


Screen shot of the details for an IPv6 address

Threat details for an IPv6 address.

The IP address location map uses the Google API to identify the current location of the IP address. This lookup is separate from the geolocation recorded in the Firebox log messages, so the two locations can disagree; treat the country shown for an address as approximate rather than authoritative.

For each IP address, these details appear:

  • Time — The date and time of the traffic to the Firebox.
  • Disposition — Whether the traffic was allowed or denied.
  • Source — The origination address for the traffic.
  • Destination — The destination address for the traffic.
  • Hits — The number of hits for the traffic.
  • Additional info — Any other information for the IP address.
  5. To return to the list of threats for a country, click Back to List.
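The pivot rules above (denied views geolocate the source address, allowed views geolocate the destination, unlocatable addresses are counted under Unknown, and the per-address dialog lists every hit regardless of direction or disposition) are easy to get wrong when you rebuild the same picture from exported log data for a report or a SIEM query. The following is an added illustration, not Dimension's own code: it applies those rules to a handful of constructed log records. The GeoIP table, the sample events, the view-to-rule mapping for the five non-botnet views, and the color thresholds are all assumptions made for the example; the page does not state Dimension's actual cutoffs, and the Blocked Botnet Sites view is left out because it locates the botnet site itself, which needs a botnet feed.

```python
import ipaddress
from collections import Counter

# Added example, not Dimension's code. Reproduces the Threat Map pivot rules
# described on the page over constructed log records.

# view -> (disposition the view shows, which address the view geolocates).
# The Blocked Botnet Sites view is omitted (it needs a botnet site feed).
VIEWS = {
    "Denied Packets": ("denied", "src"),
    "Intrusion Prevention Service": ("denied", "src"),
    "Web Traffic": ("allowed", "dst"),
    "Application Control": ("allowed", "dst"),
    "All Traffic": ("allowed", "dst"),
}

# Constructed stand-in for a GeoIP database (assumption): prefix -> country.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "Country A",
    ipaddress.ip_network("198.51.100.0/24"): "Country B",
    ipaddress.ip_network("2001:db8:1::/48"): "Country C",
}

# Internal ranges are checked explicitly rather than with ip.is_private or
# ip.is_global, because Python also treats the documentation ranges used in
# the sample data as non-global.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed log records (assumption): one record per hit, already parsed.
EVENTS = [
    {"time": "2024-01-01 10:00:00", "disposition": "denied", "src": "203.0.113.7", "dst": "192.0.2.10"},
    {"time": "2024-01-01 10:00:05", "disposition": "denied", "src": "203.0.113.9", "dst": "192.0.2.10"},
    {"time": "2024-01-01 10:01:00", "disposition": "denied", "src": "10.0.0.5", "dst": "192.0.2.10"},
    {"time": "2024-01-01 10:02:00", "disposition": "allowed", "src": "192.0.2.10", "dst": "198.51.100.4"},
    {"time": "2024-01-01 10:03:00", "disposition": "allowed", "src": "192.0.2.11", "dst": "2001:db8:1::44"},
    {"time": "2024-01-01 10:04:00", "disposition": "allowed", "src": "192.0.2.11", "dst": "2001:db8:ffff::1"},
]


def locate(ip_text):
    """Return the country for an address, or None when it cannot be located
    (malformed, internal, or outside the GeoIP table)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    if any(ip in net for net in INTERNAL):
        return None
    for net, country in GEO_TABLE.items():
        if ip in net:
            return country
    return None


def threat_map(events, view):
    """Hits per country for one view, plus the addresses that could not be
    located (what the Unknown link at the top of the map counts)."""
    disposition, field = VIEWS[view]
    hits = Counter()
    unknown = set()
    for ev in events:
        if ev["disposition"] != disposition:
            continue
        country = locate(ev[field])
        if country is None:
            unknown.add(ev[field])
        else:
            hits[country] += 1
    return hits, unknown


def color(count, disposition, medium=10, high=100):
    """Map a hit count to the page's color legend. The medium/high thresholds
    are assumptions; the page does not state Dimension's cutoffs."""
    if count == 0:
        return "grey"
    if disposition == "denied":
        if count >= high:
            return "red"
        return "orange" if count >= medium else "yellow"
    return "bright green" if count >= high else "light green"


def ip_details(events, ip_text):
    """Every hit where the address is source or destination, allowed or
    denied, as in the per-address detail dialog."""
    ip = ipaddress.ip_address(ip_text)
    return [ev for ev in events
            if ipaddress.ip_address(ev["src"]) == ip
            or ipaddress.ip_address(ev["dst"]) == ip]


if __name__ == "__main__":
    for view, (disposition, _) in VIEWS.items():
        hits, unknown = threat_map(EVENTS, view)
        print(view, {c: (n, color(n, disposition)) for c, n in hits.items()},
              "unknown:", sorted(unknown))
    print(ip_details(EVENTS, "192.0.2.10"))
```

Note what the sample shows: the same record set produces a map of attacker source countries under Denied Packets and a map of destination countries under Web Traffic, and a denied packet from an RFC 1918 source lands in Unknown rather than on a country, which is the bucket to check when the Unknown count is unexpectedly high.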

Related Topics

About the Home Pages

Use Dimension Tools