control policy that monitored the connection.
The access control rule or default action that handled the
connection, as well as up to eight Monitor rules matched by that connection.
If the connection matched one Monitor rule, the event viewer displays the name of the rule that handled the connection, followed by the Monitor rule name. If the connection matched more than one Monitor rule, the event viewer displays how many Monitor rules it matched, for example, Default Action + 2 Monitor Rules.
To display a pop-up window with a list of the first eight
Monitor rules matched by the connection, click
associated with the configuration that logged the connection.
For Security Intelligence-monitored connections, the action is that of the first non-Monitor access control rule triggered by the connection, or the default action.
Similarly, because traffic matching a Monitor rule is always handled by a
subsequent rule or by the default action, the action associated with a
connection logged due to a Monitor rule is never Monitor. However, you can
still trigger correlation policy violations on connections that match Monitor
Connections either allowed by access control explicitly, or
allowed because a user bypassed an interactive block.
Block, Block with reset
Blocked connections, including:
connections blacklisted by Security Intelligence
encrypted connections blocked by an SSL policy
connections where an exploit was blocked by an intrusion policy
connections where a file (including malware) was blocked by a
For connections where the system blocks an intrusion or file, the action is Block, even though you use access control Allow rules to invoke deep inspection.
Interactive Block, Interactive Block with reset
Connections logged when the system initially blocks a user’s
HTTP request using an Interactive Block rule. If the user clicks through the
warning page that the system displays, additional connections logged for the
session have an action of Allow.
Connections trusted by access control. The system logs trusted
TCP connections differently depending on the device model; see
Logging for Trusted Connections.
Connections handled by the access control policy's default
of connections in a connection summary. For long-running connections, that is, connections that span multiple connection summary intervals, only the first connection summary interval is incremented. To view meaningful results for searches using the Connections criterion, use a custom workflow that has a connection summary page.
of connections that match the information that appears in each row. Note that the Count field appears only after you apply a constraint that creates two or more identical rows. If you create a custom workflow and do not add the Count column to a drill-down page, each connection is listed individually and packets and bytes are not summed.
address of the network device that used ISE to authenticate the user, as
identified by ISE.
endpoint device type, as identified by ISE.
- First Packet or Last Packet
The date and time the first or last packet of the session was seen.
- Initiator/Responder Bytes
number of bytes transmitted by the session initiator or session responder.
- Initiator/Responder Packets
number of packets transmitted by the session initiator or session responder.
User (constrains summaries and graphs)
logged into the session initiator. If this field is populated with
Authentication, the user traffic:
event triggered an indication of compromise (IOC) against a host involved in
analysis policy (NAP), if any, associated with the generation of the event.
or reasons the connection was logged, in many situations. For a full list, see
Connection Event Reasons.
Connections with a Reason of IP Block, DNS Block, and URL Block
have a threshold of 15 seconds per unique initiator-responder pair. After the
system blocks one of those connections, it does not generate connection events
for additional blocked connections between those two hosts for the next 15
seconds, regardless of port or protocol.
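The 15-second suppression window described above is easy to misread when reconciling event counts against blocked traffic. The following is an added example, not Cisco's code or documentation: a small model of that suppression rule applied to a constructed list of blocked connections, so you can see which blocks would surface as connection events. The `BlockedConnection` fields, the non-suppressed reason value in the sample and the sample timestamps are all assumptions made for illustration.

```python
# Added example (not from the product documentation): models the rule that,
# for Reasons IP Block, DNS Block and URL Block, only one connection event is
# logged per unique initiator-responder pair every 15 seconds, regardless of
# port or protocol. Other reasons are assumed here to be logged every time.
from dataclasses import dataclass

SUPPRESS_SECONDS = 15
SUPPRESSED_REASONS = {"IP Block", "DNS Block", "URL Block"}


@dataclass(frozen=True)
class BlockedConnection:
    ts: float          # seconds on a constructed timeline
    initiator: str
    responder: str
    port: int
    protocol: str
    reason: str


def events_for(blocked):
    """Return the blocked connections that would produce a connection event.

    Suppressed reasons are keyed on (initiator, responder) only, so a second
    block on a different port or protocol within the window is still dropped.
    """
    last_logged = {}   # (initiator, responder) -> timestamp of last logged event
    logged = []
    for conn in sorted(blocked, key=lambda c: c.ts):
        if conn.reason not in SUPPRESSED_REASONS:
            logged.append(conn)
            continue
        key = (conn.initiator, conn.responder)
        prev = last_logged.get(key)
        if prev is None or conn.ts - prev >= SUPPRESS_SECONDS:
            last_logged[key] = conn.ts
            logged.append(conn)
    return logged


# Constructed sample: one host repeatedly hitting a blacklisted address.
SAMPLE = [
    BlockedConnection(0.0, "10.1.1.5", "203.0.113.9", 80, "tcp", "IP Block"),
    BlockedConnection(3.0, "10.1.1.5", "203.0.113.9", 443, "tcp", "IP Block"),
    BlockedConnection(9.0, "10.1.1.5", "203.0.113.9", 53, "udp", "DNS Block"),
    BlockedConnection(16.0, "10.1.1.5", "203.0.113.9", 8080, "tcp", "URL Block"),
    BlockedConnection(5.0, "10.1.1.6", "203.0.113.9", 80, "tcp", "IP Block"),
    BlockedConnection(7.0, "10.1.1.5", "203.0.113.9", 445, "tcp", "Other Block"),  # non-suppressed reason, constructed
]

if __name__ == "__main__":
    for e in events_for(SAMPLE):
        print(f"{e.ts:5.1f}s {e.initiator} -> {e.responder} {e.reason}")
```

Of the six blocks in the sample, only four produce events: the 3.0 s and 9.0 s blocks fall inside the window opened at 0.0 s for the same pair, while the block at 16.0 s is logged because the window has expired.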
connections handled by
in multiple context mode, the metadata identifying the virtual firewall group
through which the traffic passed.
Group Tag (SGT) attribute of the packet involved in the connection. The SGT
specifies the privileges of a traffic source within a trusted network. Security
Group Access (a feature of both Cisco TrustSec and Cisco ISE) applies the
attribute as packets enter the network.
of the blacklisted object that represents or contains the blacklisted IP
address in the connection. The Security Intelligence category can be the name
of a network object or group, a blacklist, a custom Security Intelligence list
or feed, or one of the categories in the Intelligence Feed.
information about the categories in the Intelligence Feed, see
Security Intelligence Options.
- TCP Flags
For connections generated from NetFlow data, the TCP flags detected in the connection. When searching this field, enter a list of comma-separated TCP flags to view all connections that have one of those flags.
time of the five-minute interval that the system used to aggregate connections
in a connection summary. This field is not searchable.
- Traffic (KB)
amount of data transmitted in the connection, in kilobytes.
- Total Packets
number of packets transmitted in the connection.