Lesson 13: Real-Time Monitor

Learn how to use Real-Time Monitor to track current Internet activity in your network. Apply filters to focus on traffic with specific characteristics.

Real-Time Monitor provides a simple view into current Internet activity in your network. You control how often the data is refreshed and how much data is available at a time, and you can apply search filters to focus on specific clients, URLs, or types of requests (blocked or permitted).

Unlike other reporting tools, Real-Time Monitor shows only current data.

  • The information comes directly from Usage Monitor, which tracks client activity to generate category and protocol usage alerts.
  • Each record is captured by the Real-Time Monitor database for display. The database contains a limited (configurable) number of records.
  • When the Real-Time Monitor database is full, each new record overwrites an older record. Older information is no longer available in the monitor (though it is available in other reporting tools).

Real-Time Monitor shows activity for one Policy Server at a time. (Policy Server is a component responsible for coordinating other components.)

The Forcepoint Security Manager also connects to one Policy Server at a time, and Real-Time Monitor connects to that same Policy Server at launch. As long as Real-Time Monitor is displayed in the content pane, it changes its Policy Server connection each time the Security Manager changes its connection.

When Real-Time Monitor is open in full screen mode, it remains connected to a single Policy Server, regardless of whether the Security Manager connects to a different Policy Server.

  • The Policy Server IP address is displayed in the Real-Time Monitor title bar.
  • Multiple Real-Time Monitor instances can be run in full screen mode on the same machine, each connected to a different Policy Server.

So if you are a network security administrator, you can monitor your entire deployment by opening a Real-Time Monitor instance for each Policy Server deployed in your network.

Exercise 1: Real-Time Monitor basics

  1. To launch Real-Time Monitor, go to the Reporting > Real-Time Monitor page.
  2. Click Start to populate the page with data. The page shows recent Internet requests, including:
    • The IP address or name of the user who made the request. If user-based policy enforcement is used in your network, and the IP address is shown, mouse over an entry to see the user name.
    • The URL requested. If the URL is truncated, mouse over an entry to see the full URL.
    • Whether or not the requested site was recategorized as a result of Content Gateway analysis.

      An icon indicates that analysis resulted in dynamic recategorization of the site; no icon indicates that the Forcepoint URL Database or administrator-defined custom category was used. Mouse over the icon to see the original category.

    • The Category assigned to the site. The actual category used to filter the request is shown, whether that is the Forcepoint URL Database category, the custom URL category, or the category dynamically assigned as a result of analysis.
    • The Action (permitted or blocked) applied to the request.
    • The Time the request was passed to Real-Time Monitor. Because Real-Time Monitor receives request information from Usage Monitor in real time, rather than reading the request from the Log Database, the request time shown here may not match the request time that appears in investigative and presentation reports.
  3. To review current data, click Pause to prevent the page from continuing to refresh. When you are ready to start monitoring new information, click Start again.

Depending on your current settings, Real-Time Monitor holds a set number of records (250, 500, or 1000), and always displays the latest set of available records. When you pause display of new records to review current data, this can mean that the hundreds or thousands of requests that occur while the display is paused are never displayed in the monitor. (The requests are, however, stored in the Log Database, and appear in investigative and presentation reports.)
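The effect of a pause on a fixed-size record store can be estimated with a short model. The Python below is an added example, not Forcepoint code: the class and function names are hypothetical, the traffic is constructed, and it assumes the display refreshes on every record while running and shows whatever the store currently holds when Start is clicked again.

```python
from collections import deque

CAPACITIES = (250, 500, 1000)  # record limits named in the lesson


class MonitorModel:
    """Bounded record store with a pausable display (simplified model)."""

    def __init__(self, capacity):
        if capacity not in CAPACITIES:
            raise ValueError(f"capacity must be one of {CAPACITIES}")
        self.store = deque(maxlen=capacity)  # a full deque drops its oldest item
        self.paused = False
        self.shown = set()  # ids of every record that reached the display

    def receive(self, record):
        self.store.append(record)
        if not self.paused:
            self.shown.add(record["id"])

    def pause(self):
        self.paused = True

    def start(self):
        # Assumption: on resume the display shows whatever the store holds now.
        self.paused = False
        self.shown.update(r["id"] for r in self.store)


def missed_during_pause(capacity, before, during, after):
    """Return the constructed records that were never displayed."""
    # Constructed sample traffic: every 10th request is blocked.
    traffic = [{"id": i, "action": "blocked" if i % 10 == 0 else "permitted"}
               for i in range(before + during + after)]
    monitor = MonitorModel(capacity)
    for rec in traffic:
        if rec["id"] == before:
            monitor.pause()
        if rec["id"] == before + during:
            monitor.start()
        monitor.receive(rec)
    if monitor.paused:  # pause ran to the end of the sample
        monitor.start()
    return [r for r in traffic if r["id"] not in monitor.shown]


if __name__ == "__main__":
    for cap in CAPACITIES:
        missed = missed_during_pause(cap, before=100, during=1200, after=50)
        blocked = sum(r["action"] == "blocked" for r in missed)
        print(f"capacity={cap}: {len(missed)} never shown, {blocked} of them blocked")
```

In this model the number of records never shown is the number received during the pause minus the store capacity, so a pause shorter than one store's worth of traffic loses nothing from the display.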

If you are a delegated administrator or reporting administrator, you have completed this tutorial. See Where Do I Go Next? for pointers to possible next steps.

If you are a Super Administrator, continue with Lesson 14: Improving web protection software.