Real-Time Monitor

Use the Reporting > Real-Time Monitor page to review current Internet activity in your network.

Important: If Real-Time Monitor does not display correctly in Internet Explorer, make sure that the Compatibility View button (between the URL and the Refresh button in the browser address bar) is not selected.

Click Start to populate the page with data. The page shows recent Internet requests, including:

  • The IP address or name of the user who made the request.
    • If user-based policies are used in your network, and the user name is shown, mouse over an entry to see the IP address.
    • If a user name is longer than 30 characters, a hyphen (“-”) and the last 30 characters of the name are displayed. If you right-click to add a long user name to the search filter, delete the hyphen character from the filter field and click Show Results to display matching entries.
  • The URL requested.

    By default, if the URL is too long to display in the space provided, the field shows the first 30 characters of the URL, a space, a hyphen (“-”), and a space, and then the last 20 characters of the URL. Right-click the truncated URL to see the entire string.

    Click Customize in the toolbar at the top of the page, then select Show the full URL to change this behavior.

  • Whether or not the requested site was recategorized as a result of Content Gateway scanning.
    • The presence of an icon indicates that the site was dynamically recategorized based on the results of scanning. Mouse over the icon to see the original category.
    • No icon indicates that the Forcepoint URL Database category or custom URL category was used. (This includes sites that were scanned by Content Gateway, but not recategorized.)
  • The Category assigned to the site.

    The actual category used to filter the request is shown, whether that is the Forcepoint URL Database category, the custom URL category, or the category dynamically assigned as a result of scanning.

  • The Action (permitted or blocked) applied to the request.

    Hover the mouse over an entry to see the policy or policies used to determine the action. Multiple policies may be listed if, for example:

    • Multiple group policies could be applied to the same user.
    • A policy is assigned to both the IP address and the user or group.

    When multiple policies are listed, you can use the Test Filtering tool to see which policy takes precedence for a request from the user or IP address shown in Real-Time Monitor.

  • The Time the request was passed to Real-Time Monitor.
    Because Real-Time Monitor receives request information from Usage Monitor in real time, rather than reading the request from the Log Database, the request time shown here may not match the request time that appears in investigative and presentation reports.
    Note: Filtering Service does not forward the log records created for advanced file analysis data to Usage Monitor for inclusion in the Real-Time Monitor display.

To review current data, click Pause to prevent the page from continuing to refresh. When you are ready to start monitoring new information, click Start again.

  • By default, data is refreshed every 15 seconds. To change the update rate, click Customize in the toolbar at the top of the page, then select a new Data refresh rate value.

Depending on your current settings, Real-Time Monitor holds a set number of records (250, 500, or 1000), and always displays the latest set of available records. When you pause display of new records to review current data, this can mean that the hundreds or thousands of requests that occur while the display is paused are not available for display in the monitor. (The requests are, however, stored in the Log Database, and appear in investigative and presentation reports.)

To change how many records are displayed, click Customize in the toolbar at the top of the page, then select a new Number of records shown value.