Generic selectors
Exact matches only
Search in title
Search in content
post
page
Network Perception and GrayMatter Partner to Deliver OT Cybersecurity Solutions
Network Perception
Generic selectors
Exact matches only
Search in title
Search in content
post
page
How can we help?
Print

Workspace Reports

Updated

NP-View uses reports to present network information related to the open workspace.  These reports are available to all users and can be accessed from the main menu. All of the reports are continuous scroll and can be searched by table or column. Searches can be combined between the table and columns.

Viewing Note:  The reports are displayed with alternate rows shaded in a light gray.  Also, in some columns (e.g., Risks) we also use a light gray text.  We have noticed that some custom calibrations will turn these colors to white.  If the gradient rows or text colors are not displaying on your screen try calibrating your monitor to the default settings to make them visible.

Access rules

This report provides a summary of all device rules loaded into the workspace and can be accessed from the main menu of from the device info panel.

If accessed from the main menu, rules for all devices in the workspace will be displayed. If accessed from the info panel, only the rules for the selected device will be displayed.

  • Action: (RULE_ACTION) Permit, Allow or Deny.
  • Application: (RULE_APPLICATION) Filtered application name associated with the rule (only for next-gen firewall).
  • Bindings (ACL): (RULE_ACL) Name of the access list under which the rule is defined. This is a normalized zone representation of [src zone]:[dst zone]
  • Change Status: used in comparison mode to reflect added, unchanged and removed rules.
  • Comment (Author, Date Status) : User entered comments (or justification) and associated status (verified, to review to revise.
  • Description: (RULE_DESCRIPTION) Remarks from configs associated with rules. Typically found in Cisco and SonicWall devices.
  • Destination: (RULE_DESTINATION) Object group destination for the rule.
  • Device: (RULE_DEVICE) Device host name as defined in a configuration file.
  • Dst Binding: (RULE_DST_BINDING) Outbound interface to which the rule is bound.
  • Dst Criticality: (RULE_DST_CRIT) Criticality of the object group destination (or the parent zone containing the object group destination) as defined by the user on the topology map.
  • Enabled: (RULE_ENABLED) Rule is enabled (True / False). The enabled column gets its value from the firewall config. The parser then decides if the rule is supported (True) or not (False). Disabled rules (value from firewall config) are displayed in the table as False and may have a green or gray text color.
  • First Hit: Timestamp of when rule was first accessed (under development).
  • Hit Count: (RULE_ACL_HITS) Number of times the ACL was accessed (under development).
  • Hit Updated: Timestamp of last hits import. (under development).
  • First Hit: Timestamp of when rule was last accessed (under development).
  • Line #: Line number(s) in the configuration text file where the rule can be found.
  • Object ID: Value for linking rules to comments.  This column must be displayed when exporting the rule table for enrichment and reimport.
  • Risk: (RULE_RISK) Highest risk text for associated Risk Criticality.
  • Risk Criticality: (RULE_RISK_CRIT) Highest criticality assigned by the triggered risk rule.
  • Rule: (RULE_NAME) Name of the rule found in the configuration. If the rule doesn’t have a name (e.g., Cisco devices), the value is populated by NP-View as RULE_X where X is the rule index.
  • Rule Tag: Palo Alto rule tags from firewall
  • Rule UUID: Palo Alto rule UUID from firewall
  • Service: (RULE_SERVICE) Object group service associated with the rule. In a traditional service group , X represents the source port, and Y represent the destination port. For ICMP we store the ICMP types in those fields. For example: “11 to 11” or “3 to 3” represent
    Type 3 — Destination Unreachable
    Type 11 — Time Exceeded
  • Source: (RULE_SOURCE) Object group source for the rule.
  • Src Binding: (RULE_SRC_BINDING) Inbound interface to which the rule is bound.
  • Src Criticality: (RULE_SRC_CRIT) Criticality of the object group source (or the parent zone containing the object group source) as defined by the user on the topology map.
  • Type: (RULE_TYPE) Type of rule (regular or VPN).
  • User: (RULE_USER) Filtered user name associated with the rule.

The source and destination criticalities are calculated based on the higher of the criticalities assigned to the device, network, and zone (aka. binding) that the device is in.

  • if device A is in network N1 and bound to zone Z1 and A is Low, N1 is Medium, and Z1 is High, then the criticality of A will be High (highest criticality based on zone)
  • if A is Medium, N1 is Low, and Z1 is Low, then the criticality of A will be Medium (highest criticality based on device)
  • if A is Low, N1 is High, and Z1 is Medium, then the criticality of A will be High (highest criticality based on network)

Fields with more data than can be shown within the columns with display a + icon which will show the additional data when clicked.  The source, destination and service columns will show related object groups and object data within the + popup.

Columns can be displayed or hidden using the Kebab menu in the upper right corner of the report. Changes to the menu are automatically saved. Additionally, the table can be exported as displayed, with comment history or with object groups. Only visible columns will be displayed.

Columns can be sorted, rearranged or resized and changes will be automatically saved.  Column filters can be displayed.  Filters applied to the table or column will automatically be saved. Filters can be reset from the kebab menu. The default sort order for the table is ‘Device’ then ‘Line #’.  To reset to the default sort order, open the Kebab menu and click “Clear all filters”.

Access rule commenting

Comments can be added to a row by double-clicking on the cell in the column “Comment”.  Comment text and status can be added and then saved with the save button.

Once the comment is saved, the author and time stamp are automatically added.

Additional comments can be added and the history of comments can be displayed. Comments can only be added to the history, editing and deleting is not supported.

The history of comment changes can be viewed by clicking the clock icon in the left most column. If there is no comment history the clock icon will be disabled.

Access rules are uniquely tagged (Object ID) within NP-View for linkage to comments and risks.  The tag (hash) is calculated based on a hex converted combination of the following data fields.  Available data varies based on manufacturer so, some fields may not apply to specific manufacturers.  Most of the fields are defined above. For the fields unique to the hash, they are documented below.

If any of the data in these fields changes, the tag will change and previously linked comments and risks will no longer be associated with this rule.

Universal Variables:

  • ‘Binding (ACL)’ (Source binding : Destination binding)
  • ‘Destination’ (group contents excluding group names*)
  • ‘Service’ (group contents excluding group names)
  • ‘Source’ (group contents excluding group names)
  • ‘Application’ (group contents excluding group names*)

Vendor-specific Variables:

  • ‘Action’
  • ‘direction’ – is used to set some rules to isolate guests from LAN so that rules in the VLAN section of the firewall be set. Each specific network is going to have a set of rules. Depending on the rules created, each traffic will be labeled in, or out, or both.
  • ‘Enabled’
  • ‘scope’ – is for the traffic zones used in their networks. Rules can be created based on the parameters of interzone, intrazone, and universal.
  • ‘Type’

*If the group name changes but the contents stay the same, the object_id will not change.

Additional Features

  • The Compare button invokes a time series comparison function for the report.   Additional details on this function can be found here.
  • Comments can be imported from an Excel file.  Additional details on this function can be found here.
  • Conditional formatting can be applied to this table report.  Additional details on this function can be found here.

Asset Inventory

This report provides a summary of all assets loaded into the workspace including: Firewalls, Routers, Switches, Gateways and Hosts. If an IP address is displayed as 0.0.0.0 this device has an IP address assigned by DHCP and while the device was detected, an IP address could not be extracted. Unmapped hosts have enough information for identification but not for mapping purposes on the topology map. For some devices there may be a large number of hosts defined in Asset Inventory but less are showing on the topology map.  These ‘invisible’ hosts are located behind mapped gateways and can be seen in the gateway’s peer list.


  • Alias: List of alternative names identified in configuration(s), separated by “:”.
  • Category: User assigned category from the topology map.
  • Created At: Time and date when the device was added to the workspace.
  • Created By: Files used to create the device or host.
  • Criticality: User assigned criticality from the topology map.
  • Description: Description from the configuration file if available.
  • IP address: IP address of the device, gateway, or host.
  • Label: Initially mirroring the Name field but can be changed by the user on the topology map and represented in this field.
  • Name: Device host name as defined in a configuration file.
  • OS: Host operating system derived from third party data files,
  • Services: Host services derived from third party data files,
  • Type: Device type; firewall, router, switch, gateway, host, unmapped host.
  • Updated At: Time and date when the device was last updated (configuration change).
  • Updated By: Type of file used to update the device.
  • + Comment: Drop down for user entered comments (or justification) and criticality levels (low, medium, high).
  • Comment Count: Label less column that indicates the number of comments available for each asset.

Object Groups

This report provides a summary of network ACL object groups including:  Host IP addresses, network address of group members, and nested object groups. Object Groups classify users, devices, or protocols into “groups” and apply those groups to Access Control Lists (ACLs) to create access control policies for those groups.  This report can be accessed from the main menu of from the device info panel.

If accessed from the main menu, objects for all devices in the workspace including globals will be displayed. If accessed from the info panel, only the objects for the selected device will be displayed. When data is loaded from a firewall vs Network Management system, the listing of object groups for addresses may vary.

  • When viewing data from a network management system, globally defined groups may be available.
  • When the data is loaded from the firewall, the global addresses may be presented as local addresses.

Objects consist of several types including Address, Service, Binding, Interface, and Zone.

  • Change Status: used in comparison mode to reflect added, unchanged and removed objects.
  • Comment: (Author, Criticality, Date) User entered comments (or justification) and criticality levels (low, medium, high).
  • ID: NP object identifier
  • Internal: NP object identifier
  • Luid: NP object identifier
  • Name: (OBJECT_NAME) Name of the object group which may include:
    • Any IP address–includes a range from 0.0.0.0 to 255.255.255.255
    • Host IP addresses
    • Hostnames
    • Other network object groups
    • Ranges of IP addresses
    • Subnets
  • Object ID: Value for linking rules to comments.  This column must be displayed when exporting the object table for enrichment and reimport.
  • Origin: (OBJECT_ORIGIN) Name of the device containing the object definition
  • Type: (OBJECT_TYPE) Address, Service, Zone or Protocol
  • Unused Status: (OBJECT_STATUS) Cisco, Juniper and Fortinet status column which defines if the rule is not used.  True = Unused.
  • Value: (OBJECT_VALUE) Content of the object group

Fields with more data than can be shown within the columns with display a + icon which will show the additional data when clicked.  The name column will show related object data details within the + popup.

Columns can be displayed or hidden using the Kebab menu in the upper right corner of the report. Changes to the menu are automatically saved. Additionally, the table can be exported as displayed, with comment history or with object groups. Only visible columns will be displayed.

Columns can be sorted, rearranged or resized and changes will be automatically saved.  Column filters can be displayed.  Filters applied to the table or column will automatically be saved. Filters can be reset from the Kebab menu. The default sort order for the table is ‘Origin’.  To reset to the default sort order, open the Kebab menu and click “Clear all filters”.

Object group commenting

Comments can be added to a row by double-clicking on the cell in the column “Comment”.  Comment text and status can be added and then saved with the save button.

Once the comment is saved, the author and time stamp are automatically added.

Additional comments can be added and the history of comments can be displayed. Comments can only be added to the history, editing and deleting is not supported.

The history of comment changes can be viewed by clicking the clock icon in the left most column. If there is no comment history the clock icon will be disabled.

Object groups are uniquely tagged (Object ID) within NP-View for linkage to comments. The tag (hash) is calculated based on a combination of the following data fields.  Available data varies based on manufacturer so, some fields may not apply to specific manufacturers.  Most of the below fields are defined above. For the fields unique to the hash, they are documented below.

If any of the data in these fields changes, the tag will change and previously linked comments and metadata will no longer be associated with this object.

  • OBJECT_NAME
  • OBJECT_TYPE
  • OBJECT_ORIGIN
  • OBJECT_VALUE
  • OBJECT_STATUS
  • OBJECT_TAG –

Additional Features

  • The Compare button invokes a time series comparison function for the report.   Additional details on this function can be found here.
  • Comments can be imported from an Excel file.  Additional details on this function can be found here.
  • Conditional formatting can be applied to this table report.  Additional details on this function can be found here.

Risks & Warnings

When a potential risk or warning is identified, it is logged in the “Risks and Warnings” table with a time and date stamp.  Each potential risk is assigned a “type” (Risk or Warning) and a Criticality (High, Medium, Low) based on the active policies in the Policy manager. Additionally, the device name and a description of the infraction is listed with the status (New, Confirmed, Resolved, False Positive, Will Not Fix or Fixed).

Risk & Warning Status and Life Cycle

For new risks or warnings, the expectation is that the user will review each item, determine if the issue needs to be addressed and they can manually change the action status accordingly.

  • new
  • confirmed: new risks or warnings that are acknowledged by the user as a valid problem to address
  • resolved: risks or warnings that are closed because the problem has been addressed
  • false positive: risks or warnings that are closed because they are not a valid problem to address
  • will not fix: risks or warnings that are closed because it was decided to not address them

Upon subsequent network updates, the system will adjust the status if required. For example:

  • If the user marks a risk as Resolved and upon the next network update the risk is still identified, the status will automatically be changed to Confirmed.
  • If upon the next network update the risk is no longer identified, the status will be changed to Fixed. Fixed items are removed from the list after a period of 7 days.
  • Time: (RISKWARNING_TIMESTAMP) Date and Time the potential risk was identified:
  • Type: (RISKWARNING_TYPE) Risk or Warning.
  • Criticality: (RISKWARNING_CRITICALITY) High, Medium or low as defined by the identifying policy and requirements.
  • Workspace: (RISKWARNING_WORKSPACE) Name of the workspace containing the potential risk or warning.
  • Device: (RISKWARNING_DEVICE) Name of the device containing the potential risk or warning.
  • Description: (RISKWARNING_DESCRIPTION) Description of the potential risk or warning.
  • Status: (RISKWARNING_STATUA) Current status as defined above.
  • Action: Action options as defined above.
  • + Comment: Drop down for user entered comments (or justification) and criticality levels (low, medium, high).
  • Comment Count: Label less column that indicates the number of comments available for each asset

Comparison Report – Show History

Access Rules and Object Groups have a Compare function to show historical differences in data that has been added or removed. The function can be engaged by clicking the “Compare” button located at the top of the page. This function is used to display changes over a period of days.

The user can select a time frame (7, 30, 90 or 356 days or a custom date range). The user can select one or more devices to include in the report and then show the history over the range. Once the parameters are selected, the “Show Comparison” button should be selected.

The comparison function will display all changes (Rule Adds, Rule Removal and Unchanged Rules) for the selected days. The data will be displayed using the column format of the selected table. The user can filter on added, removed or unchanged rules by clicking the jelly bean. Added rules will be highlighted in green, removed rules will be highlighted in red and unchanged rules will be highlighted in light blue.

Clicking the “Compare” button will revert to the normal table but will not clear the selections.

Clicking the “Reset” button will clear the selections and reset the table.

Conditional Formatting – Table Highlighting

NP-View reports use highlighting to help the user quickly identify important information.  The highlighting is controlled by the Table Highlight tab under the Policy manager function.

To learn more about Table Highlighting and the Policy Manager refer to the Policy Manager article.

Report Personalization

The table reports can be personalized by each user.  Individual columns can be sorted ascending or descending as well as pinned to the left or right which will fix the column during scrolling.

The report can also be personalized by adding or removing columns. By clicking the Kebab menu in the upper right, a list of columns will be displayed. The user can enable and disable specific columns for viewing.  After selection is final, click the save button to retain the settings.

Displayed columns can also be personalized.  The user can change the column size (drag between columns) and order of the columns (drag from header).

The updated configuration will apply to all reports of the same type across workspaces by user when the save button in the upper right is selected.

Note:  Select reports have data export and import capabilities.  Details on these features can be found here.

System Logs

The system logs features shows a detailed sequence of tasks attempted and completed.  This log is primarily used for system debugging and contains information, errors and warnings derived during system operation.  The system log feature has three views, Workspace, User, and System.  The System view is accessible only by the Administrator and shows the overall operation of system across users and workspaces.  The workspace and user views are available to the Administrator and Workspace Admin.  The user view shows the actions taken by the current user on the open workspace.   The Workspace view shows system actions for the open workspace.  The views can be filtered to show only information, errors, warnings or all.  Errors are generated when a system operation fails to complete.  Warnings are generated during data parsing and when policy / requirement infractions are identified.

Background Tasks

The background task functions shows the status of each task spawned by a data import, merge, analysis or running policy. A parsing task indicates the imported file is being normalized and hosts inferred.  Merge tasks combine the blueprints into the topology map. Analysis defines all of the paths and open ports.  Policies review the active requirements to identify potential risks for review or to provide cell / text highlighting for reports.

The report displays the task name, its progress, the workspace the task is running, the user who owns the task and the time it started or ended.  The check box allows the user to filter on the tasks pertinent to the current workspace.  The X allows the user to cancel a task that may be running too long or be stuck for some reason.

The user can also cancel all tasks within a workspace using the “Cancel All for this Workspace” button.

Tip: Click on the active spinner on the topology map to invoke the Background Task report.

Change Tracking

As modifications are made to the network and the updated configuration files are imported, the NP-View automatically detects the changes and logs them in the Change Tracking table. For each change, the timestamp, action, device, and description are recorded.

The actions recorded are as follows:

File import – for each file uploaded, of the following statuses will be displayed

  • successful import” – file imported successfully
  • ignored file: <filename> – unknown file type, ignored
  • failed import” – file failed to import, review help center for reason

Topology map – for each file uploaded, of the following statuses will be displayed for the topology map

  • device path information” – triggered if the connectivity matrix changes
    • Path can be added or removed
    • Assets refers to destination IP addresses
    • Services refers to the unique ports (or any) associated with the imported device
    • Details on the above can be viewed in the Connectivity paths
  • topology updated” – indicates the topology map has been successfully updated
  • topology failure” – indicates the topology map has failed, review help center for reason

Connectivity Paths – for each file uploaded, of the following statuses will be displayed for the workspace

  • workspace analysis updated” – all other tables have been successfully updated

Changes are displayed by calendar day. At the top of the table is a drop down that allows the user to select which day to review. The default is the current day.

The change tracking table can be searched, sorted by any column, switched to a list view, exported, and configured with alternate columns if required. These functions are available in the upper right corner of the table.

Connectivity Paths

This report provides a summary of network paths and their analysis results. By clicking on a specific rule sequence, the associated access rule can be displayed for review and comment.

See additional details here.

Compare path history

This interactive report provides a network path comparison between two points in time. When a configuration file is added to the system and is different from the previously imported file, a new “Version” is created.  The user can select two versions to compare.  The resulting table will display the changes between the two files. Removals in the left column and adds in the right column.

See additional details here.

Table of Contents

Network Perception 2023. All Rights Reserved.

Linkedin Twitter Youtube

Subscribe to the Newsletter!