Firewall Dashboard

Traffic analysis, rule management, and threat blocking.

The Firewall dashboard monitors network traffic, manages access rules, and blocks malicious connections in real-time.

Interface Overview

1. Traffic View

Live network traffic display:

| Column | Description |
| --- | --- |
| Time | Connection timestamp |
| Source IP | Origin of the connection |
| Dest IP | Target of the connection |
| Port | Destination port |
| Protocol | TCP, UDP, ICMP |
| Action | Allowed, Blocked, Flagged |
| Bytes | Data transferred |

2. Blocked Items

Lists of blocked entities:

  • Blocked IPs - Known malicious sources
  • Blocked Domains - Malware/C2 domains
  • Blocked Countries - Geographic restrictions
  • Blocked Ports - Restricted services

3. Active Rules

Firewall policies in effect:

RULE 1: ALLOW TCP 10.0.0.0/8 -> ANY:443 (HTTPS Internal)
RULE 2: BLOCK TCP ANY -> ANY:23 (Telnet)
RULE 3: ALLOW UDP ANY -> 8.8.8.8:53 (DNS Google)
RULE 4: BLOCK ANY 185.243.0.0/16 -> ANY (Threat Intel)

4. Threat Intelligence

Real-time threat feeds:

  • IP reputation scores
  • Known C2 servers
  • Malware distribution sites
  • Phishing domains

Key Features

Traffic Analysis

Investigate network patterns:

  1. Filter by source/destination IP
  2. Look for unusual ports or protocols
  3. Check data volumes (large transfers = potential exfil)
  4. Identify beaconing patterns (regular intervals)

Quick Actions

Respond to threats immediately:

| Action | Use Case |
| --- | --- |
| Block IP | Stop traffic from malicious source |
| Block Domain | Prevent DNS resolution to C2 |
| Allow IP | Whitelist false positives |
| Create Rule | Custom traffic policy |

Connection Patterns

Watch for these suspicious patterns:

  • Beaconing - Regular connections at fixed intervals (C2)
  • Port Scanning - Connections to many ports in sequence
  • DNS Tunneling - Unusual DNS query volumes
  • Lateral Movement - Internal-to-internal unusual traffic

Alert Types

| Severity | Examples |
| --- | --- |
| Critical | Known C2 connection, active exfiltration |
| High | Connection to threat intel IP, port scan |
| Medium | Unusual outbound port, high volume transfer |
| Low | Blocked connection attempt, policy violation |

Investigation Workflow

  1. Alert triggers - Firewall flags suspicious traffic
  2. Check IP reputation - Is the IP on threat lists?
  3. Review connection history - First time or repeated?
  4. Correlate with XDR - What process initiated this?
  5. Decision - Block, allow, or investigate further

Tips for Success

Beaconing is a key indicator of C2 - look for connections that happen at regular intervals (every 5 minutes, every hour, etc.).

  1. High-port to high-port traffic is often suspicious
  2. Connections to IPs without DNS resolution deserve scrutiny
  3. An internal host connecting to many other internal hosts suggests lateral movement
  4. Look for geographic anomalies (connections to unexpected countries)
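As an added example (not code from the SOC Simulator itself), the Python below applies the beaconing check described under Traffic Analysis, Connection Patterns and the tips above to a few constructed rows laid out like the Traffic View columns. The IPs, timestamps and byte counts are made up, and the jitter threshold is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample rows in the Traffic View layout:
# (Time, Source IP, Dest IP, Port, Protocol, Action, Bytes). All values are made up.
TRAFFIC = [
    # Host 10.0.0.12 reaches the same destination every ~5 minutes: a beacon.
    ("2024-01-15 09:00:00", "10.0.0.12", "203.0.113.5", 443, "TCP", "Allowed", 512),
    ("2024-01-15 09:05:01", "10.0.0.12", "203.0.113.5", 443, "TCP", "Allowed", 498),
    ("2024-01-15 09:09:58", "10.0.0.12", "203.0.113.5", 443, "TCP", "Allowed", 530),
    ("2024-01-15 09:15:02", "10.0.0.12", "203.0.113.5", 443, "TCP", "Allowed", 505),
    ("2024-01-15 09:20:00", "10.0.0.12", "203.0.113.5", 443, "TCP", "Allowed", 511),
    # Ordinary browsing from another host: irregular gaps, should not be flagged.
    ("2024-01-15 09:00:10", "10.0.0.33", "198.51.100.7", 443, "TCP", "Allowed", 20480),
    ("2024-01-15 09:00:42", "10.0.0.33", "198.51.100.7", 443, "TCP", "Allowed", 9210),
    ("2024-01-15 09:17:05", "10.0.0.33", "198.51.100.7", 443, "TCP", "Allowed", 15000),
    ("2024-01-15 09:18:11", "10.0.0.33", "198.51.100.7", 443, "TCP", "Allowed", 3300),
    ("2024-01-15 09:40:30", "10.0.0.33", "198.51.100.7", 443, "TCP", "Allowed", 7700),
]


def find_beacons(rows, min_connections=4, max_jitter=0.1):
    """Return (src, dst, port, interval_seconds) for each flow whose inter-arrival
    times are nearly constant. max_jitter (assumed tuning value) is the largest
    allowed ratio of standard deviation to mean gap; real C2 adds some jitter,
    so a tolerance is needed rather than requiring exactly equal gaps."""
    flows = defaultdict(list)
    for t, src, dst, port, *_ in rows:
        flows[(src, dst, port)].append(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"))

    beacons = []
    for key, times in flows.items():
        if len(times) < min_connections:
            continue  # too few samples to call an interval "regular"
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((*key, round(avg)))
    return beacons


if __name__ == "__main__":
    for src, dst, port, interval in find_beacons(TRAFFIC):
        print(f"possible beacon: {src} -> {dst}:{port} every ~{interval}s")
```

The flagged flow is a starting point for the Investigation Workflow above (reputation check, connection history, XDR correlation), not a verdict on its own.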
