Application flows

The application's FLOWS tab enables you to manage an application's traffic flows.

Flows describe traffic to and from servers, which are represented by network objects, via a specific service. Flows may also specify a user or network application, and include other fields, such as comments.

Flow types

AppViz applications include the following types:

Application flows Flows that are custom-built for a specific application.
Shared flows

A semi-custom flow that can be relevant for many applications.

Shared flows are templates with empty source and destination values, which are provided by a subscribing application.

Note: For shared flows when user awareness is enabled, the User field will be treated the same way as the Source field. When the source is the place holder, the user will also be a place holder.
Subscribed flows An instance of a shared flow that's customized for a specific application, with its source and destination fields provided by the application.

Back to top

FLOWS tab interface

The FLOWS tab displays all of your application's flows and details in a series of tables.

Do any of the following:

  • Click a column heading to sort the table by that column, and click it again to reverse the sort order.
  • Hover over a network object or service to display its contents.
  • Click a network object to display further details, including its name, type, origin, and addresses.

For more details, see:

Note: Adding, removing, or editing an application's flows changes the application's revision to draft. The flow is not updated in the related network security policy until the draft revision is returned to active. For more details, see Application dashboard.

Tip: AppViz also enables you to import flows from a discovery server or a CSV file. Importing flows also matches, or updates matching details, with AppViz applications. For more details, see Discover applications.

Back to top

Flow connectivity status

Every flow has a connectivity status. The traffic each flow represents may be allowed or blocked by the current network security policy. The flows tab indicates the connectivity status of each flow with colored strips on each side of the flow. Additionally, hovering over the strip reveals a tool tip with the connectivity status for the flow.

Note: The connectivity status of each flow contributes to the connectivity status of the application. For more details, see Business applications.

Allowed

If AppViz is configured to differentiate between unprotected traffic and traffic that is explicitly allowed, the green strips for unprotected traffic are striped. For more details, see Configure advanced AppViz properties

Blocked or Partially blocked.

Note: You can determine whether the flow is blocked or only partially blocked by hovering over the strip. The tool tip which appears is specific.

No strip

No connectivity information

Note: Abstract flows are indicated with pale blue stripes, but this is not a connectivity status for the flow. An abstract flow is a flow that does not represent any real traffic. Therefore, connectivity information is not relevant. For details, see View a network object.

Back to top

Add flows to your application

This procedure describes how to add an application or shared flow to your application.

Tip: Alternately, subscribe to another application's shared flows. For more details, see Subscribe to another application's shared flows .

Do the following:

  1. View the application for which you want to add a flow.

  2. Click the FLOWS tab, and then click Edit Flows.

    All the flows for the application appear in an editable format.

  3. In the +Add Flow drop-down menu, select the flow type.

    An empty flow appears at the bottom of the relevant list for the selected flow type.

  4. To re-order flows, drag and drop the desired flows up or down.

  5. For a shared flow, select the placeholder.

    The placeholder is the field that is customizable for any application subscribing to it.

    Note: When user awareness is enabled, the User field will be treated the same way as the Source field. When the source is the placeholder, the user will also be a placeholder.

  6. Complete the fields as needed. For details, see Flow fields.

  7. Click Save Changes.

    The Save Changes window appears.

    • To save changes, click Save Changes.

      The flow is updated, and this version of the application is saved as a draft revision.

    • To save changes and apply the draft, do the following:

      1. Click Save and Apply Draft.

        The Apply Draft dialog box appears, describing the FireFlow change request that will be created to add or remove traffic flows for the application in the network security policy. If traffic flows have been removed from the application, but the traffic intersects the needs of another application, a FireFlow change request will not be created to remove the traffic.

      2. Click OK.

        The flows are updated and the draft is applied. This may take a few minutes.

Note: The Save and Apply Draft option is disabled when the application has a revision pending implementation.

Name

Type the name of the flow.

Source

Type the flow's source, or utilize the following features to aid you in selecting a source:

  • Click the field to view recent objects, and then select the source from the list.
  • Start typing, and then select the source from the list of auto-completed options.
  • Use the Network object lookup wizard. For details, see Business applications.
  • Create a new object. For details, see Add a new network object.

User

Type the flow's user, or utilize the following features to aid you in selecting a user:

  • Click the field to view recent users, and then select the user from the list.
  • Start typing, and then select the user from the list of auto-completed options.

Note: "Any" is the default value in the User field.

This field only appears when user awareness is enabled. For more details, see Configure applications.

Destination

Type the flow's destination, or utilize the following features to aid you in selecting a destination:

  • Click the field to view recent objects, and then select the destination from the list.
  • Start typing, and then select the destination from the list of auto-completed options.
  • Use the Network object lookup wizard. For details, see Business applications.
  • Create a new object and add it to the flow. For details, see Add a new network object.

Service

Type the flow's service, or utilize the following features to aid you in selecting a service:

  • Click the field to view recent objects, and then select the service from the list.

  • Start typing, and then select the service from the list of auto-completed options.

  • Use the Service Lookup wizard. For details, see Business applications.

  • Create a new object and add it to the flow. For details, see Add a new service.

    Note: Additional services cannot be added to a flow that already has the application-default service (this service represents the default service behind selected network applications). You can click x in the Service column to remove this service.

Network Application

Type the flow's network application, or utilize the following features to aid you in selecting a network application:

  • Click the field to view recent network applications, and then select the network application from the list.
  • Start typing, and then select the network application from the list of auto-completed options.
  • Use the Network application lookup wizard. For details, see Business applications.

Note: "Any" is the default value in the Network Application field.

This field only appears when application awareness is enabled. For more details, see Configure applications.

Comments

Type a comment for the flow. This field is optional.

Any custom field

There may be other flow fields if custom fields have been added. For more details, see Custom fields.

To re-order the flows in the application, drag and drop a flow by this icon. The icon appears to the left of a flow when you hover over it.

To add a new network object:

  1. Click +New.

    The Add New Network Object window appears.

  2. Select the Type of network object: Host, Range, Group or Abstract. For more details, see Network objects.

  3. In the designated fields, type the following information for the new network object:
    • Name
    • IP Address, IP Addresses, or Members. Abstract objects do not have an address until conversion.)

  4. Click OK.

    The new network object is added to the field.

To add a service to a flow:

  1. Click Add New Service.

    The Add New Service window appears.

  2. In the designated fields, type the following information for the new service:

    • Name
    • Protocol
    • Port

    Note: If you've defined the Protocol as ICMP, use the Port field to define the ICMP type.

  3. To add additional services to the service object, do the following:

    1. Click Add new service.

      Additional Protocol and Port fields appear.

    2. Complete the fields.
    3. To remove a service, click .
  4. Click OK.

The new service object is added to the field.

Back to top

Edit an application's flows

To edit a flow:

  1. View the application for which you want to edit a flow. For more details, see Business applications.

  2. Click the Flows tab.

    The Flows tab appears.

  3. Click Edit Flows.

    All the flows for the application appear in an editable format.

  4. To re-order flows, drag and drop the desired flows up or down.
  5. Complete the fields as needed. For details, see Flow fields.

  6. Click Save Changes.

    The Save Changes Dialog box appears.

    • To save changes, click Save Changes.

      The flow is updated, and this version of the application is saved as a draft revision.

    • To save changes and apply the draft, do the following:

      Note: The Save and Apply Draft option is disabled when the application has a revision pending implementation.

      1. Click Save and Apply Draft.

        The Apply Draft dialog box appears, describing the FireFlow change request that will be created to add or remove traffic flows for the application in the network security policy. If traffic flows have been removed from the application, but the traffic intersects the needs of another application, a FireFlow change request will not be created to remove the traffic.

        For more details, see Business applications.

      2. Click OK.

        The flows are updated and the draft is applied. This may take a few minutes.

Back to top

Remove flows from your application

To remove a flow:

  1. View the application for which you want to remove a flow. For more details, see Business applications.

  2. Click the Flows tab.

    The Flows tab appears.

  3. Click Edit Flows.

    All the flows for the application appear in an editable format.

  4. Click on the row of the flow you want to remove.

  5. Click Save Changes.

    The Save Changes Dialog box appears.

    • To save changes, click Save Changes.

      The flow is updated, and this version of the application is saved as a draft revision.

    • To save changes and apply the draft, do the following:

      Note: The Save and Apply Draft option is disabled when the application has a revision pending implementation.

      1. Click Save and Apply Draft.

        The Apply Draft dialog box appears, describing the FireFlow change request that will be created to add or remove traffic flows for the application in the network security policy. If traffic flows have been removed from the application, but the traffic intersects the needs of another application, a FireFlow change request will not be created to remove the traffic.

        For more details, see Business applications.

      2. Click OK.

        The flows are updated and the draft is applied. This may take a few minutes.

Back to top

Subscribe to another application's shared flows

Applications can subscribe to another application's shared flows. The subscribing application specifies a custom value for the shared flow's placeholder/missing field. For more details, see Add flows to your application.

By default, the application containing the shared flow is responsible for all of the shared flow's subscriptions. If desired, you can configure AppViz to treat the applications subscribed to the shared flow as responsible for the traffic. For more details, see Configure advanced AppViz properties

To subscribe to an application:

  1. View the application for which you want to add subscribed flows (the "subscriber" application). For more details, see Business applications.

  2. Click the Flows tab.

    The Flows tab appears.

  3. Click Edit Flows.

    All the flows for the application appear in an editable format.

  4. Next to the Add Flow button, click the Subscribe to application... link.

    The Add Subscribed Flows window appears.

  5. To subscribe to an entire application (all of its shared flows), select the desired applications.
  6. To subscribe to individual flows, do the following:

    1. Next to the desired application, click .

      The applications flows appear.

    2. Select the desired flows.

  7. Click Add Subscriptions.

    The subscribed flows appear in the application's Flows tab.

  8. Complete the required fields as needed. For details, see Add a new network object.

  9. Click Save Changes.

    A confirmation message appears.

  10. Click Save.

Back to top

Verify flow connectivity

Verifying flow connectivity checks whether the network security policy allows the traffic that the flow specifies. It also contributes to creating and updating Business application visibility.

To verify flow connectivity:

  1. View the application which contains the flow for which you want to verify flow connectivity. For more details, see Business applications.

  2. Click the Flows tab.

    The Flows tab appears.

  3. Click next to the flow.

    AppViz checks whether the network security policy allows the traffic flow. This may take a few minutes, depending on the complexity of the flow and network policy.

    If the flow is blocked, red stripes appear around the flow.

  4. To view details regarding the flow's connectivity, click the Connectivity link.

    A new window opens with details of the traffic simulation query from AlgoSec Firewall Analyzer.

    Note: If the Connectivity link is not enabled for a flow, the last connectivity check failed or has expired. If you run a new check, the link will be re-enabled.

    Back to top

Export an application's flows

You can export an application's flows to a CSV file.

Note: If desired, you can configure all flow exports to include connectivity information. For more details, see Configure advanced AppViz properties

To export an application's flows:

  1. View the application for which you want to add a flow. For more details, see Business applications.

  2. Click the Flows tab.

    The Flows tab appears.

  3. Click .

    The CSV file is exported.

    Your browser will prompt you to open or save the file.

Back to top