Application flows

The application's FLOWS tab enables you to manage an application's traffic flows.

Flows describe traffic to and from servers, which are represented by network objects, via a specific service. Flows may also specify a user or network application, and include other fields, such as comments.

Accessing application flows

  1. From the AppViz home screen, click Applications in the left navigation.
    The applications are listed in the left navigation.

  2. Click on the required application.
    The application's dashboard is displayed.

  3. Click on the Flows tab.
    The three tables of Application Flows are displayed (Application flows, Shared Flows, Subscribed Flows) with an indication of the number of flows of each type.

Tip: Expand or collapse each table section to expose or hide the table.

Back to top

Flow types

AppViz application flows include the following types:

Application flows Flows that are custom-built for a specific application.
Shared flows

A semi-custom flow that can be relevant for many applications.

Shared flows are templates with empty source and destination values, which are provided by a subscribing application.

Note: For shared flows when user awareness is enabled, the User field will be treated the same way as the Source field. When the source is the place holder, the user will also be a place holder.
Subscribed flows An instance of a shared flow that's customized for a specific application, with its source and destination fields provided by the application.

Back to top

Flows tab interface

As mentioned, the FLOWS tab displays application's flows of one application and their details in a series of tables (Application Flows, Shared Flows, Subscribed Flows) which you can expand to view or collapse.

An expanded table looks like this:

On an expanded table, you can:

  • Click a column heading to sort the table by that column, and click it again to reverse the sort order.
  • Hover over a network object or service to display its protocol and port.
  • Click a network object to display further details, including its name, type, origin, and addresses.
  • Use the features listed here:
Button Description

Edit a flow.
After making changes click:
to keep the changes or

to discard the changes.

Delete a flow.
Check connectivity of an application flow by clicking the test connectivity to the right of each flow.
Opens the reorder flows interface window. Drag and drop the flows in the required order.
Export the flows to a CSV

For more details, see:

Note: Adding, removing, or editing an application's flows changes the application's revision to draft. The flow is not updated in the related network security policy until the draft revision is returned to active. For more details, see Application dashboard.

Tip: AppViz also enables you to import flows from a discovery server or a CSV file. Importing flows also matches, or updates matching details, with AppViz applications. For more details, see Discover applications.

Back to top

Flow connectivity status

Every flow has a connectivity status. The traffic each flow represents may be allowed or blocked by the current network security policy. For each flow for which the connectivity status is available, the flow is encircled with a with a red or green outline. See the colors table below.

Note: The connectivity status of each flow contributes to the connectivity status of the application. For more details, see Business applications.

Allowed

Blocked or Partially blocked.

No strip

No connectivity information

Note: Abstract flows are indicated with pale blue stripes, but this is not a connectivity status for the flow. An abstract flow is a flow that does not represent any real traffic. Therefore, connectivity information is not relevant. For details, see View a network object.

Back to top

Add flows to your application

This procedure describes how to add an application or shared flow to your application.

Tip: Alternately, subscribe to another application's shared flows. For more details, see Subscribe to another application's shared flows .

Do the following:

  1. In the left panel, click on the application to which you want to add a flow.

  2. Click the FLOWS tab, and then, in the relevant section, click +New application flow, +Add shared flow or +Add subscribed flow.

    A blank editable flow form is displayed above the other flows (if existing) of the relevant section. The other flows for the section are displayed as disabled for editing.

  3. After editing and accepting the new flow, you can re-order the flows:

    1. display by clicking on the .

    2. In the window that opens, drag-drop objects into their new display order.

    3. Click Done.

Adding a shared flow

  1. For a shared flow, select the placeholder, follow the instructions above. Note that the empty form for the new shared flow is different than that for the new application flow.

    The placeholder is the field that is customizable for any application subscribing to it.

    Note: When user awareness is enabled, the User field will be treated the same way as the Source field. When the source is the placeholder, the user will also be a placeholder.

  2. Complete the fields as needed. For details, see Flow fields.

    Note: Whenever a flow is added or updated, the application is saved as a draft revision.

Name

Type the name of the flow.

Source

Type the flow's source, or utilize the following features to aid you in selecting a source:

  • Click the field to view recent objects, and then select the source from the list.
  • Start typing, and then select the source from the list of auto-completed options.
  • Use the Network object lookup wizard. For details, see Business applications.
  • Create a new object. For details, see Add a new network object.

User

Type the flow's user, or utilize the following features to aid you in selecting a user:

  • Click the field to view recent users, and then select the user from the list.
  • Start typing, and then select the user from the list of auto-completed options.

Note: "Any" is the default value in the User field.

This field only appears when user awareness is enabled. For more details, see Configure applications.

Destination

Type the flow's destination, or utilize the following features to aid you in selecting a destination:

  • Click the field to view recent objects, and then select the destination from the list.
  • Start typing, and then select the destination from the list of auto-completed options.
  • Use the Network object lookup wizard. For details, see Business applications.
  • Create a new object and add it to the flow. For details, see Add a new network object.

Service

Type the flow's service, or utilize the following features to aid you in selecting a service:

  • Click the field to view recent objects, and then select the service from the list.

  • Start typing, and then select the service from the list of auto-completed options.

  • Use the Service Lookup wizard. For details, see Business applications.

  • Create a new object and add it to the flow. For details, see Add a new service.

    Note: Additional services cannot be added to a flow that already has the application-default service (this service represents the default service behind selected network applications). You can click x in the Service column to remove this service.

Network Application

Type the flow's network application, or utilize the following features to aid you in selecting a network application:

  • Click the field to view recent network applications, and then select the network application from the list.
  • Start typing, and then select the network application from the list of auto-completed options.
  • Use the Network application lookup wizard. For details, see Business applications.

Note: "Any" is the default value in the Network Application field.

This field only appears when application awareness is enabled. For more details, see Configure applications.

Comments

Type a comment for the flow. This field is optional.

Any custom field

There may be other flow fields if custom fields have been added. For more details, see Custom fields.

To re-order the flows in the application, drag and drop a flow by this icon. The icon appears to the left of a flow when you hover over it.

To add a new network object:

  1. Click +New.

    The Add New Network Object window appears.

  2. Select the Type of network object: Host, Range, Group or Abstract. For more details, see Network objects.

  3. In the designated fields, type the following information for the new network object:
    • Name
    • IP Address, IP Addresses, or Members. Abstract objects do not have an address until conversion.)

  4. Click OK.

    The new network object is added to the field.

To add a service to a flow:

  1. Click Add New Service.

    The Add New Service window appears.

  2. In the designated fields, type the following information for the new service:

    • Name
    • Protocol
    • Port

    Note: If you've defined the Protocol as ICMP, use the Port field to define the ICMP type.

  3. To add additional services to the service object, do the following:

    1. Click Add new service.

      Additional Protocol and Port fields appear.

    2. Complete the fields.
    3. To remove a service, click .
  4. Click OK.

The new service object is added to the field.

Back to top

Remove flows from your application

To remove a flow:

  1. View the application for which you want to remove a flow. For more details, see Business applications.

  2. Click the Flows tab to view the flows.

  3. Click on the row of the flow you want to remove.
    A confirmation message is displayed.

  4. Click OK if you are sure you want to remove the application flow from the specified application.

Back to top

Subscribe to another application's shared flows

Applications can subscribe to another application's shared flows. The subscribing application specifies a custom value for the shared flow's placeholder/missing field. For more details, see Add flows to your application.

By default, the application containing the shared flow is responsible for all of the shared flow's subscriptions. If desired, you can configure AppViz to treat the applications subscribed to the shared flow as responsible for the traffic. For more details, see Configure advanced AppViz properties

To subscribe to an application:

  1. View the application for which you want to add subscribed flows (the "subscriber" application). For more details, see Business applications.

  2. Click the Flows tab.

    The Flows tab appears.

  3. Click Edit Flows.

    All the flows for the application appear in an editable format.

  4. In the Subscribed flows section, click +Add subscription flow.

    The Add Subscribed Flows window is displayed.

  5. To subscribe to an entire application(s) (all of its shared flows), select the desired application(s).
  6. To subscribe to individual flows, do the following:

    1. Next to the desired application, click .

      The applications flows appear.

    2. Select the desired flows.

  7. Click Add Subscriptions.

    The subscribed flows appear in the application's Flows tab.

  8. Complete the required fields as needed. For details, see Add a new network object.

  9. Click Save Changes.

    A confirmation message appears.

  10. Click Save.

Back to top

Verify flow connectivity

Verifying flow connectivity checks whether the network security policy allows the traffic that the flow specifies. Additionally, it creates and updates the business application field of the flow (a.k.a. rule) visible throughout ASMS systems with AppViz.

See Business application visibility.

To verify flow connectivity:

  1. View the application which contains the flow for which you want to verify flow connectivity. For more details, see Business applications.

  2. Click the Flows tab.

    The Flows tab appears.

  3. Click next to the flow.

    AppViz checks whether the network security policy allows the traffic flow. This may take a few minutes, depending on the complexity of the flow and network policy.

    If the flow is blocked, red stripes appear around the flow.

    Note: Clicking the connectivity check icon also sets or updates Business Application Visibility throughout ASMS. See Business application visibility.

  4. To view details regarding the flow's connectivity, click the Connectivity link.

    A new window opens with details of the traffic simulation query from AlgoSec Firewall Analyzer.

    Note: If the Connectivity link is not enabled for a flow, the last connectivity check failed or has expired. If you run a new check, the link will be re-enabled.

    Back to top

Export an application's flows

You can export an application's flows to a CSV file.

Note: If desired, you can configure all flow exports to include connectivity information. For more details, see Configure advanced AppViz properties

To export an application's flows:

  1. View the application for which you want to add a flow. For more details, see Business applications.

  2. Click the Flows tab.

    The Flows tab is displayed.

  3. Click .

    The CSV file is exported.

    Your browser will prompt you to open or save the file.

Back to top