
Threat Map

The threat map displays global threat distribution with details, including distribution and attack details of the attack source and destination regions.

Context

The supported threat maps and the dependency between the threat map and storage media on the USG6000E are as follows:

  • On USG6000E devices other than the USG6510E/6510E-POE and USG6530E, this window is always displayed, regardless of whether a hard disk or SD card is available.
  • On the USG6510E/6510E-POE and USG6530E, this window is displayed only when the SD card is available.

The threat map can display global distribution of threats detected by the device by attack region and victim region.

  • Attack region map: displays the attack distribution and details of regions that launch attacks.
  • Casualty region map: displays the attack distribution and details of attacked regions.

Before querying threat maps, ensure that you have run the log type threat enable command to enable the recording of threat logs.

If the region that IP addresses belong to is modified, the historical map displays information based on regions configured before the modification.

If the threat map has nothing to display, this function has not been customized. Click Customize Now and select threat map options in Customize Report and Map Display. The customized content is then displayed in this tab.

Virtual systems do not support this map customization function. You can contact the administrator for customization in the root system.

Procedure

  1. Choose Monitor > Threat Map.
  2. You can select filtering conditions above the map.

    Item | Description
    TOPN | TOP N regions by threat quantity on the map, including TOP10 and TOP20.
    Display dimension | Map display dimensions, including Attacked Region and Casualty Region.
    Threat type | You can select the following types: Virus; Intrusion; Botnet, Trojan horse, and Worm; Attack; All Threat; Advanced Threats (supported only on the USG6615E/6625E and USG6575E-B/6605E-B).
    Statistics period | Statistics period by which the map is displayed. The period can be Today, Last Three Days, or Last Month.

    Regions are displayed in different colors according to threat quantity. For details, refer to the risk level legend on the lower left of the map. A darker color indicates a higher risk level.

    The following map is only an example.

    How the device's own location is chosen for display on the UI: the system checks the regions of the interfaces listed on the Network > Interface page. If the first interface IP address of the device belongs to a specific region, the device is shown on the map in the region of that interface address. If the first interface IP address is in an unknown region, the system continues through the interfaces until it finds one in a fixed region, and the device is shown in the region of that interface address. If none of the interfaces belongs to a region, the device is displayed at longitude and latitude (0,0) by default.

    The overall threat situation of China is displayed by default. For provincial and municipal details, click the China region to display the map of China.

    Traffic statistics of unknown regions on the page are not included in traffic statistics of specified regions.

    User-defined regions are displayed on the map only when the regions have traffic passing through. The location is determined by the configured longitude and latitude.

  3. Optional: You can click a region on the map to display attacker and victim details.
  4. Optional: Click to export the threat data in CSV format so that you can view the data offline.

    • Export based on the attacking area, threat type, and time: Export the ranking of threats of a specified threat type based on the attacking area within a given time range.
    • Export based on the attacked area, threat type, and time: Export the ranking of threats of a specified threat type based on the attacked area within a given time range.

    You can view the threat data for a predefined or user-defined time range. For a user-defined time range, enter the Start time and End time.

    The FW supports the export of up to 10,000 threat data entries.

    This function is supported only when a hard disk is in position.
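
The device-location rule described under step 2 can be modelled offline to find out why a device is plotted in an unexpected region or at (0,0). The following is an added example, not code from the product: the region table, interface names and addresses are constructed sample data, "first interface" is assumed to mean list order, and choosing the most specific matching prefix is an assumption of this sketch.

```python
import ipaddress

# Constructed sample region table: (CIDR, region name, latitude, longitude).
REGIONS = [
    ("198.51.100.0/24", "Region-A", 48.0, 11.0),
    ("203.0.113.0/24", "Region-B", 35.0, 139.0),
    ("203.0.113.128/25", "User-Defined-Site", 1.3, 103.8),
]

def lookup_region(ip, regions=REGIONS):
    """Return (name, lat, lon) of the most specific region containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, name, lat, lon in regions:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, name, lat, lon)
    return best[1:] if best else None

def device_location(interfaces, regions=REGIONS):
    """Walk interfaces in order; the first one with a known region decides.

    Returns the deciding interface, the plotted region and coordinates,
    and the interfaces skipped because their region is unknown.
    """
    skipped = []
    for ifname, ip in interfaces:
        region = lookup_region(ip, regions) if ip else None
        if region is None:
            skipped.append(ifname)  # unknown region: keep searching
            continue
        name, lat, lon = region
        return {"interface": ifname, "region": name,
                "coords": (lat, lon), "skipped": skipped}
    # No interface maps to a region: the device is shown at (0,0).
    return {"interface": None, "region": None, "coords": (0, 0), "skipped": skipped}

if __name__ == "__main__":
    # Constructed interface list, in the order assumed for Network > Interface.
    interfaces = [
        ("GE0/0/0", "192.168.0.1"),    # private address, no region
        ("GE0/0/1", None),             # no IP address configured
        ("GE0/0/2", "203.0.113.200"),  # inside the user-defined region
    ]
    print(device_location(interfaces))
    print(device_location([("GE0/0/0", "10.1.1.1")]))
```

The `skipped` list shows which interfaces were passed over before a region was found, which is the first thing to check when the plotted location does not match the site.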

Follow-up Procedure

The guidance for more operations is described as follows.

If you need to know the regional distribution of threats targeting the enterprise intranet, you can display the threat map. You can also click a region to display detailed attack sources and take the following security measures:

  • Configure a Security Policy to block access to regions not related to services.
  • Configure a specific defense policy based on attack sources and types.

If the location of some threat data is incorrect, the IP address may have been added to an incorrect region. You can add the IP address to the correct region. For details, see Modifying a Predefined Region.

Copyright © Huawei Technologies Co., Ltd.