Discovered Apps


Reports the usage of apps defined by Entitlements with broad access rights. Up to 5000 apps can be discovered on a system, with a limit of 5000 users and 5000 user groups per application.

Background information

This is part of Application Discovery which is a separately licensable option. For information about how licensing works, refer to Licenses.

For more information refer to Application Discovery.

NOTE

Until traffic has passed through the Entitlement(s) with broad host definitions and the analysis has run at 00:00 UTC, the Discovered Apps list remains empty. Discovered apps can take up to 15 minutes to appear, because values are sent at 15-minute intervals.

Actions

Use the Actions dropdown menu at the top-right of the Discovered Apps page to perform the following actions:

  • Configure. Opens the Configure Discovered Apps window. This allows you to filter your view of Discovered Apps with the following fields:

    • Minimum User Count. Enter a value for minimum number of users.

    • Originating Entitlements. Select All Entitlements with broad host definitions or Only specific Entitlements. Selecting Only specific Entitlements allows you to add the desired Entitlement(s).

    • App Data Options. Select or deselect Include public IPs or Include apps without DNS hostnames.

  • Run Analysis. Analysis normally runs at 00:00 UTC, but you can also run it immediately (limited to once per hour because of the processing required).

  • Troubleshoot. Shows when each of the three data sets used in the analysis was last updated.

Action Buttons

Action buttons are accessed by clicking the three dots to the right of each line item in the table or from the <Actions> button within the item. They are contextual, changing depending on the type of item and the state of the item.

  • Reset user data. Removes all the user data related to the app. The app will still be listed but with 0 users.

  • Delete all data. Removes the app and the related user data.

Discovered Apps

The list of discovered apps displays the following information:

  • Host. The hostname of the discovered app. The hostname displayed is a best guess, since the traffic seen by the Gateways is IP based. The use of zone transfer is strongly recommended to get the best result for 'Host'. When zone transfer is not enabled, the following are used instead:

    • A reverse DNS lookup using the Site or Appliance DNS server.

    • The port 443 certificate name on public IPs.

  • Port. The TCP port being accessed.

  • Users. The number of users that have accessed this app.

  • Generated Entitlement.

  • Last Accessed. Last date (UTC) that the app was accessed.

  • Status.

    • No action taken: No rules created.

    • Action taken: Access rules created.

  • Alias. The name of any created Policy and Entitlement for this app.

  • Last Modified. Last time (UTC) that the created Policy or Entitlement was modified.

Clicking one of the Discovered Apps will show the Discovered App Details.

Discovered App Details

Configure Access

Selecting the Configure Access button will open the Configure Access - Create Entitlement modal. Enter values in the following fields to create the Entitlement:

  • Entitlement Name. Enter a name for the created Entitlement.

  • Status. Select Enabled or Disabled.

  • Tags. Select +Add to add tags to the Entitlement.

Select Create to finish creating the Entitlement. In the Configure Access - Summary modal that appears, select Add to Policy to add the Entitlement to a Policy.

In the Configure Access - Add Entitlement to Policy modal, select the checkbox(es) for the Group(s) you want to add to the Policy. Use the dropdown to select a policy. When you are finished, click Save.

NOTE

As the mapping to the “groups” User Claim is string based, it is important to take into consideration which AD (or other IdP) in the Appgate SDP IdP configuration a group comes from when multiple IdPs are listed. There is a chance that the same group name occurs in two different ADs.

NOTE

The port 443 certificate name lookup on public IPs can result in a glob hostname (*.xx.yy) if it is a wildcard certificate. It is possible to create entitlements for these hostnames, but then a DNS forwarder needs to be configured on the site.
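The following script, added here as an illustration and not part of Appgate's own code, reproduces the fallback order described under Host above (reverse DNS first, then the port 443 certificate name on public IPs) and flags the wildcard-certificate case this note describes. It assumes: RFC 1918, loopback and link-local ranges are what "internal" means (the RFC 5737 documentation ranges are left out so the constructed sample counts as public); the live reverse lookup uses the local resolver rather than the Site or Appliance DNS server; the live certificate fetch needs the third-party `cryptography` package; and preferring a concrete SAN over a wildcard is a choice of this example. The sample IPs, hostnames and certificate names are constructed.

```python
import ipaddress
import socket
import ssl
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence

# Constructed sample data standing in for the Gateway's observations and the
# lookup results; demo() below runs without any network access.
SAMPLE_REVERSE_DNS = {"10.20.30.40": "db01.corp.example"}
SAMPLE_CERT_NAMES = {
    "203.0.113.10": ["*.saas.example"],                       # wildcard only
    "203.0.113.20": ["*.vendor.example", "api.vendor.example"],
}

# Assumption: these ranges are "internal"; anything else counts as public.
# RFC 5737 documentation ranges are not listed so the sample above runs.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class HostGuess:
    host: Optional[str]   # best-guess hostname, None when nothing resolved
    source: str           # "reverse-dns", "certificate" or "none"
    wildcard: bool        # True when the name is a glob such as *.xx.yy


def is_public_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in _INTERNAL_NETS)


def is_wildcard(name: str) -> bool:
    return name.startswith("*.")


def pick_cert_name(names: Sequence[str]) -> Optional[str]:
    """Prefer a concrete DNS name over a wildcard; None when the list is empty."""
    concrete = [n for n in names if not is_wildcard(n)]
    if concrete:
        return concrete[0]
    return names[0] if names else None


def live_reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup through this machine's resolver (assumption, see lead-in)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def live_cert_names(ip: str, port: int = 443, timeout: float = 3.0) -> List[str]:
    """DNS names (SAN first, then CN) from the certificate served on ip:443.
    Imports 'cryptography' lazily so the offline parts run without it."""
    from cryptography import x509
    from cryptography.x509.oid import NameOID

    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # the name is read, not relied upon
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=ip) as tls:
            der = tls.getpeercert(binary_form=True)
    cert = x509.load_der_x509_certificate(der)
    names: List[str] = []
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        names.extend(san.value.get_values_for_type(x509.DNSName))
    except x509.ExtensionNotFound:
        pass
    for attr in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME):
        if str(attr.value) not in names:
            names.append(str(attr.value))
    return names


def best_guess_host(ip: str,
                    reverse_lookup: Callable[[str], Optional[str]] = live_reverse_lookup,
                    cert_names: Callable[[str], Sequence[str]] = live_cert_names) -> HostGuess:
    """Documented order: reverse DNS, then the port 443 certificate on public IPs."""
    name = reverse_lookup(ip)
    if name:
        return HostGuess(name, "reverse-dns", is_wildcard(name))
    if is_public_ip(ip):
        try:
            name = pick_cert_name(cert_names(ip))
        except OSError:              # connection refused, timeout, TLS error
            name = None
        if name:
            return HostGuess(name, "certificate", is_wildcard(name))
    return HostGuess(None, "none", False)


def demo() -> dict:
    """Run the guess over constructed IPs using the sample lookups."""
    ips = ["10.20.30.40", "203.0.113.10", "203.0.113.20", "10.9.9.9"]
    return {ip: best_guess_host(ip, reverse_lookup=SAMPLE_REVERSE_DNS.get,
                                cert_names=lambda i: SAMPLE_CERT_NAMES.get(i, []))
            for ip in ips}


if __name__ == "__main__":
    for ip, guess in demo().items():
        note = "  (wildcard: a DNS forwarder is needed on the Site)" if guess.wildcard else ""
        print(f"{ip:16} {guess.source:12} {guess.host}{note}")
```

Running it prints one line per sample IP; the entry that resolved only to `*.saas.example` is the case where an Entitlement can still be created but a DNS forwarder must be configured on the Site.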


Discovered App Details also provides the following additional information:

  • Rule. The rule in the Entitlement Action that matched the traffic: allow, allow_report, block, block_report, alert or exclude.

  • Protocol. Currently always TCP; other protocols may be added in the future.

  • Last Modified. The last time the Discovered App was modified.

  • Last Accessed. The last time the Discovered App was accessed.

  • Generated Entitlement. A link to the created Entitlement (based on the Discovered App).

  • Generated Access Policy. A link to the created Policy (based on the Discovered App).

There are also three tabs which contain:

  • Hits per Day. A histogram showing the total number of connections per day to the Discovered App.

  • Users. Displays a list of users with the following information:

    • Username. The username the user used to sign in to Appgate SDP.

    • Identity Provider. The name of the IdP that the user used to sign in to Appgate SDP.

    • Last Accessed. The last date (UTC) when the user accessed the Discovered App.

    • Download as CSV. Exports the list of users. Use it to verify that those users should be allowed to access the App, and then, for example, create a new AD group based on the list.

  • Groups. A list of groups with the following information:

    • Name. The name that is mapped to the “groups” User Claim.

    • Identity Provider. The name of the IdP used to sign in to Appgate SDP. This can be one or multiple depending on which IdPs were used to access the Discovered App.

    • Percentage of Accessing Users. The percentage of group users accessing Appgate SDP.

  • Additional Data. Displays Originating Entitlements and IPs.

NOTE

There will be no groups in common when AD groups (or whatever other AD property is used to group users) are mapped to a User Claim other than “groups”.
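As an added example (not Appgate's code), the script below works through the Groups tab logic described above and the two notes about the “groups” User Claim: it derives (group, IdP) pairs from the claims each accessing user signed in with, computes a percentage per group, flags a group name that occurs under two different IdPs (the string-based collision the first note warns about), and lists users whose IdP maps groups to a claim other than “groups”, which is why such users contribute no groups in common. Assumptions: the user records, IdP names and claims are constructed; "percentage" is taken to mean members of the group as a share of all users who accessed the app, since the page does not state the denominator; and the `idp:group` qualified name is one way to keep colliding names apart, not a product feature.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample: one record per (user, IdP) that accessed a Discovered App,
# carrying the claims issued at sign-in. Two separate ADs both have a group
# named "finance"; the "okta" IdP maps its groups to "memberOf", not "groups".
SAMPLE_USERS = [
    {"username": "alice", "idp": "corp-ad", "claims": {"groups": ["finance", "vpn-users"]}},
    {"username": "bob", "idp": "corp-ad", "claims": {"groups": ["finance"]}},
    {"username": "carol", "idp": "partner-ad", "claims": {"groups": ["finance"]}},
    {"username": "dave", "idp": "okta", "claims": {"memberOf": ["finance"]}},
]

GroupKey = Tuple[str, str]  # (group name, identity provider)


def groups_from_claims(claims: dict, claim_name: str = "groups") -> List[str]:
    """Read group names from one claim; a bare string counts as a single group."""
    value = claims.get(claim_name, [])
    return [value] if isinstance(value, str) else list(value)


def group_summary(users: Iterable[dict], claim_name: str = "groups") -> Dict[GroupKey, dict]:
    """Per (group, IdP): the accessing users and their share of all accessing users.
    Assumption: the denominator is everyone who accessed the app."""
    users = list(users)
    members: Dict[GroupKey, Set[str]] = defaultdict(set)
    for u in users:
        for g in groups_from_claims(u["claims"], claim_name):
            members[(g, u["idp"])].add(u["username"])
    total = len(users)
    return {key: {"users": names, "percentage": 100.0 * len(names) / total}
            for key, names in members.items()}


def ambiguous_group_names(summary: Dict[GroupKey, dict]) -> Dict[str, List[str]]:
    """Group names seen under more than one IdP: a string-only match on the
    "groups" claim would treat them as one group."""
    idps: Dict[str, Set[str]] = defaultdict(set)
    for group, idp in summary:
        idps[group].add(idp)
    return {g: sorted(p) for g, p in idps.items() if len(p) > 1}


def users_without_claim(users: Iterable[dict], claim_name: str = "groups") -> List[Tuple[str, str]]:
    """Users who contributed no groups, i.e. whose IdP maps groups elsewhere."""
    return [(u["username"], u["idp"]) for u in users
            if not groups_from_claims(u["claims"], claim_name)]


def qualified_group_name(group: str, idp: str) -> str:
    """Prefix the IdP so colliding names stay distinct (this example's convention)."""
    return f"{idp}:{group}"


if __name__ == "__main__":
    summary = group_summary(SAMPLE_USERS)
    for (group, idp), info in sorted(summary.items()):
        print(f"{qualified_group_name(group, idp):24} {info['percentage']:5.1f}%  "
              f"{sorted(info['users'])}")
    print("same name under several IdPs:", ambiguous_group_names(summary))
    print("no 'groups' claim:", users_without_claim(SAMPLE_USERS))
```

With the sample data, `finance` shows up under both `corp-ad` and `partner-ad`, and `dave` appears only when the summary is built from the `memberOf` claim instead of `groups`.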