Discovered Apps


The Discovered Apps page (Usage > Discovered Apps) reports the usage of apps defined by entitlements with broad access rights. Up to 5,000 apps can be discovered on a system with a limit of 5,000 users per application. If you are on version 6.5 or earlier, there is a limit of 5,000 user groups per application. In version 6.6 and beyond, the limit is 200 user groups.

Background information

Discovered Apps is part of Application Discovery, a separately licensable option. For information about how licensing works, see the Licenses section.

For more information, see the Application Discovery section.

NOTE

Until there has been traffic through the entitlement(s) with the broad host definitions, and the analysis has run at 00:00 UTC, the Discovered Apps list will remain empty. It can take up to 15 minutes for discovered apps to appear as values are sent at 15-minute intervals.

Actions

Use the Actions dropdown menu at the top-right of the Discovered Apps page to perform the following actions:

  • Configure. Opens the Configure Discovered Apps window. This allows you to change how discovered app data is collected and presented for all users. Configure the following:

    • Custom App Types. Enter a name and port(s).

    • Claim for Usage Data. Select Use Default or Override with custom claim. Selecting Override with custom claim will open a dropdown from which you can select a claim.

  • Troubleshoot. Displays the last time the three data sets used in the analysis were updated.

Action Buttons

Action buttons are accessed by clicking the three dots icon to the right of each line item in the page or from the <Actions> button within the item. They are contextual, changing depending on the type of item and the state of the item. The Action button in the Discovered Apps page displays the following options:

  • Reset user data. Removes all the user data related to the app. The app will still be listed but with 0 users.

  • Delete all data. Removes the app and the related user data.

Discovered Apps

The list of discovered apps displays the following information:

  • Host. The hostname of the discovered app. The hostname displayed is a best guess since the traffic encountered by the Gateways is IP based. The use of zone transfer is strongly recommended to get the best result for 'Host'. When this is not enabled, the following will be used:

    • A reverse DNS lookup using the Site or appliance DNS server.

    • The port 443 certificate name on public IPs.

  • Port/Type. The TCP port being accessed. The name of the port will appear next to it in parentheses.

  • Users. The number of users that have accessed this app.

  • Connected Entitlement. The entitlement connected to the app.

  • Last Accessed. Last date (UTC) that the app was accessed.

  • Last Modified. Last time (UTC) that the created policy or entitlement was modified.

Clicking one of the discovered apps will open the Discovered App Details page.

Pinning searches

If you use the advanced filter fields to perform a search in the Discovered Apps page, you can pin that search for later use. After filtering, use the pin icon on the right side of the search details to pin the search. The pin icon color becomes solid when the search has been pinned.


Once a search is pinned, you will see those results each time you return to the Discovered Apps page.

Discovered App Details

Configure Access

The fields under Complete These Tasks to Configure Access will allow you to define an entitlement and add that entitlement to a policy. Perform the following steps to create the entitlement:

  1. Click on Define Entitlement. The dropdown will display the included ports and open the Related Apps tab. If you need to add more ports:

    • Under the Related Apps tab, select the checkbox of the port(s) you want to add, or use the Add Port Range fields to add a range of ports.

  2. When you have confirmed the included ports, click Continue. The Define Entitlement window will open.

  3. In the Define Entitlement window, select Yes, create a new Entitlement, or No, add action to an existing Entitlement.

  4. If you select Yes, enter values in the following fields:

    • Entitlement Name. Enter a name for the created entitlement.

    • Status. Select Enabled or Disabled.

    • Tags. Select +Add to add tags to the entitlement.

  5. If you select No, add action to existing Entitlement, use the dropdown to select an existing entitlement.

  6. The Ports field will be populated with the ports you previously included.

  7. Click Save to save your entitlement. You will see a confirmation window that the app details have been added as an action entry in the entitlement.

To add the entitlement to a policy:

  1. Select Add to Policy under Complete These Tasks to Configure Access. The Groups tab will open.

  2. In the Groups tab, select the checkbox(es) for the group(s) you want to have access, then click Continue.

  3. In the Add to Policy window, use the dropdown to select an existing policy, or begin typing to create a new policy. When you have selected a policy or entered a name for a new policy, click Save.

  4. After you save the policy settings, the Changes Detected window appears, recommending that you clear usage data before the next analysis. This ensures that the next analysis does not include data from the groups selected for the policy to which you just added the entitlement. Select the checkbox and click Confirm to remove the data from the current app and all related apps that were selected when the entitlement was defined.

NOTE

As the mapping to the “groups” user claim is string based, it is important to take into consideration the AD (or other IdP) used in the AppGate ZTNA IdP configuration when multiple IdPs are listed. There is a chance that the same group name occurs in two different ADs.


Discovered App Details also provides the following additional information:

  • Rule. The rule in the entitlement action that matched the traffic: allow, allow_report, block, block_report, alert or exclude.

  • Port/Type. The TCP port being accessed. The name of the port will appear next to it in parentheses.

  • Protocol. This value is TCP, but may be expanded in the future.

  • Last Modified. The last time the discovered app was modified.

  • Last Accessed. The last time the discovered app was accessed.

The following tabs are displayed in the bottom half of the page:

  • Hits per Day. A histogram showing the total number of connections per day to the discovered app. Pressing the tab key focuses on the first dot in the histogram. Use arrow keys to navigate to the other dots to see their details.

    • Show as Text. Enable this toggle to replace the line chart with a descriptive list. The dates of hits are listed with the most recent at the top.

  • Related Apps. Lists other discovered apps on that host. You can use the Add Port Range chart to view the range of accessed ports. You can then add a custom range to the Port Range fields and use the Add Range button to add it to the Define Entitlement window above. The range of ports you entered will be included in the entitlement you configure.

  • Users. Displays a list of users with the following information:

    • Username. The username the user used to sign in to AppGate ZTNA.

    • Identity Provider. The name of the IdP that the user used to sign in to AppGate ZTNA.

    • Last Accessed. The last date (UTC) when the user accessed the discovered app.

    • Download as CSV. This button is used to export the list of users. This can be used to verify that those users are allowed to access the app and then go on to create a new AD group based on the list.

  • Groups. A list of groups with the following information:

    • Name. The name that is mapped to the “groups” user claim.

    • Identity Provider. The name of the IdP used to sign in to AppGate ZTNA. This can be one or multiple depending on which IdPs were used to access the discovered app.

    • Percentage of Accessing Users. The percentage of group users accessing AppGate ZTNA.

  • Additional Data. Displays originating entitlements and IPs.

NOTE

There will not be any groups in common when AD groups (or whatever other AD property is used to group users) are mapped to a user claim other than “groups”.
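
The user list exported with Download as CSV can be checked against an approved roster before it is turned into an AD group. The following is an added example, not AppGate code: the column names, the roster and the sample rows are assumptions constructed for illustration. It matches on identity provider as well as username, since string matching alone can collide across IdPs in the same way the note on group names describes.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names are assumed from the fields the
# Users tab lists; match them to the header of the real CSV.
SAMPLE_EXPORT = """Username,Identity Provider,Last Accessed
alice,corp-ad,2024-05-01 09:12
Bob,corp-ad,2024-04-15 17:40
alice,partner-ad,2024-05-02 08:00
mallory,corp-ad,2024-05-03 11:30
"""

# Constructed roster of identities approved for the app: (IdP, username).
APPROVED = {("corp-ad", "alice"), ("corp-ad", "bob")}


def review_export(csv_text, approved):
    """Split exported users into per-IdP group members and review items."""
    members = defaultdict(list)      # IdP -> approved usernames
    unapproved = []                  # identities that need an access decision
    idps_by_user = defaultdict(set)  # username -> IdPs it was seen under
    for row in csv.DictReader(io.StringIO(csv_text)):
        idp = row["Identity Provider"].strip()
        # Assumption: usernames compare case-insensitively in the directory.
        user = row["Username"].strip().lower()
        idps_by_user[user].add(idp)
        # Match on (IdP, username): a bare username match would treat
        # alice from partner-ad as the approved alice from corp-ad.
        if (idp, user) in approved:
            members[idp].append(user)
        else:
            unapproved.append((idp, user))
    ambiguous = sorted(u for u, idps in idps_by_user.items() if len(idps) > 1)
    return {
        "members": {idp: sorted(users) for idp, users in members.items()},
        "unapproved": sorted(unapproved),
        "ambiguous_usernames": ambiguous,
    }


if __name__ == "__main__":
    for key, value in review_export(SAMPLE_EXPORT, APPROVED).items():
        print(key, value)
```

Only the identities under "members" are candidates for the new group; entries under "unapproved" need an access decision first.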