icon-unified.svg
Experience Center

Accessing Protocol Discovery Diagnostics

You can view and filter Protocol Discovery data for the ports enabled with application segments associated with AppProtection.

Accessing Protocol Discovery Diagnostics

To view diagnostics for Protocol Discovery data:

  1. Go to Logs > Insights > Diagnostics.
  2. Under Log Type, choose Protocol Discovery.

By default, the detailed activity for all application protocols is displayed for events that occurred in the last 24 hours. To change the time range, click the Calendar menu and select a preset range or specify a custom start and end date. If you use a Custom Range, the start date must be within the last 14 days. To change the time zone, click the current Time Zone button.

Zscaler retains logs for rolling periods of at least 14 days during your subscription term. To learn more, see Customer Logs and Data.

Protocol Discovery Diagnostics Time Range

Viewing Logs

Log activity is automatically displayed after selecting the Protocol Discovery log type.

By default, the table displays the Total number of Protocol Discovery logs generated for domains with application segments that have AppProtection disabled. The logs are generated for domains with relevant protocol traffic (KRB, LDAP, SMB, TLS, and HTTP). You can change this by choosing one of the following filters:

  • TCP: The total number of Protocol Discovery logs associated with application segments configured for detecting and inspecting traffic with TCP ports.
  • UDP: The total number of Protocol Discovery logs associated with application segments configured for detecting and inspecting traffic with UDP ports.

Filtering Protocol Discovery Logs

On the Protocol Discovery page, you can apply filters or drill down further into the log data using the Query Builder. By default, no filters are applied. If you want to view and filter Protocol Discovery logs for real-time events, use Live Logs.

To configure filters using the Query Builder:

  1. Click Add Filters and select a filter from the drop-down menu:

Some of the following filter options only appear with specific Protocol Discovery log types selected:

  • App Connector Name: See logs by a specific App Connector you’ve configured.
  • Application Protocol: See requests by the Application Protocol log type.
  • Domain Name: See requests by the domain name.
  • Segment Name: See requests by application segment name as configured in the Admin Portal.
  • Server Port: See requests for connections using a specific port.
  • Transport: See requests based on TCP or UDP transport.
  • Connection ID: See requests by the ID associated with the application request.
Close

  1. Select an operator from the drop-down menu (e.g., Contains, Ends With, Equals, Not Equals, Starts With). The operators available are determined by the filter you are configuring.
  2. Select the fields from the drop-down menu, or enter the values required for the filter. The field or value required is determined by the filter you are configuring.

Filters using the Contains operator allow a maximum of 7 entries. All filters using operators that require text input must use a semicolon (;) to separate multiple entries (e.g., 137; 138; 139). When configuring multiple text entries and using the Less Than operator, the results show transactions starting from the largest entry provided. When configuring multiple text entries and using the Greater Than operator, the results show transactions starting from the smallest entry provided.

  1. Click Apply.
Filters for the Protocol Discovery Logs table on the Protocol Discovery Diagnostics page

To apply more filters, click Add Filters again or click on the Apply Filter icon () within the table. The filter query section within the page updates automatically to include the proper filter for the field name you selected, along with the applicable operator configuration for that field.

To remove an added filter, click the Close icon then Apply. To remove all filters, click Clear All.

You can also click the Copy icon to save the filter query details. If you or another admin access Diagnostics, you can paste the query into the field by clicking the Clipboard icon.

The table displays the following data for Protocol Discovery-related requests:

    • Protocol Discovery Time: The time that the inspection of the application occurred.
    • Connection ID: The ID associated with the application request. You can click the Copy icon to copy the ID to your clipboard.
    • Total Request Bytes: The total number of bytes that were requested from the client to the server.
    • Total Response Bytes: The total number of bytes that responded to the request from server to client.
    • Connection Status Log: View, download, and copy the raw JSON for the request:
      • Click the View icon to view details about the connection status log in JSON format.
      • Click the Download icon to download this JSON file.
      • Click the Copy icon to copy the raw JSON text for the request to your clipboard.
    Close
    • Protocol Class: The protocol type associated with the application segment domain and port that logged in to Zscaler Client Connector (KRB, LDAP, SMB, HTTP, and TLS).
    • Traffic Class: Displays Classified if the App Connector identified the protocol. It is displayed as Unclassified if the App Connector is unable to identify the protocol.
    • Transport: Displays the connection as either TCP or UDP transport.
    Close
    • App Connector Name: The name of the App Connector.
    • App Connector ID: The ID associated with the application. You can click the Copy icon to copy the ID to your clipboard.
    • App Connector Group Name: The name of the group the App Connector is included in. You can click on the name to open the Edit App Connector Group window.
    • App Connector Group ID: The internal ID for the App Connector group. You can click the Copy icon to copy the ID to your clipboard.
    Close
    • Application: Port & Transport: The application domain of the end user who logged in to Zscaler Client Connector.
    • Application Segment: The application segment name as configured in the Admin Portal. You can click on the name to open the Edit Application Segment window, which includes the defined application.
    • Application ID: The ID associated with the application. You can click the Copy icon to copy the ID to your clipboard.
    • Application Domain: The domain of the application in the transaction request.
    Close

You can expand each row to see more details, or click the Expand/Collapse icon to expand or collapse all rows within the table. By default, the table displays 20 transactions. You can scroll to load more transactions.

Related Articles
Viewing the Browser Protection DashboardViewing the API Protection DashboardViewing the AppProtection DashboardAccessing AppProtection DiagnosticsAccessing AD Protection DiagnosticsAccessing Clientless Access DiagnosticsAccessing Application Protocol DiagnosticsAccessing API Protection DiagnosticsViewing the Protocol Discovery DashboardAccessing Protocol Discovery DiagnosticsViewing the Active Directory Protection Dashboard