Reference

Pulse User Manual

Complete reference for every feature in Pulse.

Contents

  1. Dashboard
  2. Importing Logs
  3. Live Syslog
  4. Threat Detection
  5. Analytics
  6. Connection Map
  7. VPN Sessions
  8. Log Search
  9. Compliance Reports
  10. Executive Reports
  11. Asset Discovery
  12. IP Intelligence
  13. Custom Detection Rules
  14. Alerts & Notifications
  15. PSA Integration
  16. Client Portal
  17. Fleet Dashboard
  18. Log Archiving
  19. Settings
  20. User Management
  21. Feature Tiers

1. Dashboard

The dashboard shows a real-time summary of your firewall environment, refreshed every 15 seconds via a live server connection.

Health Score

A composite security rating (0–100) based on drop rate, threat count, active rules, log freshness, and geo-risk. Grade A (90+) to F (below 40).

Live counters

  • Total Logs — all log entries in the database
  • Active Threats — unacknowledged detected threats
  • Drop Rate — percentage of traffic blocked in the last 5 minutes
  • Connected Firewalls — firewalls that sent logs in the last 15 minutes

Firewall status indicators

Online — logs in last 15 min  Stale — last 15 min–2 h  Offline — no logs in 2+ hours

2. Importing Logs

Go to the Import tab. Drag a file onto the drop zone or click Browse.

Supported file formats

  • SonicWall CSV export (.csv)
  • FortiGate syslog text (.log, .txt)
  • Palo Alto, Cisco ASA, Sophos XG, WatchGuard, pfSense / OPNsense syslog
  • Generic RFC 3164 / RFC 5424 syslog
  • Previously archived Pulse CSV files

Pulse auto-detects the vendor from the log format. Threat detection runs automatically within 5 minutes of import.

Large files (1M+ rows) may take 1–5 minutes to import. A progress bar shows insertion count in real time. Do not close the browser tab during import.

3. Live Syslog

Go to Settings → Syslog. Click Start Listener to receive logs on UDP port 514. Logs appear in the dashboard within seconds.

Ensure Windows Firewall allows inbound UDP port 514 for the Pulse process. See the installation guide for firewall-specific configuration.

Professional tier and above.

4. Threat Detection

Pulse runs 21 built-in detection rules automatically every 5 minutes. Click 🔍 Run Detection to run immediately.

Built-in detection rules

  • Port scan · Brute force · C2 beaconing · SYN flood · DDoS / DoS
  • Data exfiltration · Lateral movement · DNS tunneling
  • Suspicious port activity · Credential stuffing · ICMP flood
  • Blacklisted country traffic · Off-hours access · New device detected
  • Bandwidth spike · Management port probe · Multi-protocol attack
  • Tor / proxy usage · Crypto mining · Impossible travel · Anomaly detection

Severity levels

Each threat is rated: Critical, High, Medium, or Low.

Acknowledging threats

Click ✓ Acknowledge to mark a threat as reviewed. Acknowledged threats move to a separate section. Use ↩ Reopen to move a threat back to active.

AI Explain

Click AI Explain on any threat card for a plain-English explanation, likely cause, and recommended response. Requires an Anthropic API key in Settings → AI. Professional tier and above.

5. Analytics

The Analytics tab provides visualisations based on the last 30 days of data relative to your most recent log entry.

  • Traffic timeline — hourly chart of total logs, drops, and forwards
  • Action breakdown — drop vs allow vs forward (doughnut chart)
  • Protocol mix — traffic distribution by protocol
  • Top source IPs — highest-volume sources with drop counts
  • Top destination IPs — most-contacted external addresses
  • Traffic by zone — breakdown by firewall security zone
  • Country breakdown — geographic traffic origin (requires GeoIP enrichment)
Run 🌍 Enrich GeoIP from the Analytics tab if country data is empty. GeoIP lookups are free — no API key required.

Professional tier and above.

6. Connection Map

The Map tab shows a force-directed graph of connections between source and destination IPs. Node size represents traffic volume. Red edges indicate dropped connections.

  • Click a node to open the IP Intelligence panel
  • Drag nodes to rearrange the layout
  • Use the time selector to view last 1h, 6h, or 24h
  • Private (RFC 1918) IPs shown in blue · Public IPs in orange

Professional tier and above.

7. VPN Sessions

The VPN tab summarises VPN activity parsed from your logs. Supported types: SonicWall VPN policies, FortiGate IPSec and SSL-VPN, and any firewall with ssl-vpn / ipsec / tunnel in the log message.

The table shows per-user summaries including tunnel type (colour-coded), data transferred, active days, and last seen time.

9. Compliance Reports

Go to Reports → Compliance. One-click PDF reports available for:

  • PCI DSS v4 — payment card industry requirements
  • HIPAA — healthcare data protection
  • SOC 2 — service organisation controls
  • Cyber Insurance — insurance questionnaire evidence

Each report includes evidence tables, pass/fail assessments, and recommendations based on your actual log data. Professional tier and above.

10. Executive Reports

Go to Reports → Executive for a one-page board-ready PDF showing health score, top threats, traffic statistics, and recommended actions. Select the client name and date range, then click Generate Report.

11. Asset Discovery

The Assets tab shows all IP addresses that have appeared in your logs, classified as internal (RFC 1918) or external. Click any IP to add a label (e.g. DC01 — Domain Controller). Labels appear throughout the dashboard.

12. IP Intelligence

Click any IP address to open the intelligence panel:

  • GeoIP location and country flag (free, no API key)
  • Connection history, traffic volume, drop rate
  • AbuseIPDB abuse score 0–100 — requires AbuseIPDB API key
  • VirusTotal detection count — requires VirusTotal API key
  • Shodan open ports and CVEs — requires Shodan API key
  • Greynoise classification — free community tier available

Configure API keys in Settings → Threat Intel. All keys are optional.

13. Custom Detection Rules

Go to the ⚙ Custom Rules tab to create rules beyond the 21 built-ins.

  1. Click + New Rule
  2. Enter a name, description, and severity
  3. Add conditions — field + operator + value (equals, contains, regex, greater than, is private IP, and more)
  4. Optionally set aggregation: alert only when event count exceeds a threshold within a time window
  5. Set an alert message template using placeholders: {src_ip}, {dst_port}, etc.
  6. Click Save Rule

Custom rules run every 5 minutes alongside built-in rules and can be enabled or disabled individually. Enterprise tier.

14. Alerts & Notifications

Email alerts

Configure SMTP in Settings → Alerts → Email. Works with Gmail, Microsoft 365, and on-premises mail servers.

Webhook alerts

Configure webhook URLs in Settings → Alerts → Webhooks. Compatible with Slack, Microsoft Teams, PagerDuty, and any webhook platform.

Daily security digest

A summary email sent at 7:00 AM local time covering overnight threats, health score, and top attackers. Configure the recipient in Settings → Alerts → Digest.

15. PSA Integration

Automatically create tickets when high-severity threats are detected. Supported platforms: ConnectWise Manage and Autotask (Datto).

Configure in Settings → Integrations → PSA. You can also create tickets manually from any threat card by clicking 🎫 Create Ticket. Professional tier and above.

16. Client Portal

Generate a read-only, branded portal link to share with clients. The portal shows a security dashboard with their firewall data — no Pulse credentials required.

Configure in Settings → Client Portal. Set your logo, company name, and accent colour, then generate a unique URL per client. Professional tier and above.

17. Fleet Dashboard

The Fleet tab shows a card for every firewall or client site Pulse has seen. Each card displays the site name, client name, security score, grade, and online status.

Viewing data for a specific site

Click any fleet card to drill into that site. Pulse immediately filters every tab — Threats, Analytics, Logs, VPN, Connection Map, Compliance Reports — to show only data from that firewall. A blue border on the card and a badge in the top navigation bar confirms which site you are currently viewing.

Click the card again, or click the ✕ badge in the top bar, to clear the filter and return to the all-sites view.

How firewalls appear in Fleet

Pulse automatically detects every firewall it receives logs from and adds it to the Fleet view. Each unique serial number or firewall IP address becomes its own entry. No manual configuration is required for firewalls connected via syslog or file import.

Adding remote Pulse sites

MSPs running Pulse at multiple client locations can add remote sites using the Add Remote Site form at the bottom of the Fleet tab. Enter the site name, client name, and the IP address and port of the remote Pulse instance. Pulse will poll the remote instance for its health score and status.

Remote site polling requires the remote Pulse instance to be reachable on the network. The default port is 5000. Ensure firewall rules allow the connection between Pulse instances.

Enterprise tier only.

18. Log Archiving

Go to Reports → Archive. Archiving exports logs older than a selected number of days to CSV then removes them from the database.

Manual archive

Select the retention period and click 📦 Archive & Prune. CSVs are saved to the archives\ folder inside the Pulse install directory.

Auto-archive

Enable auto-archive to archive logs older than 1 day at midnight daily. Recommended when live syslog is running continuously.

Reimporting archived files

Archived CSV files can be reimported on the Import tab. Pulse detects the archive format automatically.

19. Settings Reference

Settings → SyslogStart/stop live syslog listener, set port
Settings → Alerts → EmailSMTP configuration for email alerts and daily digest
Settings → Alerts → WebhooksWebhook URLs for Slack, Teams, PagerDuty, etc.
Settings → Threat IntelAPI keys for AbuseIPDB, VirusTotal, Shodan, Greynoise
Settings → AIAnthropic API key for AI Explain and natural language search
Settings → Integrations → PSAConnectWise or Autotask API credentials
Settings → Client PortalWhite-label configuration and portal link generation
Settings → Blocked CountriesCountries to flag in threat detection
Settings → LicenseLicense status, seat count, and activation details

20. User Management

Go to Settings → Users to manage Pulse accounts.

  • Admin — full access including settings and user management
  • Analyst — threat acknowledgement, ticket creation; no settings access
  • Viewer — read-only access to dashboard and reports

Starter: up to 3 users · Professional: up to 10 users · Enterprise: unlimited.

Change the default admin password immediately via Settings → Users → Change Password.

21. Feature Tiers

FeatureStarterProfessionalEnterprise
Threat detection (21 rules)
Log import & search
Health score
Email alerts
PDF reports
GeoIP enrichment
VPN sessions
Rule analysis
Bandwidth analysis
Users (up to)310Unlimited
Live syslog
Analytics & charts
Connection map
PCI / HIPAA / SOC 2 reports
Threat intel (VirusTotal, Shodan)
PSA integration
AI Explain / AI search
Client portal
White label
Fleet dashboard
Custom detection rules

View full pricing →