Policy Configuration : Configuring Flow Activity
Connection Report Settings
This section allows the network administrator to configure conditions under which a connection is reported.
Report Connections—Select from All or Interface-based or Firewall/App Rules-based connection reporting. Note that this option is applicable to both internal and external flow reporting.
All—Selecting this check box enables any connection reporting.
Interface-based—Selecting this check box enables flow reporting based only on the initiator or responder interface. This provides a way to control what flows are reported externally or internally. If enabled, the flows are verified against the per interface flow reporting configuration, located in the Network > Interface screen. If an interface has its flow reporting disabled, then flows associated with that interface are skipped. Firewall/App Rules-based—Selecting this check box enables flow reporting based on already existing firewall rules. This is similar to interface-based reporting; the only difference is instead of checking per interface settings, the per firewall rule is selected. Every firewall rule has a check box to enable flow reporting. If a flow matching a firewall rule is to be reported, this enabled check box forces it to verify if firewall rules have flow reporting enabled or not. Note that if this option is enabled and no rules have the flow reporting option enabled, no data is reported. This option is an additional way to control which flows need to be reported.
Report on Connection OPEN—Enable this to report flows when the connection is open. This is typically when a connection is established.
Report on Connection CLOSED—Enable this to report flows when the connection is closed.
Report Connection on Active Timeout—Enable this to report connections based on an Active Timeout sessions.
Number of Seconds—Set the number of seconds to elapse for the Active Timeout. The default setting is 60 seconds. You can set from 1 second to 999 seconds for the Active Timeout.
Report Connection on Kilo BYTES Exchanged—Enable this to report flows based on a specific number of traffic, in kilobytes, is exchanged. This option is ideal for flows that are active for a long time and need to be monitored.
Kilobytes Exchanged—When the previous option is enabled, specify the number of kilobytes exchanged to be reported.
Report ONCE—When Report Connection on Kilo BYTES exchanged is enabled, enabling this option sends the report only one time. Leave it deselected if you want reports sent periodically.
Report Connections on Following Updates—Select from the pull-down menu to enable connection reporting for the following:
Threat Detection—Enable this to report flows specific to threats. Upon detections of virus, intrusion, or spyware, the flow is reported again.
Application Detection—Enable this to report flows specific to applications. Upon completing a deep packet inspection, the SonicWALL appliance is able to detect if a flow is part of a certain application. After identified, the flow is reported again.
User Detection—Enable this to report flows specific to users. The SonicWALL appliance associates flows to a user-based detection based on its login credentials. After identified, the flow is reported again.
VPN Tunnel Detection—Enable this to report flows sent through the VPN tunnel. After flows sent over the VPN tunnel are identified, the flow is reported again.