AppFlow : Managing Flow Reporting Statistics
External Collector Tab
The External Collector tab provides configuration settings for AppFlow reporting to an external IPFIX collector.
 
Send Flows and Real-Time Data To External Collector—Selecting this checkbox enables the SonicWALL device to send both AppFlow data and real-time data to an external flow collector. This option is disabled by default.
* 
NOTE: When enabling/disabling this option, you may need to reboot the device to enable/disable this feature completely.
External AppFlow Reporting Format—If you enabled the Send Flows and Real-Time Data To External Collector option, you must specify the flow reporting type from the drop-down menu:
NetFlow version-5 (default)
NetFlow version-9
IPFIX
IPFIX with extensions
For Netflow versions and IPFIX reporting types, only connection-related flows are reported.
For IPFIX with extensions, connection-related flows are reported with SonicWALL-specific data types, as well as various other dynamic tables for connections, users, applications, threats (viruses/spyware/intrusion), URLs, logs, real-time health (memory/CPU/iface statistics), VPN tunnels, devices, SPAMs, wireless devices, and locations. Flows reported in this mode can either be viewed by another SonicWALL firewall configured as a collector (especially in an HA pair with the idle firewall acting as a collector) or a SonicWALL Linux collector. Some third-party collectors can also use this mode to display applications when using standard IPFIX support,
* 
NOTE: Not all reports are visible when using a third-party collector.
* 
NOTE: If the reporting type is set to Netflow versions 5 or 9 or IPFIX, then any third-party collector can be used to show flows reported from the SonicWALL device as it uses standard data types as defined in IETF. If the reporting type is set to IPFIX with extensions, then only collectors that are SonicWALL flow aware, such as SonicWALL Scrutinizer, can be used.
External Collector’s IP Address—Specify the external collector’s IP address to which the SonicWALL device will send flows via Netflow/IPFX. This IP address must be reachable from the SonicWALL firewall. If the collector is reachable via a VPN tunnel, then the source IP must be specified.
Source IP To Use for Collector On A VPN Tunnel—If the external collector specified in External Collector’s IP Address must be reached by a VPN tunnel, specify the source IP for the correct VPN policy.
* 
NOTE: Select a source IP from the local network specified in the VPN policy. If specified, Netflow/IPFIX flow packets will always take the VPN path.
External Collector’s UDP Port Number—Specify the UDP port number on which the external collector is listening for Netflow/IPFIX packets. The default port is 2055.
Send IPFIX/Netflow Templates at Regular Intervals—Selecting this checkbox will enable the appliance to send Template flows at regular intervals. Netflow version-9 and IPFIX use templates that must be known to an external collector before sending data. Per IETF, a reporting device must be capable of sending templates at a regular interval to keep the collector in sync with the device. If the collector does not need templates at regular intervals, you may disable the option. This option is disabled by default.
* 
NOTE: This option is available with Netflow version-9, IPFIX, and IPFIX with extensions only. The checkbox is dimmed if Netflow version-5 is selected.
Send Static AppFlow at Regular Interval—Enable this option if the external collector requires static flows to be sent at regular intervals. When enabled, this option generates IPFIX records hourly for all the static tables specified in Send Static AppFlow for Following Tables. This option is disabled by default.
* 
NOTE: This option is available with IPFIX with extensions only and must be enabled if SonicWALL Scrutinizer is used as an external collector.
Send Static AppFlow for Following Tables—Select the static mapping tables to be generated to a flow from the drop-down menu:
Applications *
Viruses *
Spyware *
Intrusions *
Location Map
Services *
Rating Maps *
Table Map
Column Map
* 
NOTE: Items with an asterisk (*) are selected by default.
For more information on static tables, refer to NetFlow Tables .
When running in IPFIX with extensions mode, the SonicWALL firewall reports multiple types of data to an external device to correlate User, VPN, Application, Virus, and Spyware information. In this mode, data is both static and dynamic. Static tables are needed only once as they rarely change. Depending on the capability of the external collector, not all static tables are needed.
In IPFIX with extension mode the SonicWALL firewall can asynchronously generate static mapping tables to bring the external collector in sync. This is synchronization is needed when the external collector is initialized later than the SonicWALL firewall. To generate these tables, select the needed mapping tables and then click the Generate Static AppFlow Data button. Only flows for those tables selected in Send Static AppFlow for Following Tables will be generated.
Send Dynamic AppFlow for Following Tables—Select the dynamic mapping tables to be generated to a flow from the drop-down menu:
Connections *
Users *
URLs *
URL Ratings *
VPNs *
Devices
SPAMs
Locations
VOIPs *
* 
NOTE: Items with an asterisk (*) are selected by default.
For more information on dynamic tables, refer to NetFlow Tables .
* 
NOTE: This option is available with IPFIX with extensions only.
* 
NOTE: In IPFIX with extension mode, the SonicWALL firewall can be configured to generated reports for selected tables. As the firewall doesn’t cache this information, some of the flows not sent may create a failure in correlating flows with other data.
Include Following Additional Reports via IPFIX—When running in IPFIX with extensions mode, SonicWALL is capable of reporting data that is not related to connection and flows. These tables are grouped under this option. Statistics are reported every 5 seconds.
Select additional IPFIX reports to be generated to a flow from the drop-down menu (none are selected by default):
Top 10 Apps—Generates the top 10 applications.
Interface Stats—Generates per-interface statistics such as interface name, interface bandwidth utilization, MAC address, link status.
Core Utilization—Generates per-core utilization as a percentage.
Memory Utilization—Generates the status of available memory, used memory, and memory used by the AppFlow collector.
Depending on the capability of the external collector, not all additional tables are needed.
* 
NOTE: This option is available with IPFIX with extensions only.
Report On Connection OPEN—If enabled, the SonicWALL firewall will report when a new connection is opened. All associated data related to that connection may not be available when the connection is opened. Thus, flows will show up on the external collector as soon as a new connection is opened. This option is enabled by default.
Report On Connection CLOSE—If enabled, the SonicWALL firewall will report when a connection is closed. This is the most efficient way of reporting flows to the AppFlow Server. All associated data related to that connection are available and reported. This option is enabled by default.
Report Connection on Active Timeout—Enable this to have the firewall report an active connection every Active Timeout period set in Number of Seconds. This option is disabled by default.
Number of Seconds—Set the number of seconds to elapse for the Active Timeout. The default setting is 60 seconds. You can set from 1 second to 999 seconds for the Active Timeout.
Report Connection on Kilo BYTES Exchanged—Enable this to have the firewall report an active connection whenever the specified amount of bidirectional data is exchanged on the active connection, This option is ideal for flows that are active for a long time and need to be monitored. This option is disabled by default.
* 
NOTE: This option is available with IPFIX with extensions only.
Kilobytes Exchanged—When the Report Connection on Kilo BYTES Exchanged option is enabled, specify the amount of data, in kilobytes, to be transferred on a connection before the connection is reported. The default value is 100 kilobytes.
When this option is enabled, the same flow is reported whenever the specifies amount of data is transferred over the connection, which can cause a large amount of IPFIX packet generation on a loaded system. To report this flow only once, select the Report ONCE option.
Report ONCE—When the Report Connection on Kilo BYTES exchanged option is enabled, enabling this option will send the report only once regardless of how many kilobytes of data are exchanged. Leave the option unselected if you want multiple reports sent. This option is disabled by default.
Report Connections On Following Updates—The SonicWALL firewall will report when it detects of the following that you have selected from the drop-down menu (all are selected by default):
threat detection—Enable this to report flows specific to threats. Upon detections of virus, intrusion, or spyware, the flow is reported again.
application detection—Enable this to report flows specific to applications. Upon performing a deep packet inspection, the firewall is able to detect if a flow is part of a certain application. Once identified, the flow is reported again.
user detection—Enable this to report flows specific to users. The Dell SonicWALL network security appliance associates flows to a user-based detection based on its login credentials. Once identified, the flow is reported again.
VPN tunnel detection—Enable this to report flows sent through the VPN tunnel. Once flows sent over the VPN tunnel are identified, the flow is reported again.
Actions—Generate templates and static-flow data asynchronously with these buttons:
Click the Generate ALL Templates button to begin building templates on the IPFIX server; this will take up to two minutes.
Click the Generate Static AppFlow Data button to begin generating a large amount of flows to the IPFIX server; this will take up to two minutes.