The Log > Flow Reporting page includes settings for configuring the SonicWALL to view statistics based on Flow Reporting and Internal Reporting. From this screen, you can also configure settings for internal and external flow reporting.
This chapter contains the following sections:
The Flow Reporting Statistics apply to all external flows. This section shows counts of the flows that are sent to the server, not collected, dropped, stored in and removed from memory, and reported and not reported to the server. This section also includes the number of NetFlow and IP Flow Information Export (IPFIX) templates sent and the number of general static flows reported.
The App Flow Reporting Statistics apply to all internal flows. Similar to the Flow Reporting Statistics, this section shows counts of the flows that are sent to the server, not collected, dropped, stored in and removed from memory, and reported and not reported to the server. This section also includes the number of static flows removed from the queue, internal errors, and the total number of flows within the internal database.
The Settings section has configurable options for internal flow reporting, external flow reporting, and the IPFIX collector. You can also configure the settings for what is reported to an external controller.
• Enable Flow Reporting and Visualization — This is a global checkbox that enables or disables the complete flow reporting feature. Selecting this checkbox enables flow reporting, which you can view on the Dashboard screen. When this is disabled, both internal and external flow reporting are also disabled.
• Report to EXTERNAL flow collector — Selecting this checkbox enables the specified flows to be reported to an external flow collector. Some options include another SonicWALL appliance configured as a collector, a SonicWALL Linux collector, or a third-party collector. Note that not all collectors will work with all modes of flow reporting.
• Enable INTERFACE Based Reporting (advanced) — Selecting this checkbox enables flow reporting based on the initiator or responder interface. This provides a way to control which flows are reported externally or internally. If enabled, the flows are verified against the per-interface flow reporting configuration, located in the Network > Interface screen. If an interface has its flow reporting disabled, then flows associated with that interface are skipped. By default, flow reporting is disabled on interfaces.
• Enable firewall/app rules based reporting (advanced) — Selecting this checkbox enables flow reporting based on already existing firewall rules. This is similar to interface-based reporting; the only difference is that instead of checking per-interface settings, the per-firewall-rule setting is checked. Every firewall rule has a checkbox to enable flow reporting. When this option is enabled, a flow that matches a firewall rule is reported only if that rule has flow reporting enabled. Note that if this option is enabled and no rules have the flow reporting option enabled, no data will be reported to the App Flow Monitor. This option is an additional way to control which flows need to be reported. Note that this option applies to both internal and external flow reporting.
– External Flow Reporting Type — If the “Report to EXTERNAL Flow Collector” option is selected, you must specify the flow reporting type from the dropdown menu: NetFlow version-5, NetFlow version-9, IPFIX, or IPFIX with extensions. If the reporting type is set to NetFlow version 5, NetFlow version 9, or IPFIX, any third-party collector can be used to show flows reported from the device, because these types use the standard data types defined by the IETF. If the reporting type is set to IPFIX with extensions, only collectors that are SonicWALL flow aware can be used.
The following are recommended options for collectors:
For the NetFlow version 5, NetFlow version 9, and IPFIX reporting types, only connection-related flows are reported, per the standard. For IPFIX with extensions, connection-related flows are reported using SonicWALL-specific data types, along with various other tables that correlate flows with Users, Applications, Viruses, VPN, and so on.
– External Collector’s IP Address — Specify the external collector’s IP address. This IP address must be reachable from the SonicWALL firewall in order for the collector to generate flow reports.
– Source IP to Use for Collector on a VPN Tunnel — If the external collector must be reached through a VPN tunnel, specify the source IP for the correct VPN policy. Note: Select a Source IP from the local network specified in the VPN policy. If specified, NetFlow/IPFIX flow packets will always take the VPN path.
• Send Templates at Regular Intervals — Selecting this checkbox enables the appliance to send Template flows at regular intervals. NetFlow version-9 and IPFIX use templates that must be known to an external collector before data is sent. Per the IETF, a reporting device must be capable of sending templates at a regular interval to keep the collector in sync with the device. If the collector does not require them, you can disable this here. This option is available with NetFlow version-9, IPFIX, and IPFIX with extensions only.
• Send Static Flows for Following Tables — Select the static mapping tables to be generated to a flow from the dropdown list. Values include: Applications, Viruses, Spyware, Intrusions, Location Maps, Services, Rating Maps, Table Maps, and Column Maps. Selecting the Send Static Flows at Regular Intervals checkbox enables the sending of these specified static flows.
When running in IPFIX with extensions mode, SonicWALL reports multiple types of data to an external device in order to correlate User, VPN, Application, Virus, and so on. In this mode, data is both static and dynamic. Static tables are needed only once, since they rarely change. Depending on the capability of the external collector, not all static tables are needed. You can select the tables needed in this section. This option is available with IPFIX with extensions only.
• Send Dynamic Flows for Following Tables — Select the dynamic mapping tables to be generated to a flow from the dropdown list. Values include: Connections, Users, URLs, URL Ratings, VPNs, Devices, SPAMs, Locations, and VoIPs.
When running in IPFIX with extensions mode, SonicWALL is capable of reporting additional data that is not related to connections and flows. These tables are grouped under this section (Additional Reports). Depending on the capability of the external collector, not all additional tables are needed. In this section, you can select the tables that are needed. This option is available with IPFIX with extensions only.
• IPFIX external reporter's IP address — In collector mode, the IP address of the external reporting server must be configured. Enter the IP address of the server that will transmit IPFIX packets.
This section allows you to configure flow reporting settings, such as realtime, realtime with bulk, or periodic reporting. Note that modifying this section does not have an effect on internal reporting settings.
• Flow Reporting Mode — Select from the dropdown list to have your SonicWALL appliance generate NetFlow or IPFIX packets in one of the following modes:
– Realtime — One flow record is sent per packet.
– Periodic — A report is sent at a regular interval.
Typically, the SonicWALL flow reporting subsystem receives flows and other table data asynchronously from other parts of the firewall. This section specifies how and when that data needs to be reported.
• Flow Reporting Period (in seconds) — When Periodic is selected, specify the number of seconds to wait before reporting the collected flows. In this mode, SonicWALL collects all flows from the firewall and waits until the time elapses. Once the time elapses, the flows are reported externally to the collector.
• Number of Flows Reported per Period — When Periodic is selected, specify the number of flows to be reported within each period. If the SonicWALL appliance collects more flows than the number specified in this field, only the first n are reported. For example, if 10 is the specified number of flows reported, but the SonicWALL collects 20, the first 10 will be reported.
• Report TOP-TALKERS only — When Periodic is selected, select this checkbox to enable the SonicWALL to report the flows with the most traffic. Among the collected flows, the SonicWALL selects those based on traffic volume, then sends them in descending order.
The Event Settings section allows you to configure the conditions under which a flow is reported. Note that this section only applies to Connection-related flows.
• Report Flows on Threat Detection — Enable this to report flows specific to threats. Upon detection of a virus, intrusion, or spyware, the flow is reported again.
• Report Flows on Application Detection — Enable this to report flows specific to applications. Upon performing deep packet inspection, the SonicWALL appliance is able to detect whether a flow is part of a certain application. Once identified, the flow is reported again.
• Report Flows on User Detection — Enable this to report flows specific to users. The SonicWALL appliance associates a flow with a user based on the user's login credentials. Once identified, the flow is reported again.
• Report Flows on Kilo BYTES exchanged — Enable this to report flows once a specified amount of traffic, in kilobytes, has been exchanged. This option is ideal for flows that are active for a long time and need to be monitored.
– Kilobytes exchanged — When the above option is enabled, specify the number of kilobytes that must be exchanged before the flow is reported.
– Report Once — When the Report Flows on Kilo BYTES exchanged option is enabled, enabling this option will send the report only once. Leave it unselected if you want reports sent periodically.
• Report DROPPED Flows — Enable this to report dropped flows. This applies to flows that are dropped due to firewall rules.
• Skip Reporting of STACK Flows (connections) — Enable this to skip the reporting of STACK flows for connections. Note that all flows resulting from traffic initiated or terminated by the firewall itself are considered stack traffic.
• Include following URL types — Select the types of URLs to be generated into a flow from the dropdown list. Values include: Gifs, Jpegs, Pngs, Js, Xmls, Jsons, Css, Htmls, Aspx, and Cms. This option applies to both App Flow (internal) and external reporting when used with IPFIX with extensions.
SonicWALL recommends careful planning of NetFlow deployment, with NetFlow services activated on strategically located edge/aggregation routers that capture the data required for planning, monitoring and accounting applications. Key deployment considerations include the following:
NetFlow is in general an ingress measurement technology that should be deployed on appropriate interfaces on edge/aggregation or WAN access routers to gain a comprehensive view of originating and terminating traffic, meeting customer needs for accounting, monitoring or network planning data. The key mechanism for keeping NetFlow data volume manageable is careful planning of NetFlow deployment. NetFlow can be deployed incrementally (that is, interface by interface) and strategically (that is, on well-chosen routers), rather than deploying NetFlow on every router in the network.
Depending on the type of flows you are collecting, you will need to determine which type of reporting will work best with your setup and configuration. This section includes configuration examples for each supported NetFlow solution, as well as configuring a second appliance to act as a collector.
To configure typical NetFlow version 5 flow reporting, follow the steps listed below.
Step 1
Select the Enable flow reporting checkbox. Note that if this is disabled, both internal and external flow reporting are also disabled.
Step 2
Select the Report to EXTERNAL flow collector checkbox to enable flows to be reported to an external flow collector. Note that you may enable this option if you prefer to receive external flows, rather than the SonicWALL visualization. Remember, not all collectors will work with all modes of flow reporting.
Step 3
Enable INTERFACE based reporting by selecting the checkbox. Once enabled, the flows reported are based on the initiator or responder interface. Note that this step is optional.
Step 4
Enable Firewall-Rules Based Reporting by selecting the checkbox. Once enabled, the flows reported are based on already existing firewall rules. Note that this step is optional, but is required if flow reporting is done on selected interfaces.
Step 5
Select Netflow version-5 as the External Flow Reporting Type from the dropdown list if the Report to EXTERNAL flow collector option is selected. Next, specify the External Collector’s IP address in the provided field.
Step 6
For the Source IP to Use for Collector on a VPN Tunnel, specify the source IP if the external collector must be reached by a VPN tunnel. Note that this step is optional.
Step 7
Specify the External Collector’s UDP port number in the provided field. The default port is 2055.
To configure NetFlow version 9 flow reporting, follow the steps listed below.
Step 1
Select the Enable flow reporting checkbox. Note that if this is disabled, both internal and external flow reporting are also disabled.
Step 2
Select the Report to EXTERNAL flow collector checkbox to enable flows to be reported to an external flow collector. Note that you may enable this option if you prefer to receive external flows, rather than the SonicWALL visualization. Remember, not all collectors will work with all modes of flow reporting.
Step 3
Enable INTERFACE based reporting by selecting the checkbox. Once enabled, the flows reported are based on the initiator or responder interface. Note that this step is optional.
Step 4
Enable Firewall-Rules Based Reporting by selecting the checkbox. Once enabled, the flows reported are based on already existing firewall rules. Note that this step is optional, but is required if flow reporting is done on selected interfaces.
Step 5
Select Netflow version-9 as the External Flow Reporting Type from the dropdown list if the Report to EXTERNAL flow collector option is selected. Next, specify the External Collector’s IP address in the provided field.
Step 6
For the Source IP to Use for Collector on a VPN Tunnel, specify the source IP if the external collector must be reached by a VPN tunnel. Note that this step is optional.
Step 7
Specify the External Collector’s UDP port number in the provided field. The default port is 2055.
Step 8
Enable the option to Send templates at regular intervals by selecting the checkbox. Note that NetFlow version-9 uses templates that must be known to an external collector before data is sent. After enabling this option, you can Generate ALL Templates by clicking the button in the topmost toolbar.
To configure IPFIX, or NetFlow version 10, flow reporting, follow the steps listed below.
Step 1
Select the Enable flow reporting checkbox. Note that if this is disabled, both internal and external flow reporting are also disabled.
Step 2
Select the Report to EXTERNAL flow collector checkbox to enable flows to be reported to an external flow collector. Note that you may enable this option if you prefer to receive external flows, rather than the SonicWALL visualization. Remember, not all collectors will work with all modes of flow reporting.
Step 3
Enable INTERFACE based reporting by selecting the checkbox. Once enabled, the flows reported are based on the initiator or responder interface. Note that this step is optional.
Step 4
Enable Firewall-Rules Based Reporting by selecting the checkbox. Once enabled, the flows reported are based on already existing firewall rules. Note that this step is optional, but is required if flow reporting is done on selected interfaces.
Step 5
Select IPFIX as the External Flow Reporting Type from the dropdown list if the Report to EXTERNAL flow collector option is selected. Next, specify the External Collector’s IP address in the provided field.
Step 6
For the Source IP to Use for Collector on a VPN Tunnel, specify the source IP if the external collector must be reached by a VPN tunnel. Note that this step is optional.
Step 7
Specify the External Collector’s UDP port number in the provided field. The default port is 2055.
Step 8
Enable the option to Send templates at regular intervals by selecting the checkbox. Note that IPFIX, like NetFlow version-9, uses templates that must be known to an external collector before data is sent. After enabling this option, you can Generate ALL Templates by clicking the button in the topmost toolbar.
To configure IPFIX with extensions flow reporting, follow the steps listed below.
Step 1
Select the Enable flow reporting checkbox. Note that if this is disabled, both internal and external flow reporting are also disabled.
Step 2
Select the Report to EXTERNAL flow collector checkbox to enable flows to be reported to an external flow collector. Note that you may enable this option if you prefer to receive external flows, rather than the SonicWALL visualization. Remember, not all collectors will work with all modes of flow reporting.
Step 5
Select IPFIX with extensions as the External Flow Reporting Type from the dropdown list if the Report to EXTERNAL flow collector option is selected. Next, specify the External Collector’s IP address in the provided field.
Step 6
For the Source IP to Use for Collector on a VPN Tunnel, specify the source IP if the external collector must be reached by a VPN tunnel.
Step 7
Specify the External Collector’s UDP port number in the provided field. The default port is 2055.
Step 8
Enable the option to Send templates at regular intervals by selecting the checkbox. Note that IPFIX with extensions, like NetFlow version-9, uses templates that must be known to an external collector before data is sent. After enabling this option, you can Generate ALL Templates by clicking the button in the topmost toolbar.
Step 9
Enable the option to Send static flows at regular intervals by selecting the checkbox. After enabling this option, you can Generate Static Flows by clicking the button in the topmost toolbar.
After configuring the Settings section to what best suits your App Flow, External, or IPFIX collector configuration, continue through this section to specify Flow Reporting Settings. Refer to the “Report Settings” section for more information about each setting.
Step 1
Select the Flow reporting mode from the dropdown list. Note that Realtime with bulk is the default setting.
For Realtime or Realtime with bulk, continue to the “Configuring Event Settings” section.
For Periodic, continue to Step 2.
Step 2
Specify the Flow reporting period. This is the number of seconds the appliance will wait before reporting the collected flows. The default value is 10 seconds.
Step 4
Select the Report TOP-TALKERS only checkbox to enable the SonicWALL appliance to report the flows with the most traffic.
After configuring the Report Settings, continue through this section to configure the conditions under which a flow is reported. Selecting a checkbox will enable the configuration. Refer to the “Event Settings” section for more information about each setting.
One external flow reporting option that works with NetFlow with Extensions is the third-party collector called Plixer Scrutinizer. This collector displays a range of reporting and analysis that is both NetFlow and SonicWALL flow aware.
To verify your NetFlow with Extensions reporting configuration, perform the following steps.
Step 1
Navigate to the SonicWALL Log > Flow Reporting screen. Enable the Report to EXTERNAL flow collector option in the Settings section.
Step 2
Specify the External collector’s IP address and the respective UDP Port Number.
The following section describes the various NetFlow tables. It also describes in detail the IPFIX with extensions tables that are exported when the SonicWALL is configured to report flows.
This section includes the following sub-sections:
Static Tables are tables with data that does not change over time. However, this data is required to correlate with other tables. Static tables are usually reported at a specified interval, but may also be configured to be sent just once. The following is a list of Static IPFIX tables that may be exported:
• Table Layout Map — This table reports SonicWALL’s list of tables to be exported, including Table ID and Table Names.
• Column Map — This table represents SonicWALL’s list of columns to be reported, with Name, Type, Size, and IPFIX Standard Equivalents for each column of every table.
• Rating Map — This table represents SonicWALL’s list of Rating IDs and the Name of the Rating Type.
• Location Map — This table represents SonicWALL’s location map describing the list of countries and regions with their IDs.
• Applications Map — This table reports all applications the SonicWALL appliance identifies, including various Attributes, Signature IDs, App IDs, Category Names, and Category IDs.
• Intrusions Map — This table reports all intrusions detected by the SonicWALL appliance.
• Viruses Map — This table reports all viruses detected by the SonicWALL appliance.
• Spyware Map — This table reports all spyware detected by the SonicWALL appliance.
• Services Map — This table represents SonicWALL’s list of Services with Port Numbers, Protocol Type, Range of Port Numbers, and Names.
Unlike Static tables, the data in Dynamic tables changes over time and is sent repeatedly, based on the activity of the SonicWALL appliance. The columns of these tables grow over time, with the exception of a few tables containing statistics or utilization reports. The following is a list of Dynamic IPFIX tables that may be exported:
• Flow Table — This table reports SonicWALL connections. The same flow tables can be reported multiple times by configuring triggers.
• Location — This table reports the Locations and Domain Names of an IP address.
• Users — This table reports users logging in to the SonicWALL appliance via LDAP/RADIUS, Local, or SSO.
• URLs — This table reports URLs accessed through the SonicWALL appliance.
• Log — This table reports all unfiltered logs generated by the SonicWALL appliance.
• Interface Statistics — This table reports statistics for all interfaces, including VLANs. The statistics include Interface ID, Interface Name, Interface IP, Interface MAC, Interface Status, Interface Speed, Interface Mode, Interface Counters, and Interface Rolling Average Rate.
• Memory Utilization — This table reports all Memory utilization (Free, Used, Used by DB) of the SonicWALL appliance.
• VoIP — This table reports all VoIP/H323 calls through the SonicWALL appliance.
• SPAM — This table reports all email exchanges through the SPAM service.
• Connected Devices — This table reports the list of all devices connected through the SonicWALL appliance, including the MAC addresses, IP addresses, Interface, and NETBIOS name of connected devices.
• VPN Tunnels — This table reports all VPN tunnels established through the SonicWALL appliance.
• URL Rating — This table reports Rating IDs for all URLs accessed through the SonicWALL appliance.
The following section shows examples of the types of NetFlow template tables that are exported. You can generate a Diagnostic Report of your own NetFlow configuration by navigating to the System > Diagnostics screen and clicking the Download Report button in the “Tech Support Report” section.
The NetFlow version 5 datagram consists of a header and one or more flow records, and export datagrams are sent over UDP. The first field of the header contains the version number of the export datagram. The second field in the header contains the number of records in the datagram, which can be used to walk through the records. Because NetFlow version 5 uses a fixed datagram format, no templates are involved, and the datagram follows the format of the tables listed below.
NetFlow version 5 Header Format
NetFlow version 5 Flow Record Format
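As an added example that is not part of the SonicWALL documentation, the following Python decodes a NetFlow version 5 datagram the way a collector listening on the default UDP port 2055 would: it checks the version field, uses the record count from the header to walk the fixed 48-byte records, and rejects truncated payloads. It assumes the standard Cisco v5 header and record layout; the function names and the two sample flows are constructed for illustration.

```python
import struct
from collections import namedtuple
from ipaddress import IPv4Address
from typing import List, Tuple

# NetFlow v5 export datagram (network byte order): a fixed 24-byte header followed by
# `count` fixed 48-byte flow records. No templates are involved, unlike v9/IPFIX.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")

# First header field is the version (must be 5); the second is the record count.
V5Header = namedtuple("V5Header", "version count sys_uptime_ms unix_secs unix_nsecs "
                                  "flow_sequence engine_type engine_id sampling_interval")
# Record fields in wire order; the two pad fields are dropped when decoding.
V5Record = namedtuple("V5Record", "src dst nexthop input_if output_if packets octets "
                                  "first_ms last_ms src_port dst_port tcp_flags proto tos "
                                  "src_as dst_as src_mask dst_mask")

def parse_v5(datagram: bytes) -> Tuple[V5Header, List[V5Record]]:
    """Decode one UDP payload, rejecting wrong versions and truncated datagrams."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    hdr = V5Header(*V5_HEADER.unpack_from(datagram, 0))
    if hdr.version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version={hdr.version})")
    if len(datagram) < V5_HEADER.size + hdr.count * V5_RECORD.size:
        raise ValueError(f"header claims {hdr.count} records but payload is truncated")
    records = []
    for i in range(hdr.count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append(V5Record(str(IPv4Address(f[0])), str(IPv4Address(f[1])),
                                str(IPv4Address(f[2])), *f[3:11], *f[12:19]))
    return hdr, records

def is_valid_v5(datagram: bytes) -> bool:
    """Convenience check: does the payload decode as a well-formed v5 datagram?"""
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False

def top_talkers(records: List[V5Record], n: int) -> List[V5Record]:
    """Order flows by bytes, descending, as the TOP-TALKERS report option does."""
    return sorted(records, key=lambda r: r.octets, reverse=True)[:n]

def build_v5(records: List[V5Record], flow_sequence: int = 0) -> bytes:
    """Encode records into a v5 datagram (used here to construct the sample input)."""
    hdr = V5_HEADER.pack(5, len(records), 0, 0, 0, flow_sequence, 0, 0, 0)
    body = b"".join(V5_RECORD.pack(
        int(IPv4Address(r.src)), int(IPv4Address(r.dst)), int(IPv4Address(r.nexthop)),
        r.input_if, r.output_if, r.packets, r.octets, r.first_ms, r.last_ms,
        r.src_port, r.dst_port, 0, r.tcp_flags, r.proto, r.tos,
        r.src_as, r.dst_as, r.src_mask, r.dst_mask, 0) for r in records)
    return hdr + body

# Constructed sample: two flows as a firewall might export them to a collector on UDP 2055.
SAMPLE_RECORDS = [
    V5Record("192.0.2.10", "198.51.100.20", "0.0.0.0", 1, 2, 12, 4321, 1000, 2000,
             51234, 443, 0x1b, 6, 0, 0, 0, 24, 24),
    V5Record("192.0.2.11", "198.51.100.53", "0.0.0.0", 1, 2, 1, 73, 2100, 2100,
             40000, 53, 0, 17, 0, 0, 0, 24, 24),
]
SAMPLE_DATAGRAM = build_v5(SAMPLE_RECORDS, flow_sequence=100)
```

Gaps in flow_sequence between consecutive datagrams are the simplest sign that UDP export loss is occurring between the firewall and the collector.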
An example of a NetFlow version 9 template is displayed below.
The following table details the NetFlow version 9 Template FlowSet Field Descriptions.
An example of an IPFIX (NetFlow version 10) template is displayed below.
The following table details the IPFIX Template FlowSet Field Descriptions.
IPFIX with extensions exports templates that are a combination of NetFlow fields from the aforementioned versions and SonicWALL IDs. These flows contain several extensions, such as Enterprise-defined field types and Enterprise IDs. Note that the SonicWALL Specific Enterprise ID (EntID) is defined as 8741.
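The following Python, added here and not taken from the SonicWALL documentation, parses the template sets of a NetFlow version 9 or IPFIX (version 10) export message, records the enterprise number of any IPFIX element whose id carries the enterprise bit, and flags elements under the SonicWALL enterprise ID 8741, which is what makes a SonicWALL flow aware collector necessary. The function names, the sample message, and the element id placed under EntID 8741 are constructed for illustration and are not SonicWALL's actual element definitions.

```python
import struct
from collections import namedtuple
from typing import Dict, List

SONICWALL_ENTERPRISE_ID = 8741  # EntID stated on the page for IPFIX with extensions

# enterprise is the enterprise number when the IPFIX element id carried bit 0x8000, else None.
TemplateField = namedtuple("TemplateField", "element_id length enterprise")
Template = namedtuple("Template", "template_id fields")
_VERSIONS = {9: (20, 0), 10: (16, 2)}  # version -> (header length, template set id)

def parse_templates(msg: bytes) -> Dict[int, Template]:
    """Return {template_id: Template} for every template set in one export message."""
    if len(msg) < 16:
        raise ValueError("message shorter than any supported header")
    version = struct.unpack_from("!H", msg, 0)[0]
    if version not in _VERSIONS:
        raise ValueError(f"unsupported export version {version}")
    hdr_len, template_set_id = _VERSIONS[version]
    if version == 10 and struct.unpack_from("!H", msg, 2)[0] != len(msg):
        raise ValueError("IPFIX length field does not match payload length")
    if len(msg) < hdr_len:
        raise ValueError("message shorter than its header")
    templates: Dict[int, Template] = {}
    off = hdr_len
    while off + 4 <= len(msg):
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        end = off + set_len
        if set_len < 4 or end > len(msg):
            raise ValueError(f"set at offset {off} has bad length {set_len}")
        if set_id == template_set_id:
            pos = off + 4
            while pos + 4 <= end:
                tid, nfields = struct.unpack_from("!HH", msg, pos)
                pos += 4
                if tid == 0 and nfields == 0:  # trailing padding
                    break
                fields: List[TemplateField] = []
                for _ in range(nfields):
                    if pos + 4 > end:
                        raise ValueError(f"template {tid} truncated")
                    eid, flen = struct.unpack_from("!HH", msg, pos)
                    pos += 4
                    ent = None
                    if version == 10 and eid & 0x8000:
                        if pos + 4 > end:
                            raise ValueError(f"template {tid} enterprise number truncated")
                        ent = struct.unpack_from("!I", msg, pos)[0]
                        pos += 4
                        eid &= 0x7FFF
                    fields.append(TemplateField(eid, flen, ent))
                templates[tid] = Template(tid, fields)
        off = end  # data sets (id >= 256) and options templates are skipped here
    return templates

def needs_sonicwall_aware_collector(templates: Dict[int, Template]) -> bool:
    """True when any template carries an element under the SonicWALL enterprise id."""
    return any(f.enterprise == SONICWALL_ENTERPRISE_ID
               for t in templates.values() for f in t.fields)

def build_ipfix_template_message(tid: int, fields: List[TemplateField]) -> bytes:
    """Encode one IPFIX template set (used here only to construct the sample input)."""
    body = struct.pack("!HH", tid, len(fields))
    for f in fields:
        if f.enterprise is None:
            body += struct.pack("!HH", f.element_id, f.length)
        else:
            body += struct.pack("!HHI", f.element_id | 0x8000, f.length, f.enterprise)
    set_bytes = struct.pack("!HH", 2, 4 + len(body)) + body
    hdr = struct.pack("!HHIII", 10, 16 + len(set_bytes), 0, 0, 1)  # export time, seq, domain
    return hdr + set_bytes

# Constructed sample: IANA elements sourceIPv4Address (8), destinationIPv4Address (12),
# octetDeltaCount (1), plus a placeholder element id 1 under EntID 8741.
SAMPLE_MESSAGE = build_ipfix_template_message(256, [
    TemplateField(8, 4, None), TemplateField(12, 4, None),
    TemplateField(1, 8, None), TemplateField(1, 2, SONICWALL_ENTERPRISE_ID),
])
```

A collector that does not know the 8741 enterprise elements will still parse the standard fields but cannot decode the SonicWALL-specific ones, which is why the page restricts IPFIX with extensions to SonicWALL flow aware collectors.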
The following Name Template is a standard for the IPFIX with extensions templates. The values specified are static and correlate to the Table Name of all the NetFlow exportable templates.
The following template is an example of an IPFIX with extensions template.