The Log > Flow Reporting page includes settings for configuring the SonicWALL to view statistics based on Flow Reporting and Internal Reporting. From this screen, you can also configure settings for internal and external flow reporting.
This chapter contains the following sections:
The External Flow Reporting Statistics apply to all external flows. This section shows reports of the flows that are sent to the server, not collected, dropped, stored in and removed from memory, and reported and not reported to the server. This section also includes the number of NetFlow and IP Flow Information Export (IPFIX) templates sent and general static flows reported.
The App Flow Reporting Statistics apply to all internal flows. Similar to the Flow Reporting Statistics, this section shows reports of the flows that are sent to the server, not collected, dropped, stored in and removed from memory, and reported and not reported to the server. This section also includes the number of static flows removed from the queue, internal errors, and the total number of flows within the internal database.
The Settings section has options for enabling visualization for App Flow Monitor and Real-Time Monitor. You can also configure individual real-time data collection options.
• Enable Real-Time Data Collection — This setting enables real-time data collection on your SonicWALL appliance. When this setting is disabled, the Real-Time Monitor does not collect or display streaming data.
• Top Apps — Displays the Applications graph.
The External Collector Settings section has configurable options for AppFlow reporting to an IPFIX or other external collector.
• Send AppFlow and Real-Time Data to EXTERNAL Collector — This is a global checkbox that enables or disables flow reporting to an external collector, such as IPFIX. Selecting this checkbox enables flow reporting to IPFIX or other external collectors. When this is enabled or disabled, you may need to reboot the appliance.
• External Flow Reporting Format — This drop-down list allows you to select the format of the flows to be reported to an external flow collector. If the reporting type is set to Netflow versions 5, 9, or IPFIX, then any third-party collector can be used to show flows reported from the device using standard data types as defined in IETF. If the reporting type is set to IPFIX with extensions, then only collectors that are SonicWALL flow aware should be used.
  AppFlows can be reported in the following formats:
  – IPFIX (with standard fields)
  – IPFIX with extensions — These SonicWALL extensions include dynamic tables for connections, users, applications, threats (viruses/spyware/intrusions), URLs, logs, real-time health (memory/CPU/interface statistics), VPN tunnels, devices, SPAM, wireless devices and locations. Flows reported in this mode can be viewed by another SonicWALL firewall configured as a collector, such as the idle firewall in an HA pair, or a SonicWALL Linux collector running the SonicWALL provided package. Some third-party collectors, such as Plixer Scrutinizer, can also use this mode to display applications if using standard IPFIX support. Not all reports are visible when using third-party collectors.
•
|
External Collector’s IP address
—Type in the external collector IP address to which the appliance will generate flow reports. This IP address must be reachable from the firewall. If this IP address is over a VPN tunnel, then the source IP must also be specified.
|
|
•
|
Source IP To Use For Collector On A VPN tunnel
—If the collector specified in the previous field is reachable via a VPN tunnel, then type in the source IP address that matches the correct VPN policy. Use the source IP from the local network specified in the VPN policy. If this field has a value entered, Netflow and IPFIX packets will always take the VPN path.
|
|
•
|
Send IPFIX/Netflow Templates At Regular Interval
—Select this checkbox to send IPFIX templates at regular intervals. This is available for reporting modes IPFIX
or IPFIX with
extensions
. IPFIX uses templates that must be known to an external collector before sending data. Per IETF, a reporting device must be capable of sending templates at a regular interval to keep the collector in sync with the device. If the collector is not needed, you may disable it here. The default is enabled.
|
|
•
|
Send Static AppFlow At Regular Interval
—Select this checkbox to send IPFIX static tables at regular intervals. This is available for the IPFIX with extensions
reporting mode. The default is enabled.
|
|
–
|
Send Static AppFlow For Following Tables
—In IPFIX with extensions
mode, the firewall can asynchronously generate these static mapping tables to bring the external collector in sync. This is necessary when the collector is initialized later than the firewall.
|
When running in IPFIX with extensions mode, SonicWALL reports multiple types of data to an external device in order to correlate User, VPN, Application, Virus, etc. In this mode, data is both static and dynamic. Static tables are needed once since they rarely change. Depending on the capability of the external collector, not all static tables are needed. You can select the tables needed in this section.
If Send Static AppFlow At Regular Interval is selected, then only the selected flows will be generated. Select any of the following mapping tables from this drop-down list and then click Generate Static AppFlow Data at the top of the screen:
• Send Dynamic AppFlow For Following Tables — In IPFIX with extensions mode, the firewall can be configured to generate reports for selected tables. Because the firewall does not cache this information, some flows that are not sent may create failures in correlating flows with related data. Select any of the following tables to send:
  – Top 10 Apps — Generate information about the top ten applications seen.
  – Interface Stats — Generate interface statistics such as interface name, interface bandwidth utilization, MAC address, and link status. The TSR provides details about these.
  – Memory utilization — Generate the status of available memory, used memory, and memory used by the AppFlow collector.
In the Connection Report Settings area, you can configure the conditions under which a connection is reported. These settings do not apply to all non-connection related AppFlow data.
  – All — Reports all flows to the AppFlow collector.
  – Interface-based — In this mode, only connections from selected interfaces are reported to the AppFlow collector. This provides a way to control what flows are reported externally or internally. If enabled, the flows are verified against the per-interface flow reporting configuration, located in the Network > Interface > Advanced screen. If an interface has its flow reporting disabled, then flows associated with that interface are skipped. By default, flow reporting is disabled on interfaces.
  – Firewall/App Rules-based — In this mode, flows matching selected Firewall Rules or App Rules will be reported to the flow collector. If enabled, the flows are verified against the per Firewall Rule or per App Rule flow reporting configuration, located in the Firewall > Access Rules or Firewall > App Rules screens. If this option is enabled and no rules have the flow reporting option enabled, no data will be reported to the AppFlow collector. This option is an additional way to control which flows are reported internally or externally.
•
|
Report On Connection OPEN
—Select this checkbox to report flows when a connection is opened. This is typically when a connection is established. Enabled by default.
|
|
•
|
Report Connection On Kilo BYTES Exchanged
—Select this checkbox to report flows when the configured number of kilobytes are transferred on the connection. This option is useful for flows that are active for a long time and need to be monitored. Supported in IPFIX with extensions mode.
|
|
–
|
Kilobytes Exchanged
—Enter the number of kilobytes of data to be transferred on a connection before being reported. Once enabled, the same flow is reported multiple times whenever this number of kilobytes of data is transferred over the connection. This could cause a large amount of IPFIX packet generation on a loaded system.
|
|
–
|
Report ONCE
—To avoid the multiple reports described above in the Kilobytes
Exchanged
field, select the Report ONCE
checkbox to report only once per connection for bytes based reporting. Leave it unselected if you want reports sent periodically.
|
This section allows configuration of other conditions under which a connection is reported. This section only applies to connection related flows.
• Report DROPPED Connection — Enable this to report flows that are dropped due to DENY/BLOCK firewall rules. Enabling this option can cause a large amount of flow generation for all kinds of non-TCP/UDP based traffic that is always denied.
• Skip Reporting STACK Connections — Enable this to skip the reporting of flows that are used by the system stack for connections. All traffic initiated by the firewall itself is considered stack traffic.
• Include Following URL Types — Use this drop-down list to select the types of URLs to be reported. To skip reporting for specific types of URLs, clear the associated checkbox. This option applies to both App Flow (internal) and external reporting when using IPFIX with extensions. Select from the following:
• Enable Geo-IP and Domain Resolution — Select this checkbox to enable Geo-IP and Domain resolution. Clear it to disable this function. If disabled, App Flow Monitor will not group flows based on domain or country under the initiator and responder tabs. If Geo-IP blocking or Botnet blocking is enabled, then this checkbox is ignored.
SonicWALL recommends careful planning of NetFlow deployment, with NetFlow services activated on strategically located edge/aggregation routers which capture the data required for planning, monitoring and accounting applications. Key deployment considerations include the following:
NetFlow is in general an ingress measurement technology which should be deployed on appropriate interfaces on edge/aggregation or WAN access routers to gain a comprehensive view of originating and terminating traffic to meet customer needs for accounting, monitoring or network planning data. The key mechanism for enhancing NetFlow data volume manageability is careful planning of NetFlow deployment. NetFlow can be deployed incrementally (i.e. interface by interface) and strategically (i.e. on well chosen routers) instead of widespread deployment of NetFlow on every router in the network.
Depending on the type of flows you are collecting, you will need to determine which type of reporting will work best with your setup and configuration. This section includes configuration examples for each supported NetFlow solution, as well as a section on viewing reports in Scrutinizer.
To configure typical Netflow version 5 flow reporting, follow the steps listed below.
Step 2
In External Collector Settings, select the Send AppFlow and Real-Time Data To EXTERNAL Collector checkbox to enable flows to be reported to an external flow collector. Remember, not all collectors will work with all modes of flow reporting.
Step 3
Select Netflow version-5 from the External Flow Reporting Format drop-down list.
Step 4
Specify the External Collector’s IP address in the provided field.
Step 5
For the Source IP to Use For Collector on a VPN tunnel, specify the source IP if the external collector must be reached by a VPN tunnel. Note that this step is optional.
Step 6
Specify the External Collector’s UDP port number in the provided field. The default port is 2055. In Connection Report Settings, for Report Connections, do one of the following:
• Select All to report all flows.
• Select the INTERFACE-based option. Once enabled, the flows reported are based on the initiator or responder interface.
• Select the Firewall/App Rules-based option. Once enabled, the flows reported are based on already existing firewall rules.
To configure Netflow version 9 flow reporting, follow the steps listed below.
Step 2
In External Collector Settings, select the Send AppFlow and Real-Time Data To EXTERNAL Collector checkbox to enable flows to be reported to an external flow collector. Remember, not all collectors will work with all modes of flow reporting.
Step 3
Select Netflow version-9 from the External Flow Reporting Format drop-down list.
Step 4
Specify the External Collector’s IP address in the provided field.
Step 5
For the Source IP to Use For Collector on a VPN tunnel, specify the source IP if the external collector must be reached by a VPN tunnel. Note that this step is optional.
Step 6
Specify the External Collector’s UDP port number in the provided field. The default port is 2055. Select the Send IPFIX/Netflow Templates At Regular Interval checkbox. Note that Netflow version-9 uses templates that must be known to an external collector before sending data.
Step 7
Click the Generate ALL Templates button in the topmost toolbar.
• Select All to report all flows.
• Select the INTERFACE-based option. Once enabled, the flows reported are based on the initiator or responder interface.
• Select the Firewall/App Rules-based option. Once enabled, the flows reported are based on already existing firewall rules.
To configure IPFIX, or NetFlow version 10, flow reporting, follow the steps listed below.
Step 2
In External Collector Settings, select the Send AppFlow and Real-Time Data To EXTERNAL Collector checkbox to enable flows to be reported to an external flow collector. Remember, not all collectors will work with all modes of flow reporting.
Step 3
Select IPFIX from the External Flow Reporting Format drop-down list.
Step 4
Specify the External Collector’s IP address in the provided field.
Step 5
For the Source IP to Use For Collector on a VPN tunnel, specify the source IP if the external collector must be reached by a VPN tunnel. Note that this step is optional.
Step 6
Specify the External Collector’s UDP port number in the provided field. The default port is 2055. Select the Send IPFIX/Netflow Templates At Regular Interval checkbox.
Step 7
Click the Generate ALL Templates button in the topmost toolbar.
• Select All to report all flows.
• Select the INTERFACE-based option. Once enabled, the flows reported are based on the initiator or responder interface.
• Select the Firewall/App Rules-based option. Once enabled, the flows reported are based on already existing firewall rules.
To configure IPFIX with extensions flow reporting, follow the steps listed below.
Step 2
In External Collector Settings, select the Send AppFlow and Real-Time Data To EXTERNAL Collector checkbox to enable flows to be reported to an external flow collector. Remember, not all collectors will work with all modes of flow reporting.
Step 3
Select IPFIX with extensions from the External Flow Reporting Format drop-down list.
Step 4
Specify the External Collector’s IP address in the provided field.
Step 5
For the Source IP to Use For Collector on a VPN tunnel, specify the source IP if the external collector must be reached by a VPN tunnel. Note that this step is optional.
Step 6
Specify the External Collector’s UDP port number in the provided field. The default port is 2055. Select the Send IPFIX/Netflow Templates At Regular Interval checkbox.
Step 7
Click the Generate ALL Templates button in the topmost toolbar.
• Select All to report all flows.
• Select the INTERFACE-based option. Once enabled, the flows reported are based on the initiator or responder interface.
• Select the Firewall/App Rules-based option. Once enabled, the flows reported are based on already existing firewall rules.
Step 9
Select the Send static AppFlow At Regular Interval checkbox.
Step 10
Click the Generate Static Flows button in the topmost toolbar.
One external flow reporting option that works with IPFIX with Extensions is the third-party collector called Plixer Scrutinizer. This collector displays a range of reporting and analysis that is both IPFIX and SonicWALL flow aware.
To view your IPFIX with Extensions reporting in Scrutinizer, perform the following steps.
Step 2
Enable the Send AppFlow and Real-Time Data To EXTERNAL Collector option in the External Collector Settings section.
Step 3
Specify the External Collector’s IP address and respective External Collector’s UDP Port Number.
The following section describes the various NetFlow tables. Also, this section describes in detail the IPFIX with extensions tables that are exported when the SonicWALL is configured to report flows.
This section includes the following sub-sections:
Static Tables are tables with data that does not change over time. However, this data is required to correlate with other tables. Static tables are usually reported at a specified interval, but may also be configured to send just once. The following is a list of Static IPFIX tables that may be exported:
• Table Layout Map — This table reports SonicWALL’s list of tables to be exported, including Table ID and Table Names.
• Column Map — This table represents SonicWALL’s list of columns to be reported with Name, Type Size, and IPFIX Standard Equivalents for each column of every table.
• Rating Map — This table represents SonicWALL’s list of Rating IDs and the Name of the Rating Type.
• Location Map — This table represents SonicWALL’s location map describing the list of countries and regions with their IDs.
• Applications Map — This table reports all applications the SonicWALL appliance identifies, including various Attributes, Signature IDs, App IDs, Category Names, and Category IDs.
• Intrusions Map — This table reports all intrusions detected by the SonicWALL appliance.
• Viruses Map — This table reports all viruses detected by the SonicWALL appliance.
• Spyware Map — This table reports all spyware detected by the SonicWALL appliance.
• Services Map — This table represents SonicWALL’s list of Services with Port Numbers, Protocol Type, Range of Port Numbers, and Names.
Unlike Static tables, the data of Dynamic tables changes over time and is sent repeatedly, based on the activity of the SonicWALL appliance. The columns of these tables grow over time, with the exception of a few tables containing statistics or utilization reports. The following is a list of Dynamic IPFIX tables that may be exported:
• Flow Table — This table reports SonicWALL connections. The same flow tables can be reported multiple times by configuring triggers.
• Location — This table reports the Locations and Domain Names of an IP address.
• Users — This table reports users logging in to the SonicWALL appliance via LDAP/RADIUS, Local, or SSO.
• URLs — This table reports URLs accessed through the SonicWALL appliance.
• Log — This table reports all unfiltered logs generated by the SonicWALL appliance.
• Interface Statistics — This table reports statistics for all interfaces including VLANs. The statistics include Interface ID, Interface Name, Interface IP, Interface MAC, Interface Status, Interface Speed, Interface Mode, Interface Counters, and Interface Rolling Average Rate.
• Memory Utilization — This table reports all Memory utilization (Free, Used, Used by DB) of the SonicWALL appliance.
• VoIP — This table reports all VoIP/H323 calls through the SonicWALL appliance.
• SPAM — This table reports all email exchanges through the SPAM service.
• Connected Devices — This table reports the list of all devices connected through the SonicWALL appliance, including the MAC addresses, IP addresses, Interface, and NETBIOS name of connected devices.
• VPN Tunnels — This table reports all VPN tunnels established through the SonicWALL appliance.
• URL Rating — This table reports Rating IDs for all URLs accessed through the SonicWALL appliance.
The following section shows examples of the type of Netflow template tables that are exported. You can perform a Diagnostic Report of your own Netflow Configuration by navigating to the System > Diagnostics screen and clicking the Download Report button in the “Tech Support Report” section.
The NetFlow version 5 datagram consists of a header and one or more flow records, using UDP to send export datagrams. The first field of the header contains the version number of the export datagram. The second field in the header contains the number of records in the datagram, which can be used to search through the records. Because NetFlow version 5 is a fixed datagram, no templates are available, and the datagram follows the format of the tables listed below.
NetFlow version 5 Header Format
NetFlow version 5 Flow Record Format
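The fixed layout described above is what makes version 5 simple for a collector: it reads the version field, then uses the count field to walk the records. The parser below is an added example, not SonicWALL code; it assumes the standard published NetFlow v5 layout (24-byte header, 48-byte records), rejects a datagram whose count field promises more records than the UDP payload carries, and all addresses and counters in the sample datagram are invented.

```python
import struct
from ipaddress import IPv4Address

# Assumed layouts: the standard NetFlow v5 export format (24-byte header followed by
# `count` fixed 48-byte flow records, all fields big-endian). Not taken from this page.
V5_HEADER = struct.Struct("!HHIIIIBBH")            # version, count, sys_uptime, unix_secs, unix_nsecs,
                                                   # flow_sequence, engine_type, engine_id, sampling_interval
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH") # srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets,
                                                   # first, last, srcport, dstport, pad1, tcp_flags, prot, tos,
                                                   # src_as, dst_as, src_mask, dst_mask, pad2

def parse_netflow_v5(datagram: bytes) -> dict:
    """Decode one v5 export datagram: check the version field, then use the count
    field to walk the fixed-size records that follow the header."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs,
     flow_sequence, engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version field = {version})")
    # Trust the count field only after checking the datagram really carries that many records.
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) < expected:
        raise ValueError(f"header announces {count} records but only {len(datagram)} bytes present")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "nexthop": str(IPv4Address(f[2])), "in_if": f[3], "out_if": f[4],
            "packets": f[5], "octets": f[6], "first_ms": f[7], "last_ms": f[8],
            "src_port": f[9], "dst_port": f[10], "tcp_flags": f[12], "proto": f[13],
            "tos": f[14], "src_as": f[15], "dst_as": f[16],
            "src_mask": f[17], "dst_mask": f[18],
        })
    header = {"version": version, "count": count, "sys_uptime_ms": sys_uptime,
              "unix_secs": unix_secs, "unix_nsecs": unix_nsecs, "flow_sequence": flow_sequence,
              "engine_type": engine_type, "engine_id": engine_id, "sampling_interval": sampling}
    return {"header": header, "records": records}

def build_sample_datagram() -> bytes:
    """Constructed sample (all values invented): a two-record v5 datagram such as an
    exporter might send to a collector on UDP port 2055."""
    header = V5_HEADER.pack(5, 2, 123456, 1700000000, 0, 42, 0, 0, 0)
    https = V5_RECORD.pack(int(IPv4Address("10.0.0.5")), int(IPv4Address("192.0.2.10")), 0,
                           1, 2, 10, 1500, 100000, 100500, 51234, 443, 0, 0x18, 6, 0,
                           0, 0, 24, 24, 0)
    dns = V5_RECORD.pack(int(IPv4Address("10.0.0.7")), int(IPv4Address("198.51.100.20")), 0,
                         1, 2, 1, 76, 101000, 101000, 53001, 53, 0, 0, 17, 0,
                         0, 0, 24, 24, 0)
    return header + https + dns

if __name__ == "__main__":
    parsed = parse_netflow_v5(build_sample_datagram())
    print(parsed["header"])
    for r in parsed["records"]:
        print(f"{r['src']}:{r['src_port']} -> {r['dst']}:{r['dst_port']} "
              f"proto={r['proto']} octets={r['octets']}")
```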
An example of a NetFlow version 9 template is displayed below.
The following table details the NetFlow version 9 Template FlowSet Field Descriptions.
An example of an IPFIX (NetFlow version 10) template.
The following table details the IPFIX Template FlowSet Field Descriptions.
IPFIX with extensions exports templates that are a combination of NetFlow fields from the aforementioned versions and SonicWALL IDs. These flows contain several extensions, such as Enterprise-defined field types and Enterprise IDs. Note that the SonicWALL Specific Enterprise ID (EntID) is defined as 8741.
The following Name Template is a standard for the IPFIX with extensions templates. The values specified are static and correlate to the Table Name of all the NetFlow exportable templates.
The following template is an example of an IPFIX with extensions template.
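A collector that is not SonicWALL flow aware can still parse such a template, because an IPFIX field specifier with its enterprise bit set carries a 4-byte enterprise number after the length; elements under EntID 8741 are the SonicWALL extensions. The parser below is an added example, not SonicWALL's code or one of its real templates; it assumes the RFC 7011 message, set and template layouts, and the vendor element IDs and lengths in the constructed message are invented placeholders.

```python
import struct

SONICWALL_ENTERPRISE_ID = 8741   # the SonicWALL Specific Enterprise ID (EntID) stated on this page
IPFIX_VERSION = 10               # IPFIX is NetFlow version 10
TEMPLATE_SET_ID = 2              # Set ID of a Template Set (RFC 7011)

# Assumed wire layouts from RFC 7011: all fields big-endian.
MSG_HEADER = struct.Struct("!HHIII")    # version, length, export_time, sequence, observation_domain_id
SET_HEADER = struct.Struct("!HH")       # set_id, set_length
TEMPLATE_HEADER = struct.Struct("!HH")  # template_id, field_count
FIELD_SPEC = struct.Struct("!HH")       # information_element_id (MSB = enterprise bit), field_length

def parse_ipfix_templates(message: bytes) -> dict:
    """Return {template_id: [field dicts]} for every Template Set in one IPFIX message.
    A field dict carries the element id, its length and the enterprise number (None for IANA elements)."""
    if len(message) < MSG_HEADER.size:
        raise ValueError("message shorter than an IPFIX header")
    version, length, _export_time, _seq, _domain = MSG_HEADER.unpack_from(message, 0)
    if version != IPFIX_VERSION:
        raise ValueError(f"not an IPFIX message (version field = {version})")
    if length > len(message) or length < MSG_HEADER.size:
        raise ValueError("message length field disagrees with bytes received")
    templates = {}
    offset = MSG_HEADER.size
    while offset + SET_HEADER.size <= length:
        set_id, set_len = SET_HEADER.unpack_from(message, offset)
        set_end = offset + set_len
        if set_len < SET_HEADER.size or set_end > length:
            raise ValueError("set length runs outside the message")
        if set_id == TEMPLATE_SET_ID:
            pos = offset + SET_HEADER.size
            while pos + TEMPLATE_HEADER.size <= set_end:
                tid, nfields = TEMPLATE_HEADER.unpack_from(message, pos)
                if tid == 0:          # zero bytes here are set padding; real template IDs start at 256
                    break
                pos += TEMPLATE_HEADER.size
                fields = []
                for _ in range(nfields):
                    if pos + FIELD_SPEC.size > set_end:
                        raise ValueError(f"template {tid} truncated inside its set")
                    raw_id, flen = FIELD_SPEC.unpack_from(message, pos)
                    pos += FIELD_SPEC.size
                    field = {"id": raw_id & 0x7FFF, "length": flen, "enterprise": None}
                    if raw_id & 0x8000:   # enterprise bit: a 4-byte enterprise number follows
                        if pos + 4 > set_end:
                            raise ValueError(f"template {tid} truncated inside its set")
                        (field["enterprise"],) = struct.unpack_from("!I", message, pos)
                        pos += 4
                    fields.append(field)
                templates[tid] = fields
        offset = set_end   # Data Sets and Options Template Sets are skipped here
    return templates

def sonicwall_fields(fields: list) -> list:
    """Pick out the extension elements that only a SonicWALL-flow-aware collector can interpret."""
    return [f for f in fields if f["enterprise"] == SONICWALL_ENTERPRISE_ID]

def build_sample_message() -> bytes:
    """Constructed sample: one template mixing two IANA elements with two enterprise elements
    under EntID 8741. The vendor element IDs (1, 2) and their lengths are invented placeholders."""
    specs = (FIELD_SPEC.pack(8, 4)                               # sourceIPv4Address (IANA IE 8)
             + FIELD_SPEC.pack(12, 4)                            # destinationIPv4Address (IANA IE 12)
             + FIELD_SPEC.pack(0x8000 | 1, 4) + struct.pack("!I", SONICWALL_ENTERPRISE_ID)
             + FIELD_SPEC.pack(0x8000 | 2, 2) + struct.pack("!I", SONICWALL_ENTERPRISE_ID))
    record = TEMPLATE_HEADER.pack(256, 4) + specs
    tset = SET_HEADER.pack(TEMPLATE_SET_ID, SET_HEADER.size + len(record)) + record
    return MSG_HEADER.pack(IPFIX_VERSION, MSG_HEADER.size + len(tset), 1700000000, 1, 1) + tset
```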