Log_logFlowReportingView

AppFlow > Flow Reporting

The AppFlow > Flow Reporting page includes settings for configuring the SonicWALL appliance to view statistics based on Flow Reporting and Internal Reporting. From this screen, you can also configure settings for internal reporting and appflow server reporting.

This chapter contains the following sections:

Flow Reporting Statistics
Settings
AppFlow Server Settings
External Collector Settings
Connection Report Settings
NetFlow Activation and Deployment Information
User Configuration Tasks
NetFlow Tables
Dynamic Tables

Flow Reporting Statistics

This section shows reports of the flows that are sent to the server, not collected, dropped, stored in and removed from the memory, reported and non-reported to the server. This section also includes the number of NetFlow and IP Flow Information Export (IPFIX) templates sent and general static flows reported.

NetFlow/IPFIX Packets Sent	Total number of IPFIX/NetFlow packets sent to the external collector.
AppFlow for Connections Enqueued	Total number of connection related flows that is collected so far.
AppFlow for Connections Dequeued	Total number of connection related flows that have been reported either to internal collectors or external collectors.
AppFlow for Connections Dropped	Total number of collected connection related flows that failed to get reported.
AppFlow for Connections Skipped Reporting	Total number of connection related flows that skipped reporting. This can happen when running in periodic mode where collected flows are more than configured value for reporting.
Non-connection related AppFlow Enqueued	Total number of all non-connection related flows that have been collected.
Non-connection related AppFlow Dequeued	Total number of all non-connection related flows that have been reported either to external collectors or internal collectors.
Non-connection related AppFlow Dropped	Total number of all non-connection related flows dropped due to too many requests.
NetFlow/IPFIX Templates Sent	Total number of templates that has been reported to the external collector.
Non-connection related static AppFlow Reported	Total number of static non-connection related flows that have been reported. This includes lists of applications/viruses/spyware/intrusions/table-map/column-map/location map.

Settings

The Settings section has configurable options for local internal flow reporting, AppFlow Server external flow reporting, and the IPFIX collector.

Send AppFlow To Local Collector—This setting enables AppFlow reporting collection to an internal server on your SonicWALL appliance.
Enable Real-Time Data Collection—This settings enable real-time data collection on your SonicWALL appliance. When this setting is disabled, the Real-Time Monitor does not collect or display streaming data.
Collect Real-Time Data For—Select from this pull-down menu the streaming-graphs to display on the Real-Time Monitor page:
Top Apps—Displays the Applications graph.
Bits per second—Displays the Bandwidth graph.
Packets per second—Displays the Packet Rate graph.
Average packet size—Displays the Packet Size graph.
Connections per second—Displays the Connection Rate and Connection Count graphs.
Core utility—Displays the Multi-Core Monitor graph.
Memory utility—Displays the Memory Usage graph.
Enable Aggregate AppFlow Report Data Collection—This setting enables AppFlow Reports collection on your SonicWALL appliance. When this setting is disabled, the AppFlow Reports does not collect or display data.

AppFlow Server Settings

This section provides the network administrator the ability to start sending AppFlow data and Real-Time data to an external SonicWALL AppFlow Server.

Send AppFlow To SonicWALL AppFlow Server—This setting allows you to start sending AppFlow records to an external AppFlow Server.
Send Real-Time Data To SonicWALL AppFlow Server—This setting allows you to start sending real-time records to an external AppFlow Server.

External Collector Settings

This section provides configuration settings for AppFlow reporting to an external IPFIX collector.

Send AppFlow and Real-Time Data To External Collector—Selecting this checkbox enables the specified flows to be reported to an external flow collector.
External AppFlow Reporting Format—If the “Report to EXTERNAL Flow Collector” option is selected, you must specify the flow reporting type from the provided list in the drop-down menu: NetFlow version-5, NetFlow version-9, IPFIX, or IPFIX with extensions. If the reporting type is set to Netflow versions 5, 9, or IPFIX, then any third-party collector can be used to show flows reported from the device. It uses standard data types as defined in IETF. If the reporting type is set to IPFIX with extensions, then the collectors that are SonicWALL flow aware can only be used.

Note: When using IPFIX with extensions, select a third-party collector that is SonicWALL flow aware, such as SonicWALL Scrutinizer.

For Netflow versions and IPFIX reporting types, only connection related flows are reported per the standard. For IPFIX with extensions, connection related flows are reported with SonicWALL specific data type, as well as various other tables to correlate flows with Users, Applications, Viruses, VPN, and so on.

: : : : External Collector’s IP Address—Specify the external collector’s IP address. This IP address must be reachable from the SonicWALL firewall in order for the collector to generate flow reports.
Source IP to Use for Collector on a VPN Tunnel—If the external collector must be reached by a VPN tunnel, specify the source IP for the correct VPN policy. Note: Select Source IP from the local network specified in the VPN policy. If specified, Netflow/IPFIX flow packets will always take the VPN path.
External Collector’s UDP Port Number—Specify the UDP port number that Netflow/IPFIX packets are being sent over. The default port is 2055.
Send IPFIX/Netflow Templates at Regular Intervals—Selecting this checkbox will enable the appliance to send Template flows at regular intervals. Netflow version-9 and IPFIX use templates that must be known to an external collector before sending data. Per IETF, a reporting device must be capable of sending templates at a regular interval to keep the collector in sync with the device. If the collector does not need templates at regular intervals, you may disable it here. This option is available with Netflow version-9, IPFIX, and IPFIX with extensions only.
Send Static AppFlow at Regular Interval—Selecting this checkbox enables the sending of these specified appflows.
Send Static AppFlow for Following Tables—Select the static mapping tables to be generated to a flow from the drop-down list. Values include: Applications, Viruses, Spyware, Intrusions, Location Map, Services, Rating Maps, Table Map, and Column Map. For more information on static tables, refer to the NetFlow Tables.

When running in IPFIX with extensions mode, SonicWALL reports multiple types of data to an external device in order to correlate User, VPN, Application, Virus, and Spyware information. In this mode, data is both static and dynamic. Static tables are needed only once since they rarely change. Depending on the capability of the external collector, not all static tables are needed. You can select the tables needed in this section. This option is available with IPFIX with extensions only.

Send Dynamic AppFlow for Following Tables—Select the dynamic mapping tables to be generated to a flow from the drop-down list. Values include: Connections, Users, URLs, URL Ratings, VPNs, Devices, SPAMs, Locations, and VoIPs. For more information on dynamic tables, refer to the NetFlow Tables.
Include Following Additional Reports via IPFIX—Select additional IPFIX reports to be generated to a flow. Select values from the drop-down list. Values include: Top 10 Apps, Interface Stats, Core Utilization, and Memory Utilization.

When running in IPFIX with extensions mode, SonicWALL is capable of reporting more data that is not related to connection and flows. These tables are grouped under this section (Additional Reports). Depending on the capability of the external collector, not all additional tables are needed. In this section, users can select tables that are needed. This option is available with IPFIX with extensions only.

Actions—Click the Generate ALL Templates button to begin building templates on the IPFIX server, this will take up to two minutes to generate. Click the Generate Static AppFlow Data button to begin generate a large amount of flows to the IPFIX server, this will take up to two minutes to generate.

Connection Report Settings

This section allows the network administrator to configure conditions under which a connection is reported.

Report Connections—Select from All or Interface-based or Firewall/App Rules-based connection reporting. Note that this option is applicable to both internal and external flow reporting.
All—Selecting this checkbox enables any connection reporting.
Interface-based—Selecting this checkbox enables flow reporting based only on the initiator or responder interface. This provides a way to control what flows are reported externally or internally. If enabled, the flows are verified against the per interface flow reporting configuration, located in the Network > Interface screen. If an interface has its flow reporting disabled, then flows associated with that interface are skipped. Firewall/App Rules-based—Selecting this checkbox enables flow reporting based on already existing firewall rules. This is similar to interface-based reporting; the only difference is instead of checking per interface settings, the per firewall rule is selected. Every firewall rule has a checkbox to enable flow reporting. If a flow matching a firewall rule is to be reported, this enabled checkbox will force to verify if firewall rules have flow reporting enabled or not. Note that if this option is enabled and no rules have the flow reporting option enabled, no data will be reported. This option is an additional way to control which flows need to be reported.
Report on Connection OPEN—Enable this to report flows when the connection is open. This is typically when a connection is established.
Report on Connection CLOSED—Enable this to report flows when the connection is closed.
Report Connection on Active Timeout—Enable this to report connections based on an Active Timeout sessions.
Number of Seconds—Set the number of seconds to elapse for the Active Timeout. The default setting is 60 seconds. You can set from 1 second to 999 seconds for the Active Timeout.
Report Connection on Kilo BYTES Exchanged—Enable this to report flows based on a specific number of traffic, in kilobytes, is exchanged. This option is ideal for flows that are active for a long time and need to be monitored.
Kilobytes Exchanged—When the above option is enabled, specify the number of kilobytes exchanged to be reported.
Report ONCE—When the Report Connection on Kilo BYTES exchanged option is enabled, enabling this option will send the report only once. Leave it unselected if you want reports sent periodically.
Report Connections on Following Updates—Select from the pull-down menu to enable connection reporting for the following:
Threat Detection—Enable this to report flows specific to threats. Upon detections of virus, intrusion, or spyware, the flow is reported again.
Application Detection—Enable this to report flows specific to applications. Upon performing a deep packet inspection, the SonicWALL appliance is able to detect if a flow is part of a certain application. Once identified, the flow is reported again.
User Detection—Enable this to report flows specific to users. The SonicWALL appliance associates flows to a user-based detection based on its login credentials. Once identified, the flow is reported again.
VPN Tunnel Detection—Enable this to report flows sent through the VPN tunnel. Once flows sent over the VPN tunnel are identified, the flow is reported again.

Other Report Settings

This section allows the network administrator to configure conditions under which a connection is reported.

Report DROPPED Connections—Enable this to report dropped connections. This applies to connections that are dropped due to firewall rules.
Skip Reporting of STACK Connections—Enable this to skip the reporting of STACK connections. Note that all flows as a result of traffic initiated or terminated by the SonicWALL appliance are considered stack traffic.
Include following URL types—Select the type of URLS to be generated into a flow. Select values from the drop-down list. Values include: Gifs, Jpegs, Pngs, Js, Xmls, Jsons, Css, Htmls, Aspx, and Cms. This option applies to both AppFlow (internal) and external reporting when used with IPFIX with extensions.

NetFlow Activation and Deployment Information

SonicWALL recommends careful planning of NetFlow deployment with NetFlow services activated on strategically located edge/aggregation routers which capture the data required for planning, monitoring and accounting applications. Key deployment considerations include the following:

Understanding your application-driven data collection requirements: accounting applications may only require originating and terminating router flow information whereas monitoring applications may require a more comprehensive (data intensive) end-to-end view
Understanding the impact of network topology and routing policy on flow collection strategy: for example, avoid collecting duplicate flows by activating NetFlow on key aggregation routers where traffic originates or terminates and not on backbone routers or intermediate routers which would provide duplicate views of the same flow information
NetFlow can be implemented in the SonicOS management interface to understand the number of flow in the network and the impact on the router. NetFlow export can then be setup at a later date to complete the NetFlow deployment.

NetFlow is in general an ingress measurement technology which should be deployed on appropriate interfaces on edge/aggregation or WAN access routers to gain a comprehensive view of originating and terminating traffic to meet customer needs for accounting, monitoring or network planning data. The key mechanism for enhancing NetFlow data volume manageability is careful planning of NetFlow deployment. NetFlow can be deployed incrementally (i.e. interface by interface) and strategically (i.e. on well chosen routers) —instead of widespread deployment of NetFlow on every router in the network.

User Configuration Tasks

Depending on the type of flows you are collecting, you will need to determine which type of reporting will work best with your setup and configuration. This section includes configuration examples for each supported NetFlow solution, as well as configuring a second appliance to act as a collector.

NetFlow Version 5 Configuration Procedures
NetFlow Version 9 Configuration Procedures
IPFIX (NetFlow Version 10) Configuration Procedures
IPFIX with Extensions Configuration Procedures

NetFlow Version 5 Configuration Procedures

To configure typical Netflow version 5 flow reporting, follow the steps listed below.

In External Collector Settings, select the Send AppFlow and Real-Time Data To External Collector checkbox.
Select Netflow version-5 as the External Flow Reporting Format from the drop-down list.
Specify the External Collector’s IP address in the provided field.
For the Source IP to Use for Collector on a VPN Tunnel, specify the source IP if the external collector must be reached by a VPN tunnel. Note that this step is optional.
Specify the External Collector’s UDP port number in the provided field. The default port is 2055.
In the Connection Report Settings and Report Connections, select the Interface-based checkbox. Once enabled, the flows reported are based on the initiator or responder interface. Note that this step is optional.
In the Connection Report Settings and Report Connections, select the Firewall/App Rules-based checkbox. Once enabled, the flows reported are based on already existing firewall rules. Note that this step is optional, but is required if flow reporting is done on selected interfaces.

NetFlow Version 9 Configuration Procedures

To configure Netflow version 9 flow reporting, follow the steps listed below.

In External Collector Settings, select the Send AppFlow and Real-Time Data To External Collector checkbox.
Select Netflow version-9 as the External Flow Reporting Format from the drop-down list.
Specify the External Collector’s IP address in the provided field.
For the Source IP to Use for Collector on a VPN Tunnel, specify the source IP if the external collector must be reached by a VPN tunnel. Note that this step is optional.
Specify the External Collector’s UDP port number in the provided field. The default port is 2055.
In the Connection Report Settings and Report Connections, select the Interface-based checkbox. Once enabled, the flows reported are based on the initiator or responder interface. Note that this step is optional.
In the Connection Report Settings and Report Connections, select the Firewall/App Rules-based checkbox. Once enabled, the flows reported are based on already existing firewall rules. Note that this step is optional, but is required if flow reporting is done on selected interfaces.
Note that Netflow version-9 uses templates that must be known to an external collector before sending data. In External Collector Settings and Actions, click the Generate ALL Templates button to begin generating templates.

IPFIX (NetFlow Version 10) Configuration Procedures

To configure IPFIX, or NetFlow version 10, flow reporting, follow the steps listed below.

In External Collector Settings, select the Send AppFlow and Real-Time Data To External Collector checkbox.
Select IPFIX as the External Flow Reporting Format from the drop-down list.
Specify the External Collector’s IP address in the provided field.
For the Source IP to Use for Collector on a VPN Tunnel, specify the source IP if the external collector must be reached by a VPN tunnel. Note that this step is optional.
Specify the External Collector’s UDP port number in the provided field. The default port is 2055.
In the Connection Report Settings and Report Connections, select the Interface-based checkbox. Once enabled, the flows reported are based on the initiator or responder interface. Note that this step is optional.
In the Connection Report Settings and Report Connections, select the Firewall/App Rules-based checkbox. Once enabled, the flows reported are based on already existing firewall rules. Note that this step is optional, but is required if flow reporting is done on selected interfaces.
Note that IPFIX uses templates that must be known to an external collector before sending data. In External Collector Settings and Actions, click the Generate ALL Templates button to begin generating templates.

IPFIX with Extensions Configuration Procedures

To configure IPFIX with extensions flow reporting, follow the steps listed below.

In External Collector Settings, select the Send AppFlow and Real-Time Data To External Collector checkbox.
Select IPFIX with extensions as the External Flow Reporting Format from the drop-down list.
Specify the External Collector’s IP address in the provided field.
For the Source IP to Use for Collector on a VPN Tunnel, specify the source IP if the external collector must be reached by a VPN tunnel.
Specify the External Collector’s UDP port number in the provided field. The default port is 2055.
In the Connection Report Settings and Report Connections, select the Interface-based checkbox. Once enabled, the flows reported are based on the initiator or responder interface. Note that this step is optional.
In the Connection Report Settings and Report Connections, select the Firewall/App Rules-based checkbox. Once enabled, the flows reported are based on already existing firewall rules. Note that this step is optional, but is required if flow reporting is done on selected interfaces.
Note that IPFIX uses templates that must be known to an external collector before sending data. Click the Generate ALL Templates button to begin generating templates. Enable the option to Send static flows at regular intervals by selecting the checkbox. After enabling this option, click the Generate Static Flows button.
Select the tables you wish to receive static flows for from the Send Static AppFlow For Following Tables drop-down list.
Select the tables you wish to receive dynamic flows for from the Send Dynamic AppFlow For Following Tables drop-down list.
Select any additional reports to be generated to a flow from the Include Following Additional Reports via IPFIX drop-down list.

Configuring Netflow with Extensions with SonicWALL Scrutinizer

One external flow reporting option that works with Netflow with Extensions is the third-party collector called SonicWALL Scrutinizer. This collector displays a range of reporting and analysis that is both Netflow and SonicWALL flow aware.

To verify your Netflow with Extensions reporting configurations, perform the following steps.

In Visualization Dashboard Settings and Collector To User For AppFlow Monitor Page, select the AppFlow Server checkbox.
In AppFlow Server Settings, enable the Send AppFlow To SonicWALL AppFlow Server checkbox to enable flows to be reported to an external flow collector.
In External Collector Settings, select the Send AppFlow and Real-Time Data To External Collector checkbox.
Select IPFIX with extensions as the External Flow Reporting Format from the drop-down list.
Specify the External Collector’s IP address in the provided field.
For the Source IP to Use for Collector on a VPN Tunnel, specify the source IP if the external collector must be reached by a VPN tunnel.
Specify the External Collector’s UDP port number in the provided field. The default port is 2055.
In the Connection Report Settings and Report Connections, select the Interface-based checkbox. Once enabled, the flows reported are based on the initiator or responder interface. Note that this step is optional.
In the Connection Report Settings and Report Connections, select the Firewall/App Rules-based checkbox. Once enabled, the flows reported are based on already existing firewall rules. Note that this step is optional, but is required if flow reporting is done on selected interfaces.
Select the tables you wish to receive static flows for from the provided drop-down list. Then, click Accept.

Note: Currently, Scrutinizer supports Applications and Threats only. Future versions of Plixer will support the following Static Flows: Location Map, Services, Rating Map, Table Map, and Column Map.

Next, navigate to the Network > Interfaces screen.
Confirm that Flow Reporting is enabled per interface by clicking the Configure icon of the interface you are requesting data from.
On the Advanced tab, select the checkbox to Enable flow reporting. Then, click OK.
Login to SonicWALL Scrutinizer. The data displays within minutes.

NetFlow Tables

The following section describes the various NetFlow tables. Also, this section describes in detail the IPFX with extensions tables that are exported when the SonicWALL is configured to report flows.

This section includes the following sub-sections:

Static Tables
Dynamic Tables
Templates
NetFlow Version 5
NetFlow Version 9
IPFIX (NetFlow Version 10)
IPFIX with Extensions

Static Tables

Static Tables are tables with data that does not change over time. However, this data is required to correlate with other tables. Static tables are usually reported at a specified interval, but may also be configured to send just once. The following is a list of Static IPFIX tables that may be exported:

Applications Map—This table reports all applications the SonicWALL appliance identifies, including various Attributes, Signature IDs, App IDs, Category Names, and Category IDs.
Viruses Map—This table reports all viruses detected by the SonicWALL appliance.
Spyware Map—This table reports all spyware detected by the SonicWALL appliance.
Intrusions Map—This table reports all intrusions detected by the SonicWALL appliance.
Location Map—This table represents SonicWALL’s location map describing the list of countries and regions with their IDs.
Services Map—This table represents SonicWALL’s list of Services with Port Numbers, Protocol Type, Range of Port Numbers, and Names.
Rating Map—This table represents SonicWALL’s list of Rating IDs and the Name of the Rating Type.
Table Layout Map—This table reports SonicWALL’s list of tables to be exported, including Table ID and Table Names.
Column Map—This table represents SonicWALL’s list of columns to be reported with Name, Type Size, and IPFIX Standard Equivalents for each column of every table.

Dynamic Tables

Unlike Static tables, the data of Dynamic tables change over time and are sent repeatedly, based on the activity of the SonicWALL appliance. The columns of these tables grow over time, with the exception of a few tables containing statistics or utilization reports. The following is a list of Dynamic IPFIX tables that may be exported:

Connections—This table reports SonicWALL connections. The same flow tables can be reported multiple times by configuring triggers.
Users—This table reports users logging in to the SonicWALL appliance via LDAP/RADIUS, Local, or SSO.
URLs—This table reports URLs accessed through the SonicWALL appliance.
URL ratings—This table reports Rating IDs for all URLs accessed through the SonicWALL appliance.
VPNs—This table reports all VPN tunnels established through the SonicWALL appliance.
Devices—This table reports the list of all devices connected through the SonicWALL appliance, including the MAC addresses, IP addresses, Interface, and NETBIOS name of connected devices.
SPAMs—This table reports all email exchanges through the SPAM service.
Locations—This table reports the Locations and Domain Names of an IP address.
VoIPs—This table reports all VoIP/H323 calls through the SonicWALL appliance.

Templates

The following section shows examples of the type of Netflow template tables that are exported. You can perform a Diagnostic Report of your own Netflow Configuration by navigating to the System > Diagnostics screen, and click the Download Report button in the “Tech Support Report” section.

NetFlow Version 5

The NetFlow version 5 datagram consists of a header and one or more flow records, using UDP to send export datagrams. The first field of the header contains the version number of the export datagram. The second field in the header contains the number of records in the datagram, which can be used to search through the records. Because NetFlow version 5 is a fixed datagram, no templates are available, and will follow the format of the tables listed below.

Bytes	Contents	Description
0-1	version	NetFlow export format version number
2-3	count	Number of flows exported in this packet (1-30)
4-7	SysUptime	Current time in milliseconds since the export device booted
8-11	unix_secs	Current count of seconds since 0000 UTC 1970
12-15	unix_nsecs	Residual nanoseconds since 0000 UTC 1970
16-19	flow_sequence	Sequence counter of total flows seen
20	engine_type	Type of flow-switching engine
20	engine_id	Slot number of the flow-switching engine
22-23	sampling_interval	First two bits hold the sampling mode; remaining 14 bits hold value of sampling interval

NetFlow Version 5 Header Format

Bytes	Contents	Description
0-3	srcaddr	Source IP address
4-7	dstaddr	Destination IP address
8-11	nexthop	IP address of the next hop router
12-13	input	SNMP index of input interface
14-15	output	SNMP index of output interface
10-19	dPkts	Packets in the flow
20-23	dOctets	Total number of Layer 3 bytes in the packets of the flow
24-27	First	SysUptime at start of flow
28-31	Last	SysUptime at the time the last packet of the flow was received
32-33	srcport	TCP/UDP source port number or equivalent
34-35	dstport	TCP/UDP destination port number or equivalent
36	pad1	Unused (zero) bytes
37	tcp_flags	Cumulative OR of TCP flags
38	prot	IP protocol type (for example, TCP=6; UDP=17)
39	tos	IP type of service (ToS)
40-41	src_as	Autonomous system number of the source, either origin or peer
42-43	dst_as	Autonomous system number of the destination, either origin or peer
44	src_mask	Source address prefix mask bits
45	dst_mask	Destination address prefix mask bits
46-47	pad2	Unused (zero) bytes

NetFlow Version 5 Flow Record Format

NetFlow Version 9

An example of a NetFlow version 9 template is displayed below.

The following table details the NetFlow version 9 Template FlowSet Field Descriptions.

Field Name	Description
Template ID	The SonicWALL appliance generates templates with a unique ID based on FlowSet templates matching the type of NetFlow data being exported.
Name	The name of the NetFlow template.
Number of Elements	The amount of fields listed in the NetFlow template.
Total Length	The total length in bytes of all reported fields in the NetFlow template.
Field Type	The field type is a numeric value that represents the type of field. Note that values of the field type may be vendor specific.
Field bytes	The length of the specific Field Type, in bytes.

IPFIX (NetFlow Version 10)

An example of an IPFIX (NetFlow version 10) template.

The following table details the IPFIX Template FlowSet Field Descriptions.

Field Name	Description
Template ID	The SonicWALL appliance generates templates with a unique ID based on FlowSet templates matching the type of NetFlow data being exported.
Name	The name of the NetFlow template.
Number of Elements	The amount of fields listed in the NetFlow template.
Total Length	The total length in bytes of all reported fields in the NetFlow template.
Field Type	The field type is a numeric value that represents the type of field. Note that values of the field type may be vendor specific.
Field bytes	The length of the specific Field Type, in bytes.

IPFIX with Extensions

IPFIX with extensions exports templates that are a combination of NetFlow fields from the aforementioned versions and SonicWALL IDs. These flows contain several extensions, such as Enterprise-defined field types and Enterprise IDs. Note that the SonicWALL Specific Enterprise ID (EntID) is defined as 8741.

The following Name Template is a standard for the IPFIX with extensions templates. The values specified are static and correlate to the Table Name of all the NetFlow exportable templates.

The following template is an example of an IPFIX with extensions template.