Managing Flow Reporting Statistics

This section covers managing the firewall’s flow reporting statistics and configurable settings for sending AppFlow and real-time data to the local collector or an external AppFlow server. AppFlow provides support for external AppFlow reporting formats, such as NetFlow version-5, NetFlow version-9, IPFIX, and IPFIX with extensions.

Topics:

AppFlow > Flow Reporting

AppFlow > GMSFlow Server

AppFlow > AppFlow Server

AppFlow > Real-Time Monitor

AppFlow > AppFlow Dash

AppFlow > AppFlow Monitor

AppFlow > AppFlow Reports

AppFlow > Flow Reporting

The AppFlow > Flow Reporting page includes statistics and settings for configuring the Dell SonicWALL appliance to view statistics based on Flow Reporting and Internal Reporting. From this page, you can also configure settings for internal reporting, GMSFlow server, AppFlow server, and external collector reporting.

You can access the Dashboard > AppFlow Monitor page by clicking the icon in the upper right corner of the AppFlow > Flow Reporting page.

You can clear all the AppFlow settings by clicking the Clear button. You can reset all the AppFlow settings to their default values by clicking the Default button.

The AppFlow > Flow Reporting page has these tabs:

Statistics – Displays reporting statistics in four tables

Settings – Allows the enabling of various real-time data collection and AppFlow report collection

GMSFlow Server – Enables the sending of various real-time data collection and AppFlow report collection to the GMSFlow server

AppFlow Server – Enables the sending of various real-time data collection and AppFlow report collection to the AppFlow server

External Collector – Allows the configuring of AppFlow reporting to an IPFIX collector

Topics:

Statistics Tab

Settings Tab

GMSFlow Server Tab

AppFlow Server Tab

External Collector Tab

NetFlow Activation and Deployment Information

User Configuration Tasks

NetFlow Tables

Dynamic Tables

Statistics Tab

The Statistics tab shows counts of the flows that were sent to the server, not collected, dropped, stored in and removed from memory, and reported or not reported to the server. This section also includes the number of NetFlow and IP Flow Information Export (IPFIX) templates sent and the number of general static flows reported.

Topics:

External Flow Reporting Statistic

Internal AppFlow Reporting Statistics

Total IPFIX Statistics

External Flow Reporting Statistic

Connection Flows Enqueued:

Total number of connection-related flows collected so far.

Connection Flows Dequeued:

Total number of connection-related flows that have been reported either to an internal AppFlow collector or external collectors.

Connection Flows Dropped:

Total number of collected connection-related flows that failed to get reported.

Connection Flows Skipped Reporting:

Total number of connection-related flows that skipped reporting. This can happen when running in periodic mode and more flows are collected than the configured value for reporting allows.

Non-Connection data Enqueued:

Total number of all non-connection-related flows that have been collected so far.

Non-Connection data Dequeued:

Total number of all non-connection-related flows that have been reported either to external collectors or an internal AppFlow collector.

Non-connection data Dropped:

Total number of all non-connection-related data dropped due to too many requests.

Non-connection related static data Reported:

Total number of static non-connection-related data records that have been reported. This number includes lists of applications/viruses/spyware/intrusions/table-map/column-map/location map.

Internal AppFlow Reporting Statistics

Data Flows Enqueued:

Total number of connection-related flows that have been queued to the AppFlow collector.

Data Flows Dequeued:

Total number of all connection-related flows that have been successfully inserted into the database.

Data Flows Dropped:

Total number of connection-related flows that failed to get inserted into the database due to a high connection rate.

Data Flows Skipped Reporting:

Total number of connection-related flows that skipped reporting.

General Flows Enqueued:

Total number of all non-connection-related flows in the database queue.

General Flows Dequeued:

Total number of all non-connection-related flows successfully inserted into the database.

General Flows Dropped:

Total number of all non-connection-related flows that failed to be inserted into the database due to a high rate (too many requests).

General Static Flows Dequeued:

Total number of all non-connection-related static flows successfully inserted into the database.

AppFlow Collector Errors:

Total number of AppFlow database errors.

Total Flows in DB:

Total number of connection-related flows in the database.

Total IPFIX Statistics

The IPFIX statistics are displayed in two tables at the bottom of the Statistics tab:

NetFlow/IPFIX Packets Sent Statistics

Non-Connection Related Flows Sent to External Collector Statistics

NetFlow/IPFIX Packets Sent Statistics

Total NetFlow/IPFIX Packets Sent:

Total number of IPFIX/NetFlow packets sent so far to all destinations (external collector, AppFlow server, and GMSFlow server).

NetFlow/IPFIX Packets Sent to External Collection:

Total number of IPFIX/NetFlow packets sent to the external collector so far.

NetFlow/IPFIX Packets Sent to GMSFlow Server:

Total number of IPFIX/NetFlow packets sent to the GMSFlow server so far.

NetFlow/IPFIX Packets Sent to AppFlow Server:

Total number of IPFIX/NetFlow packets sent to the AppFlow server so far.

NetFlow/IPFIX Templates Sent

Total number of IPFIX/NetFlow templates sent to all destinations (external collector, AppFlow server, and GMSFlow server).

Collection Flows Sent to External Collection

Total number of connection/static/general flows that have been reported to the external collector.

Collection Flows Sent to GMSFlow Server

Total number of connection/static/general flows that have been reported to the GMSFlow server.

Collection Flows Sent to AppFlow Server

Total number of connection/static/general flows that have been reported to the AppFlow collector.

Non-Connection Related Flows Sent to External Collector Statistics

Settings Tab

The Settings tab has configurable options for local internal flow reporting, AppFlow Server external flow reporting, and the IPFIX collector.

The Settings tab has these sections:

Settings

Local Server Settings

Other Report Settings

Settings

The Settings section of the Settings tab allows you to enable real-time data collection and AppFlow report collection.

Report Collections—Enables AppFlow reporting collection according to one of these modes:

All — Selecting this radio button reports all flows. This option is selected by default.

Interface-based — Selecting this radio button enables flow reporting based only on the initiator or responder interface. This provides a way to control what flows are reported externally or internally. If enabled, the flows are verified against the per interface flow reporting configuration, located in the Network > Interface page. If an interface has its flow reporting disabled, then flows associated with that interface are skipped.

Firewall/App Rules-based — Selecting this radio button enables flow reporting based on already existing firewall Access and App rules configuration, located on the Firewall > Access Rules page and the Firewall > App Rules page, respectively. This is similar to interface-based reporting; the only difference is instead of checking per interface settings, the per firewall rule is selected.

Every firewall Access and App rule has a checkbox to enable flow reporting. When this mode is selected, a flow that matches a rule is reported only if that rule has flow reporting enabled.

Note If this option is enabled but no rules have the flow reporting option enabled, no data will be reported. This option is an additional way to control which flows need to be reported.

Enable Real-Time Data Collection—This setting enables real-time data collection on your Dell SonicWALL appliance for real-time statistics. Individual items can be enabled/disabled in the Collect Real-Time Data For drop-down menu. This setting is enabled by default.

When this setting is disabled, the Real-Time Monitor does not collect or display streaming data as the real-time graphs displayed in the Dashboard > Real-Time Monitor page are disabled.

Collect Real-Time Data For—Select from this pull-down menu the streaming graphs to display on the Dashboard > Real-Time Monitor page:

Top Apps—Displays the Applications graph.

Bits per sec.—Displays the Bandwidth graph.

Packets per sec.—Displays the Packet Rate graph.

Average packet size—Displays the Packet Size graph.

Connections per sec.—Displays the Connection Rate and Connection Count graphs.

Core utility—Displays the Multi-Core Monitor graph.

Enable Aggregate AppFlow Report Data Collection—When enabled, the firewall will start collecting data for an aggregate report. Individual reports can be enabled/disabled in the Collect Report Data For drop-down menu. This setting is enabled by default.

When this setting is disabled, the AppFlow Reports does not collect or display data.

Tip By clicking the display_icon.png icon, you can display the Dashboard > AppFlow Reports page.

Collect Report Data For—Select from this drop-down menu the reports to collect for the Dashboard > AppFlow Reports page. By default, all reports are selected.

Apps Report

User Report

IP Report

Threat Report

Geo-IP Report

URL Report

Local Server Settings

The Local Server Settings section allows you to enable AppFlow reporting to an internal collector.

Send AppFlow To Local Collector—This setting enables AppFlow reporting collection to an internal server on your Dell SonicWALL appliance. If this option is disabled, the tabbed displays on Dashboard > AppFlow Monitor are disabled. By default, this option is enabled.

Note When enabling/disabling this option, you may need to reboot the device to enable/disable this feature completely.

Other Report Settings

The options in the Other Report Settings section configure the conditions under which a connection is reported. This section does not apply to non-connection-related flows.

Report DROPPED Connection—If enabled, connections that are dropped due to firewall/app rules are not reported. This option is enabled by default.

Skip Reporting STACK Connections—If enabled, the firewall will not report all connections initiated or responded to by the firewall’s TCP/IP stack. By default, this option is enabled.

Include Following URL Types—From the drop-down menu, select the type of URLs that need to be reported. To skip a particular type of URL reporting, uncheck (disable) the URL. Only the following types are enabled by default: Gifs, Jpegs, Pngs, Htmls, and Aspx.

Note This setting applies to both AppFlow reporting (internal) and external reporting when using IPFIX with extensions.

Enable Geo-IP Resolution—Enables Geo-IP resolution. If disabled, the AppFlow Monitor will not group flows based on country under initiator and responder tabs. This setting is unchecked (disabled) by default.

Note If Geo-IP blocking or Botnet blocking is enabled, this option is ignored.

AppFlow Report Upload Timeout (sec)—Specify the timeout, in seconds, when connecting to the AppFlow upload server. The minimum timeout is 5 seconds, the maximum is 120 seconds, and the default value is 30 seconds.

GMSFlow Server Tab

On the GMSFlow Server tab, you enable the sending of AppFlow and real-time data to the GMSFlow server.

Send AppFlow to SonicWALL GMSFlow Server—If enabled, the SonicWALL firewall will send AppFlow data via IPFIX to the SonicWALL GMSFlow Server. If disabled, the SonicWALL GMSFlow server will not show the AppFlow Monitor, AppFlow report, and Dashboard > AppFlow Monitor chart on the GMSFlow server or via redirection on the SonicWALL device. This option is disabled by default.

Note When enabling/disabling this option, you may need to reboot the device to enable/disable this feature completely.

Send Real-Time Data to SonicWALL GMSFlow Server—If enabled, the SonicWALL firewall will send real-time data via IPFIX to the SonicWALL GMSFlow Server. If disabled, the SonicWALL GMSFlow server will not show the real-time chart on the GMSFlow server or via redirection on the SonicWALL device. This option is disabled by default.

Report On Connection OPEN—If enabled, the SonicWALL firewall will report when a new connection is opened. All associated data related to that connection may not be available when the connection is opened. Thus, flows will show up on the GMSFlow Server as soon as a new connection is opened. This option is disabled by default.

Report On Connection CLOSE—If enabled, the SonicWALL firewall will report when a connection is closed. This is the most efficient way of reporting flows to the GMSFlow Server. All associated data related to that connection are available and reported. This option is enabled by default.

Report Connections On Following Updates—The SonicWALL firewall reports a connection again when it detects any of the following events selected from the pull-down menu (none are selected by default):

threat detection—Enable this to report flows specific to threats. When a virus, intrusion, or spyware is detected, the flow is reported again.

application detection—Enable this to report flows specific to applications. Through deep packet inspection, the firewall can detect that a flow belongs to a particular application; once identified, the flow is reported again.

user detection—Enable this to report flows specific to users. The Dell SonicWALL network security appliance associates a flow with a user based on that user's login credentials; once identified, the flow is reported again.

VPN tunnel detection—Enable this to report flows sent through a VPN tunnel. Once a flow is identified as traversing the VPN tunnel, it is reported again.

Send Dynamic AppFlow For Following Tables—In IPFIX with extensions mode, the firewall can be configured to generate reports for the tables you select from the pull-down menu (all are selected by default):

Connections

Users

URLs

URL ratings

VPNs

Devices

SPAMs

Locations

VOIPs

Note Because the firewall does not cache this information, any flows that are not sent may cause failures when correlating flows with other data.

AppFlow Server Tab

On the AppFlow Server tab, you enable the sending of AppFlow and real-time data to the AppFlow server.

Send AppFlow to SonicWALL AppFlow Server—If enabled, the SonicWALL firewall will send AppFlow data via IPFIX to the SonicWALL AppFlow Server. If disabled, the SonicWALL AppFlow Server will not show the AppFlow Monitor, AppFlow report, and Dashboard > AppFlow Monitor chart on the AppFlow Server or via redirection on the SonicWALL device. This option is disabled by default.

Note When enabling/disabling this option, you may need to reboot the device to enable/disable this feature completely.

Send Real-Time Data to SonicWALL AppFlow Server—If enabled, the SonicWALL firewall will send real-time data via IPFIX to the SonicWALL AppFlow Server. If disabled, the SonicWALL AppFlow Server will not show the real-time chart on the AppFlow Server or via redirection on the SonicWALL device. This option is disabled by default.

Report On Connection OPEN—If enabled, the SonicWALL firewall will report when a new connection is opened. All associated data related to that connection may not be available when the connection is opened. Thus, flows will show up on the AppFlow Server as soon as a new connection is opened. This option is disabled by default.

Report On Connection CLOSE—If enabled, the SonicWALL firewall will report when a connection is closed. This is the most efficient way of reporting flows to the AppFlow Server. All associated data related to that connection are available and reported. This option is enabled by default.

Report Connections On Following Updates—The SonicWALL firewall reports a connection again when it detects any of the following events selected from the pull-down menu (none are selected by default):

threat detection—Enable this to report flows specific to threats. When a virus, intrusion, or spyware is detected, the flow is reported again.

application detection—Enable this to report flows specific to applications. Through deep packet inspection, the firewall can detect that a flow belongs to a particular application; once identified, the flow is reported again.

user detection—Enable this to report flows specific to users. The Dell SonicWALL network security appliance associates a flow with a user based on that user's login credentials; once identified, the flow is reported again.

VPN tunnel detection—Enable this to report flows sent through a VPN tunnel. Once a flow is identified as traversing the VPN tunnel, it is reported again.

Send Dynamic AppFlow For Following Tables—In IPFIX with extensions mode, the firewall can be configured to generate reports for the tables you select from the pull-down menu (all are selected by default):

Connections

Users

URLs

URL ratings

VPNs

Devices

SPAMs

Locations

VOIPs

Note Because the firewall does not cache this information, any flows that are not sent may cause failures when correlating flows with other data.

External Collector Tab

The External Collector tab provides configuration settings for AppFlow reporting to an external IPFIX collector.

Send Flows and Real-Time Data To External Collector—Selecting this checkbox enables the SonicWALL device to send both AppFlow data and real-time data to an external flow collector. This option is disabled by default.

Note When enabling/disabling this option, you may need to reboot the device to enable/disable this feature completely.

External AppFlow Reporting Format—If you enabled the Send Flows and Real-Time Data To External Collector option, you must specify the flow reporting type from the drop-down menu:

NetFlow version-5 (default)

NetFlow version-9

IPFIX

IPFIX with extensions

For the NetFlow and IPFIX reporting types, only connection-related flows are reported.

For IPFIX with extensions, connection-related flows are reported with SonicWALL-specific data types, along with various other dynamic tables for connections, users, applications, threats (viruses/spyware/intrusions), URLs, logs, real-time health (memory/CPU/interface statistics), VPN tunnels, devices, SPAMs, wireless devices, and locations. Flows reported in this mode can be viewed either by another SonicWALL firewall configured as a collector (especially in an HA pair, with the idle firewall acting as the collector) or by a SonicWALL Linux collector. Some third-party collectors can also use this mode to display applications when using standard IPFIX support.

Note Not all reports are visible when using a third-party collector.

Note If the reporting type is set to Netflow versions 5 or 9 or IPFIX, then any third-party collector can be used to show flows reported from the SonicWALL device as it uses standard data types as defined in IETF. If the reporting type is set to IPFIX with extensions, then only collectors that are SonicWALL flow aware, such as SonicWALL Scrutinizer, can be used.

External Collector’s IP Address—Specify the external collector’s IP address to which the SonicWALL device will send flows via NetFlow/IPFIX. This IP address must be reachable from the SonicWALL firewall. If the collector is reachable only via a VPN tunnel, then the source IP must also be specified.

Source IP To Use for Collector On A VPN Tunnel—If the external collector specified in External Collector’s IP Address must be reached by a VPN tunnel, specify the source IP for the correct VPN policy.

Note Select a source IP from the local network specified in the VPN policy. If specified, Netflow/IPFIX flow packets will always take the VPN path.

External Collector’s UDP Port Number—Specify the UDP port number on which the external collector is listening for Netflow/IPFIX packets. The default port is 2055.

Send IPFIX/Netflow Templates at Regular Intervals—Selecting this checkbox will enable the appliance to send Template flows at regular intervals. Netflow version-9 and IPFIX use templates that must be known to an external collector before sending data. Per IETF, a reporting device must be capable of sending templates at a regular interval to keep the collector in sync with the device. If the collector does not need templates at regular intervals, you may disable the option. This option is disabled by default.

Note This option is available with Netflow version-9, IPFIX, and IPFIX with extensions only. The checkbox is dimmed if Netflow version-5 is selected.
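To show why a NetFlow version-9/IPFIX collector cannot decode data records until it holds the matching template (the gap that Generate ALL Templates and the regular template interval close), here is an added Python example of a minimal IPFIX template cache and record decoder; it is not SonicWALL code. The enterprise number and vendor field ID in the constructed sample messages are placeholders, not SonicWALL's real values, and the decoder handles fixed-length fields only.

```python
import ipaddress
import struct
IPFIX_VERSION = 10       # IPFIX is NetFlow version 10
TEMPLATE_SET_ID = 2      # set IDs below 256 are reserved; 256 and up are data sets
ENTERPRISE_BIT = 0x8000  # high bit of an IE ID marks a vendor (enterprise) field
EXAMPLE_PEN = 99999      # placeholder enterprise number, NOT SonicWALL's real value
EXAMPLE_APP_ID_IE = 1001 # placeholder vendor field ID for the constructed sample

class IpfixCollector:
    """Template cache keyed by (observation domain, template ID) plus a record decoder."""
    def __init__(self):
        self.templates = {}   # (domain, tid) -> [(ie_id, enterprise, length), ...]
        self.records = []     # decoded records: {(enterprise, ie_id): value}
        self.undecodable = 0  # data sets that arrived before their template

    def feed(self, message: bytes) -> None:
        version, length, _time, _seq, domain = struct.unpack("!HHIII", message[:16])
        if version != IPFIX_VERSION or length != len(message):
            raise ValueError("not a well-formed IPFIX message")
        offset = 16
        while offset + 4 <= length:
            set_id, set_len = struct.unpack("!HH", message[offset:offset + 4])
            if set_len < 4:
                raise ValueError("bad set length")
            body = message[offset + 4:offset + set_len]
            if set_id == TEMPLATE_SET_ID:
                self._parse_templates(domain, body)
            elif set_id >= 256:
                self._parse_data(domain, set_id, body)
            offset += set_len  # options templates (set ID 3) are skipped here

    def _parse_templates(self, domain, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, count = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if count == 0:  # a template withdrawal
                self.templates.pop((domain, tid), None)
                continue
            fields = []
            for _ in range(count):
                ie_id, flen = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                enterprise = 0
                if ie_id & ENTERPRISE_BIT:  # vendor field: 4-byte enterprise number follows
                    enterprise = struct.unpack("!I", body[pos:pos + 4])[0]
                    pos += 4
                    ie_id &= 0x7FFF
                fields.append((ie_id, enterprise, flen))
            self.templates[(domain, tid)] = fields

    def _parse_data(self, domain, tid, body):
        fields = self.templates.get((domain, tid))
        if fields is None:  # no template yet: the bytes are opaque and must be dropped
            self.undecodable += 1
            return
        rec_len = sum(flen for _, _, flen in fields)  # fixed-length fields only
        pos = 0
        while pos + rec_len <= len(body):  # anything shorter at the end is padding
            rec = {}
            for ie_id, enterprise, flen in fields:
                raw = body[pos:pos + flen]
                pos += flen
                if enterprise == 0 and ie_id in (8, 12) and flen == 4:  # src/dst IPv4
                    rec[(0, ie_id)] = str(ipaddress.IPv4Address(raw))
                else:
                    rec[(enterprise, ie_id)] = int.from_bytes(raw, "big")
            self.records.append(rec)

# Exporter-side builders for the constructed sample messages.
def ipfix_message(domain, sets):
    body = b"".join(sets)
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), 0, 0, domain) + body

def template_set(tid, fields):
    rec = struct.pack("!HH", tid, len(fields))
    for ie_id, enterprise, flen in fields:
        if enterprise:
            rec += struct.pack("!HHI", ie_id | ENTERPRISE_BIT, flen, enterprise)
        else:
            rec += struct.pack("!HH", ie_id, flen)
    return struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(rec)) + rec

def data_set(tid, records):
    body = b"".join(records)
    return struct.pack("!HH", tid, 4 + len(body)) + body

def run_demo():
    """Data sent before its template is lost; once the template arrives, records decode."""
    # Fields: sourceIPv4Address(8), destinationIPv4Address(12), octetDeltaCount(1) in 4
    # bytes, plus one vendor field carrying a constructed application ID.
    fields = [(8, 0, 4), (12, 0, 4), (1, 0, 4), (EXAMPLE_APP_ID_IE, EXAMPLE_PEN, 2)]
    rec1 = struct.pack("!4s4sIH", bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]), 123456, 42)
    rec2 = struct.pack("!4s4sIH", bytes([10, 0, 0, 2]), bytes([192, 0, 2, 11]), 512, 7)
    c = IpfixCollector()
    c.feed(ipfix_message(1, [data_set(256, [rec1])]))        # collector has no template yet
    c.feed(ipfix_message(1, [template_set(256, fields)]))    # what "Generate ALL Templates" sends
    c.feed(ipfix_message(1, [data_set(256, [rec1, rec2])]))  # now decodable
    return c
```

A collector restarted after the firewall sees exactly the first case until a template arrives, which is why a collector that keeps no template cache across restarts needs templates sent at regular intervals.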

Send Static AppFlow at Regular Interval—Enable this option if the external collector requires static flows to be sent at regular intervals. When enabled, this option generates IPFIX records hourly for all the static tables specified in Send Static AppFlow for Following Tables. This option is disabled by default.

Note This option is available with IPFIX with extensions only and must be enabled if SonicWALL Scrutinizer is used as an external collector.

Send Static AppFlow for Following Tables—Select the static mapping tables to be generated to a flow from the drop-down menu:

Applications *

Viruses *

Spyware *

Intrusions *

Location Map

Services *

Rating Maps *

Table Map

Column Map

Note Items with an asterisk (*) are selected by default.

For more information on static tables, refer to NetFlow Tables.

When running in IPFIX with extensions mode, the SonicWALL firewall reports multiple types of data to an external device to correlate User, VPN, Application, Virus, and Spyware information. In this mode, data is both static and dynamic. Static tables are needed only once as they rarely change. Depending on the capability of the external collector, not all static tables are needed.

In IPFIX with extensions mode, the SonicWALL firewall can asynchronously generate static mapping tables to bring the external collector into sync. This synchronization is needed when the external collector is initialized later than the SonicWALL firewall. To generate these tables, select the needed mapping tables and then click the Generate Static AppFlow Data button. Only flows for the tables selected in Send Static AppFlow for Following Tables are generated.

Send Dynamic AppFlow for Following Tables—Select the dynamic mapping tables to be generated to a flow from the drop-down menu:

Connections *

Users *

URLs *

URL Ratings *

VPNs *

Devices

SPAMs

Locations

VOIPs *

Note Items with an asterisk (*) are selected by default.

For more information on dynamic tables, refer to NetFlow Tables.

Note This option is available with IPFIX with extensions only.

Note In IPFIX with extensions mode, the SonicWALL firewall can be configured to generate reports for selected tables. Because the firewall does not cache this information, any flows that are not sent may cause failures when correlating flows with other data.

Include Following Additional Reports via IPFIX—When running in IPFIX with extensions mode, SonicWALL is capable of reporting data that is not related to connection and flows. These tables are grouped under this option. Statistics are reported every 5 seconds.

Select additional IPFIX reports to be generated to a flow from the drop-down menu (none are selected by default):

Top 10 Apps—Generates the top 10 applications.

Interface Stats—Generates per-interface statistics such as interface name, interface bandwidth utilization, MAC address, link status.

Core Utilization—Generates per-core utilization as a percentage.

Memory Utilization—Generates the status of available memory, used memory, and memory used by the AppFlow collector.

Depending on the capability of the external collector, not all additional tables are needed.

Note This option is available with IPFIX with extensions only.

Report On Connection OPEN—If enabled, the SonicWALL firewall will report when a new connection is opened. All associated data related to that connection may not be available when the connection is opened. Thus, flows will show up on the external collector as soon as a new connection is opened. This option is enabled by default.

Report On Connection CLOSE—If enabled, the SonicWALL firewall will report when a connection is closed. This is the most efficient way of reporting flows to the external collector. All associated data related to that connection are available and reported. This option is enabled by default.

Report Connection on Active Timeout—Enable this to have the firewall report an active connection every Active Timeout period set in Number of Seconds. This option is disabled by default.

Number of Seconds—Set the number of seconds to elapse for the Active Timeout. The default setting is 60 seconds. You can set from 1 second to 999 seconds for the Active Timeout.

Report Connection on Kilo BYTES Exchanged—Enable this to have the firewall report an active connection whenever the specified amount of bidirectional data is exchanged on the active connection. This option is ideal for flows that are active for a long time and need to be monitored. This option is disabled by default.

Note This option is available with IPFIX with extensions only.

Kilobytes Exchanged—When the Report Connection on Kilo BYTES Exchanged option is enabled, specify the amount of data, in kilobytes, to be transferred on a connection before the connection is reported. The default value is 100 kilobytes.

When this option is enabled, the same flow is reported whenever the specified amount of data is transferred over the connection, which can cause a large amount of IPFIX packet generation on a loaded system. To report this flow only once, select the Report ONCE option.

Report ONCE—When the Report Connection on Kilo BYTES exchanged option is enabled, enabling this option will send the report only once regardless of how many kilobytes of data are exchanged. Leave the option unselected if you want multiple reports sent. This option is disabled by default.
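To estimate how many records one long-lived connection generates under the OPEN/CLOSE, Active Timeout, and Kilobytes Exchanged triggers above (the IPFIX packet volume the page warns about on a loaded system), here is an added Python model; it is not SonicWALL code, and it assumes a constant data rate over the connection's lifetime, which real traffic does not have.

```python
from dataclasses import dataclass


@dataclass
class ConnectionReportSettings:
    """Per-connection export triggers from the External Collector tab (page defaults)."""
    report_on_open: bool = True
    report_on_close: bool = True
    report_on_active_timeout: bool = False
    active_timeout_sec: int = 60      # page allows 1..999 seconds
    report_on_kbytes: bool = False
    kbytes_exchanged: int = 100       # page default is 100 kilobytes
    report_once: bool = False         # only meaningful with report_on_kbytes

    def validate(self) -> None:
        if not 1 <= self.active_timeout_sec <= 999:
            raise ValueError("Active Timeout must be between 1 and 999 seconds")
        if self.kbytes_exchanged < 1:
            raise ValueError("Kilobytes Exchanged must be at least 1")


def report_schedule(cfg: ConnectionReportSettings, duration_sec: int, total_kbytes: int):
    """Return sorted (time_sec, reason) pairs, one per record the firewall would export
    for a connection open for duration_sec that moves total_kbytes in total.
    Constant-rate model: the i-th kilobyte threshold is crossed at i*K*T/total."""
    cfg.validate()
    events = []
    if cfg.report_on_open:
        events.append((0.0, "OPEN"))
    if cfg.report_on_active_timeout:
        t = cfg.active_timeout_sec
        while t < duration_sec:  # the CLOSE record already covers the final interval
            events.append((float(t), "ACTIVE_TIMEOUT"))
            t += cfg.active_timeout_sec
    if cfg.report_on_kbytes and total_kbytes >= cfg.kbytes_exchanged:
        # Report ONCE collapses the repeated threshold reports into a single record.
        n = 1 if cfg.report_once else total_kbytes // cfg.kbytes_exchanged
        for i in range(1, n + 1):
            events.append((i * cfg.kbytes_exchanged * duration_sec / total_kbytes, "KBYTES"))
    if cfg.report_on_close:
        events.append((float(duration_sec), "CLOSE"))
    return sorted(events)


def records_per_connection(cfg: ConnectionReportSettings, duration_sec: int, total_kbytes: int) -> int:
    """Number of export records one connection produces under cfg."""
    return len(report_schedule(cfg, duration_sec, total_kbytes))
```

Multiply the per-connection count by the expected number of concurrent long-lived connections to size the collector's UDP intake before enabling the kilobyte trigger without Report ONCE.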

Report Connections On Following Updates—The SonicWALL firewall reports a connection again when it detects any of the following events selected from the pull-down menu (all are selected by default):

threat detection—Enable this to report flows specific to threats. When a virus, intrusion, or spyware is detected, the flow is reported again.

application detection—Enable this to report flows specific to applications. Through deep packet inspection, the firewall can detect that a flow belongs to a particular application; once identified, the flow is reported again.

user detection—Enable this to report flows specific to users. The Dell SonicWALL network security appliance associates a flow with a user based on that user's login credentials; once identified, the flow is reported again.

VPN tunnel detection—Enable this to report flows sent through a VPN tunnel. Once a flow is identified as traversing the VPN tunnel, it is reported again.

Actions—Generate templates and static-flow data asynchronously with these buttons:

– Click the Generate ALL Templates button to begin building templates on the IPFIX server; this will take up to two minutes.

– Click the Generate Static AppFlow Data button to begin generating a large amount of flows to the IPFIX server; this will take up to two minutes.

NetFlow Activation and Deployment Information

SonicWALL recommends careful planning of NetFlow deployment with NetFlow services activated on strategically located edge/aggregation routers which capture the data required for planning, monitoring and accounting applications. Key deployment considerations include the following:

Understanding your application-driven data collection requirements: accounting applications may only require originating and terminating router flow information whereas monitoring applications may require a more comprehensive (data intensive) end-to-end view

Understanding the impact of network topology and routing policy on flow collection strategy: for example, avoid collecting duplicate flows by activating NetFlow on key aggregation routers where traffic originates or terminates and not on backbone routers or intermediate routers which would provide duplicate views of the same flow information

NetFlow can be implemented in the SonicOS management interface to understand the number of flows in the network and the impact on the router. NetFlow export can then be set up at a later date to complete the NetFlow deployment.

NetFlow is in general an ingress measurement technology that should be deployed on appropriate interfaces of edge/aggregation or WAN access routers to gain a comprehensive view of originating and terminating traffic and meet customer needs for accounting, monitoring, or network planning data. The key mechanism for keeping NetFlow data volume manageable is careful planning of the deployment. NetFlow can be deployed incrementally (that is, interface by interface) and strategically (that is, on well-chosen routers) instead of on every router in the network.

User Configuration Tasks

Depending on the type of flows you are collecting, you will need to determine which type of reporting will work best with your setup and configuration. This section includes configuration examples for each supported NetFlow solution, as well as configuring a second appliance to act as a collector.

NetFlow Version 5 Configuration Procedures

NetFlow Version 9 Configuration Procedures

IPFIX (NetFlow Version 10) Configuration Procedures

IPFIX with Extensions Configuration Procedures

NetFlow Version 5 Configuration Procedures

To configure typical Netflow version 5 flow reporting, follow the steps listed below.

1. In External Collector Settings, select the Send AppFlow and Real-Time Data To External Collector checkbox.

2. Select Netflow version-5 as the External Flow Reporting Format from the drop-down list.

3. Specify the External Collector’s IP address in the provided field.

4. For the Source IP to Use for Collector on a VPN Tunnel, specify the source IP if the external collector must be reached by a VPN tunnel. Note that this step is optional.

5. Specify the External Collector’s UDP port number in the provided field. The default port is 2055.

6. In the Connection Report Settings and Report Connections, select the Interface-based checkbox. Once enabled, the flows reported are based on the initiator or responder interface. Note that this step is optional.

7. In the Connection Report Settings and Report Connections, select the Firewall/App Rules-based checkbox. Once enabled, the flows reported are based on already existing firewall rules. Note that this step is optional, but is required if flow reporting is done on selected interfaces.

NetFlow Version 9 Configuration Procedures

To configure Netflow version 9 flow reporting, follow the steps listed below.

1. In External Collector Settings, select the Send AppFlow and Real-Time Data To External Collector checkbox.

2. Select Netflow version-9 as the External Flow Reporting Format from the drop-down list.

3. Specify the External Collector’s IP address in the provided field.

4. For the Source IP to Use for Collector on a VPN Tunnel, specify the source IP if the external collector must be reached by a VPN tunnel. Note that this step is optional.

5. Specify the External Collector’s UDP port number in the provided field. The default port is 2055.

6. In the Connection Report Settings and Report Connections, select the Interface-based checkbox. Once enabled, the flows reported are based on the initiator or responder interface. Note that this step is optional.

7. In the Connection Report Settings and Report Connections, select the Firewall/App Rules-based checkbox. Once enabled, the flows reported are based on already existing firewall rules. Note that this step is optional, but is required if flow reporting is done on selected interfaces.

8. Note that Netflow version-9 uses templates that must be known to an external collector before sending data. In External Collector Settings and Actions, click the Generate ALL Templates button to begin generating templates.

IPFIX (NetFlow Version 10) Configuration Procedures

To configure IPFIX, or NetFlow version 10, flow reporting, follow the steps listed below.

1. In External Collector Settings, select the Send AppFlow and Real-Time Data To External Collector checkbox.

2. Select IPFIX as the External Flow Reporting Format from the drop-down list.

3. Specify the External Collector’s IP address in the provided field.

4. For the Source IP to Use for Collector on a VPN Tunnel, specify the source IP if the external collector must be reached by a VPN tunnel. Note that this step is optional.

5. Specify the External Collector’s UDP port number in the provided field. The default port is 2055.

6. In the Connection Report Settings and Report Connections, select the Interface-based checkbox. Once enabled, the flows reported are based on the initiator or responder interface. Note that this step is optional.

7. In the Connection Report Settings and Report Connections, select the Firewall/App Rules-based checkbox. Once enabled, the flows reported are based on already existing firewall rules. Note that this step is optional, but is required if flow reporting is done on selected interfaces.

8. Note that IPFIX uses templates that must be known to an external collector before sending data. In External Collector Settings and Actions, click the Generate ALL Templates button to begin generating templates.

IPFIX with Extensions Configuration Procedures

To configure IPFIX with extensions flow reporting, follow the steps listed below.

1. In External Collector Settings, select the Send AppFlow and Real-Time Data To External Collector checkbox.

2. Select IPFIX with extensions as the External Flow Reporting Format from the drop-down list.

3. Specify the External Collector’s IP address in the provided field.

4. For the Source IP to Use for Collector on a VPN Tunnel, specify the source IP if the external collector must be reached by a VPN tunnel.

5. Specify the External Collector’s UDP port number in the provided field. The default port is 2055.

6. In the Connection Report Settings and Report Connections, select the Interface-based checkbox. Once enabled, the flows reported are based on the initiator or responder interface. Note that this step is optional.

7. In the Connection Report Settings and Report Connections, select the Firewall/App Rules-based checkbox. Once enabled, the flows reported are based on already existing firewall rules. Note that this step is optional, but is required if flow reporting is done on selected interfaces.

8. Note that IPFIX uses templates that must be known to an external collector before sending data. Click the Generate ALL Templates button to begin generating templates.

9. Enable the option to Send static flows at regular intervals by selecting the checkbox. After enabling this option, click the Generate Static Flows button.

10. Select the tables you wish to receive static flows for from the Send Static AppFlow For Following Tables drop-down list.

11. Select the tables you wish to receive dynamic flows for from the Send Dynamic AppFlow For Following Tables drop-down list.

12. Select any additional reports to be generated to a flow from the Include Following Additional Reports via IPFIX drop-down list.

Configuring Netflow with Extensions with SonicWALL Scrutinizer

One external flow reporting option that works with Netflow with Extensions is the third-party collector called SonicWALL Scrutinizer. This collector displays a range of reporting and analysis that is both Netflow and SonicWALL flow aware.

To verify your Netflow with Extensions reporting configurations, perform the following steps.

1. In Visualization Dashboard Settings and Collector To Use For AppFlow Monitor Page, select the AppFlow Server checkbox.

2. In AppFlow Server Settings, enable the Send AppFlow To SonicWALL AppFlow Server checkbox to enable flows to be reported to an external flow collector.

3. In External Collector Settings, select the Send AppFlow and Real-Time Data To External Collector checkbox.

4. Select IPFIX with extensions as the External Flow Reporting Format from the drop-down list.

5. Specify the External Collector’s IP address in the provided field.

6. For the Source IP to Use for Collector on a VPN Tunnel, specify the source IP if the external collector must be reached by a VPN tunnel.

7. Specify the External Collector’s UDP port number in the provided field. The default port is 2055.

8. In the Connection Report Settings and Report Connections, select the Interface-based checkbox. Once enabled, the flows reported are based on the initiator or responder interface. Note that this step is optional.

9. In the Connection Report Settings and Report Connections, select the Firewall/App Rules-based checkbox. Once enabled, the flows reported are based on already existing firewall rules. Note that this step is optional, but is required if flow reporting is done on selected interfaces.

10. Select the tables you wish to receive static flows for from the provided drop-down list. Then, click Accept.

Currently, Scrutinizer supports Applications and Threats only. Future versions of Plixer will support the following Static Flows: Location Map, Services, Rating Map, Table Map, and Column Map.

11. Next, navigate to the Network > Interfaces screen.

12. Confirm that Flow Reporting is enabled per interface by clicking the Configure icon of the interface you are requesting data from.

13. On the Advanced tab, select the checkbox to Enable flow reporting. Then, click OK.

14. Log in to SonicWALL Scrutinizer. The data displays within minutes.

NetFlow Tables

The following section describes the various NetFlow tables. It also describes in detail the IPFIX with extensions tables that are exported when the SonicWALL is configured to report flows.

This section includes the following sub-sections:

Static Tables

Dynamic Tables

Templates

NetFlow Version 5

NetFlow Version 9

IPFIX (NetFlow Version 10)

IPFIX with Extensions

Static Tables

Static Tables are tables with data that does not change over time. However, this data is required to correlate with other tables. Static tables are usually reported at a specified interval, but may also be configured to send just once. The following is a list of Static IPFIX tables that may be exported:

• Applications Map—This table reports all applications the firewall identifies, including various Attributes, Signature IDs, App IDs, Category Names, and Category IDs.

• Viruses Map—This table reports all viruses detected by the firewall.

• Spyware Map—This table reports all spyware detected by the firewall.

• Intrusions Map—This table reports all intrusions detected by the firewall.

• Location Map—This table represents SonicWALL’s location map describing the list of countries and regions with their IDs.

• Services Map—This table represents SonicWALL’s list of Services with Port Numbers, Protocol Type, Range of Port Numbers, and Names.

• Rating Map—This table represents SonicWALL’s list of Rating IDs and the Name of the Rating Type.

• Table Layout Map—This table reports SonicWALL’s list of tables to be exported, including Table ID and Table Names.

• Column Map—This table represents SonicWALL’s list of columns to be reported with Name, Type, Size, and IPFIX Standard Equivalents for each column of every table.

Dynamic Tables

Unlike Static tables, the data in Dynamic tables changes over time and is sent repeatedly, based on the activity of the firewall. The columns of these tables grow over time, with the exception of a few tables containing statistics or utilization reports. The following is a list of Dynamic IPFIX tables that may be exported:

• Connections—This table reports SonicWALL connections. The same flow tables can be reported multiple times by configuring triggers.

• Users—This table reports users logging in to the firewall via LDAP/RADIUS, Local, or SSO.

• URLs—This table reports URLs accessed through the firewall.

• URL ratings—This table reports Rating IDs for all URLs accessed through the firewall.

• VPNs—This table reports all VPN tunnels established through the firewall.

• Devices—This table reports the list of all devices connected through the firewall, including the MAC addresses, IP addresses, Interface, and NETBIOS name of connected devices.

• SPAMs—This table reports all email exchanges through the SPAM service.

• Locations—This table reports the Locations and Domain Names of an IP address.

• VoIPs—This table reports all VoIP/H323 calls through the firewall.

Templates

The following section shows examples of the type of Netflow template tables that are exported. You can perform a Diagnostic Report of your own Netflow Configuration by navigating to the System > Diagnostics screen and clicking the Download Report button in the “Tech Support Report” section.

NetFlow Version 5

The NetFlow version 5 datagram consists of a header and one or more flow records, and uses UDP to send export datagrams. The first field of the header contains the version number of the export datagram. The second field in the header contains the number of records in the datagram, which can be used to iterate over the records. Because NetFlow version 5 uses a fixed datagram format, no templates are exported; the datagram follows the format of the tables listed below.

Bytes    Contents           Description
0-1      version            NetFlow export format version number
2-3      count              Number of flows exported in this packet (1-30)
4-7      SysUptime          Current time in milliseconds since the export device booted
8-11     unix_secs          Current count of seconds since 0000 UTC 1970
12-15    unix_nsecs         Residual nanoseconds since 0000 UTC 1970
16-19    flow_sequence      Sequence counter of total flows seen
20       engine_type        Type of flow-switching engine
21       engine_id          Slot number of the flow-switching engine
22-23    sampling_interval  First two bits hold the sampling mode; remaining 14 bits hold value of sampling interval

NetFlow Version 5 Header Format

Bytes    Contents   Description
0-3      srcaddr    Source IP address
4-7      dstaddr    Destination IP address
8-11     nexthop    IP address of the next hop router
12-13    input      SNMP index of input interface
14-15    output     SNMP index of output interface
16-19    dPkts      Packets in the flow
20-23    dOctets    Total number of Layer 3 bytes in the packets of the flow
24-27    First      SysUptime at start of flow
28-31    Last       SysUptime at the time the last packet of the flow was received
32-33    srcport    TCP/UDP source port number or equivalent
34-35    dstport    TCP/UDP destination port number or equivalent
36       pad1       Unused (zero) bytes
37       tcp_flags  Cumulative OR of TCP flags
38       prot       IP protocol type (for example, TCP=6; UDP=17)
39       tos        IP type of service (ToS)
40-41    src_as     Autonomous system number of the source, either origin or peer
42-43    dst_as     Autonomous system number of the destination, either origin or peer
44       src_mask   Source address prefix mask bits
45       dst_mask   Destination address prefix mask bits
46-47    pad2       Unused (zero) bytes

NetFlow Version 5 Flow Record Format
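As an added example (not part of the SonicWALL documentation), the following Python decoder unpacks a version 5 export datagram according to the two tables above, checks the version and count fields before trusting the payload, and splits sampling_interval into its 2-bit mode and 14-bit interval. The sample datagram is constructed inline, not captured from a firewall.

```python
import socket
import struct

# Byte layouts from the NetFlow v5 header and flow record tables above.
HEADER_FMT = "!HHIIIIBBH"                  # 24 bytes, big-endian
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"    # 48 bytes, big-endian
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = struct.calcsize(RECORD_FMT)
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts",
                 "dOctets", "First", "Last", "srcport", "dstport", "pad1",
                 "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")


def parse_v5(datagram: bytes) -> dict:
    """Decode one NetFlow v5 datagram into a header dict and a list of records."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than the 24-byte v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = struct.unpack_from(HEADER_FMT, datagram)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version={version})")
    # count is 1-30 and must agree with the datagram length before records are read
    if not 1 <= count <= 30 or len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("count field does not match datagram length")
    header = {
        "version": version, "count": count, "SysUptime": sys_uptime,
        "unix_secs": unix_secs, "unix_nsecs": unix_nsecs, "flow_sequence": flow_seq,
        "engine_type": engine_type, "engine_id": engine_id,
        # first two bits = sampling mode, remaining 14 bits = sampling interval
        "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF,
    }
    records = []
    for i in range(count):
        raw = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        rec = dict(zip(RECORD_FIELDS, raw))
        for key in ("srcaddr", "dstaddr", "nexthop"):   # 4-byte fields to dotted quad
            rec[key] = socket.inet_ntoa(rec[key])
        records.append(rec)
    return {"header": header, "records": records}


# Constructed sample (not a real capture): one datagram carrying a single TCP flow.
SAMPLE = struct.pack(HEADER_FMT, 5, 1, 123456, 1700000000, 0, 42, 0, 0,
                     (1 << 14) | 100)
SAMPLE += struct.pack(RECORD_FMT, socket.inet_aton("10.0.0.5"),
                      socket.inet_aton("192.0.2.10"), socket.inet_aton("0.0.0.0"),
                      1, 2, 12, 3400, 120000, 123000, 51234, 443, 0, 0x1B, 6, 0,
                      0, 0, 24, 24, 0)

if __name__ == "__main__":
    print(parse_v5(SAMPLE))
```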

NetFlow Version 9

An example of a NetFlow version 9 template is displayed below.

The following table details the NetFlow version 9 Template FlowSet Field Descriptions.

Field Name          Description
Template ID         The firewall generates templates with a unique ID based on FlowSet templates matching the type of NetFlow data being exported.
Name                The name of the NetFlow template.
Number of Elements  The number of fields listed in the NetFlow template.
Total Length        The total length in bytes of all reported fields in the NetFlow template.
Field Type          The field type is a numeric value that represents the type of field. Note that values of the field type may be vendor specific.
Field bytes         The length of the specific Field Type, in bytes.

IPFIX (NetFlow Version 10)

An example of an IPFIX (NetFlow version 10) template.

The following table details the IPFIX Template FlowSet Field Descriptions.

Field Name          Description
Template ID         The firewall generates templates with a unique ID based on FlowSet templates matching the type of NetFlow data being exported.
Name                The name of the NetFlow template.
Number of Elements  The number of fields listed in the NetFlow template.
Total Length        The total length in bytes of all reported fields in the NetFlow template.
Field Type          The field type is a numeric value that represents the type of field. Note that values of the field type may be vendor specific.
Field bytes         The length of the specific Field Type, in bytes.

IPFIX with Extensions

IPFIX with extensions exports templates that are a combination of NetFlow fields from the aforementioned versions and SonicWALL IDs. These flows contain several extensions, such as Enterprise-defined field types and Enterprise IDs. Note that the SonicWALL Specific Enterprise ID (EntID) is defined as 8741.
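As an added example (not SonicWALL's code or one of its templates), the following Python parser reads the Template Sets of an IPFIX message and handles the enterprise bit in a field specifier: when the high bit of the element ID is set, a 4-byte Enterprise ID such as 8741 follows the field length. The sample message is constructed inline, and its enterprise element number 1 is a placeholder, not a real SonicWALL field ID.

```python
import struct

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2
SONICWALL_ENTERPRISE_ID = 8741  # EntID stated in the text above


def parse_template_sets(message: bytes) -> dict:
    """Return {template_id: [(element_id, length, enterprise_id_or_None), ...]}
    for every Template Set in one IPFIX message (16-byte message header)."""
    version, msg_len, export_time, seq, domain = struct.unpack_from("!HHIII", message)
    if version != IPFIX_VERSION or msg_len != len(message):
        raise ValueError("bad IPFIX message header")
    templates, off = {}, 16
    while off + 4 <= msg_len:
        set_id, set_len = struct.unpack_from("!HH", message, off)
        if set_len < 4 or off + set_len > msg_len:
            raise ValueError("bad set length")  # truncated or overlong set
        if set_id == TEMPLATE_SET_ID:
            pos, end = off + 4, off + set_len
            while pos + 4 <= end:              # trailing padding (< 4 bytes) is skipped
                tmpl_id, count = struct.unpack_from("!HH", message, pos)
                pos += 4
                fields = []
                for _ in range(count):
                    if pos + 4 > end:
                        raise ValueError("template record overruns its set")
                    ie_id, length = struct.unpack_from("!HH", message, pos)
                    pos += 4
                    ent = None
                    if ie_id & 0x8000:         # enterprise bit: 4-byte Enterprise ID follows
                        (ent,) = struct.unpack_from("!I", message, pos)
                        pos += 4
                        ie_id &= 0x7FFF
                    fields.append((ie_id, length, ent))
                templates[tmpl_id] = fields
        off += set_len
    return templates


def build_sample() -> bytes:
    # Constructed message: template 256 with two standard IPv4 address elements
    # (IDs 8 and 12) and one placeholder enterprise element under EntID 8741.
    fields = struct.pack("!HH", 8, 4) + struct.pack("!HH", 12, 4) \
        + struct.pack("!HHI", 0x8000 | 1, 4, SONICWALL_ENTERPRISE_ID)
    record = struct.pack("!HH", 256, 3) + fields
    tset = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(record)) + record
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(tset), 1700000000, 1, 1) + tset


SAMPLE = build_sample()
```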

The following Name Template is a standard for the IPFIX with extensions templates. The values specified are static and correlate to the Table Name of all the NetFlow exportable templates.

The following template is an example of an IPFIX with extensions template.