Viewing the Flow Reporting Page
The Flow Activity > Flow Reporting page includes settings for configuring the firewall to view statistics based on Flow Reporting and Internal Reporting. From this screen, you can also configure settings for internal reporting and flow server reporting.
This section includes the following sub-sections:
• Settings
The Settings section has configurable options for local internal flow reporting, Flow Activity Server external flow reporting, and the IPFIX collector.
• Send AppFlow To Local Collector—This setting enables AppFlow reporting collection to an internal server on your SonicWALL SuperMassive.
• Enable Real-Time Data Collection—This setting enables real-time data collection on your SonicWALL SuperMassive. When this setting is disabled, the Real-Time Monitor does not collect or display streaming data.
– Collect Real-Time Data For—Select from this pull-down menu the streaming-graphs to display on the Real-Time Monitor page:
    • Top Apps—Displays the Applications graph.
    • Bits per second—Displays the Bandwidth graph.
    • Packets per second—Displays the Packet Rate graph.
    • Average packet size—Displays the Packet Size graph.
    • Connections per second—Displays the Connection Rate and Connection Count graphs.
    • Core utility—Displays the Multi-Core Monitor graph.
    • Memory utility—Displays the Memory Usage graph.
• Enable Aggregate AppFlow Report Data Collection—This setting enables AppFlow Reports collection on your SonicWALL SuperMassive. When this setting is disabled, AppFlow Reports does not collect or display data.
This section provides the network administrator the ability to start sending AppFlow data and Real-Time data to an external SonicWALL AppFlow Server.
• Send AppFlow To SonicWALL AppFlow Server—This setting allows you to start sending AppFlow records to an external AppFlow Server.
• Send Real-Time Data To SonicWALL AppFlow Server—This setting allows you to start sending real-time records to an external AppFlow Server.
This section provides configuration settings for AppFlow reporting to an external IPFIX collector.
• Send AppFlow and Real-Time Data To External Collector—Selecting this checkbox enables the specified flows to be reported to an external flow collector.
• External AppFlow Reporting Format—If the “Report to EXTERNAL Flow Collector” option is selected, you must specify the flow reporting type from the drop-down menu: NetFlow version-5, NetFlow version-9, IPFIX, or IPFIX with extensions. If the reporting type is set to NetFlow version 5, NetFlow version 9, or IPFIX, any third-party collector can be used to show flows reported from the device, because these formats use standard data types as defined by the IETF. If the reporting type is set to IPFIX with extensions, only collectors that are SonicWALL flow aware can be used.
When using IPFIX with extensions, select a third-party collector that is SonicWALL flow aware, such as SonicWALL Scrutinizer.
For the NetFlow and IPFIX reporting types, only connection-related flows are reported, per the standard. For IPFIX with extensions, connection-related flows are reported with SonicWALL-specific data types, along with various other tables that correlate flows with Users, Applications, Viruses, VPN, and so on.
• External Collector’s IP Address—Specify the external collector’s IP address. This IP address must be reachable from the SonicWALL firewall in order for the collector to generate flow reports.
• Source IP to Use for Collector on a VPN Tunnel—If the external collector must be reached by a VPN tunnel, specify the source IP for the correct VPN policy. Note: Select Source IP from the local network specified in the VPN policy. If specified, Netflow/IPFIX flow packets will always take the VPN path.
• External Collector’s UDP Port Number—Specify the UDP port number that Netflow/IPFIX packets are being sent over. The default port is 2055.
• Send IPFIX/Netflow Templates at Regular Intervals—Selecting this checkbox will enable the appliance to send Template flows at regular intervals. Netflow version-9 and IPFIX use templates that must be known to an external collector before sending data. Per IETF, a reporting device must be capable of sending templates at a regular interval to keep the collector in sync with the device. If the collector does not need templates at regular intervals, you may disable it here. This option is available with Netflow version-9, IPFIX, and IPFIX with extensions only.
• Send Static AppFlow at Regular Interval—Selecting this checkbox enables sending the static AppFlow tables specified below at regular intervals.
– Send Static AppFlow for Following Tables—Select the static mapping tables to be generated to a flow from the drop-down list. Values include: Applications, Viruses, Spyware, Intrusions, Location Map, Services, Rating Maps, Table Map, and Column Map. When running in IPFIX with extensions mode, SonicWALL reports multiple types of data to an external device in order to correlate User, VPN, Application, Virus, and Spyware information. In this mode, data is both static and dynamic. Static tables are needed only once since they rarely change. Depending on the capability of the external collector, not all static tables are needed. You can select the tables needed in this section. This option is available with IPFIX with extensions only.
• Send Dynamic AppFlow for Following Tables—Select the dynamic mapping tables to be generated to a flow from the drop-down list. Values include: Connections, Users, URLs, URL Ratings, VPNs, Devices, SPAMs, Locations, and VoIPs.
• Include Following Additional Reports via IPFIX—Select additional IPFIX reports to be generated to a flow. Select values from the drop-down list. Values include: Top 10 Apps, Interface Stats, Core Utilization, and Memory Utilization.
When running in IPFIX with extensions mode, SonicWALL is capable of reporting additional data that is not related to connections and flows. These tables are grouped under this section (Additional Reports). Depending on the capability of the external collector, not all additional tables are needed. In this section, users can select the tables that are needed. This option is available with IPFIX with extensions only.
• Actions—Click the Generate ALL Templates button to begin building templates on the IPFIX server; this takes up to two minutes. Click the Generate Static AppFlow Data button to begin generating a large number of flows to the IPFIX server; this also takes up to two minutes.
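Why the resend described under Send IPFIX/Netflow Templates at Regular Intervals matters, seen from the collector side. This is an added example, not SonicWALL code: a minimal IPFIX (RFC 7011) decoder run over constructed messages, handling only fixed-length IANA fields (enterprise-specific and variable-length fields are out of scope). The function names, template ID 256 and sample addresses are assumptions.

```python
import ipaddress
import struct

def build_message(set_id, payload, domain=1):   # constructed input, RFC 7011 layout
    body = struct.pack("!HH", set_id, len(payload) + 4) + payload
    return struct.pack("!HHIII", 10, len(body) + 16, 0, 0, domain) + body

def decode(fields, payload):
    size, out = sum(n for _, n in fields), []
    for pos in range(0, len(payload) - size + 1, size):
        rec = {}
        for ie, n in fields:
            raw, pos = payload[pos:pos + n], pos + n
            rec[ie] = str(ipaddress.IPv4Address(raw)) if ie in (8, 12) else int.from_bytes(raw, "big")
        out.append(rec)
    return out

def handle(templates, msg):
    version, length, _, _, domain = struct.unpack_from("!HHIII", msg, 0)
    if version != 10 or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    records, skipped, off = [], 0, 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        payload, fields = msg[off + 4:off + set_len], templates.get((domain, set_id))
        pos = 0
        while set_id == 2 and pos + 4 <= len(payload):   # Template Set: cache every record
            tid, count = struct.unpack_from("!HH", payload, pos)
            end = pos + 4 + 4 * count
            templates[(domain, tid)] = list(struct.iter_unpack("!HH", payload[pos + 4:end]))
            pos = end
        if set_id >= 256 and fields:                     # Data Set with a known template
            records += decode(fields, payload)
        elif set_id >= 256:                              # Data Set ahead of its template
            skipped += 1
        off += set_len
    return records, skipped

# Constructed sample: template 256 = IEs 8 (src IPv4), 12 (dst IPv4), 11 (dst port), 1 (octets).
TEMPLATE = struct.pack("!HH8H", 256, 4, 8, 4, 12, 4, 11, 2, 1, 8)
RECORD = bytes([192, 0, 2, 10, 198, 51, 100, 7]) + struct.pack("!HQ", 443, 1500)

def demo():
    t = {}                                               # collector just restarted
    early = handle(t, build_message(256, RECORD))        # template not seen yet
    handle(t, build_message(2, TEMPLATE))                # periodic template resend arrives
    return early, handle(t, build_message(256, RECORD))
```

`demo()` shows the same data set being skipped while the template is unknown and decoded once the template has been received, which is the window a collector restart opens when templates are not resent.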
This section allows the network administrator to configure conditions under which a connection is reported.
• Report Connections—Select from All or Interface-based or Firewall/App Rules-based connection reporting. Note that this option is applicable to both internal and external flow reporting.
– All—Selecting this checkbox enables any connection reporting.
– Interface-based—Selecting this checkbox enables flow reporting based only on the initiator or responder interface. This provides a way to control what flows are reported externally or internally. If enabled, the flows are verified against the per interface flow reporting configuration, located in the Network > Interface screen. If an interface has its flow reporting disabled, then flows associated with that interface are skipped.
– Firewall/App Rules-based—Selecting this checkbox enables flow reporting based on existing firewall rules. This is similar to interface-based reporting; the only difference is that the per-firewall-rule setting is checked instead of the per-interface setting. Every firewall rule has a checkbox to enable flow reporting. When this option is enabled, each flow that matches a firewall rule is checked against that rule's flow reporting setting before it is reported. Note that if this option is enabled and no rules have the flow reporting option enabled, no data will be reported. This option is an additional way to control which flows need to be reported.
• Report on Connection OPEN—Enable this to report flows when the connection is open. This is typically when a connection is established.
• Report on Connection CLOSED—Enable this to report flows when the connection is closed.
• Report Connection on Active Timeout—Enable this to report connections based on an Active Timeout.
– Number of Seconds—Set the number of seconds to elapse for the Active Timeout. The default setting is 60 seconds. You can set from 1 second to 999 seconds for the Active Timeout.
• Report Connection on Kilo BYTES Exchanged—Enable this to report flows when a specific amount of traffic, in kilobytes, is exchanged. This option is ideal for flows that are active for a long time and need to be monitored.
– Kilobytes Exchanged—When the above option is enabled, specify the number of kilobytes exchanged to be reported.
– Report ONCE—When the Report Connection on Kilo BYTES exchanged option is enabled, enabling this option will send the report only once. Leave it unselected if you want reports sent periodically.
• Report Connections on Following Updates—Select from the pull-down menu to enable connection reporting for the following:
– Threat Detection—Enable this to report flows specific to threats. Upon detection of a virus, intrusion, or spyware, the flow is reported again.
– Application Detection—Enable this to report flows specific to applications. Upon performing a deep packet inspection, the SonicWALL appliance is able to detect if a flow is part of a certain application. Once identified, the flow is reported again.
– User Detection—Enable this to report flows specific to users. The SonicWALL appliance associates flows with a user based on the user's login credentials. Once identified, the flow is reported again.
– VPN Tunnel Detection—Enable this to report flows sent through the VPN tunnel. Once flows sent over the VPN tunnel are identified, the flow is reported again.
This section allows the network administrator to configure conditions under which a connection is reported.
• Report DROPPED Connections—Enable this to report dropped connections. This applies to connections that are dropped due to firewall rules.
• Skip Reporting of STACK Connections—Enable this to skip the reporting of STACK connections. Note that all flows as a result of traffic initiated or terminated by the SonicWALL SuperMassive are considered stack traffic.
• Include following URL types—Select the types of URLs to be generated into a flow. Select values from the drop-down list. Values include: Gifs, Jpegs, Pngs, Js, Xmls, Jsons, Css, Htmls, Aspx, and Cms. This option applies to both AppFlow (internal) and external reporting when used with IPFIX with extensions.