Resolution
Feature/Application:
The Log > Flow Reporting screen allows you to view statistics based on Flow Reporting and Internal Reporting. From this screen, you can also configure settings for internal and external flow reporting and
external flow reporting.
IPFIX with Extensions Configuration Procedures
To configure typical IPFIX with Extensions flow reporting, follow the steps listed below.
Step 1: Select the checkbox to Enable flow reporting.
Please Note: that if this option is disabled, both internal and external flow reporting are also disabled.
Step 2: Select the Report to EXTERNAL flow collector checkbox to enable flows to be reported to an external flow collector.
Note that you may enable this option if you prefer to receive external flows, rather than the SonicWall visualization. Remember, not all collectors will work with all modes of flow reporting.
Step 3: Enable INTERFACE based reporting by selecting the checkbox. Once enabled, the flows reported are based on the initiator or responder interface.
Note that this step is optional.
Step 4: Enable Firewall-Rules Based Reporting by selecting the checkbox. Once enabled, the flows reported are based on already existing firewall rules.
Note that this step is optional, but is required if flow reporting is done on selected interfaces.
Step 5: Select IPFIX with Extensions as the External Flow Reporting Type from the dropdown list if the Report to EXTERNAL flow collector option is selected. Next, specify the External Collector’s IP address in the provided field.
Step 6: For the Source IP to Use for Collector on a VPN Tunnel, specify the source IP if the external collector must be reached by a VPN tunnel.
Note that this step is optional.
Step 7: Specify the External Collector’s UDP port number in the provided field. The default port is 2055.
Step 8: Enable the option to Send templates at regular intervals by selecting the checkbox. Note that IPFIX uses templates that must be known to an external collector before sending data. After enabling this option, you can Generate ALL Templates by clicking the button in the topmost toolbar.
Step 9: Enable the option to Send static flows at regular intervals by selecting the checkbox. After enabling this option, you can Generate Static Flows by clicking the button in the topmost toolbar.
Step 10: Select the tables you wish to receive static flows for from the dropdown list.
Step 11: Select the tables you wish to receive dynamic flows for from the dropdown list.
Step 12: Select any additional reports to be generated to a flow from the dropdown list.
Configuring Report Settings
After configuring the Settings section to what best suits your App Flow, External, or IPFIX collector configuration, continue through this section to specify Flow Reporting Settings.
Step 1 Select the Flow reporting mode from the dropdown list. Note that Realtime with bulk is the default setting.
For Realtime or Realtime with bulk, For Periodic, continue to Step 2.
Step 2 Specify the Flow reporting period. This is the number of seconds the appliance will wait before reporting the collected amount of flows. The default value is 10 seconds.
Step 3 Next, specify the Number of flows reported per period.
Step 4 Select the Report TOP-TALKERS only checkbox to enable the SonicWall appliance to report flows with the maximum amount of traffic.
Configuring Event Settings
After configuring the Report Settings, continue through this section to configure the conditions under which a flow is reported. Selecting a checkbox will enable the configuration.
• Report Flows on Connection OPEN—Enable this to report flows when the Connection is open. This is typically when a connection is established.
• Report Flows on Threat Detection—Enable this to report flows specific to threats. Upon detections of virus, intrusion, or spyware, the flow is reported again.
• Report Flows on Application Detection—Enable this to report flows specific to applications. Upon performing a deep packet inspection, the SonicWall appliance is able to detect if a flow is part of a certain application. Once identified, the flow is reported again.
• Report Flows on User Detection—Enable this to report flows specific to users. The SonicWall appliance associates flows to a user-based detection based on its login credentials. Once identified, the flow is reported again.
• Report Flows on VPN Tunnel Detection—Enable this to report flows sent through the VPN tunnel. Once flows sent over the VPN tunnel are identified, the flow is reported again.
• Report Flows on Kilo BYTES exchanged—Enable this to report flows based on a specific number of traffic, in kilobytes, is exchanged. This option is ideal for flows that are active for a long time and need to be monitored. – Kilobytes exchanged—When the above option is enabled, specify the number of kilobytes exchanged to be reported. – Report Once—When the Report Flows on Kilo BYTES exchanged option is enabled, enabling this option will send the report only once. Leave it unselected if you want reports sent periodically.
• Report Flows on Connection CLOSED—Enable this to report flows when the Connection is closed.
• Report DROPPED Flows—Enable this to report dropped flows. This applies to flows that are dropped due to firewall rules.
• Skip Reporting of STACK Flows (connections)—Enable this to skip the reporting of STACK flows for connections. Note that all flows as a result of traffic initiated or terminated by the firewall itself are considered stack traffic.
• Include following URL types—Select the type of URLS to be generated into a flow. Select values from the dropdown list. Values include: Gifs, Jpegs, Pngs, Js, Xmls, Jsons, Css, Htmls, Aspx, and Cms.
Note: This option is applies to both App Flow (internal) and external reporting when used with IPFIX with extensions.
Verifying Netflow with Extensions Configurations
One external flow reporting option that works with Netflow with Extensions is the third-party collector called Plixer Scrutinizer. This collector displays a range of reporting and analysis that is both Netflow and SonicWall flow aware.
Please Note: You will need an account with Plixer Scrutinizer.
To verify your Netflow with Extensions reporting configurations, perform the following steps.
Step 1: Navigate to the SonicWall Log > Flow Reporting screen. Enable the Report to EXTERNAL flow collector option on the Settings section.
Step 2: Specify the External collector’s IP address and respective UDP Port Number.
Step 3: Enable the option to Send templates at regular intervals.
Step 4: Enable the option to Send static flows at regular intervals.
Step 5: Select the tables you wish to receive static flows for from the provided dropdown list. Then, click Accept.
Note: Currently, Scrutinizer supports Applications and Threats only. Future versions of Plixer will support the following Static Flows: Location Map, Services, Rating Map, Table Map, and Column Map.
Step 6: Next, navigate to the Network > Interfaces screen.
Step 7: Confirm that Flow Reporting is enabled per interface by clicking the Configure icon of the interface you are requesting data from.
Step 8: On the Advanced tab, select the checkbox to Enable flow reporting. Then, click OK.
Step 9: Login to Plixer Scrutinizer. The data displays within minutes.
Templates
The following section shows examples of the type of Netflow template tables that are exported. You can perform a Diagnostic Report of your own Netflow Configuration by navigating to the System > Diagnostics screen, and click the Download Report button in the “Tech Support Report” section.
IPFIX with Extensions:
IPFIX with extensions exports templates that are a combination of NetFlow fields from the aforementioned versions and SonicWall IDs. These flows contain several extensions, such as Enterprise-defined field types and Enterprise IDs. Note that the SonicWall Specific Enterprise ID (EntID) is defined as 8741.
The following Name Template is a standard for the IPFIX with extensions templates. The values specified are static and correlate to the Table Name of all the NetFlow exportable templates.
