
Analyzer 8.3 Admin Guide

Introduction

Introduction to Analyzer

This chapter provides an overview of SonicWall™ Analyzer and information about the user interface. See the following sections:

About this Guide

This guide provides the information you need to configure and use SonicWall Analyzer for monitoring SonicWall network security and other appliances. SonicWall Analyzer creates dynamic, Web-based network reports showing all activity on monitored appliances.

Overview of Analyzer

This section contains the following subsections:

What is Analyzer?

Monitoring critical network events and activity, such as security threats, inappropriate Web use, and bandwidth levels, is an essential component of network security. SonicWall Analyzer Reporting complements SonicWall's network security offerings by providing detailed and comprehensive reports of network activity.

The Analyzer Reporting Module is a software application that creates dynamic, Web-based network reports. The Analyzer Reporting Module generates both real-time and historical reports to offer a complete view of all activity through SonicWall network security appliances. With Analyzer Reporting, you can monitor network access, enhance security, and anticipate future bandwidth needs. The Analyzer Reporting Module:

Displays bandwidth use by IP address and service
Identifies inappropriate Web use
Provides detailed reports of attacks
Collects and aggregates system and network errors
Shows VPN events and problems
Presents visitor traffic to your Web site
Provides detailed daily logs to analyze specific events.

Key Features in Analyzer 8.3

This section describes the SonicOS enhancements included in the Analyzer 8.3 release:

Provides SonicOS 6.2.7 support — SonicOS Enhanced versions 6.2.7 and above are supported.

Key Features in Analyzer 8.2

This section describes the SonicOS enhancements included in the Analyzer 8.2 release:

Provides SonicOS 6.2.6 support — SonicOS Enhanced versions 6.2.6 and above are supported, including SonicPoint enhancements like Capture ATP policy configuration.

SonicOS 6.2.6.0 includes an important new feature that is supported by Analyzer 8.2:

Capture Advanced Threat Protection (Capture ATP)
About Capture ATP — Capture Advanced Threat Protection (ATP) is an add-on security service to the firewall, similar to Gateway Anti-Virus (GAV). Capture ATP helps a firewall identify whether a file contains a zero-day virus by transmitting a suspicious file to the Cloud where the Capture ATP service analyzes the file to determine if it contains a virus. Capture ATP then sends the results to the firewall. This is done in real time while the file is being processed by the firewall.

The Capture ATP > Status page displays a graph chart that shows the percentages of benign and malicious files discovered, as well as the total number of files analyzed. It also displays a log table that shows the results of individual files submitted for analysis.

Capture ATP can also analyze files that you upload for analysis from the Capture ATP > Status page. After the files are analyzed they are listed in the table on the Status page. You can click on any file in the log table on the Status page and see the results from the detailed analysis of that file.

Note that Capture ATP is only supported on the following appliances. The smaller TZ appliances and the SOHO wireless appliance do not support Capture ATP.

Table 1.

| SuperMassive | NSA | TZ |
|---|---|---|
| SuperMassive 9600 | NSA 6600 | TZ600 |
| SuperMassive 9400 | NSA 5600 | TZ500 and TZ500 Wireless |
| SuperMassive 9200 | NSA 4600 | |
| | NSA 3600 | |
| | NSA 2600 | |

Key Features in Analyzer 8.1

This section describes the SonicOS enhancements included in the Analyzer 8.1 release:

Provides SonicOS 6.2.4 and 6.2.4.3 and above support — New features in SonicOS 6.2.4, 6.2.4.3 and above are supported.
Log > Settings enhancements — New fields added including: “Syslog ID,” “E-mail Format,” and “Include All Log Information.”
In the Syslog ID box, enter the Syslog ID that you want. A Syslog ID field is included in all generated Syslog messages, prefixed by “id=”. Thus, for the default value, firewall, all Syslog messages include “id=firewall.” The ID can be set to a string consisting of 0 to 32 alphanumeric and underscore characters.
NOTE: The Syslog ID field is fixed to firewall when the Override Syslog Settings with Reporting Software Settings option is enabled, and therefore, cannot be modified.
Email Format — Select whether log emails will be sent in Plain Text, CSV Attachment, or HTML format from the drop-down menu.
Include All Log Information — Select to have all information included in the log report.
Solera Capture Stack — Solera Networks makes a series of appliances of varying capacities and speeds designed to capture, archive, and regenerate network traffic. The Solera Networks Network Packet Capture System (NPCS) provides utilities that allow the captured data to be accessed in time sequenced playback, that is, analysis of captured data can be performed on a live network via NPCS while the device is actively capturing and archiving data.
Firewall Action — Changes to the report database, table structure, and associated reports in the UI. Reports can now include the firewall action for all events relating to the traffic that is traversing or being blocked by the firewall.
Reporting Database — Infobright with Postgres — The Analyzer 8.1 upgrade replaces the Infobright with MySQL database formerly used in earlier versions with Infobright with Postgres. The installer will ask if you want to perform the data migration to the new database.
Analyzer 8.1 Installation and Deployment Requirements — The license to distribute Infobright with MySQL, the reporting database used in Analyzer 8.0, expires on Dec 31, 2015. Infobright is replacing it with Infobright running the PostgreSQL engine instead. The basic premise for the changes is the restrictions and difficulties in negotiating the licensing agreements with Oracle MySQL.

Support for Infobright with MySQL will continue and customers who have deployments as of Dec 31, 2015 will continue to receive upgrades, patches, and hot fixes until Dec 31, 2018. They will also be able to add new Agents to the existing deployments.

Backup and Restore Performance enhancements — Added two new fields to the UMH System > Backup/Restore screen to include “Free disk space required,” and “Auto disk space management.”
“Free disk space required” — Indicates the space required to perform the backup, and how much space is available for use on the resource. If available disk space is less than the estimated free disk space required, the backup process will not start. However, if the auto disk space management feature is enabled, the backup process deletes the previous backup files to free the disk space required for the backup process to begin.
“Auto disk space management” — Select to allow Analyzer to manage the disk space and backup requirements. Auto disk space management is a configurable option provided for you to automate recovering disk space by deleting previous backup files in case of a disk space shortage for the backup process. If there is sufficient disk space for the backup process to run, this feature does not have any impact.
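
The Syslog ID rule described under Log > Settings enhancements above, as an added example (not SonicWall code): a Python check that validates candidate IDs against the 0-to-32 alphanumeric/underscore rule and audits received syslog lines for missing, malformed, or unexpected id= values. The sample lines, every field name other than id=, and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Rule stated in the guide: 0 to 32 alphanumeric and underscore characters.
SYSLOG_ID_RE = re.compile(r"[A-Za-z0-9_]{0,32}")

# key=value pairs; a value is either a double-quoted string or a run of
# non-space characters. This tokenisation is an assumption of the example.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def is_valid_syslog_id(value):
    """True if value satisfies the Syslog ID rule from Log > Settings."""
    return SYSLOG_ID_RE.fullmatch(value) is not None


def parse_fields(line):
    """Split one syslog line into a dict of its key=value fields."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]  # strip the surrounding quotes
        # Keep the first occurrence so a later duplicate key cannot
        # override the ID that the sender put at the front.
        fields.setdefault(key, raw)
    return fields


def audit_syslog_ids(lines, expected_ids):
    """Count messages per Syslog ID and collect lines that need review.

    A line is flagged when it has no id= field, when the ID breaks the
    stated character/length rule, or when the ID is not in expected_ids.
    Returns (Counter of well-formed IDs, list of (line_number, reason)).
    """
    counts = Counter()
    flagged = []
    for lineno, line in enumerate(lines, start=1):
        syslog_id = parse_fields(line).get("id")
        if syslog_id is None:
            flagged.append((lineno, "missing id= field"))
        elif not is_valid_syslog_id(syslog_id):
            flagged.append((lineno, "malformed Syslog ID"))
        else:
            counts[syslog_id] += 1
            if syslog_id not in expected_ids:
                flagged.append((lineno, f"unexpected Syslog ID {syslog_id!r}"))
    return counts, flagged


# Constructed sample input (not captured from a real appliance).
SAMPLE_LINES = [
    '<134>id=firewall sn=0000AAAA0001 time="2016-01-05 10:00:01" '
    'fw=192.0.2.1 pri=6 msg="Connection Opened"',
    '<134>id=branch_fw_01 sn=0000AAAA0002 time="2016-01-05 10:00:02" '
    'fw=192.0.2.2 pri=6 msg="note id=firewall inside text"',
    '<134>id=lab-fw sn=0000AAAA0003 time="2016-01-05 10:00:03" '
    'fw=192.0.2.3 pri=5 msg="Connection Closed"',
    '<134>sn=0000AAAA0004 time="2016-01-05 10:00:04" '
    'fw=192.0.2.4 pri=6 msg="no syslog id here"',
    '<134>id=old_unit sn=0000AAAA0005 time="2016-01-05 10:00:05" '
    'fw=192.0.2.5 pri=6 msg="Connection Opened"',
]

if __name__ == "__main__":
    counts, flagged = audit_syslog_ids(SAMPLE_LINES, {"firewall", "branch_fw_01"})
    for syslog_id, n in sorted(counts.items()):
        print(f"{syslog_id}: {n} message(s)")
    for lineno, reason in flagged:
        print(f"line {lineno}: {reason}")
```
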

Key Features in Analyzer 8.0

This section describes the SonicOS enhancements included in the Analyzer 8.0 release:

Provides SonicOS 6.2.4 support — Analyzer 8.0 supports the following SonicWall network security platforms for reporting:
TZ300 and TZ300 Wireless
TZ400 and TZ400 Wireless
TZ500 and TZ500 Wireless
TZ600 and TZ600 Wireless
SOHO and SOHO Wireless*

* The TZ appliances run SonicOS 6.2.3.1 or higher, while the SOHO runs SonicOS 5.9.1.3 or higher. Appliances running firmware newer than the SonicOS 6.2.3.1 or 5.9.1.3 releases can still have reports generated by Analyzer 7.2.

Java Applet Replacement — The TreeControl application (that displays all managed appliances) and the User Management application (Console > Management > Users) have now been replaced with non-Java versions. All Java applets in the front-end have been removed, except for NetMonitor and the “Login to Unit” feature from TreeControl.
SonicOS Support — New features in SonicOS 6.2 are supported.
Portuguese Support — The Login screen now includes version information and indicates Brazilian Portuguese support.
Reporting
Report Database Rebuild Utility — The Reporting Database Rebuild Utility allows you to submit a request to rebuild any specific month's report table if it were to become corrupt.
Report Data Optimization — In previous versions, report data optimization exported sorted report data into a file and reloaded that data back to the report database. In Analyzer 8.0, instead of using a file to upload the data, a temporary table is created that exports and reimports that data, leading to better performance.
Botnet Reports — Botnet reporting is added to the Reports panel and includes four report types: Attempts, Targets, Initiators, and Timeline.
Geo-IP Reports — Geo-IP reports contain information on blocked traffic that is based on the traffic's country of origin or destination. Geo-IP Reporting is added to the Reports panel and includes four report types: Attempts, Targets, Initiators, and Timeline.
MAC Address in Reporting — This feature shows the Media Access Control (MAC) address on the report page. This adds detail to the current device-specific information in the report panel and the PDF report. New columns “Initiator MAC” and “Responder MAC” are added to the following reports:
Data Usage > Initiators
Data Usage > Responders
Data Usage > Details
User Activity > Details
Web Activity > Initiators
Enhanced Reporting Database — The Reporting Database has been upgraded to a newer version that offers better performance and higher reliability.
Distributed Universal Scheduled Report — PDF report generation uses an engine that can make better use of your CPU and RAM resources, resulting in faster delivery of scheduled reports with larger volumes and more rows of data.
Enhanced USR Template Manager — In addition to the PCI Report template, HIPAA and SOX templates are added to Universal Scheduled Reports as an aid for compliance audits.
USR-Customizing Sorting Option in PDF — Provides additional sorting options for Scheduled PDF reports
Log Analyzer — The Firewall > Reports > Analyzers > Log Analyzer page has been updated with an out-of-the-box default view.
Packet Data View for Signature Alerts
The disabling of default Syslog filters is allowed
Comments Possible for Syslog Filters
Number of Syslog messages per file configurable through UI
All Windows Modules of Analyzer 8.0 are now 64-bit — Provides better usage of system resources and better performance.
High-level User Interface Changes
Secure Remote Access (SRA) has been renamed to Secure Mobile Access (SMA).
The CDP tab is removed.
SMA (formerly SRA) tabs are no longer shown by default, but can be activated on Console > Management > Settings.

Key Features in Analyzer 7.2

The following features were key to Analyzer 7.2:

IPv6 Support — IPv6 is supported in Analyzer 7.2, allowing you to:
Install Analyzer in an IPv6 network environment. Analyzer can now access various Network Elements using IPv6 addresses, such as: Firewalls, SMTP servers, RADIUS/LDAP Authentication Servers, SNMP Managers, WebServices, and so on.
Access Analyzer web interfaces on an IPv6 network.
Generate IPv6 based reports.
Scheduled Reports Permission Management — In 7.1, scheduled reports created by an end user can only be viewed and configured by the creator and Administrator. 7.2 gives the scheduled report creator the ability to manage permissions of the scheduled reports so other users in the deployment can view and configure the report.
Intrusion Reporting Enhancements — Two new reports are added at root level to the Intrusion reports:
Reports > Intrusions > Details
Reports > Intrusions > Alerts
Syslogs Sent by Appliances that are not under Reporting or Management — Some of the units which are no longer managed by Analyzer send syslogs that create NMM files which impact performance. In 7.2, you are notified if this occurs and can make the unit stop sending syslog messages.
Application Level Data Archiving and Aging — In 7.1 data was not deleted from the application table such as logs and meta data tables, causing the number of rows to grow quickly in the tables, affecting overall performance of the application. In 7.2 the console logs and application meta data tables are aged and archived to fix this issue.
Localization — Support for the Korean language is included in 7.2.
Disable Archiving of Syslogs to File System — Added the option to disable storing of archived syslogs.
Reverse DNS Support — This feature enhances the quality of data by performing a reverse lookup on the private IP addresses (LAN Side) with a missing hostname sent by the firewall. The reverse lookup is performed by logging into the DNS server on the LAN side of the firewall. This functionality requires the Analyzer to be installed on the LAN side of the firewall, to be able to access the DNS Server.
Log Analyzer Enhancements — The Log Analyzer interface is customizable to allow expansion and easy distribution of columns for ease of navigation.

Deployment Requirements

SonicWall Analyzer does not require any additional node licenses.

NOTE: Analyzer is not supported on laptops or tablets.

Topics:

Operating System Requirements

SonicWall Analyzer supports the following Microsoft Windows operating systems:

Windows Server 2012 Standard 64-bit
Windows Server 2012 R2 Standard 64-bit (English and Japanese language versions)
Windows Server 2012 R2 Datacenter
Windows 8.1 64-bit
Windows 7 64-bit

These Windows systems can either run in physical standalone hardware platforms, or as a virtual machine under Windows Server 2012 Hyper-V or VMware ESXi.

TIP: For best performance and scalability, it is recommended to use a 64-bit Windows operating system. Bundled databases run in 64-bit mode on 64-bit Windows operating systems. All listed operating systems are supported in both virtualized and non-virtualized environments. In a Hyper-V virtualized environment, Windows Server is a guest operating system running on Hyper-V. Analyzer is then installed on the Windows Server virtual machine that is layered over Hyper-V.
NOTE: Analyzer is not supported on MS-Windows Server virtual machines running in cloud services, such as Microsoft Azure and Amazon Web Services EC2.

Hardware Requirements for Windows Server

Use the Capacity Calculator 2 to determine the hardware requirements for your deployment.

NOTE: A Windows 64-bit operating system with at least 16GB of RAM is highly recommended for better performance of reporting modules.

SonicWall Analyzer Virtual Appliance Requirements

The elements of basic VMware structure must be implemented prior to deploying the SonicWall Analyzer Virtual Appliance. SonicWall Analyzer Virtual Appliance runs on the following VMware platforms:

ESXi 6.0 and 5.5

Use the following client applications to import the image and configure the virtual settings:

VMware vSphere – Provides infrastructure and application services in a graphical user interface for ESXi, included with ESXi. Allows you to specify Thin or Thick (Flat) provisioning when deploying the Virtual Appliance.
VMware vCenter Server – Centrally manages multiple VMware ESXi environments. Provides Thick provisioning when deploying the Virtual Appliance.

Virtual Appliance Deployment Considerations

Consider the following before deploying the SonicWall Analyzer Virtual Appliance:

SonicWall Analyzer management is not supported on Apple MacOS.
All modules are 64-bit.

Use the Capacity Calculator 2 to determine the hardware requirements for your deployment.

The performance of SonicWall Analyzer Virtual Appliance depends on the underlying hardware. It is highly recommended to dedicate all the resources that are allocated to the Virtual Appliance, especially the hard-disk (datastore). In environments with high volumes of syslogs, you need to dedicate local datastores to the Analyzer Virtual Appliance.
The 64-bit Virtual Appliances take advantage of the additional RAM available to them. A minimum of 8GB RAM is required. However, at least 16GB of RAM is highly recommended for better performance of reporting modules.
When using Thick or Flat provisioning as the storage type option, the entire amount of disk space is allocated when you import and deploy the SonicWall Analyzer Virtual Appliance file. When using Thin provisioning, the initial size is very small and grows dynamically as more disk space is needed by the SonicWall Analyzer Virtual Appliance application, until the maximum size is reached. After being allocated, the size does not shrink if the application space requirements are subsequently reduced.

Additional disk space provided to the SonicWall Analyzer Virtual Appliance in the virtual environment, beyond the respective limits of 250 GB or 950 GB, is not utilized.

MySQL Requirements

Previously, SonicWall Analyzer automatically installed MySQL as part of the base installation package. The SonicWall Analyzer 8.1 upgrade replaces the Infobright with MySQL database formerly used in earlier versions with Infobright with Postgres (IB-PG). The installer will ask if you want to perform the data migration to the new database. Separately installed instances of MySQL are not supported with the SonicWall Analyzer Virtual Appliance.

Browser Requirements

SonicWall Analyzer uses advanced browser technologies such as HTML5, which are supported in most recent browsers. SonicWall recommends using the latest Chrome, Firefox, Internet Explorer, or Safari browsers for administration of the SonicWall Analyzer.

This release supports the following Web browsers:

Chrome 42.0 and higher (recommended browser for dashboard real-time graphics display)
Firefox 37.0 and higher
Internet Explorer 10.0 and higher (do not use compatibility mode)
NOTE: Internet Explorer version 10.0 in Metro interfaces of Windows 8 is not currently supported.
NOTE: Turn off Compatibility Mode when accessing Analyzer sites with Internet Explorer. For more information, see the Knowledge Base article located at: https://support.sonicwall.com/sonicwall-gms/kb/sw14003

Network Requirements

To complete the Analyzer deployment process documented in this guide, the following network requirements must be met:

The SonicWall Analyzer server must have access to the Internet
The SonicWall Analyzer server must have a static IP address
The SonicWall Analyzer server’s network connection must be able to accommodate at least 1 KB/s for each device under management. For example, if Global Management System is monitoring 100 SonicWall appliances, the connection must support at least 100 KB/s.
NOTE: Depending on the configuration of SonicWall log settings and the amount of traffic handled by each device, the network traffic can vary dramatically. The 1 KB/s for each device is a general recommendation. Your installation requirements could vary.

SonicWall Appliance and Firmware Support

SonicWall Analyzer supports the following SonicWall appliances and firmware versions:

Component requirements

| SonicWall Platforms | SonicWall Firmware Version |
|---|---|
| Network Security Appliance | |
| SuperMassive 10000 Series | SonicOS 6.0 or newer. NOTE: Only partial reporting support is currently available. Contact your SonicWall Sales representative through https://support.software.dell.com/ for more information. |
| SuperMassive 9000 Series | SonicOS 6.1 or newer |
| NSA Series | SonicOS 5.0 or newer |
| TZ and TZ Wireless Series | SonicOS 5.0 or newer |
| SonicWall SOHO and SOHO Wireless | SonicOS 6.2.5 or newer |
| Secure Mobile Access | |
| SMA 100 Series (SMA 200/400) | SMA 8.1 or newer |
| SRA/SSL-VPN Series | SSL-VPN 2.0 or newer (management); SSL-VPN 2.1 or newer (management and reporting) |
| E-Class SRA Series | E-Class SRA 9.0 or newer |
| SMA 1000 Series (SMA 6200/7200) | SMA 10.7.2 or newer |
| Email Security/Anti-Spam | |
| Email Security Series | Email Security 7.2 or newer (management only) |

NOTE: Appliances running firmware newer than this SonicWall Analyzer release can still generate reports. However, the new features in the firmware release will be supported in an upcoming release of Analyzer.
NOTE: Legacy SonicWall XPRS/XPRS2, SonicWall SOHO2, SonicWall Tele2, and SonicWall Pro/Pro-VX models are not supported for SonicWall Analyzer reporting. Appliances running SonicWall legacy firmware including SonicOS Standard 1.x and SonicWall legacy firmware 6.x.x.x are not supported for SonicWall Analyzer reporting.
NOTE: SonicWall Analyzer can be connected to SSL-VPN 2000 and 4000 appliances. Use the Log > View Log page to set up the Analyzer connection (in addition to the configuration changes made on the Analyzer). In SonicWall SRA SSL-VPN 5.5 or later firmware versions, a Log > Analyzer page is provided for configuration of Analyzer settings.

SonicWall Analyzer Installation

Analyzer 8.3 can be installed as a fresh install or as an upgrade from Analyzer 8.2. If you wish to perform a fresh install of Analyzer 8.3, refer to the SonicWall Analyzer Getting Started Guide that relates to your Analyzer deployment.

Previously, Analyzer automatically installed MySQL as part of the base installation package. The Analyzer 8.3 upgrade replaces the Infobright with MySQL database formerly used in earlier versions with Infobright with Postgres (IB-PG). The installer will ask if you want to perform the data migration to the new database. Separately installed instances of MySQL are not supported with Analyzer.

All software components related to SonicWall Analyzer and SonicWall Global Management System (GMS), including the executable binary files for all services, and other necessary files, are installed using the Universal Management Suite (UMS) single-binary installer. All SonicWall Analyzer and SonicWall GMS files are installed as part of the Universal Management Suite, but no distinction is made between SonicWall Analyzer and SonicWall GMS during the installation. The initial installation phase takes just a few minutes for any type of installation, such as a SonicWall Analyzer server, a SonicWall GMS server, a database server, or any other role.

To install the Universal Management Suite from the single binary installer, refer to the SonicWall Analyzer Getting Started Guide.

License and Registration Requirements

SonicWall Analyzer is registered and licensed from the Windows server on which it is installed. SonicWall Analyzer registration is performed using the SonicWall Universal Management Host system interface.

Refer to the SonicWall Analyzer Getting Started Guide for detailed instructions on registering and licensing Analyzer on your system.

On SonicWall appliances that send reporting data to the Analyzer, SonicWall Analyzer is licensed and activated separately from the SonicWall appliances. MySonicWall provides a way to associate SonicWall appliances with the Analyzer instance installed on the Windows system. Licensing your SonicWall Analyzer application on a SonicWall appliance requires:

A MySonicWall account. A MySonicWall account allows you to manage your SonicWall products and purchase licenses for various services. Creating a MySonicWall account is fast, simple, and free. Simply complete an online registration form directly from your SonicWall security appliance management interface. Your MySonicWall account is also accessible at <https://www.mysonicwall.com> from any Internet connection with a Web browser. After you have an account, you can purchase SonicWall Analyzer and other licenses for your registered SonicWall security appliances.
A registered SonicWall security appliance with active Internet connection. You need to register your SonicWall security appliance to activate SonicWall Analyzer. Registering your SonicWall security appliance is a simple procedure done directly from the management interface. After your SonicWall security appliance is registered, you can activate SonicWall Analyzer by using an activation key or by synchronizing with mysonicwall.com.

Accessing the Correct Management Interface

SonicWall Analyzer includes two separate management interfaces:

SonicWall Universal Management Host (UMH) System Management Interface – Used for system management of the host server, including registration and licensing, setting the admin password, creating backups, restarting the system, configuring network settings, selecting the deployment role, and configuring other system settings.

Access the system management interface with the URL:

http://<IP_address>:<port_number>/appliance/

If you are using the standard HTTP port, 80, it is not necessary to append the port number to the IP address. If you are accessing the interface from the same system on which it is installed, use the following URL:

http://localhost/appliance/

SonicWall Analyzer Management Interface – Used to access the SonicWall Analyzer application that runs on the system. This interface is used to configure and view SonicWall Analyzer reporting on SonicWall appliances and for configuring Analyzer administrative settings. Access the SonicWall Analyzer management interface with one of the following URLs:

http://<IP_address>:<port_number>/sgms/

http://localhost/sgms/

Switching Between Management Interfaces

You can easily switch between the SonicWall UMH system management interface and the SonicWall Analyzer application management interface.

One method is to change the URL by adding /sgms for the Analyzer application interface or adding /appliance for the UMH interface.

A second method involves clicking the Switch icon. While logged into either interface, you can switch to the login page of the other interface by clicking Switch in the top right corner of the page.

Log In to Analyzer

After registering your SonicWall Analyzer product, to log in to the SonicWall Analyzer management interface, either double-click the SonicWall Analyzer icon on your desktop, or from a remote system, access the following URL from a web browser:

http://<IP_address>:<port_number>

The Analyzer login page appears by default in English. To change the language setting, click your language of choice at the bottom of the login page. The available language choices for SonicWall Analyzer include English, Japanese, Simplified Chinese, Traditional Chinese, Korean, and Portuguese.

To log in to Analyzer:
1. Enter the SonicWall user ID (default: admin) and password (default: password). Select Local Domain as the domain (default).
2. Click Submit. The SonicWall Analyzer management interface displays.
NOTE: For more information on installation, login procedures, and registration of your SonicWall Analyzer installation, refer to the appropriate Getting Started Guide, available at: https://support.sonicwall.com/sonicwall-analyzer/analyzer/technical-documents

Navigating the Analyzer User Interface

This section describes the Firewall, SMA, and Console panels in the SonicWall Analyzer user interface. For information about the Dashboard panel, see Using the Universal Scheduled Reports Application.

Firewall Panel

The Firewall Panel is an essential component of network security that is used to view and schedule reports about critical network events and activity, such as security threats, inappropriate Web use, and bandwidth levels. To open the Firewall Panel, click the Firewall tab at the top of the Analyzer user interface.

From the Firewall Panel, you can view the following for connected SonicWall appliances:

View general unit status, license status, and syslog settings.
View the SonicWall security dashboard. Dashboard reports display an overview of bandwidth, uptime, intrusions and attacks, and alerts for connected SonicWall firewall appliances. The Security Dashboard report provides data about worldwide security threats that can affect your network. The Dashboard also displays data about threats blocked by the SonicWall security appliance.
View custom reports of Internet activity or Website filtering at the unit level. Custom reports filter raw syslog data and you can specify start and end dates or a date range such as “Week to date.” You can filter by user, domain, protocol, traffic, and full URL categories, depending on the type of custom report. The search template can be saved for use again later with the same appliance.
View general bandwidth usage. These reports include a daily bandwidth summary report, a top users of bandwidth report, and over-time summary and top users reports.
View a services report. This report includes information about events and usage of protocols and megabytes.
View Web bandwidth usage. These reports include a daily bandwidth summary report, a top visited sites report, a top users of Web bandwidth report, a report that contains the top sites of each user, and a weekly summary report.
View the number of attempts that users made to access blocked websites. These reports include a daily summary report, a top blocked sites report, a top users report, a report that contains the top blocked sites of each user, and a weekly summary report.
View file transfer protocol (FTP) bandwidth usage. These reports include a daily FTP bandwidth summary report, a top users of FTP bandwidth report, and a weekly summary report.
View mail bandwidth usage. These reports include a daily mail summary report, a top users of mail report, and a weekly summary report.
View VPN usage. These reports include a daily VPN summary report, a top users of VPN bandwidth report, and a weekly summary report.
View reports on attempted attacks and errors. The attack reports include a daily attack summary report, an attack by category report, a top sources of attacks report, and a weekly attack summary report. The error reports include a daily error summary report and a weekly error summary report.
View reports on attempted virus attacks. Virus attacks reports are available for appliances that are licensed for SonicWall Gateway Anti-Virus. These reports include the most frequent virus attack attempts, virus attacks by top destinations, virus attacks over time, virus attacks over a period of time, and virus attacks by top destinations over time.
View reports on attempted spyware attacks. Anti-spyware reports are available for appliances that are licensed for SonicWall Anti-Spyware. These reports include spyware attacks by category, spyware attacks over time, and spyware attacks by category over time.
View reports on attempted intrusion attacks. Intrusion prevention reports are available for appliances that are licensed for SonicWall Intrusion Prevention Service. These reports include intrusion attacks by source IP address, intrusion attacks by category, intrusion attacks over time, and intrusion attacks by category over time.
View reports on traffic triggering Application Firewall policies. Application Firewall reports are available for SonicWall firewall appliances that are licensed for SonicWall Application Firewall. These reports include summary, over time, top applications, top users, and top policies.
View successful and unsuccessful user and administrator authentication attempts. These reports include a user authentication report, an administrator authentication report, and a failed authentication report.
View detailed logging information. The detailed logging information contains each transaction that occurred on the SonicWall appliance.
View current alerts and access alert settings.

SMA Panel

The SMA panel provides access to SSL VPN appliances and is similar to the Firewall panel. It is used to view and schedule reports about critical network events and activity, such as security threats, inappropriate Web use, and bandwidth levels. To open the SMA Panel, click the SMA tab at the top of the Analyzer user interface.

From the SMA Panel, you can view the following for connected SonicWall SSL VPN appliances:

View general unit status, license status, and syslog settings.
View general bandwidth usage. These reports include a daily bandwidth summary report, a top users of bandwidth report, and over-time summary and top users reports.
View custom reports of resource activity at the unit level. Custom reports filter raw syslog data, and you can specify start and end dates or a date range such as “Week to date.” You can filter by user, protocol, destination IP, and source IP categories. The search template can be saved for use again later with the same appliance.
View a resources report. This report includes information about connections and the resource used to connect, such as HTTPS or NetExtender.
View successful and unsuccessful user authentication attempts. These reports include a user authentication report and a failed authentication report.
View detailed logging information. The detailed logging information contains each transaction that occurred on the SonicWall appliance.

Console Panel

The Console Panel is used to configure SonicWall Analyzer settings, view pending tasks, view the log, manage licenses, and configure alerts. To open the Console Panel, click the Console tab at the top of the SonicWall Analyzer user interface.

From the Console Panel, you can do the following:

Change the Analyzer password, adjust the amount of inactive time before you are automatically logged out of Analyzer, and set the maximum number of rows displayed on paginated screens.
Configure Web sites and Web users that are excluded from Web usage reports.
View the Analyzer log and delete old log messages. The Analyzer log contains information on alert notifications, failed Analyzer login attempts, and other events that apply to SonicWall Analyzer.
Manage SMTP settings, system email addresses, archive report settings, debug level for logs, and password security settings. You can set the schedule and server settings, and the email alert recipient schedule and preferred format.
Manage login sessions. You can view the status of user sessions and, if necessary, end them.
Configure report settings for sort options and maximum units with Log Viewer enabled. Enabling Log Viewer allows custom reports for the system, but is resource intensive.
Control summarizer settings, syslog and summarized data deletion schedules, and host name resolution settings.
Configure email archive settings and search settings for scheduled reports, and manage data archiving.
View summarizer diagnostics, useful for capacity planning.
Configure granular event management report settings, including threshold, schedule, and alert settings.
Configure Web services deployment settings and view Web services status.
View the version number, serial number, and database information for SonicWall Analyzer, and access links to all available tips and video tutorials.

Analyzer Views and Status

SonicWall Analyzer allows you to view status and reports for all appliances at once using GlobalView, or for a single unit at a time with the Unit view. Analyzer provides status information on the General > Status page of the Firewall or SMA panel.

GlobalView is a grouping of all the appliances you are monitoring with Analyzer. From the GlobalView of the Firewall or SMA panel, Summary and Over Time reports are available for all SonicWall appliances monitored by SonicWall Analyzer.

To open the My Reports view, click the GlobalView icon at the top of the left pane. To display the global status page, navigate to General > Status.

From the Unit view, reports contain detailed data for the selected SonicWall appliance. To specify the unit view, click any unit in the left pane. To display the unit status page, navigate to General > Status on the Firewall or SMA panel.

Understanding Analyzer Icons

This section describes the meaning of icons that appear next to managed appliances listed in the left pane of the Analyzer management interface.

Icon meaning 

Appliance Status

Description

One blue box indicates that the appliance is operating normally. The appliance is accessible from SonicWall Analyzer, and no tasks are pending or scheduled.

Three blue boxes indicate that all appliances in the global group of this type (Firewall/SMA) are operating normally.

Using the Analyzer TreeControl Menu

This section describes the content of the TreeControl menu within the SonicWall Analyzer user interface.

You can control the display of the TreeControl pane by selecting one of the appliance tabs at the top of the main window. For example, when you click the Firewall tab, the TreeControl pane displays all the connected SonicWall firewall appliance units. The two appliance tabs can display the following appliance types when Analyzer is monitoring these device types:

SonicWall firewall appliances
SMA and EX-Series SMA appliances

You can hide the entire TreeControl pane by clicking the sideways arrow icon, and redisplay the pane by clicking it again. This is helpful when viewing some reports or other extra-wide screens.

To open a TreeControl appliance menu, right-click GlobalView or a Unit icon.

The following options are available in the right-click menu:

Find – Opens a Find dialog box that allows you to search for units.
Refresh – Refreshes the Analyzer UI display.
Add Unit – Add a new unit to the Analyzer view. Requires unit IP and login information.
Rename Unit – (unit view only) Renames the selected SonicWall appliance.
Delete – Deletes the selected unit.
Modify Unit – (unit view only) Change basic settings for the selected unit, including unit name, IP and login information, and serial number.
Login to Unit – (unit view only) Log in to the selected unit using HTTPS protocols.

Provisioning and Adding SonicWall Appliances

This chapter describes how to provision and add SonicWall appliances to SonicWall Analyzer. All SonicWall appliances must be provisioned before adding them to SonicWall Analyzer.

This chapter contains the following sections:

Provisioning SonicWall Appliances

This section describes how to configure SonicWall appliances to support SonicWall Analyzer.

NOTE: Before adding a unit to Analyzer, the provisioned SonicWall appliance must be registered with License Manager. During registration, make sure the provisioned SonicWall appliance has a valid Analyzer license: one Analyzer license for each SonicWall appliance.

Provisioning a SonicWall Firewall Appliance

To provision a SonicWall firewall appliance for SonicWall Analyzer, complete the following steps:
1. Log in to the firewall appliance. Navigate to the Log > Syslog page.
2. In Syslog Servers, click Add.
3. Enter the Analyzer IP address to start sending syslogs. The Analyzer service should be activated. Set the log to UTC format and set the log category.
4. Navigate to the System > Time page, and enable Display UTC in logs (instead of local time).

Provisioning a SonicWall SMA SMB Appliance

To provision a SonicWall SMA SMB appliance for SonicWall Analyzer, complete the following steps:
1. Log in to the SMA SMB appliance. Navigate to the Log > Analyzer page.
2. In Analyzer Settings, click Enable Analyzer.
3. Click Add to add the Analyzer IP address. This starts sending syslogs.
4. Navigate to the System > Time page, and enable Display UTC in logs (instead of local time).

Provisioning a SonicWall E-Class SRA Series Appliance

Currently there is no Analyzer settings implementation in SonicWall E-Class SRA series appliances. To add Analyzer reporting support, use the Additional ViewPoint settings in the General > Configure Centralized Management screen, and enter the Analyzer IP address and port number to start sending syslog.

Adding SonicWall Appliances to Analyzer

SonicWall Analyzer checks with the SonicWall licensing server when you add an appliance, so it is important that SonicWall Analyzer has Internet access to the server.

SonicWall Analyzer communicates with SonicWall appliances using the HTTPS protocol.

NOTE: A SonicWall appliance might already be registered to a different MySonicWall account. In this case, the “Register to MySonicWall.com” task cannot be executed and remains in the scheduled tasks queue. To take full advantage of Analyzer managed appliances, it is important that either the managed appliance is not registered when it is added into Analyzer, or it is registered to the same MySonicWall.com account as the Analyzer system that is managing the appliance.

For information on adding, modifying, and deleting units, refer to the following sections:

Adding SonicWall Appliances

To add a SonicWall appliance using the SonicWall Analyzer management interface, complete the following steps:
1. Click the appliance tab that corresponds to the type of appliance that you want to add:
Firewall
SMA
2. Expand the SonicWall Analyzer tree and select the group to which you want to add the SonicWall appliance. Then, right-click the group and select Add Unit from the pop-up menu. To not specify a group, right-click an open area in the left pane (TreeControl pane) of the SonicWall Analyzer management interface and select Add Unit or click the Add Unit icon in the tool bar.

The Add Unit dialog box appears:

3. Enter a descriptive name for the SonicWall appliance in the Unit Name field. Do not enter the single quote character (‘) in the Unit Name field.
4. Enter the serial number of the SonicWall appliance in the Serial Number field.
5. Enter the IP address of the SonicWall appliance in the IP Address field.
6. Enter the administrator login name for the SonicWall appliance in the Login Name field.
7. Enter the password used to access the SonicWall appliance in the Password field.
For Access Mode, select from the following:
1. The SonicWall appliances are connected with HTTPS by default.
2. Enter the port used to connect to the SonicWall appliance in the Management Port field (the default port for HTTPS is 443).
3. Click OK. The new SonicWall appliance appears in the Analyzer management interface. It has a yellow icon that indicates it has not yet been successfully acquired.
4. Analyzer then attempts to set up an HTTPS connection to access the appliance. Analyzer then reads the appliance configuration and acquires the SonicWall appliance for reporting. This takes a few minutes.
NOTE: After the SonicWall appliance is successfully acquired, its icon turns blue, its configuration settings are displayed at the unit level, and its settings are saved to the database.

Modifying SonicWall Appliance Settings

If you make a mistake or need to change the settings of an added SonicWall appliance, you can manually modify its settings or how it is managed.

To modify a SonicWall appliance, complete the following steps:
1. Right-click the appliance name in the left pane of the Analyzer UI and select Modify Unit from the pop-up menu. The Modify Unit dialog box appears.
2. The Modify Unit dialog box contains the same options as the Add Unit dialog box. For descriptions of the fields, see Adding SonicWall Appliances to Analyzer.
3. When you have finished modifying options, click OK. The SonicWall appliance settings are modified.

Deleting SonicWall Appliances from Analyzer

To delete a SonicWall appliance from SonicWall Analyzer, complete the following steps:
1. Right-click on a SonicWall appliance in the left pane and select Delete from the pop-up menu.
2. In the message that displays, click Yes. The SonicWall appliance is deleted from SonicWall Analyzer.
NOTE: After deleting the SonicWall appliance from Analyzer, unprovision the unit as a best practice. To unprovision the unit, log in to the SonicWall appliance and disable Analyzer management to avoid sending unnecessary syslogs to the Analyzer host.
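
As an added example (not part of this guide or of the SonicWall product), the Python below audits syslog lines captured on the Analyzer host against the provisioning and unprovisioning steps above: it reports added units still logging in local time, serial numbers that send syslog but are not added in Analyzer, and added units that send nothing. The `sn=` and `time="... UTC"` key=value layout is an assumption about the appliance syslog format, and the serial numbers, addresses, and sample lines are constructed.

```python
import re
from collections import Counter

# Units currently added in Analyzer, keyed by serial number (constructed values).
REGISTERED_UNITS = {
    "0017C5AAAAAA": "branch-fw-1",
    "0017C5BBBBBB": "hq-fw-1",
    "0017C5DDDDDD": "lab-sma-1",
}

# Constructed sample lines; the key=value layout is an assumption.
SAMPLE_LINES = [
    '<134>id=firewall sn=0017C5AAAAAA time="2017-03-01 10:15:02 UTC" fw=192.0.2.10 pri=6 msg="Connection Opened"',
    '<134>id=firewall sn=0017C5BBBBBB time="2017-03-01 05:15:04" fw=192.0.2.20 pri=6 msg="Connection Opened"',
    '<134>id=firewall sn=0017C5CCCCCC time="2017-03-01 10:15:09 UTC" fw=192.0.2.30 pri=6 msg="Connection Closed"',
    'truncated datagram with no fields',
]

# key=value pairs where the value is either a quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fields(line):
    """Return the key=value fields of one syslog line as a dict."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}

def audit(lines, registered):
    """Compare received syslog against the set of units added in Analyzer."""
    not_utc, unregistered, seen, unparsed = Counter(), Counter(), set(), 0
    for line in lines:
        fields = parse_fields(line)
        serial, stamp = fields.get("sn"), fields.get("time")
        if not serial or not stamp:
            unparsed += 1          # not a record this check understands
            continue
        serial = serial.upper()
        if serial not in registered:
            unregistered[serial] += 1   # deleted but never unprovisioned, or never added
            continue
        seen.add(serial)
        if not stamp.endswith(" UTC"):
            not_utc[serial] += 1        # "Display UTC in logs" likely not enabled
    return {
        "not_utc": dict(not_utc),
        "unregistered": dict(unregistered),
        "silent": sorted(set(registered) - seen),  # added, but no syslog received
        "unparsed": unparsed,
    }

if __name__ == "__main__":
    for finding, detail in audit(SAMPLE_LINES, REGISTERED_UNITS).items():
        print(finding, detail)
```
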