SonicOS 5.9 Admin Guide

AppFlow

Managing Flow Reporting Statistics

* 
NOTE: AppFlow reporting is supported only on E-Class NSA series, NSA series, TZ 215 series, and TZ 210 series appliances.

AppFlow Overview

You can manage the SonicWall security appliance’s flow reporting statistics and configurable settings for sending AppFlow and real-time data to local collector or external AppFlow servers. SonicWall AppFlow provides support for external AppFlow reporting formats, such as NetFlow version 5, NetFlow version 9, IPFIX, and IPFIX with extensions.

AppFlow > Flow Reporting

The AppFlow > Flow Reporting page includes statistics and settings for configuring the SonicWall appliance to view statistics based on Flow Reporting and Internal Reporting. From this page, you can also configure settings for internal reporting, AppFlow server reporting, and external collector reporting.

You can access the Dashboard > AppFlow Monitor page by clicking on the Show AppFlow Monitor icon in the upper right corner of the AppFlow > Flow Reporting page.

You can clear all the AppFlow settings to default values by clicking on the Default button at the top of the AppFlow > Flow Reporting page.

The AppFlow > Flow Reporting page has these tabs:

Statistics – Displays reporting statistics in four tables
Settings – Allows the enabling of various real-time data collection and AppFlow report collection
External Collector – Allows the configuring of AppFlow reporting to an IPFIX collector
Statistics Tab

This tab displays counts of the flows that are sent to the server, not collected, dropped, stored in and removed from memory, and reported or not reported to the server. It also includes the number of NetFlow and IP Flow Information Export (IPFIX) templates sent and the number of general static flows reported.

External Flow Reporting Statistics

Each statistic in this table displays the total number of:

Connection Flows Enqueued: connection-related flows collected so far.
Connection Flows Dequeued: connection-related flows that have been reported either to an internal AppFlow collector or to external collectors.
Connection Flows Dropped: collected connection-related flows that failed to be reported.
Connection Flows Skipped Reporting: connection-related flows that skipped reporting. This can happen in periodic mode when more flows are collected than the configured reporting value allows.
Non-Connection data Enqueued: all non-connection-related flows collected so far.
Non-Connection data Dequeued: all non-connection-related flows that have been reported either to external collectors or to an internal AppFlow collector.
Non-connection data Dropped: all non-connection-related data dropped because of too many requests.
Non-connection related static data Reported: non-connection-related static data that has been reported. This includes the lists of applications, viruses, spyware, and intrusions, and the table map, column map, and location map.

Internal AppFlow Reporting Statistics

Each statistic in this table displays the total number of:

Data Flows Enqueued: connection-related flows that have been queued to the AppFlow collector.
Data Flows Dequeued: all connection-related flows that have been successfully inserted into the database.
Data Flows Dropped: connection-related flows that failed to be inserted into the database because of a high connection rate.
Data Flows Skipped Reporting: connection-related flows that skipped reporting.
General Flows Enqueued: all non-connection-related flows in the database queue.
General Flows Dequeued: all non-connection-related flows successfully inserted into the database.
General Flows Dropped: all non-connection-related flows that failed to be inserted into the database because of a high rate (too many requests).
General Static Flows Dequeued: all non-connection-related static flows successfully inserted into the database.
AppFlow Collector Errors: AppFlow database errors.
Total Flows in DB: connection-related flows in the database.

Total IPFIX Statistics

The IPFIX statistics are displayed in two tables at the bottom of the Statistics tab.

NetFlow/IPFIX Packets Sent Statistics

Each statistic in this table displays the total number of:

Total NetFlow/IPFIX Packets Sent: IPFIX/NetFlow packets sent so far to all collectors (external collector, AppFlow server, GMSFlow server).
NetFlow/IPFIX Packets Sent to External Collection: IPFIX/NetFlow packets sent to the external collector so far.
NetFlow/IPFIX Templates Sent: IPFIX/NetFlow templates sent to all collectors (external collector, AppFlow server, GMSFlow server).
Collection Flows Sent to External Collection: connection/static/general flows that have been reported to the AppFlow collector, external collector, or GMSFlow server.
Non-Connection related Dynamic Flows Sent to External Collector: IPFIX/NetFlow packets sent so far to all collectors (external collector, AppFlow server).
Non-Connection related Static Flows Sent to External Collector: connection/static/general flows that have been reported to the AppFlow collector or external collector.

Settings Tab

The Settings tab has configurable options for local internal flow reporting, AppFlow Server external flow reporting, and the IPFIX collector.

The Settings tab has three sections: Settings, Local Server Settings, and Other Report Settings.

Settings

The Settings section of the Settings tab allows you to enable real-time data collection and AppFlow report collection.

Report Collections—Enables AppFlow reporting collection according to one of these modes:
All — Selecting this check box reports all flows. This is the default setting.
Interface-based — Selecting this check box enables flow reporting based only on the initiator or responder interface. This provides a way to control what flows are reported externally or internally. If enabled, the flows are verified against the per interface flow reporting configuration, located in the Network > Interface page.

If an interface has its flow reporting disabled, then flows associated with that interface are skipped.

Firewall/App Rules-based — Selecting this check box enables flow reporting based on already existing firewall Access and App rules configuration, located on the Firewall > Access Rules page and the Firewall > App Rules page, respectively. This is similar to interface-based reporting; the only difference is instead of checking per interface settings, the per-firewall rule is selected.

Every firewall Access and App rule has a check box to enable flow reporting. When this option is enabled, a flow that matches a rule is reported only if that rule has flow reporting enabled.

* 
NOTE: If this option is enabled, but no rules have the flow-reporting option enabled, no data is reported. This option is an additional way to control which flows need to be reported.
Enable Real-Time Data Collection—Enables real-time data collection on your SonicWall appliance for real-time statistics. You can enable or disable individual items in the Collect Real-Time Data For drop-down menu. This setting is enabled by default.

When this setting is disabled, the Real-Time Monitor does not collect or display streaming data as the real-time graphs displayed in the Dashboard > Real-Time Monitor page are disabled.

Collect Real-Time Data For—Select the streaming graphs to display on the Real-Time Monitor page. By default, all items are selected.
Top apps—Displays the Applications graph.
Bits per sec.—Displays the Bandwidth graphs.
Packets per sec.—Displays the Packet Rate graphs.
Average packet size—Displays the Packet Size graphs.
Connections per sec.—Displays the Connection Rate and Connection Count graphs.
Core util.—Displays the Multi-Core Monitor graph.
Memory util.—Displays the Memory Usage graph.
Enable Aggregate AppFlow Report Data Collection—Enables collection of individual AppFlow Reports on your SonicWall appliance for display in Dashboard > AppFlow Reports. You can enable or disable individual items in the Collect Report Data For drop-down menu. This setting is enabled by default.

When this setting is disabled, AppFlow Reports neither collects nor displays data.

* 
TIP: You can quickly display the Dashboard > AppFlow Reports page by clicking the Display icon by the Enable Aggregate AppFlow Report Data Collection check box.
Collect Report Data For—Select from this drop-down menu the data to display on the Dashboard > AppFlow Reports page. By default, all reports are selected.
Apps Report
User Report
IP Report
Threat Report
Geo-IP Report
URL Report

Local Server Settings

The Local Server Settings section allows you to enable AppFlow reporting to an internal collector.

Enable AppFlow To Local Collector—Enables AppFlow reporting collection to an internal server on your SonicWall appliance. If this option is disabled, the tabbed displays on Dashboard > AppFlow Monitor are disabled. By default, this option is disabled.
* 
NOTE: When enabling/disabling this option, you may need to reboot the device to enable/disable this feature completely.

Other Report Settings

The options in the Other Report Settings section configure conditions under which a connection is reported. This section does not apply to all non-connection-related flows.

Report DROPPED Connection—If enabled, connections that are dropped due to firewall rules are not reported. This option is enabled by default.
Skip Reporting STACK Connections—If enabled, the firewall does not report connections initiated or responded to by the firewall’s own TCP/IP stack. By default, this option is enabled.
Include Following URL Types—From the drop-down menu, select the type of URLs that need to be reported. To skip a particular type of URL reporting, uncheck (disable) them.
* 
NOTE: This setting applies to both AppFlow reporting (internal) and external reporting when using IPFIX with extensions.
Gifs (selected by default)
Jpegs (selected by default)
Pngs (selected by default)
Js
Xmls
Jsons
Css
Htmls (selected by default)
Aspx (selected by default)
Cms
Enable Geo-IP Resolution—Enables Geo-IP resolution. If disabled, the AppFlow Monitor will not group flows based on country under initiator and responder tabs. This setting is unchecked (disabled) by default.
* 
NOTE: If Geo-IP blocking or Botnet blocking is enabled, this option is ignored.
Disable Reporting IPv6 Flows (ALL)—Disables reporting of IPv6 flows. This setting is enabled by default.
AppFlow Report Upload Timeout (sec)—Specify the timeout, in seconds, when connecting to the AppFlow upload server. The minimum timeout is 5 seconds, the maximum is 300 seconds, and the default value is 120 seconds.

External Collector Tab

The External Collector tab provides configuration settings for AppFlow reporting to an external IPFIX collector.

Send Flows and Real-Time Data To External Collector—Enables the specified flows (AppFlows) data and real-time data to be reported to an external flow collector. If you enable this setting, you must select a reporting format from the External Flow Reporting Format drop-down menu.
* 
NOTE: When enabling/disabling this option, you may need to reboot the device to enable/disable this feature completely.
External AppFlow Reporting Format—If the Send Flows and Real-time Data to External Collector option is selected, you must specify the flow reporting type:
NetFlow version-5 (default)
NetFlow version-9
IPFIX
IPFIX with extensions

If the reporting type is set to:

NetFlow version 5, NetFlow version 9, or IPFIX, then any third-party collector can be used to display the flows reported by the device, because these formats use the standard data types defined by the IETF. The NetFlow and IPFIX reporting types contain only connection-related flow details, per the standards.
IPFIX with extensions, then only collectors that are SonicWall flow aware can be used. IPFIX with extensions reports SonicWall dynamic tables for:

connections
users
applications
locations
URLs
logs
devices
VPN tunnels
SPAMs
wireless
threats (viruses/spyware/intrusion)
real-time health (memory/CPU/interface statistics)

Flows reported in this mode can be viewed either by another SonicWall firewall configured as a collector (especially in a High Availability pair, with the idle firewall acting as the collector) or by a SonicWall Linux collector. Some third-party collectors can also use this mode to display applications if they have standard IPFIX support. Not all reports are visible when using a third-party collector, though.

* 
NOTE: When using IPFIX with extensions, select a third-party collector that is SonicWall flow aware, such as SonicWall Scrutinizer.
External Collector’s IP Address—Specify the external collector IP address to which the device will send flows via Netflow/IPFIX. This IP address must be reachable from the SonicWall firewall for the collector to generate flow reports. If the collector is reachable via a VPN tunnel, then the source IP must be specified.
Source IP to Use for Collector on a VPN Tunnel—If the collector IP address specified in the External Collector’s IP Address setting is reachable via a VPN tunnel, then the source IP must be specified in this setting to match the correct VPN policy.
* 
NOTE: Select the Source IP from the local network specified in the VPN policy. If specified, Netflow/IPFIX flow packets always take the VPN path.
External Collector’s UDP Port Number—Specify the UDP port number on which the collector is listening for Netflow/IPFIX packets. The default port is 2055.
Send IPFIX/Netflow Templates at Regular Intervals—Enables the appliance to send Template flows at regular intervals. This option is selected by default.
* 
NOTE: This option is available with Netflow version-9, IPFIX, and IPFIX with extensions only.

NetFlow version 9 and IPFIX use templates that must be known to an external collector before data is sent. Per the IETF, a reporting device must be capable of sending templates at a regular interval to keep the collector in sync with the device. If the collector does not need templates at regular intervals, you can disable this option here.

Send Static AppFlow At Regular Interval—Selecting this check box enables the sending of the static AppFlows specified in the Send Static AppFlow For Following Tables drop-down menu. This setting generates IPFIX records for all static tables every hour.
* 
NOTE: This option is available with IPFIX with extensions only. It is selected by default.

This option must be selected if SonicWall Scrutinizer is used as a collector.

Send Static AppFlow For Following Tables—Select the static mapping tables to be generated to a flow from the drop-down menu:
Applications (selected by default)
Viruses (selected by default)
Spyware (selected by default)
Intrusions (selected by default)
Location Map
Services (selected by default)
Rating Map (selected by default)
Table Map
Column Map

For more information on static tables, refer to NetFlow Tables.

When running in IPFIX with extensions mode, SonicWall reports multiple types of data to an external device to correlate User, VPN, Application, Virus, and Spyware information. In this mode, data is both static and dynamic. Static tables are needed only once as they rarely change. Depending on the capability of the external collector, not all static tables are needed. You can select the tables needed in this drop-down menu.

Send Dynamic AppFlow For Following Tables—Select the dynamic mapping tables to be generated to a flow from the drop-down menu:
Connections (selected by default)
Users (selected by default)
URLs (selected by default)
URL ratings (selected by default)
VPNs (selected by default)
Devices
SPAMs
Locations
VoIPs (selected by default)

For more information on dynamic tables, refer to the NetFlow Tables.

* 
NOTE: This option is available with IPFIX with extensions only.

In IPFIX with extensions mode, the firewall generates reports for the selected tables. Because the firewall does not cache this information, flows from tables that are not sent may cause failures when the collector correlates flows with other related data.

Include Following Additional Reports via IPFIX—Select additional IPFIX reports to be generated to a flow from the drop-down menu:
Top 10 Apps – Generates the top 10 applications.
Interface Stats – Generates per-interface statistics such as interface name, interface bandwidth utilization, MAC address, link status.
Core utilization – Generates per-core utilization.
Memory utilization – Generates statuses of available memory, used memory, and memory used by the AppFlow collector.

By default, none are selected. Statistics are reported every 5 seconds.

* 
NOTE: This option is available with IPFIX with extensions only.

When running in IPFIX with extensions mode, SonicWall can report additional data that is not related to connections and flows. These tables are grouped under this section (Additional Reports). Depending on the capability of the external collector, not all additional tables are needed. In this drop-down menu, you can select the tables that are needed.

Report On Connection OPEN—Reports flows when the connection is open. This is typically when a connection is established. All associated data related to that connection may not be available when the connection is opened. This option, however, enables flows to show up on the external collector as soon as the new connection is opened. By default, this setting is enabled.
Report On Connection CLOSED—Reports flows when the connection is closed. This is the most efficient way of reporting flows to an external collector. All associated data related to that connection are available and reported. By default, this setting is enabled.
Report Connection On Active Timeout—Reports connections based on Active Timeout sessions. If enabled, the firewall reports an active connection every active timeout period. By default, this setting is disabled.
Number of Seconds—Set the number of seconds to elapse for the Active Timeout. The range is 1 second to 999 seconds for the Active Timeout. The default setting is 60 seconds.
Report Connection On Kilo BYTES Exchanged—Reports flows based on when a specific amount of traffic, in kilobytes, is exchanged. If this setting is enabled, the firewall reports an active connection whenever the specified number of bytes of bidirectional data is exchanged on an active connection. This option is ideal for flows that are active for a long time and need to be monitored. This option is not selected by default.
Kilobytes Exchanged—Specify the amount of data, in kilobytes, transferred on a connection before reporting. The default value is 100 kilobytes.
Report ONCE—When the Report Connection On Kilo BYTES Exchanged option is enabled, the same flow is reported multiple times whenever the specified amount of data is transferred over the connection. This could cause a large amount of IPFIX packet generation on a loaded system. Enabling this option sends the report only once. By default, the setting is enabled.
Report Connections On Following Updates—Select from the drop-down menu to enable connection reporting for the following (by default, all are selected):
* 
NOTE: This option is available with IPFIX with extensions only.
threat detection—Reports flows specific to threats. Upon detection of a virus, intrusion, or spyware, the flow is reported again.
application detection—Reports flows specific to applications. Upon performing deep packet inspection, the SonicWall appliance is able to detect whether a flow is part of a certain application. When identified, the flow is reported again.
user detection—Reports flows specific to users. The SonicWall appliance associates flows with a user based on the user’s login credentials. When identified, the flow is reported again.
VPN tunnel detection—Reports flows sent through the VPN tunnel. When flows sent over the VPN tunnel are identified, the flow is reported again.
Actions—Asynchronously generates templates and static flow data.
Generate ALL Templates — Click the button to begin building templates on the IPFIX server; this can take up to two minutes.
* 
NOTE: This option is available with Netflow version-9, IPFIX, and IPFIX with extensions only.
Generate Static AppFlow Data — Click the button to begin generating a large number of flows to the IPFIX server; this can take up to two minutes.
* 
NOTE: This option is available with IPFIX with extensions only.
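As an added illustration that is not part of the SonicOS guide, the following Python models the connection-reporting triggers described above (OPEN, CLOSED, Active Timeout, Kilo BYTES Exchanged, and Report ONCE) to estimate how many records one long-lived connection exports under a given combination of settings. The TriggerSettings and ConnectionTrace names, the sample connection, and the 1024-byte kilobyte are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class TriggerSettings:
    """The connection-reporting triggers of the External Collector tab,
    initialised to the defaults stated in the guide."""
    report_on_open: bool = True
    report_on_closed: bool = True
    report_on_active_timeout: bool = False
    active_timeout_sec: int = 60        # allowed range 1..999
    report_on_kbytes: bool = False
    kbytes_exchanged: int = 100
    report_once: bool = True


@dataclass
class ConnectionTrace:
    """Constructed input shape: a connection opened at t=0 that exchanges
    the listed bidirectional byte counts (seconds since open, bytes) and
    then closes at closed_at."""
    transfers: List[Tuple[float, int]]
    closed_at: float


def plan_reports(settings: TriggerSettings, conn: ConnectionTrace) -> List[Tuple[float, str]]:
    """Return (time, trigger) for every flow record the firewall would export
    for this connection under these settings, in time order."""
    if not 1 <= settings.active_timeout_sec <= 999:
        raise ValueError("Active Timeout must be between 1 and 999 seconds")
    reports: List[Tuple[float, str]] = []
    if settings.report_on_open:
        reports.append((0.0, "OPEN"))
    # Active Timeout re-reports the connection once per period while it lives.
    if settings.report_on_active_timeout:
        t = settings.active_timeout_sec
        while t < conn.closed_at:
            reports.append((float(t), "ACTIVE_TIMEOUT"))
            t += settings.active_timeout_sec
    # Kilo BYTES Exchanged fires at every multiple of the threshold crossed,
    # or only at the first crossing when Report ONCE is set. The guide does
    # not define the kilobyte; 1024 bytes is assumed here.
    if settings.report_on_kbytes:
        step = settings.kbytes_exchanged * 1024
        total, next_mark, fired = 0, step, False
        for when, nbytes in sorted(conn.transfers):
            total += nbytes
            while total >= next_mark and not (settings.report_once and fired):
                reports.append((float(when), "KBYTES"))
                fired = True
                next_mark += step
    if settings.report_on_closed:
        reports.append((float(conn.closed_at), "CLOSED"))
    return sorted(reports, key=lambda r: r[0])


def count_reports(settings: TriggerSettings, conn: ConnectionTrace) -> Dict[str, int]:
    """Number of exported records per trigger: a quick way to size the
    IPFIX volume a long-lived connection generates under given settings."""
    return dict(Counter(trigger for _, trigger in plan_reports(settings, conn)))


# Constructed sample: a 310-second connection moving 300 KiB every 60 s
# (1500 KiB in total), such as a long file transfer.
SAMPLE_CONN = ConnectionTrace(
    transfers=[(60, 300 * 1024), (120, 300 * 1024), (180, 300 * 1024),
               (240, 300 * 1024), (300, 300 * 1024)],
    closed_at=310)

if __name__ == "__main__":
    print("defaults:", count_reports(TriggerSettings(), SAMPLE_CONN))
    print("KB trigger, Report ONCE off:",
          count_reports(TriggerSettings(report_on_kbytes=True, report_once=False), SAMPLE_CONN))
    print("KB trigger, Report ONCE on:",
          count_reports(TriggerSettings(report_on_kbytes=True), SAMPLE_CONN))
```

With the defaults the sample connection produces two records; with the kilobytes trigger and Report ONCE cleared it produces seventeen, which is the packet-volume effect the Report ONCE description warns about.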

NetFlow Activation and Deployment Information

SonicWall recommends careful planning of NetFlow deployment with NetFlow services activated on strategically located edge/aggregation routers which capture the data required for planning, monitoring and accounting applications. Key deployment considerations include the following:

Understanding your application-driven data collection requirements: accounting applications may only require originating and terminating router flow information whereas monitoring applications may require a more comprehensive (data intensive) end-to-end view
Understanding the impact of network topology and routing policy on flow collection strategy: for example, avoid collecting duplicate flows by activating NetFlow on key aggregation routers where traffic originates or terminates and not on backbone routers or intermediate routers which would provide duplicate views of the same flow information
NetFlow can be implemented in the SonicOS management interface to understand the number of flows in the network and the impact on the router. NetFlow export can then be set up at a later date to complete the NetFlow deployment.

NetFlow is, in general, an ingress measurement technology that should be deployed on appropriate interfaces of edge/aggregation or WAN access routers to gain a comprehensive view of originating and terminating traffic and meet customer needs for accounting, monitoring, or network planning data. The key mechanism for keeping NetFlow data volume manageable is careful planning of the NetFlow deployment. NetFlow can be deployed incrementally (that is, interface by interface) and strategically (that is, on well-chosen routers) instead of being deployed on every router in the network.

User Configuration Tasks

Depending on the type of flows you are collecting, you will need to determine which type of reporting will work best with your setup and configuration. This section includes configuration examples for each supported NetFlow solution, as well as configuring a second appliance to act as a collector.

NetFlow Version 5 Configuration Procedures

To configure typical NetFlow version 5 flow reporting:

1. Click the Settings tab.
2. For Report Connections in the Settings section, select either of these radio buttons:
Interface-based
Firewall/App Rules-based

When enabled, the flows reported are based on the initiator or responder interface or on already existing firewall rules.

* 
NOTE: This step is optional, but is required if flow reporting is done on selected interfaces.
3. Click the External Collector tab.
4. Select the Send Flows and Real-Time Data To External Collector check box.
5. Select Netflow version-5 from the External Flow Reporting Format drop-down menu.
6. Specify the External Collector’s IP address in the provided field.
7. Optionally, for the Source IP to Use for Collector on a VPN Tunnel, specify the source IP if the external collector must be reached by a VPN tunnel.
* 
NOTE: This step is required if the external collector must be reached by a VPN tunnel.
8. Specify the External Collector’s UDP port number in the provided field. The default port is 2055.
9. Click the Accept button at the top of the page.
* 
NOTE: You may need to reboot the device to completely enable this configuration.

NetFlow Version 9 Configuration Procedures

To configure NetFlow version 9 flow reporting:

1. Click the Settings tab.
2. For Report Connections in the Settings section, select either of these radio buttons:
Interface-based
Firewall/App Rules-based

When enabled, the flows reported are based on the initiator or responder interface or on already existing firewall rules.

* 
NOTE: This step is optional, but is required if flow reporting is done on selected interfaces.
3. Click the External Collector tab.
4. Select the Send Flows and Real-Time Data To External Collector check box.
5. Select Netflow version-9 as the External Flow Reporting Format from the drop-down menu.
6. Specify the External Collector’s IP address in the provided field.
7. Optionally, for the Source IP to Use for Collector on a VPN Tunnel, specify the source IP if the external collector must be reached by a VPN tunnel.
* 
NOTE: This step is required if the external collector must be reached by a VPN tunnel.
8. Specify the External Collector’s UDP port number in the provided field. The default port is 2055.
9. NetFlow version 9 uses templates that must be known to an external collector before data is sent. In Actions, click the Generate ALL Templates button to begin generating templates. A message requesting confirmation displays.
10. Click OK.
11. After the templates have been generated, click Accept.

IPFIX (NetFlow Version 10) Configuration Procedures

To configure IPFIX, or NetFlow version 10, flow reporting:

1. Click the Settings tab.
2. For Report Connections in the Settings section, select either of these radio buttons:
Interface-based
Firewall/App Rules-based

When enabled, the flows reported are based on the initiator or responder interface or on already existing firewall rules.

* 
NOTE: This step is optional, but is required if flow reporting is done on selected interfaces.
3. Click the External Collector tab.
4. Select the Send Flows and Real-Time Data To External Collector check box.
5. Select IPFIX as the External Flow Reporting Format from the drop-down menu.
6. Specify the External Collector’s IP address in the provided field.
7. Optionally, for the Source IP to Use for Collector on a VPN Tunnel, specify the source IP if the external collector must be reached by a VPN tunnel.
* 
NOTE: This step is required if the external collector must be reached by a VPN tunnel.
8. Specify the External Collector’s UDP port number in the provided field. The default port is 2055.
9. IPFIX uses templates that must be known to an external collector before data is sent. In Actions, click the Generate ALL Templates button to begin generating templates. A message requesting confirmation displays.
10. Click OK.
11. After the templates have been generated, click Accept.

IPFIX with Extensions Configuration Procedures

To configure IPFIX with extensions flow reporting:

1. Click the Settings tab.
2. For Report Connections in the Settings section, select either of these radio buttons:
Interface-based
Firewall/App Rules-based

When enabled, the flows reported are based on the initiator or responder interface or on already existing firewall rules.

* 
NOTE: This step is optional, but is required if flow reporting is done on selected interfaces.
3. Click the External Collector tab.
4. Select the Send Flows and Real-Time Data To External Collector check box.
5. Select IPFIX with extensions as the External Flow Reporting Format from the drop-down menu.
6. Specify the External Collector’s IP address in the provided field.
7. Optionally, for the Source IP to Use for Collector on a VPN Tunnel, specify the source IP if the external collector must be reached by a VPN tunnel.
* 
NOTE: This step is required if the external collector must be reached by a VPN tunnel.
8. Specify the External Collector’s UDP port number in the provided field. The default port is 2055.
9. IPFIX uses templates that must be known to an external collector before data is sent. Click the Generate ALL Templates button to begin generating templates. A message requesting confirmation displays.
10. Click OK.
11. Enable Send Static AppFlow At Regular Intervals by selecting the check box.
12. Click the Generate Static AppFlow Data button. A message requesting confirmation displays.
13. Click OK.
14. Select the tables to receive static flows for from the Send Static AppFlow For Following Tables drop-down menu.
15. Select the tables to receive dynamic flows for from the Send Dynamic AppFlow For Following Tables drop-down menu.
16. Select any additional reports to be generated from the Include Following Additional Reports via IPFIX drop-down menu.
17. Click Accept.

Configuring Netflow with Extensions with SonicWall Scrutinizer

One external flow reporting option that works with Netflow with Extensions is the third-party collector called SonicWall Scrutinizer. This collector displays a range of reporting and analysis that is both Netflow and SonicWall flow aware.

To verify your NetFlow with Extensions reporting configuration:

1. Click the Settings tab.
2. For Report Connections in the Settings section, select either of these radio buttons:
Interface-based
Firewall/App Rules-based

When enabled, the flows reported are based on the initiator or responder interface or on already existing firewall rules.

* 
NOTE: This step is optional, but is required if flow reporting is done on selected interfaces.
3. Click the External Collector tab.
4. Select the Send Flows and Real-Time Data To External Collector check box.
5. Select IPFIX with extensions as the External Flow Reporting Format from the drop-down menu.
6. Specify the External Collector’s IP address in the provided field.
7. Optionally, for the Source IP to Use for Collector on a VPN Tunnel, specify the source IP if the external collector must be reached by a VPN tunnel.
* 
NOTE: This step is required if the external collector must be reached by a VPN tunnel.
8. Specify the External Collector’s UDP port number in the provided field. The default port is 2055.
9. Select the tables to receive static flows for from the provided drop-down menu.
* 
NOTE: Currently, SonicWall Scrutinizer supports Applications and Threats only. Future versions of Plixer will support the following Static Flows: Location Map, Services, Rating Map, Table Map, and Column Map.
10. Click Accept.
11. Navigate to the Network > Interfaces page.
12. Confirm that Flow Reporting is enabled per interface by clicking the Configure icon of the interface you are requesting data from. The Edit Interface dialog displays.
13. Click the Advanced tab.
14. Ensure the Enable flow reporting check box is selected.
15. Click OK.
16. Log in to SonicWall Scrutinizer. The data displays within minutes.

NetFlow Tables

This section describes the NetFlow tables and, in detail, the IPFIX with extensions tables that are exported when the SonicWall appliance is configured to report flows.

Static Tables

Static Tables are tables with data that does not change over time. However, this data is required to correlate with other tables. Static tables are usually reported at a specified interval, but may also be configured to send just once. These Static IPFIX tables may be exported:

Applications Map—Reports all applications the SonicWall appliance identifies, including various Attributes, Signature IDs, App IDs, Category Names, and Category IDs.
Viruses Map—Reports all viruses detected by the SonicWall appliance.
Spyware Map—Reports all spyware detected by the SonicWall appliance.
Intrusions Map—Reports all intrusions detected by the SonicWall appliance.
Location Map—Represents SonicWall’s location map describing the list of countries and regions with their IDs.
Services Map—Represents SonicWall’s list of Services with Port Numbers, Protocol Type, Range of Port Numbers, and Names.
Rating Map—Represents SonicWall’s list of Rating IDs and the Name of the Rating Type.
Table Layout Map—Reports SonicWall’s list of tables to be exported, including Table ID and Table Names.
Column Map—Represents SonicWall’s list of columns to be reported with Name, Type Size, and IPFIX Standard Equivalents for each column of every table.

Dynamic Tables

Unlike Static tables, the data in Dynamic tables changes over time and is sent repeatedly, based on the activity of the SonicWall appliance. The columns of these tables grow over time, with the exception of a few tables containing statistics or utilization reports. These Dynamic IPFIX tables may be exported:

Connections—Reports SonicWall connections. The same flow tables can be reported multiple times by configuring triggers.
Users—Reports users logging in to the SonicWall appliance via LDAP/RADIUS, Local, or SSO.
URLs—Reports URLs accessed through the SonicWall appliance.
URL ratings—Reports Rating IDs for all URLs accessed through the SonicWall appliance.
VPNs—Reports all VPN tunnels established through the SonicWall appliance.
Devices—Reports the list of all devices connected through the SonicWall appliance, including the MAC addresses, IP addresses, Interface, and NETBIOS name of connected devices.
SPAMs—Reports all email exchanges through the SPAM service.
Locations—Reports the Locations and Domain Names of an IP address.
VoIPs—Reports all VoIP/H323 calls through the SonicWall appliance.

Templates

The following section shows examples of the types of NetFlow template tables that are exported.

To generate a diagnostic report of your own NetFlow configuration:

1. Navigate to the System > Diagnostics page.
2. Click the Download Report button in the Tech Support Report section.

NetFlow Version 5

The NetFlow version 5 datagram consists of a header and one or more flow records, and is sent to the collector as a UDP export datagram:

The first field of the header contains the version number of the export datagram.
The second field in the header contains the number of records in the datagram, which can be used to iterate through the records.

Because NetFlow version 5 uses a fixed datagram layout, no templates are exported; the datagram follows the format listed below:

NetFlow Version 5 Header Format

Bytes   Contents           Description
0-1     version            NetFlow export format version number
2-3     count              Number of flows exported in this packet (1-30)
4-7     SysUptime          Current time in milliseconds since the export device booted
8-11    unix_secs          Current count of seconds since 0000 UTC 1970
12-15   unix_nsecs         Residual nanoseconds since 0000 UTC 1970
16-19   flow_sequence      Sequence counter of total flows seen
20      engine_type        Type of flow-switching engine
21      engine_id          Slot number of the flow-switching engine
22-23   sampling_interval  First two bits hold the sampling mode; remaining 14 bits hold the value of the sampling interval

NetFlow Version 5 Flow Record Format

Bytes   Contents   Description
0-3     srcaddr    Source IP address
4-7     dstaddr    Destination IP address
8-11    nexthop    IP address of the next hop router
12-13   input      SNMP index of input interface
14-15   output     SNMP index of output interface
16-19   dPkts      Packets in the flow
20-23   dOctets    Total number of Layer 3 bytes in the packets of the flow
24-27   First      SysUptime at start of flow
28-31   Last       SysUptime at the time the last packet of the flow was received
32-33   srcport    TCP/UDP source port number or equivalent
34-35   dstport    TCP/UDP destination port number or equivalent
36      pad1       Unused (zero) bytes
37      tcp_flags  Cumulative OR of TCP flags
38      prot       IP protocol type (for example, TCP=6; UDP=17)
39      tos        IP type of service (ToS)
40-41   src_as     Autonomous system number of the source, either origin or peer
42-43   dst_as     Autonomous system number of the destination, either origin or peer
44      src_mask   Source address prefix mask bits
45      dst_mask   Destination address prefix mask bits
46-47   pad2       Unused (zero) bytes
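The two layouts above are enough to write a collector-side decoder. The following Python decoder is an added example and is not part of the SonicOS guide or of SonicWall's software: it unpacks the 24-byte header and the 48-byte flow records at the byte offsets listed above, rejects a datagram whose version, record count or length do not agree with its header, splits the sampling field into its 2-bit mode and 14-bit interval, and sums bytes per source address. The sample datagram, its addresses (documentation ranges) and its counters are constructed inline, not captured from an appliance.

```python
# Added example, not SonicWall code: decode a NetFlow v5 export datagram
# (header + flow records) using the byte layouts documented above.
import socket
import struct
from collections import Counter

# Header: version, count, SysUptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval -> 24 bytes, network byte order
V5_HEADER = struct.Struct("!HHIIIIBBH")
# Flow record: 48 bytes, in the order of the flow record table
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
V5_RECORD_FIELDS = (
    "srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
    "First", "Last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
    "src_as", "dst_as", "src_mask", "dst_mask", "pad2",
)


def parse_v5(datagram):
    """Decode one v5 export datagram; raise ValueError on anything malformed."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version={version})")
    if not 1 <= count <= 30:
        raise ValueError(f"record count {count} outside the 1-30 range")
    needed = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) < needed:                   # count must agree with the length
        raise ValueError(f"truncated datagram: {len(datagram)} < {needed} bytes")
    header = {
        "version": version, "count": count, "SysUptime": sys_uptime,
        "unix_secs": unix_secs, "unix_nsecs": unix_nsecs,
        "flow_sequence": flow_sequence, "engine_type": engine_type,
        "engine_id": engine_id,
        "sampling_mode": sampling >> 14,          # first two bits
        "sampling_interval": sampling & 0x3FFF,   # remaining 14 bits
    }
    records = []
    for i in range(count):
        raw = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(V5_RECORD_FIELDS, raw))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = socket.inet_ntoa(struct.pack("!I", rec[key]))
        records.append(rec)
    return {"header": header, "records": records}


def is_well_formed_v5(datagram):
    """True when parse_v5 accepts the datagram, False when it rejects it."""
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def bytes_by_source(parsed):
    """Sum dOctets per source address, a first cut at top-talker reporting."""
    totals = Counter()
    for rec in parsed["records"]:
        totals[rec["srcaddr"]] += rec["dOctets"]
    return totals


def build_record(src, dst, sport, dport, prot, pkts, octets, flags=0):
    """Constructed flow record; addresses are from documentation ranges."""
    def ip(text):
        return struct.unpack("!I", socket.inet_aton(text))[0]
    return V5_RECORD.pack(ip(src), ip(dst), ip("0.0.0.0"), 1, 2, pkts, octets,
                          1000, 2000, sport, dport, 0, flags, prot, 0,
                          0, 0, 24, 24, 0)


# Constructed sample: 3 flows, sampling mode 1 with interval 1
SAMPLE_DATAGRAM = (
    V5_HEADER.pack(5, 3, 123456, 1700000000, 0, 42, 0, 0, (1 << 14) | 1)
    + build_record("192.0.2.10", "198.51.100.5", 51000, 443, 6, 10, 4000, 0x1B)
    + build_record("192.0.2.10", "198.51.100.5", 51001, 443, 6, 8, 3000, 0x1B)
    + build_record("192.0.2.77", "198.51.100.9", 5353, 53, 17, 1, 80)
)

if __name__ == "__main__":
    parsed = parse_v5(SAMPLE_DATAGRAM)
    print(parsed["header"])
    print(bytes_by_source(parsed))
```

The length check is the one that matters for robustness: the header's count is written by the exporter, so a collector that trusts count alone and unpacks that many records will read past the end of a truncated or malformed datagram. Checking that count, record size and datagram length agree before unpacking keeps a bad datagram from being turned into records.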

NetFlow Version 9
Example of a NetFlow version 9 Template

NetFlow Version 9 Template FlowSet Field Descriptions

Field Name          Description
Template ID         The SonicWall appliance generates templates with a unique ID based on FlowSet templates matching the type of NetFlow data being exported.
Name                The name of the NetFlow template.
Number of Elements  The number of fields listed in the NetFlow template.
Total Length        The total length in bytes of all reported fields in the NetFlow template.
Field Type          A numeric value that represents the type of field. Values of the field type may be vendor specific.
Field bytes         The length of the specific Field Type, in bytes.

IPFIX (NetFlow Version 10)
Example of an IPFIX (NetFlow version 10) Template

IPFIX Template FlowSet Field Descriptions

Field Name          Description
Template ID         The SonicWall appliance generates templates with a unique ID based on FlowSet templates matching the type of NetFlow data being exported.
Name                The name of the NetFlow template.
Number of Elements  The number of fields listed in the NetFlow template.
Total Length        The total length in bytes of all reported fields in the NetFlow template.
Field Type          A numeric value that represents the type of field. Values of the field type may be vendor specific.
Field bytes         The length of the specific Field Type, in bytes.

IPFIX with Extensions

IPFIX with extensions exports templates that are a combination of NetFlow fields from the aforementioned versions and SonicWall IDs. These flows contain several extensions, such as Enterprise-defined field types and Enterprise IDs.

NOTE: The SonicWall Specific Enterprise ID (EntID) is defined as 8741.

Name Template (Standard IPFIX with Extensions)

The following Name Template is a standard for the IPFIX with extensions templates. The values specified are static and correlate to the Table Name of all the NetFlow exportable templates.
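The enterprise-defined field types and the Enterprise ID described above are what distinguish an IPFIX with extensions template from a plain IPFIX one. The following Python parser is an added example, not code from the SonicOS guide or from SonicWall: it reads an IPFIX (version 10) message, learns template records from a Template Set (set ID 2), recognises enterprise-specific elements by the high bit of the element ID and reads the 4-byte Enterprise ID that follows (8741 for SonicWall, as noted above), then decodes Data Set records against the cached template. The message is constructed inline; the enterprise element ID 1 it carries is a placeholder, not a documented SonicWall element, and the other element IDs are standard IANA IPFIX ones.

```python
# Added example (not SonicWall code): decode IPFIX (NetFlow v10) template and
# data sets, including enterprise-specific elements such as SonicWall's EntID 8741.
# Set layouts follow RFC 7011; enterprise element id 1 in the sample is a placeholder.
import socket
import struct

IPFIX_HEADER = struct.Struct("!HHIII")  # version, length, export time, sequence, domain
SET_HEADER = struct.Struct("!HH")       # set id, set length (header included)
TEMPLATE_SET_ID = 2
ENTERPRISE_BIT = 0x8000                 # high bit of the element id
SONICWALL_ENTERPRISE_ID = 8741          # EntID stated in the guide
IANA_NAMES = {4: "protocolIdentifier", 7: "sourceTransportPort", 8: "sourceIPv4Address",
              11: "destinationTransportPort", 12: "destinationIPv4Address"}

def field_name(enterprise, ie_id):
    if enterprise is None:
        return IANA_NAMES.get(ie_id, f"iana_{ie_id}")
    return f"ent{enterprise}_ie{ie_id}"

def decode_value(enterprise, ie_id, raw):
    if enterprise is None and ie_id in (8, 12) and len(raw) == 4:
        return socket.inet_ntoa(raw)          # IPv4 address elements
    if len(raw) in (1, 2, 4, 8):
        return int.from_bytes(raw, "big")     # unsigned integers
    return raw.hex()

def parse_template_set(buf, pos, end, templates):
    """Store template_id -> [(enterprise, ie_id, length), ...] in `templates`."""
    while end - pos >= 4:
        template_id, field_count = struct.unpack_from("!HH", buf, pos)
        pos += 4
        if template_id == 0:                  # zero padding closes the set
            break
        if template_id < 256:
            raise ValueError(f"template id {template_id} is reserved")
        fields = []
        for _ in range(field_count):
            ie_id, length = struct.unpack_from("!HH", buf, pos)
            pos += 4
            enterprise = None
            if ie_id & ENTERPRISE_BIT:        # a 4-byte enterprise number follows
                ie_id &= 0x7FFF
                (enterprise,) = struct.unpack_from("!I", buf, pos)
                pos += 4
            if pos > end or length == 0xFFFF:
                raise ValueError("template record malformed or variable-length")
            fields.append((enterprise, ie_id, length))
        templates[template_id] = fields

def parse_ipfix_message(msg, templates):
    """Return the data records of one message; `templates` persists across calls."""
    version, length = struct.unpack_from("!HH", msg, 0) if len(msg) >= 4 else (0, 0)
    if version != 10 or length < IPFIX_HEADER.size or length > len(msg):
        raise ValueError("not a well-formed IPFIX message")
    records, pos = [], IPFIX_HEADER.size
    while pos + SET_HEADER.size <= length:
        set_id, set_len = SET_HEADER.unpack_from(msg, pos)
        body, end = pos + SET_HEADER.size, pos + set_len
        if set_len < SET_HEADER.size or end > length:
            raise ValueError(f"bad set length {set_len} at offset {pos}")
        if set_id == TEMPLATE_SET_ID:
            parse_template_set(msg, body, end, templates)
        elif set_id >= 256:                   # data set, identified by template id
            fields = templates.get(set_id)
            if fields is None:                # data before its template: flag, do not guess
                records.append({"template_id": set_id, "undecodable": True})
            else:
                rec_len = sum(length for _, _, length in fields)
                while rec_len and end - body >= rec_len:
                    rec = {"template_id": set_id}
                    for enterprise, ie_id, length in fields:
                        rec[field_name(enterprise, ie_id)] = decode_value(
                            enterprise, ie_id, msg[body:body + length])
                        body += length
                    records.append(rec)
        pos = end                             # options templates (set 3) etc. skipped
    return records

def build_sample_message(include_template=True):
    """Constructed message: template 256 plus a data set of two records."""
    spec = [(None, 8, 4), (None, 12, 4), (None, 7, 2), (None, 11, 2), (None, 4, 1),
            (SONICWALL_ENTERPRISE_ID, 1, 4)]   # last one: placeholder enterprise element
    template_record = struct.pack("!HH", 256, len(spec))
    for enterprise, ie_id, length in spec:
        if enterprise is None:
            template_record += struct.pack("!HH", ie_id, length)
        else:
            template_record += struct.pack("!HHI", ENTERPRISE_BIT | ie_id, length, enterprise)
    template_set = SET_HEADER.pack(TEMPLATE_SET_ID, 4 + len(template_record)) + template_record
    data = b"".join(socket.inet_aton(s) + socket.inet_aton(d) + struct.pack("!HHBI", sp, dp, pr, ev)
                    for s, d, sp, dp, pr, ev in [("192.0.2.10", "198.51.100.5", 51000, 443, 6, 1234),
                                                 ("192.0.2.77", "198.51.100.9", 5353, 53, 17, 77)])
    data_set = SET_HEADER.pack(256, 4 + len(data)) + data
    body = (template_set if include_template else b"") + data_set
    return IPFIX_HEADER.pack(10, IPFIX_HEADER.size + len(body), 1700000000, 0, 1) + body
```

Templates live in a dictionary passed across calls because, as with a real exporter, a data set may arrive in a later message than its template; records with no known template are returned flagged rather than decoded by guesswork, which is what a collector needs so that fields are never misattributed. Variable-length elements (length 0xFFFF) and Options Templates (set ID 3) are outside this example.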

Example of an IPFIX with Extensions Template

Accessing the Real-Time Monitor

NOTE: AppFlow reporting is supported only on E-Class NSA series, NSA series, TZ 215 series, and TZ 210 series appliances.

AppFlow > Real-Time Monitor

NOTE: For increased convenience and accessibility, the Real-Time Monitor page can be accessed either from Dashboard > Real-Time Monitor or AppFlow > Real-Time Monitor. The page is identical regardless of which tab it is accessed through. For information on using Real-Time Monitor, refer to Dashboard > Real-Time Monitor.

Accessing AppFlow Dash

NOTE: AppFlow reporting is supported only on E-Class NSA series, NSA series, TZ 215 series, and TZ 210 series appliances.

AppFlow > AppFlow Dash

NOTE: For increased convenience and accessibility, the AppFlow Monitor page can be accessed either from Dashboard > AppFlow Dash or AppFlow > AppFlow Dash. The page is identical regardless of which tab it is accessed through. For information on using AppFlow Monitor, refer to Dashboard > AppFlow Dash.

Accessing the AppFlow Monitor

NOTE: AppFlow reporting is supported only on E-Class NSA series, NSA series, TZ 215 series, and TZ 210 series appliances.

AppFlow > AppFlow Monitor

NOTE: For increased convenience and accessibility, the AppFlow Monitor page can be accessed either from Dashboard > AppFlow Monitor or AppFlow > AppFlow Monitor. The page is identical regardless of which tab it is accessed through. For information on using AppFlow Monitor, refer to Dashboard > AppFlow Monitor.

Accessing AppFlow Reports

NOTE: AppFlow reporting is supported only on E-Class NSA series, NSA series, TZ 215 series, and TZ 210 series appliances.

AppFlow > AppFlow Reports

NOTE: For increased convenience and accessibility, the AppFlow Reports page can be accessed either from Dashboard > AppFlow Reports or AppFlow > AppFlow Reports. The page is identical regardless of which tab it is accessed through. For information on using AppFlow Reports, refer to Dashboard > AppFlow Reports.