SonicOS 5.9 Admin Guide

Dashboard

Using the SonicOS Visualization Dashboard

Visualization Dashboard

Dashboard Overview

The SonicWall Visualization Dashboard provides an efficient interface for visually monitoring your network in real time, with flow charts of real-time data, customizable rules, and flexible interface settings. With the Visualization Dashboard, you can view and sort real-time network and bandwidth data to:

Identify applications and websites with high bandwidth demands
View application usage on a per-user basis
Anticipate attacks and threats encountered by the network
 
TIP: For easy viewing, display a Dashboard report or chart in a new browser tab, then move the tab to a new browser window separate from the management interface by clicking the Display icon next to the submenu item of interest. For more information about displaying a report separately, see Display Icons.

Enabling the Real-Time Monitor and AppFlow Collection

The real-time application monitoring features rely on the flow collection mechanism to collect and display data. Before you can view the applications chart in the Dashboard > Real-Time Monitor, Dashboard > AppFlow Monitor, or Dashboard > AppFlow Reports pages, you must first enable and configure the flow collection feature.

To enable Real-Time Monitoring and Internal AppFlow collection:

1. Navigate to the AppFlow > Flow Reporting page.
2. Click the Settings tab.
3. In the Settings section, select the Enable Real-Time Data Collection check box to enable data collection for real-time statistics. This option is enabled by default.
4. From the Collect Real-Time Data For drop-down menu, select the reports you want. By default, all are selected:
   Top apps
   Bits per sec.
   Packets per sec.
   Average packet size
   Connections per sec.
   Core utility
5. In the Local Server Settings section, select the Enable AppFlow To Local Collector checkbox. This option is enabled by default.
   NOTE: To completely enable this feature if it is disabled, you may need to reboot the appliance.
6. To enable these reports, click the Accept button to save your changes.
7. Navigate to the Network > Interfaces page.
8. In the Configure column, click the Edit icon for the interface on which you wish to enable flow reporting. The Edit Interface dialog displays.
9. Click the Advanced tab.
10. Ensure that the Enable flow reporting checkbox is selected. This option is selected by default.
11. Click the OK button to save your changes.
12. Repeat Step 8 through Step 11 for each interface you wish to monitor.

For more detailed information on configuring Flow Reporting, see AppFlow Overview and AppFlow > Flow Reporting.


Monitoring Multi-Core Usage

Dashboard > Multi-Core Monitor

NOTE: For increased convenience and accessibility, the Multi-Core Monitor can be accessed either from Dashboard > Multi-Core Monitor or from the System > Diagnostics page. The Multi-Core Monitor display is identical regardless of which page it is accessed from.

The Multi-Core Monitor display in Dashboard > Real-Time Monitor (Multi-Core Monitor) shows different data.

The Multi-Core Monitor displays dynamically updated statistics on utilization of the individual cores of the SonicWall appliance. Core 1 through core 8 handle the control plane. Core 1 through core 8 usage is displayed in green on the Multi-Core Monitor.

The remaining cores handle the data plane. To maximize processor flexibility, functions are not dedicated to specific cores; instead all cores can process all data plane tasks. Memory is shared across all cores. Each core can process a separate flow simultaneously, allowing for up to 88 flows to be processed in parallel.

NOTE: High utilization on Core 1 is normal while browsing the Web management interface and applying changes. All Web management requests are processed by Core 1 through Core 8 and do not impact the other cores. Traffic handling and other critical, performance-oriented and system tasks are always prioritized by the scheduler and are never affected by web management usage.

Monitoring Real-Time Traffic Statistics

Dashboard > Real-Time Monitor

The Real-Time Monitor provides an inclusive, multi-functional display with information about applications, bandwidth usage, packet rate, packet size, connection rate, connection count, and multi-core monitoring.

NOTE: A chart may be empty or blank if there are no recent data entries received within the viewing range.

Configuring the Real-Time Monitor

The first time you access the Real-Time Monitor, it is disabled:

To enable the Real-Time Monitor and start displaying statistics in the different monitors, select the To configure, please check this box check box. A brief processing message displays, and then all the monitors display and begin showing data in the various flow charts.

Using the Toolbar

The Real-Time Monitor Toolbar contains features to specify the refresh rate, export details, configure color palettes, change the amount of data displayed, and pause or play the data flow. Changes made to the toolbar apply across all the data flows.

NOTE: For an explanation of common toolbar options, see Icons and Buttons in the Management Interface. Real-Time Monitor Toolbar Options explains toolbar options specific to the Real-Time Monitor.

Real-Time Monitor Toolbar Options

Configure Link: Provides a link to AppFlow > Flow Reporting for ease of configuring the Real-Time Monitor reports.

Using Collector: Displays the data source (collector).

Time & Date: Displays the current time in 24-hour format (hh:mm:ss) and the current date in Month/Day format.

Refresh rate: Determines the frequency at which data is refreshed. An integer between 1 and 10 seconds is required. The default is 3 seconds.

Configure: Allows for customization of the color palette for the Application Chart and Bandwidth Chart. Clicking the icon displays the Settings pop-up window.

To change the colors displayed on the charts, do one of these:

Enter the desired hexadecimal color codes in the provided text fields: Application Chart Color Palette and/or Bandwidth Chart Color Palette.
If a gradient is desired, select the Use Gradient box located below the text fields. This option is selected by default.
Click Default for a default range of colors.
Click Generate to generate a random range of colors.

By default, the legends are displayed outside the charts. To put the legends inside the Application Chart and/or Bandwidth Chart, select the appropriate checkbox:

Put legends inside Application Chart
Put legends inside Bandwidth Chart

View Range: Displays data pertaining to a specific span of time. The default view range is 10 minutes.

Data Source: Selects the server that is the source of the data:

Local to display AppFlow data from an internal server on your firewall.
External to display AppFlow data from an external server.

Common Features

Collapse/Expand Buttons

Directly above each chart, at the far right, is a minus sign icon that collapses the chart when clicked. When a chart is collapsed, a plus sign icon is displayed instead, which expands the chart when clicked. Collapsing charts is useful when you want to compare other charts closer together.

Display Scope

For all charts except Connection Count, you can specify the scope of the display:

Applications

In the Applications Real-Time Monitor, you can specify the applications displayed in the Applications Chart from a drop-down menu:

Most Frequent Apps
All Apps
Individual applications

Multiple applications can be selected by clicking more than one check box.

Interfaces

For all charts except Applications and Multi-Core Monitor, you can specify which interfaces are displayed in the chart from a drop-down menu:

All Interfaces Rate
All Interfaces Size
All Interfaces %
Individual interfaces

The individual interfaces vary depending on the number of interfaces on your network. Choices also vary by Rate, %, or Size. Multiple interfaces can be selected if desired.

Aggregate Cores

In the Multi-Core Monitor chart, you can specify which Cores are displayed from a drop-down menu:

Current (Aggregate)
Average (Aggregate)
Individual Cores

The individual Cores vary depending on the number of Cores available. Multiple Cores can be selected if desired.

Legends

For most charts, you can display a legend that shows the name and color used for the applications or interfaces selected in the chart’s Display menu. To display or hide the legend, click on the Legends button below the chart.

NOTE: If you selected to have the legends for the Applications and Bandwidth charts displayed within the charts, the Legends button has no effect on their display.

Tooltips

Various elements of the charts have associated tooltips:

The name of the chart has a Question icon that briefly describes the chart.

Legend items display information about the item the legend represents.

A small circle displays information about a precise moment on the chart.

To display a tooltip, hover your mouse over the desired item. The information displayed varies by chart.

Changing Chart Format

You are able to view individual charts in either bar chart format or flow (area) chart format. Each chart has chart format icons in the upper right corner of the chart. The default is flow chart format.

Bar Chart Format

The bar chart format displays applications individually, thus allowing you to compare applications. In this chart, the applications, interfaces, or cores are arranged along the x-axis; applications and interfaces are colored according to the color code shown in the Legend. The y-axis displays information appropriate to the chart, such as the amount of traffic for each application or interface. To display the data in bar chart format, click the Bar Chart icon.

Flow Chart Format

The flow chart format displays overlapping data in a stacked format as it occurs. In this chart, the x-axis displays the current time and the y-axis displays information appropriate to the chart, such as the amount of traffic for each application or the rate or size of the packets. To display data in the flow chart format, click the Flow Chart icon.

Scaling a Chart

The Scale field, in the upper right corner of a chart, allows for automatic Y-scaling or custom scaling of the chart:

Auto Y-Scaling (default) – Automatic Y-Scaling.
<num>[<unit>] – The value for customized scaling must be an integer. Specifying a unit is optional. If a unit is desired, four options are available:
K for Kilo.
M for Mega.
G for Giga.
% for percentage.

For example, if a custom scale of 100Kbps is desired, enter 100K: the integer 100 followed by the unit K.

NOTE: An invalid entry results in the default, Auto Y-Scaling, being used.
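The Scale syntax above is small enough to model in a few lines. The following Python is an added example written against this guide's description; it is not SonicOS code, and the names parse_scale, YScale and describe, as well as the treatment of surrounding whitespace and of a zero value, are this example's own assumptions. It turns an entry such as 100K into a numeric ceiling and falls back to Auto Y-Scaling for any invalid entry, as the note states.

```python
"""Parser for the Real-Time Monitor Scale field syntax <num>[<unit>].

Added example, not SonicOS code. It models the documented rules: an integer
value, an optional unit K, M, G or %, and fall-back to Auto Y-Scaling for
anything invalid. Names and the handling of whitespace/zero are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Magnitude multipliers for the three prefix units named in the guide.
UNIT_MULTIPLIERS = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}

# <integer> optionally followed by exactly one of the four allowed units.
_SCALE_RE = re.compile(r"^(\d+)([KMG%])?$")


@dataclass(frozen=True)
class YScale:
    """Result of parsing a Scale entry."""
    auto: bool                   # True -> Auto Y-Scaling (the default)
    value: Optional[int] = None  # ceiling in base units, e.g. 100K -> 100000
    percent: bool = False        # True when the unit was '%'


def parse_scale(text: str) -> YScale:
    """Turn a Scale-field string into a YScale.

    Surrounding whitespace is ignored and the unit letter may be given in
    either case (assumptions of this example). Anything that does not match
    <integer>[K|M|G|%] yields Auto Y-Scaling, as the guide's note states.
    """
    entry = text.strip().upper()
    if entry in ("", "AUTO"):
        return YScale(auto=True)
    match = _SCALE_RE.match(entry)
    if match is None:
        return YScale(auto=True)          # invalid entry -> default
    number, unit = int(match.group(1)), match.group(2)
    if number == 0:
        return YScale(auto=True)          # a zero ceiling is unusable (assumption)
    if unit == "%":
        return YScale(auto=False, value=number, percent=True)
    return YScale(auto=False, value=number * UNIT_MULTIPLIERS.get(unit, 1))


def describe(scale: YScale) -> str:
    """Human-readable form of a YScale, for display next to the chart."""
    if scale.auto:
        return "Auto Y-Scaling"
    return f"{scale.value}%" if scale.percent else f"{scale.value:,} (fixed ceiling)"


if __name__ == "__main__":
    # Constructed sample entries, including the guide's own 100K and some invalid ones.
    for raw in ("100K", "2G", "75%", "10", "1.5K", "100 Kbps", "", "abc"):
        print(f"{raw!r:>12} -> {describe(parse_scale(raw))}")
```

Note that a decimal such as 1.5K and a spelled-out unit such as 100 Kbps are both rejected by the pattern, which is why the guide's example enters the plain integer 100 followed by K.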

IPv6/IPv4 Selection

For complete information on the SonicOS implementation of IPv6, see IPv6.

Real-Time Monitor Visualization is configured the same in IPv6 and IPv4: select the radio buttons in the drop-down menu to change the view/configuration:

IPv4 Only
IPv6 Only
IPv4 and IPv6
NOTE: This option applies only to the Applications and Ingress/Egress Bandwidth charts.

Current Statistics: Average, Minimum, Maximum

All charts, except Applications, display the current statistics, such as average, minimum, and maximum values, for the data flow. The values vary by chart and can be in

Kbps (kilo bits per second)
Pps (packets per second)
Bytes
Cps (connections per second)
%

The Multi-Core Monitor chart also displays total utilization (Total Util). Instead of Current Ave, Min, and Max statistics, the Connection Count chart displays the:

Current count
Peak count
Max count

For the Ingress/Egress charts, the information is displayed for both halves, the Ingress on the top and the Egress on the bottom. For the other charts, the information is displayed on the top.

Applications Monitor

The Applications data flow provides a visual representation of the current applications accessing the network. The Applications Monitor chart is plotted by collecting the top 25 applications (based on their current rate, in bits per second) traversing the firewall every refresh period.

The following options are available only on the Applications Real-Time chart:

Applications Real-Time Display-Locking Options

Lock: Locks the Display options for the Application interface. The lock and unlock options are available when you select Most Frequent Apps from the Application Display drop-down menu. Most Frequent Apps displays the top-25 apps; you can use the Lock/Unlock option to keep the report from altering the top-25 apps.

Unlock: Unlocks the Display options for the Application interface.

Ingress and Egress Bandwidth Flow

NOTE: The Bandwidth flow charts have no direct correlation to the Application flow charts.

The Ingress and Egress Bandwidth data flows provide a visual representation of incoming and outgoing bandwidth traffic. The current percentage of total bandwidth used, average flow of bandwidth traffic, and the minimum and maximum amount of traffic that has gone through each interface is available in the display.

Packet Rate Monitor

The Packet Rate Monitor provides the ingress and egress packet rate as packets per second (pps). This chart can be configured to show packet rate by network interface. The graph shows the current average packet rate, minimum packet rate, and maximum packet rate for both ingress and egress network traffic.

Packet Size Monitor

The Packet Size Monitor provides the ingress and egress packet size in bytes (B). This chart can be configured to show packet size by network interface. The graph shows the current average packet size, minimum packet size, and maximum packet size for both ingress and egress network traffic.

Connection Count Monitor

The Connection Count data flow provides a visual representation of the current total number of connections, peak number of connections, and maximum number of connections.

Multi-Core Monitor

The Multi-Core Monitor displays dynamically updated statistics on utilization of the individual cores of the SonicWall appliance. Core 0 through core 7 handle the control plane. Core 0 through core 7 usage is displayed in green on the Multi-Core Monitor. The remaining cores handle the data plane.

To maximize processor flexibility, functions are not dedicated to specific cores; instead all cores can process all data plane tasks. Memory is shared across all cores. Each core can process separate flows simultaneously, allowing for up to 88 flows to be processed in parallel.

Memory Usage Monitor

The Memory Usage monitor displays:

Available memory
Total amount of memory used
Amount of memory used by the database
NOTE: Only the bar chart version is displayed.

Viewing the Top-10 AppFlow Reports

Dashboard > AppFlow Dash

The Dashboard > AppFlow Dash page provides the same information that is provided in Dashboard > AppFlow Reports, except in AppFlow Dash, the information is shown in graphs for the top one through ten items in each category:

Top Applications
Top Users
Top Viruses
Top Intrusions
Top Spyware
Top URL Ratings
Top Locations
Top IP Addresses
NOTE: The Botnets category on the Dashboard > AppFlow Reports page does not have a corresponding graph on the Dashboard > AppFlow Dash page. See Dashboard > AppFlow Reports.

The following graphic shows the first four graphs on the AppFlow Dash page. The graphs for the other categories are similar.

Configuring the Display

Configuring Length of Data Collection

The toolbar displays the length of time over which the data have been collected.

You can specify the length of time over which the data displayed in the graphs have been collected by selecting the start time in the View drop-down menu:

Since Restart
Since Last Reset

Refreshing the Display

You can refresh the display of:

All graphs on the page by clicking the Refresh icon next to the View drop-down menu.
Just one graph by clicking the Refresh icon for that graph.

Configuring Aggregate Reporting

A green Status icon indicates that aggregate AppFlow reporting is enabled. Mousing over the Status icon displays a tooltip with a link to AppFlow > Flow Reporting, where you can enable/disable and configure Aggregate AppFlow reporting.

To close the tooltip, click close.

Specifying the Data Source

You can specify the source of the data in the Data Source drop-down menu: Local or External.

Selecting How to View Individual Graphs

You can select the way to view a graph's data using the View by drop-down menu in the graph's title bar:

How to View Graphs

Top Applications and Top Locations can be viewed by:
Sessions—Number of connections/flows
Init Bytes—Number of bytes sent by the initiator
Resp Bytes—Number of bytes sent by the responder

Top Users and Top IP Addresses can be viewed by:
Sessions—Number of connections/flows
Bytes Rcvd—Bytes of data received by the user/IP address
Bytes Sent—Bytes of data sent by the user/IP address

Top Viruses, Top Intrusions, Top Spyware, and Top URL Ratings can be viewed by:
Sessions—Number of connections/flows


Configuring AppFlow Statistics and Viewing Reports

Dashboard > AppFlow Reports

The Dashboard > AppFlow Reports page provides configurable, scheduled reports by:

applications
users
IP addresses
viruses
intrusions
spyware
location
Botnets
URL rating


AppFlow Reports statistics enable you to view a top-level aggregate report of what is going on in your network and, at a quick glance, answer such questions as the following:

What are the most used applications running in my network?
Which applications in terms of total number of sessions and bytes consume my network bandwidth?
Which applications have viruses, intrusions, and spyware?
What website categories are my users visiting?

The report data can be viewed from the point of the last system restart, since the system reset, or by defining a schedule range. Reports also can be sent by FTP or by email.

TIP: The Dashboard > AppFlow Dash page displays the top ten items in each category (except IP addresses) in graph format. See Dashboard > AppFlow Dash.

To configure your AppFlow Reports, follow the procedures described in AppFlow > Flow Reporting. To facilitate configuring your AppFlow Reports, the bottom of the Dashboard > AppFlow Reports page has a link to the AppFlow > Flow Reporting page.

The bottom of the page displays the:

Totals for each column, such as number of entries, number of bytes sent by the initiator and responder, locations blocked
Total up time of the appliance in days, hours, minutes, and seconds
Time of the last update/reset: hour, minute, second, month, day
Type of general reporting, such as Aggregate AppFlow, that is enabled as well as whether the reporting for the tab is enabled.

Data can be sorted in ascending or descending order by any of the columns.

AppFlow Reports

The Dashboard > AppFlow Reports page displays these reports on separate tabs:

Applications

Name—Name of the application — the signature ID
Sessions—Number of connections/flows both as a number and as a percentage
Init Bytes—Number of bytes sent by the initiator both as a number and as a percentage
Resp Bytes—Number of bytes sent by the responder both as a number and as a percentage
Access Rules Block—Number of connections/flows blocked by firewall rules
App Rules Block—Number of connections/flows blocked by the DPI engine
Location Block—Number of connections/flows blocked by GEO enforcement
Botnet Block—Number of connections/flows blocked by Botnet enforcement
Viruses—Number of connections/flows with viruses
Intrusions—Number of connections/flows identified as intrusions
Spyware—Number of connections/flows with spyware

Users

User Name—Name of the users generating sessions
Sessions—Number of sessions/connections initiated/responded both as a number and as a percentage
Bytes Rcvd—Number of bytes received by the user both as a number and as a percentage
Bytes Sent—Number of bytes sent by the user both as a number and as a percentage
Blocked—Number of sessions/connections blocked
Virus—Number of sessions/connections detected with a virus
Spyware—Number of sessions/connections detected with spyware
Intrusion—Number of sessions/connections detected as intrusions

IP

IP Address—IP addresses generating sessions
Sessions—Number of sessions/connections initiated/responded both as a number and as a percentage
Bytes Rcvd—Number of bytes received by this IP address both as a number and as a percentage
Bytes Sent—Number of bytes sent by this IP address both as a number and as a percentage
Blocked—Number of sessions/connections blocked
Virus—Number of sessions/connections detected with a virus
Spyware—Number of sessions/connections detected with spyware
Intrusion—Number of sessions/connections detected as intrusion

Viruses

Virus Name—Name of the virus signature
Sessions—Number of sessions/connections with this virus

Intrusions

Intrusion Name—Name of the intrusion signature
Sessions—Number of sessions/connections detected as an intrusion

Spyware

Spyware Name—Name of the spyware signature
Sessions—Number of sessions/connections with this spyware

Location

NOTE: You cannot restrict the number of locations displayed with the Limit drop-down menu.

Country Name—Name and flag of the country initiating/responding to a session/connection
Sessions—Number of sessions/connections initiated/responded by this country both as a number and as a percentage
Bytes Rcvd—Number of data bytes received by this country both as a number and as a percentage
Bytes Sent—Number of data bytes sent by this country both as a number and as a percentage
Dropped—Number of sessions/connections dropped

Botnets

NOTE: You cannot restrict the number of entries displayed with the Limit drop-down menu.

Botnet Name:
Botnet Detected
Botnet Blocked
Sessions—Number of sessions/connections where a botnet was detected/blocked

URL Rating

NOTE: You cannot restrict the number of entries displayed with the Limit drop-down menu.

Rating Name—Name of the URL category
Sessions—Number of sessions/connections both as a number and as a percentage

Common Functions

The following functions are common to all the tabs:

Downloading SonicWall Security Services Signatures

The AppFlow Reports feature requires that you have the latest SonicWall Security Services signature downloads enabled for the latest dynamic protection updates. Click the Status button on any tab to view the list of enabled SonicWall Security Services.

The pop-up dialog displays the following for each service generating an AppFlow Report:

Whether the service is licensed, not licensed, or a license is N/A (not applicable)
Whether the service is enabled, disabled, or N/A
Whether the relevant database has been downloaded for the service, or N/A
A link to the relevant SonicWall page for configuring the service

Limiting the Display

You can limit the amount of data displayed in these ways:

Limiting the Number of Entries Displayed

You can limit the number of entries displayed in a report by selecting one of these numbers from the Limit drop-down menu:

10
25
50 (default)
100
150
Unlimited
NOTE: The number of entries for the Location, Botnets, and URL Rating reports cannot be limited.

Filtering the Data

You can limit the display to only certain entries in a tab by specifying a string in the Filter String field. The string is not case sensitive.

The filter applies only to the active tab and does not affect the display of the other tabs. Displaying another tab erases the filter for all tabs.

The filter can be as general or as specific as necessary. For example, entering 10.2 for the IP tab returns 10 entries, while entering 10.200 returns only 2.

Filter Options by Tab

For each tab, the filter string is matched against the following column:

Applications: Name
Users: User Name
IP: IP Address
Viruses: Virus Name
Intrusions: Intrusion Name
Spyware: Spyware Name
Location: Country Name
Botnets: N/A
URL Rating: Rating Name
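As an added illustration of the filter behaviour described above (example code written for this guide, not SonicOS code), the following Python applies a case-insensitive substring match against the active tab's filter column from the table above. The report rows, the RFC 1918 addresses in them, and the function names are constructed for the example. It shows why a broader string such as 10.2 matches more entries than 10.200, and why a tab with no filter column (Botnets) is left unfiltered.

```python
"""Case-insensitive substring filter for AppFlow Reports tabs.

Added example, not SonicOS code. It models the Filter String behaviour the
guide describes: one active tab, matching against that tab's filter column,
case-insensitive. Rows and function names are this example's own.
"""

# Column each tab's Filter String is matched against (the guide's
# "Filter Options by Tab" table). Botnets has no filter column.
FILTER_COLUMN = {
    "Applications": "Name",
    "Users": "User Name",
    "IP": "IP Address",
    "Viruses": "Virus Name",
    "Intrusions": "Intrusion Name",
    "Spyware": "Spyware Name",
    "Location": "Country Name",
    "Botnets": None,
    "URL Rating": "Rating Name",
}


def filter_rows(tab, rows, filter_string):
    """Return the rows of `tab` whose filter column contains `filter_string`.

    Matching is a plain case-insensitive substring test, so "10.2" also
    matches "10.200.x.x" and "10.20.x.x". An empty string, or a tab without
    a filter column (Botnets), returns every row unchanged.
    """
    column = FILTER_COLUMN.get(tab)
    needle = filter_string.strip().lower()
    if column is None or not needle:
        return list(rows)
    return [row for row in rows if needle in str(row.get(column, "")).lower()]


# Constructed sample rows for the IP tab (private RFC 1918 addresses, not
# taken from any real report).
SAMPLE_IP_ROWS = [
    {"IP Address": "10.2.0.15", "Sessions": 40},
    {"IP Address": "10.2.1.7", "Sessions": 12},
    {"IP Address": "10.20.5.5", "Sessions": 9},
    {"IP Address": "10.200.8.1", "Sessions": 30},
    {"IP Address": "10.200.9.2", "Sessions": 5},
    {"IP Address": "192.168.10.2", "Sessions": 3},
    {"IP Address": "172.16.0.1", "Sessions": 1},
]

# Constructed sample rows for the Applications tab; mixed case to show the
# filter ignores case.
SAMPLE_APP_ROWS = [
    {"Name": "HTTPS", "Sessions": 300},
    {"Name": "http", "Sessions": 120},
    {"Name": "DNS", "Sessions": 80},
]

# Constructed sample rows for the Botnets tab, which cannot be filtered.
SAMPLE_BOTNET_ROWS = [
    {"Botnet Name": "Botnet Detected", "Sessions": 4},
    {"Botnet Name": "Botnet Blocked", "Sessions": 2},
]


if __name__ == "__main__":
    for needle in ("10.2", "10.200"):
        hits = filter_rows("IP", SAMPLE_IP_ROWS, needle)
        print(f"{needle!r}: {len(hits)} entries", [r["IP Address"] for r in hits])
    print("http:", [r["Name"] for r in filter_rows("Applications", SAMPLE_APP_ROWS, "http")])
    print("Botnets:", len(filter_rows("Botnets", SAMPLE_BOTNET_ROWS, "anything")), "rows (unfiltered)")
```

With these constructed rows, 10.2 matches six entries (including 10.20.5.5 and 192.168.10.2, where the digits happen to appear mid-address) while 10.200 matches two; the guide's own counts of 10 and 2 come from the report shown in the original screenshot.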

Creating a CSV File

You can create a CSV file of a tab's data by clicking the Create CSV File icon. For example, clicking the Create CSV File icon on the Applications tab creates a CSV file containing the Applications data.

NOTE: This is not the same CSV file as that created by downloading an AppFlow Report (see Downloading AppFlow Reports).

Printing the Display

If your appliance has a printer, you can print the data on a tab by clicking the Printer icon.

Refreshing the Display

You can refresh the display by clicking the Refresh icon.

Viewing AppFlow Data

You can view the AppFlow data in these ways:

Since Restart

To view AppFlow data since the last reboot or restart of the appliance, select Since Restart from the View drop-down menu. This report shows the aggregate statistics since the last reboot of the device. The date and time of the reboot are given in green as well as the total up time, in days, hours, minutes, and seconds, since the reboot. For example, SINCE: 08/14/2014 15:40:06.000 UPTIME: 32 Days 01:25:10.

TIP: The up time is also displayed at the bottom of the page along with the date and time of the last update.

Since Last Reset

To view AppFlow data since the last reset of the appliance, select Since Last Reset from the View drop-down menu. This report shows the aggregate statistics since the last time you cleared the statistics by pressing the Reset button. The date and time of the reset are given in green as well as the total up time, in days, hours, minutes, and seconds, since the reset. For example, SINCE: 08/14/2014 15:40:06.000 UPTIME: 32 Days 01:25:10.

The reset option allows you to quickly view AppFlow Report statistics from a fresh reset of network flows. The reset clears the counters shown at the bottom of the page, which display totals ranging from the number of sessions and initiator and responder bytes to the number of intrusions and threats.

On Schedule

You can generate AppFlow data by a defined schedule start and end time. This report shows AppFlow statistics collected during the time range specified in the configure settings options. Once the end time of the schedule is reached, scheduled AppFlow statistics are exported automatically to an FTP server or an email server. AppFlow statistical data is exported in CSV file format. Once the AppFlow statistics are exported, the data is refreshed and cleared.

To configure an On Schedule AppFlow report:

1. Navigate to the AppFlow > AppFlow Reports page.
2. Select On Schedule from the View drop-down menu.
3. Click the Configure button. The Schedule Report dialog displays.
4. Select whether to have your AppFlow Reports data sent automatically to an FTP server or an email server.
5. Enter the appropriate information.
6. If your email server requires SMTP authentication:
   a. Select the POP Before SMTP check box.
   b. Enter the SMTP server User name and Password.
7. Click the Set Schedule button to define a start and end schedule. The Edit Schedule page displays.
8. In Schedule type, select one of the following:
   Once — Creates a one-time schedule. The Once schedule options allow you to set reporting schedules based on a calendar start and end date with time in hours and minutes.
   Recurring — Creates an ongoing schedule. The Recurring schedule options allow you to select ongoing schedules based on days of the week and start and end hour and minute time targets.
   Mixed — Creates both a one-time schedule and an ongoing schedule.
   The Recurring and Mixed schedules display your selections in the Schedule List.
9. If you selected Recurring or Mixed for the schedule type, complete the schedule times:
   For both Recurring and Mixed, in the Recurring section, specify the day(s), Start Time and Stop Time of the schedule.
   For Mixed, in the Once section, specify the Year, Month, Day, Hour, and Minute for the Start and End of the report.
10. Click OK to save your AppFlow Reports schedule.
11. On the Schedule Reports options page, click the Apply button to start using your AppFlow Reports schedule object settings.

Downloading AppFlow Reports

You can download AppFlow Reports in one of these formats:

CSV (Microsoft Excel Comma Separated Values file)—opens in Excel as a swarm.csv file
DOC (Microsoft Word Document)—opens in Word as a swarm.docx file
PDF—opens as an HTML file in the browser window

NOTE: The CSV download is not the same csv file that is generated by clicking the Create CSV File icon (see Creating a CSV File).

To download a report:

1. Navigate to the Dashboard > AppFlow Reports page.
2. Click the Send Report icon. The Download Application Visualization Report pop-up dialog displays.
3. Click the Download Report button. An Opening file.wri.sfr dialog displays.
4. Click OK to save the file. The file is downloaded to your Downloads folder.
5. Open a browser window.
6. Log on to MySonicWall.com.
7. Navigate to SW Tools > App Reports. The Upload Report page displays.
8. Click the Browse button. A File Upload dialog displays.
9. Locate the file, select it, and then click Open. The file name appears on the Upload Report page.
10. Click the Upload button. It may take several minutes to upload the report. When the upload is complete, you can select any or all of these formats (the file has the name swarm):
    CSV
    DOC
    PDF
    An Opening file dialog displays.
11. Open the file with the specified program or save it.
12. You can select either or both of the other file formats until you leave the Upload Report page or log out of MySonicWall.


Monitoring Real-Time Network Data

Dashboard > AppFlow Monitor

NOTE: The Dashboard > AppFlow Monitor page is accessible only in Admin Config mode.

The AppFlow Monitor provides real-time, incoming and outgoing, network data. Various views and customizable options in the AppFlow Monitor interface assist in visualizing the traffic data by:

applications
users
URLs
initiators
responders
threats
VoIP
VPN
devices
contents

You can pause your cursor over many of the buttons, menu items, or column headings on the AppFlow Monitor page to display a Tooltip that describes the functionality of the item.

AppFlow Monitor Tabs

The AppFlow Monitor tabs contain details about incoming and outgoing network traffic. Each tab provides a faceted view of the network flow.

AppFlow Monitor Network Flow Views

Applications: Applications currently accessing the network.
Users: Users currently connected to the network.
URLs: URLs currently accessed by users.
Initiators: Details about current connection initiators.
Responders: Details about current connection responders.
Threats: Threats encountered by the network.
VoIP: Current VoIP and media traffic.
VPN: VPN sessions connected to the network.
Devices: Devices currently connected to the network.
Contents: Information about the type of traffic flowing through the network.

AppFlow Monitor Toolbar

The AppFlow Toolbar allows for customization of the AppFlow Monitor interface. The ability to create rules and add items to filters allows for more application and user control. Different views, pause and play abilities, customizable data intervals and refresh rates are also available to aid in visualizing incoming, real-time data.

AppFlow Monitor Toolbar Options

Create Rule: Starts the App Control Wizard. For more information on using this wizard, refer to About Application Control.
NOTE: General- and service-type applications cannot be included in a rule.

Filter View: Correlates data among the tabs. For more information about creating a filter, see Filter Options.

Interval: Specifies the span of time in which data is collected. The default is Last 60 seconds.

Group: Categorizes selections according to the available grouping options, which vary depending on the tab that is selected. See Group Options.

List View: Provides a detailed list view of the data flow. See List View. This is the default view.

Pie Chart View: Provides a pie chart view of the data flow. See Pie Chart View.

Flow Chart View: Provides a flow chart view of the data flow.

Export: Exports the data flow in comma-separated values (.csv) format.

Print PDF Report: Sends an Application Visualization Report in PDF format to the printer attached to the appliance.

Send Report: Generates data for backend report generation. For more information, refer to Generating Application Visualization Report.

Refresh: Refreshes the real-time data.

Status Update: Provides status updates about the signatures and databases:
Green: All appropriate signatures and databases are active.
Yellow: Some or all signature databases are still being downloaded or could not be activated.
Red: The database is not downloaded or active.
See AppFlow Monitor Status for more information.

Group Options

The Group option sorts data based on the specified group. Each tab contains different grouping options.

 

Grouping Options

Applications tab:
Application (default): Displays all traffic generated by individual applications.
Category: Groups all traffic generated by an application category.
Signatures: Groups all traffic generated by an application signature.

Users tab:
User Name (default): Groups all traffic generated by a specific user.
IP Address: Groups all traffic generated by a specific IP address.
Domain Name: Groups all traffic generated by a specific domain name.
Auth Type: Groups all traffic generated by a specific authentication method.

URLs tab:
URL (default): Displays all traffic generated by each URL.
Domain Name: Groups all traffic generated by a domain name.
Rating: Groups all traffic based on CFS rating.

Initiators tab:
IP Address (default): Groups all traffic generated by a specific IP address.
Interface: Groups all traffic according to the firewall interface.
Country: Groups all traffic generated by each country, based on the country IP database.

Responders tab:
IP Address (default): Groups all traffic by IP address.
Interface: Groups responders by interface.
Country: Groups responders by each country, based on the country IP database.

Threats tab:
Intrusions: Displays flows in which intrusions have been identified.
Virus: Displays flows in which viruses have been identified.
Spyware: Displays flows in which spyware has been identified.
Spam: Shows all flows that fall under the category of spam.
All (default): Displays all flows in which a threat has been identified or that fall under the category of spam.

VoIP tab:
Media Type (default): Groups VoIP flows according to media type.
Caller ID: Groups VoIP flows according to caller ID.

VPN tab:
Remote IP Address (default): Groups VPN flows according to the remote IP address.
Local IP Address: Groups VPN flows according to the local IP address.
Name: Groups VPN flows according to the tunnel name.

Devices tab:
IP Address (default): Groups flows by IP addresses inside the network.
Interface: Groups flows by interfaces on the firewall.
Name: Groups flows by device name or MAC address.

Contents tab:
Email Address: Groups contents by email address.
File Type (default): Groups flows by the file type detected.

AppFlow Monitor Status

The AppFlow Monitor Status pop-up dialog appears when you click the Status button in the toolbar.

The AppFlow Monitor Status provides signature updates about:

App Rules
App Control Advanced
GAV
IPS
Anti-Spyware
CFS
Anti-Spam
BWM
Country databases
Geo-IP blocking
Botnet blocking

The tooltip also displays:

Maximum flows in the database.
Whether AppFlow is enabled and, if so, to which collector.

For easy configuration of the AppFlow Monitor display, the tooltip provides links to the appropriate UI page for most items as well as a link to AppFlow > Flow Reporting for configuring AppFlow.

To dismiss the Status pop-up window, click Close in the upper-right corner.

AppFlow Monitor Views

These views are available for the AppFlow Monitor:

Detailed List View
Pie Chart View
Flow Chart View

Each view provides a unique display of incoming, real-time data.

Topics:

List View

In the List View, each AppFlow tab comprises columns displaying real-time data. These columns are organized into sortable categories. Some columns are common to all tabs. The VoIP tab, however, also has columns specific to it. Tooltips and flow tables are associated with some column items.

Common Columns and Other Information

Columns

These columns are common to all tabs.

Check Box—Allows you to select the line item for creation of filters.
NOTE: General-type applications and unknown users cannot be included in a rule.
Main Column—The title of the Main Column depends on the selected tab. For example, if the Users tab is selected, the Main Column header reads Users, and the column shows the names of the users connected to the network. Clicking an item in this column brings up a tooltip with relevant information about that item. For information on the tooltip, see Detail Tooltips.
Sessions—Displays the number of sessions associated with the item in the Main Column. Clicking this number displays a Flow Table of all the sessions. For a description of the Flow Table, see Flow Tables.
Total Packets—Displays the number of data packets transferred per item.
Total Bytes—Displays the number of bytes transferred per item.
Ave Rate (Kbps)—Displays the average rate at which data is transferred per item.
Threats—Displays the number of threats encountered by the network per item.
Totals

At the bottom of the table is a bar labeled Total: that displays the total of the items listed in each column.

Other Information

The following information is located underneath the Total bar:

up time: days Days hours:minutes:seconds – How long the appliance has been up and running.
Report Flows Mode: – The mode selected on the AppFlow > Flow Reporting page. See Settings Tab.
last update: hour:minute:second Month Day – Time and date the display was last updated.
AppFlow to collector Collector is Enabled/Disabled. To configure, go to AppFlow > Flow Reporting. – Specifies whether AppFlow is enabled and if so, to which collector. For easy configuration of the AppFlow Monitor display, a link to AppFlow > Flow Reporting is specified for configuring AppFlow.
VoIP Columns

These columns are unique to the VoIP tab:

Out of Sequence/Lost Pkts: Displays the number of packets either out of sequence or lost per item.
Avg Jitter (msec): Displays the average jitter rate, in milliseconds, per item.
Max Jitter (msec): Displays the maximum jitter rate, in milliseconds, per item.
Detail Tooltips

Each item listed in the Main Column provides a link to a Detail tooltip, which appears when an item link is clicked. The information provided by the tooltip depends on the tab. For example, clicking on an Application column item in the Applications tab displays a Signature Details tooltip, while clicking on a User column item in the Users tab displays a User Details tooltip.

Topics:
Signature Details

User Details

Initiator Details

Responder Details

Device Details

Flow Tables

Each item in the Sessions column contains a link that, when clicked, displays a Flow Table containing the following information about that session/flow:

Start Time
Last Update
Init (Initiator) MAC
Resp (Responder) MAC
Init IP
Resp IP
Proto
Init Port
Resp Port
Init Iface
Resp Iface
Init Bytes
Resp Bytes
Rate (Kbps)
Status

Pie Chart View

The Pie Chart View displays the top items and the percentage of bandwidth used by each. The percentage of bandwidth used is determined by taking the total amount of bandwidth used by the top items and then dividing that total by the number of top applications.

Flow Chart View

The Flow Chart View displays the network usage according to the Kbps used over the specified period. For each AppFlow Monitor tab, you can select:

In the drop-down menu below the chart, what the chart displays:
Most Frequent—The top entries in the AppFlow Monitor tab.
NOTE: The most frequent entries may change over time. If you select Most Frequent, you can restrict the most frequent entries to those displayed at a particular time by clicking the lock icon next to the drop-down menu.
One or more of the individual entries in the AppFlow Monitor tab.
In the Scaling field:
Auto Y-Scaling (default).
A specific number and optional unit for scaling.

Filter Options

NOTE: Filter options are available only in List view, although they affect the other views.

The AppFlow Monitor Filter Options allow you to filter incoming, real-time data. You can apply, create, and delete custom filters to customize the information displayed. The filter options apply across all the AppFlow Monitor tabs. See Creating Filters.

Filter Options

Add to Filter: Adds the current selection to the filter. At least one item must be selected to use the filter options. After doing so, all other tabs update with information pertaining to the items in the filter.
Remove from Filter: Removes all the current selections from the filter view when you click the X.
Filter Element: Indicates a filter element.
Load Filter: Loads existing filter settings.
Save: Saves the current filter settings.
Delete: Deletes the current filter settings.
Filter View: Correlates data among the tabs.

Creating Filters

Creating filters allows you to reduce the amount of data seen in the AppFlow Monitor. You can create simple or complex filters, depending on the criteria you specify. By doing so, you can focus on points of interest without distraction from other applications.

Topics:
Creating a Filter with Filter View
To create a filter using Filter View:
1
Navigate to Dashboard > AppFlow Monitor.
2
Select a tab; for example, Applications or Users.
3
Select the check box(es) of the item(s) on the tab you wish to add to the filter.
4
Click either the Filter View button or the Add to Filter button.

After entries have been added to the filter, only those entries are visible in the tab. In the other AppFlow Monitor tabs, only information associated with the filtered entries is visible.

Tabs with a filter are indicated by a button in the Filter View.

5
To further refine the filter, select another tab and repeat Step 3 and Step 4. Each tab is added to the Filter View.

Viewing Entries in Filter View

For a quick look at the items in a filter view, click on the name of the tab in the filter view. A drop-down menu appears listing all items selected in that tab.

To close the drop-down menu, click the name of the tab in the Filter View.

Saving Filter Views

You can save a filter view for future use. To save a filter view, follow these steps.

1
Click the Load Filter drop-down menu.

2
Select the blank line at the top of the list.
3
Enter a friendly, easy-to-remember name for the filter.
4
Click the Save Filter button next to the Load Filter drop-down menu.

Deleting Filter Views

You can delete all the filter views, the filter view of a tab, or just a few of the items in a particular filter view.

Ways to Delete Filter Views

All the filter views: Click the X in the Remove from Filter button.
A particular filter view: Click the X in the Filter View button for that tab.
One or more items in a filter view: Click the name of the tab to display the drop-down menu, then click the X next to each item to delete.
A saved filter: Select the filter in the Load Filter drop-down menu, then click the Delete button to the right of the Load Filter drop-down menu.

Creating a Filter with the Filter Text Field

The Dashboard > AppFlow Monitor page has a Filter text field, in which you can enter a text string to use for filtering the displayed information. Valid text strings are names such as Google, Firefox, or IP addresses.

Generating Application Visualization Report

The SonicWall Application Intelligence and Control feature allows you to maintain granular control of applications and users by creating bandwidth management policies based on local pre-defined categories, individual applications, or even users and groups. With the Application Visualization feature, you are able to view real-time graphs of applications, ingress and egress bandwidth, websites visited, and all user activity. You are able to adjust network policies based on these critical observations. The SonicWall Application Usage and Risk Analysis combines the results of these two features in a downloadable report listing the following categories:

High Risk Applications in Use
Top URL Categories in Use
Applications with the Highest Bandwidth Usage
Application Usage by Category and Technology
Top Findings of Network Characteristics
Recommendations based on the Top Findings
To generate an Application Visualization report:
1
Navigate to the Dashboard > AppFlow Monitor page.
2
Click the Send Report button from the AppFlow toolbar.

3
Click the Generate Report button to get a dynamically generated report specific to your SonicWall appliance.

NOTE: The report may take a few minutes to generate and download.

Once the report is generated, an executive summary is provided at the top of the report for a holistic overview of your network. The report contains a real-time snapshot of network traffic to guide you in implementing new bandwidth management policies.

An example SonicWall Application Usage and Risk Analysis is provided below, listing applications with the highest bandwidth usage, their application category, number of sessions, application risk level, and a detailed description of the application.

IPv6 App Flow Monitor

For complete information on the SonicOS implementation of IPv6, see About IPv6.

App Flow Monitor Visualization is configured the same in IPv6 and IPv4. Toggle the View IP Version radio buttons to change the view/configuration.

Viewing Threat Reports

Dashboard > Threat Reports

This section describes how to use the SonicWall Threat Reports feature on a SonicWall appliance.

Topics:

SonicWall Threat Reports Overview

Topics:

What Are Threat Reports?

The SonicWall Threat Reports provides reports of the latest threat protection data from a single SonicWall appliance and aggregated threat protection data from SonicWall appliances deployed globally:

Viruses Blocked
Intrusions Prevented
Spyware Blocked
Multimedia (IM/P2P) Detected/Blocked

The SonicWall Threat Reports displays automatically upon successful authentication to a SonicWall appliance, and can be viewed at any time by navigating to the Dashboard > Threat Reports page.

Each report includes a graph of threats blocked over time and a table of the top blocked threats. Reports, which are updated hourly, can be customized to display data for the last 12 hours, 14 days, 21 days, or 6 months. For easier viewing, Threat Reports can be exported to PDF with the click of a button.

Benefits

The Threat Reports provides the latest threat protection information to keep you informed about potential threats being blocked by SonicWall appliances. If you subscribe to SonicWall’s security services, including Gateway Anti-Virus, Gateway Anti-Spyware, Intrusion Prevention Service (IPS), and Content Filtering Service, you are automatically protected from the threats reported by the SonicWall Threat Reports. SonicWall’s security services include ongoing new signature updates to protect against the latest virus and spyware attacks.

How Does the Threat Reports Work?

The SonicWall Threat Reports provides global and appliance-level threat protection statistics. At the appliance level, threat protection data from your SonicWall appliance is displayed. At the global level, the SonicWall Threat Reports is updated hourly from the SonicWall backend server with aggregated threat protection data from globally-deployed SonicWall appliances. Data provided by the SonicWall backend server is cached locally for reliable delivery.

To be protected from the threats reported in the SonicWall Threat Reports, it is recommended that you purchase SonicWall security services. For more information about SonicWall security services, see SonicWall Security Services.

NOTE: The SonicWall appliance must have Internet connectivity (including connection to a DNS server) to receive the latest threat protection statistics from the SonicWall backend server, which reports aggregated data from globally deployed SonicWall appliances. If you lose connectivity, cached data from the last update will display, and the latest data will not be available until connectivity is restored.

SonicWall Threat Reports Configuration Tasks

The SonicWall Threat Reports can be configured to display:

Global or appliance-level statistics
Statistics for different time periods

You can also generate a custom PDF file.

The SonicWall Threat Reports displays automatically upon successful login to a SonicWall appliance. You can access the SonicWall Threat Reports at any time by navigating to Dashboard > Threat Reports. The introductory Dashboard > Threat Reports page, shown below, displays while the latest data is retrieved before the System > Security Dashboard page displays.

NOTE: The System > Security Dashboard page contains the Threat Reports. To display this page, you need to navigate to the Dashboard > Threat Reports page.
System > Security Dashboard Top Half

System > Security Dashboard Bottom Half

Topics:

Switching to Global or Appliance-Level View

To view SonicWall Threat Reports global reports, select the radio button next to Global in the top of the Dashboard > Threat Reports screen. To view appliance-level reports, select the radio button next to the appliance serial number.

Selecting Custom Time Interval

SonicWall Threat Reports provide an aggregate view of threats blocked during a specified time period. You can configure each report to one of four time periods. Each report can be configured to reflect a different time period.

To change a report to reflect a different time period:
1
On the System > Security Dashboard page, select the report you want to change:
Viruses Blocked
Intrusions Prevented
Spyware Blocked
Multimedia (IM/P2P) Detected/Blocked
2
In the right-hand corner of the title bar of the selected report, select one of the following options from the drop-down menu:

Last 12 Hours - Displays threat information from the last 12 hours
Last 14 Days (default) - Displays threat information from the last 14 days
Last 21 Days - Displays threat information from the last 21 days
Last 6 Months - Displays threat information from the last 6 months

Generating a Threat Reports PDF

To create a PDF version of the SonicWall Threat Reports, first select the desired view (global or appliance-level) and the desired time period for each report (the last 12 hours, 14 days, 21 days, or 6 months). Then click Download PDF at the top of the page.

Monitoring Active Users

Dashboard > User Monitor

The User Monitor tool provides a quick and easy method to monitor the number of active users on the SonicWall security appliance. To view the User Monitor tool, navigate to the Dashboard > User Monitor page.

View Style: Sets the scale of the X-axis, which displays the time duration:
Last 30 Minutes
Last 24 Hours
Last 30 Days
Vertical Axis: Sets the scale of the Y-axis, which displays the number of users. The available options reflect the number of users. For example, two different systems would have different options:

Vertical Axis Options

Few Users: 10, 100, 1000
Many Users: 800, 8000, 80000

Configure icon: Displays the Select the user types to display pop-up dialog, where you can select the types of users to be displayed, indicated by the associated color:

Remote Users via SSL VPN (yellow)
Remote Users with GVC/L2TP Client (green)
Users Authenticated by Web Login (orange)
Guest Users (purple)
Inactive Users (grey)

By default, all except Guest Users and Inactive Users are selected.

NOTE: The display can become quite large.
Refresh button: Refreshes the display.

Monitoring Individual Data Packets

Dashboard > Packet Monitor

For increased convenience and accessibility, the Packet Monitor page can be accessed either from Dashboard > Packet Monitor or System > Packet Monitor. The page is identical regardless of how it is accessed.

Topics:

Packet Monitor Overview

Topics:

What is Packet Monitor?

Packet Monitor is a mechanism that allows you to monitor individual data packets that traverse your SonicWall appliance. Packets can be either monitored or mirrored. The monitored packets contain both data and addressing information. Addressing information from the packet header includes the following:

Interface identification
MAC addresses
Ethernet type
Internet Protocol (IP) type
Source and destination IP addresses
Port numbers
L2TP payload details
PPP negotiations details

You can configure the Packet Monitor feature in the SonicOS management interface. The management interface provides a way to configure the monitor criteria, display settings, mirror settings, and file export settings, and displays the captured packets.

Benefits of Packet Monitor

The SonicOS Packet Monitor feature provides the functionality and flexibility that you need to examine network traffic without the use of external utilities, such as Wireshark (formerly known as Ethereal). Packet Monitor includes the following features:

Control mechanism with improved granularity for custom filtering (Monitor Filter)
Display filter settings independent from monitor filter settings
Packet status indicates if the packet was dropped, forwarded, generated, or consumed by the firewall
Three-window output in the management interface:
List of packets
Decoded output of selected packet
Hexadecimal dump of selected packet
Export capabilities include text or HTML format with hex dump of packets, plus CAP file format
Automatic export to FTP server when the buffer is full
Bidirectional Packet Monitor based on IP address and port
Configurable wrap-around of Packet Monitor buffer when full

How Does Packet Monitor Work?

As an administrator, you can configure the general settings, monitor filter, display filter, advanced filter settings, and FTP settings of the Packet Monitor tool. As network packets enter the Packet Monitor subsystem, the monitor filter settings are applied and the resulting packets are written to the capture buffer. The display filter settings are applied as you view the buffer contents in the management interface. You can log the capture buffer to view in the management interface, or you can configure automatic transfer to the FTP server when the buffer is full.

Default settings are provided so that you can start using Packet Monitor without configuring it first. The basic functionality is provided by buttons on the page:

Dashboard > Packet Monitor Toolbar Options

Configure: Configures Packet Capture settings, including filtering and logging.
Monitor All: Resets all current monitor filter settings and advanced page settings so that traffic on all local interfaces is monitored.
NOTE: Clicking Monitor All overwrites your current monitor filter settings and advanced page settings. A warning message is displayed that requires confirmation to continue.
Monitor Default: Resets current monitor filter settings and advanced page settings to factory default settings.
NOTE: Clicking Monitor Default overwrites your current monitor filter settings and advanced page settings with factory default settings. A warning message is displayed that requires confirmation to continue.
Clear: Clears the Packet Monitor queue and refreshes the displayed packet statistics for capture buffer, mirroring, and FTP logging to show new buffer data. A confirmation dialog box displays when you click this button.
Refresh: Displays new buffer data in the Captured Packets table. You can then click any packet in the list to display its header information and data in the Packet Detail and Hex Dump sections.
Start Capture: Begins capturing all packets except those used for communication between the SonicWall appliance and the management interface on your console system.
Stop Capture: Stops the packet capture.
Start Mirror: Begins mirroring packets.
Stop Mirror: Stops mirroring packets.
Log to FTP server: Transfers the capture file to the FTP server when the buffer is full.
NOTE: A valid FTP server IP address must have been entered on the Logging tab of the Packet Monitor Configuration window. See Configuring Logging Settings.
Export As: Displays or saves a snapshot of the current buffer in the file format that you select from the drop-down list. Saved files are placed on your local management system (where the management interface is running). Choose from the following formats:
Libpcap - View the data with the Wireshark (formerly Ethereal) network protocol analyzer. This is also known as libpcap or pcap format. A dialog box allows you to open the buffer file with Wireshark, or save it to your local hard drive with the extension .pcap.
Html - View the data with a browser. You can use File > Save As to save a copy of the buffer to your hard drive.
Text - View the data in a text editor. A dialog box allows you to open the buffer file with the registered text editor, or save it to your local hard drive with the extension .wri.
App Data - View only the application data contained in each packet. Packets containing no application data are skipped during the capture. Application data equals the captured packet minus its L2, L3, and L4 headers.
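As an added example (not SonicOS code and not from this guide), the following Python script applies the App Data definition above to a Libpcap export: it parses the pcap container, strips the L2 (Ethernet, plus an 802.1Q tag if present), L3 (IPv4) and L4 (TCP or UDP) headers from each frame, and skips frames that carry no application data. The sample capture, addresses and helper names are constructed for the example.

```python
import struct

# Protocol constants (standard values; named here for readability).
ETH_P_IP = 0x0800
ETH_P_8021Q = 0x8100
IPPROTO_TCP = 6
IPPROTO_UDP = 17
DLT_EN10MB = 1


def app_data(frame):
    """Return the App Data of an Ethernet/IPv4 frame: the bytes left after the
    L2, L3 and L4 headers are removed. Returns None if nothing remains or the
    frame is not IPv4 over TCP/UDP (the export skips such packets)."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    l3 = 14
    if ethertype == ETH_P_8021Q:                 # VLAN tag adds 4 bytes to L2
        if len(frame) < 18:
            return None
        ethertype = struct.unpack("!H", frame[16:18])[0]
        l3 = 18
    if ethertype != ETH_P_IP or len(frame) < l3 + 20:
        return None
    ver_ihl = frame[l3]
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4                   # IPv4 header length in bytes
    total_len = struct.unpack("!H", frame[l3 + 2:l3 + 4])[0]
    proto = frame[l3 + 9]
    l4 = l3 + ihl
    ip_end = min(l3 + total_len, len(frame))     # drop Ethernet padding/trailer
    if proto == IPPROTO_TCP:
        if len(frame) < l4 + 20:
            return None
        payload_start = l4 + (frame[l4 + 12] >> 4) * 4   # TCP data offset
    elif proto == IPPROTO_UDP:
        payload_start = l4 + 8
    else:
        return None
    payload = frame[payload_start:ip_end]
    return payload if payload else None


def iter_pcap_frames(data):
    """Yield (timestamp_seconds, frame_bytes) from a libpcap byte string."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:                    # file written big-endian
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != DLT_EN10MB:
        raise ValueError("only Ethernet captures are handled")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield ts_sec, data[offset:offset + incl_len]
        offset += incl_len


def extract_app_data(pcap_bytes):
    """Apply the App Data rule to every frame, skipping frames without payload."""
    result = []
    for ts_sec, frame in iter_pcap_frames(pcap_bytes):
        payload = app_data(frame)
        if payload is not None:
            result.append((ts_sec, payload))
    return result


# --- Constructed sample capture (not a real SonicWall export) ---
def _ipv4(proto, segment):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0x4000,
                      64, proto, 0, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
    return hdr + segment                         # checksum left zero; not parsed


def _eth(ip_packet, vlan=None):
    macs = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan is None:
        return macs + struct.pack("!H", ETH_P_IP) + ip_packet
    return macs + struct.pack("!HHH", ETH_P_8021Q, vlan, ETH_P_IP) + ip_packet


def _tcp(flags, payload=b""):
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload


DNS_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"
HTTP_GET = b"GET / HTTP/1.1\r\n\r\n"
FRAMES = [
    _eth(_ipv4(IPPROTO_TCP, _tcp(0x02))),                           # SYN: no App Data
    _eth(_ipv4(IPPROTO_UDP, struct.pack("!HHHH", 53001, 53, 8 + len(DNS_QUERY), 0) + DNS_QUERY)),
    _eth(_ipv4(IPPROTO_TCP, _tcp(0x18, HTTP_GET)), vlan=100),       # VLAN-tagged PSH/ACK
]
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
for _i, _f in enumerate(FRAMES):
    SAMPLE_PCAP += struct.pack("<IIII", 1700000000 + _i, 0, len(_f), len(_f)) + _f

if __name__ == "__main__":
    for ts, payload in extract_app_data(SAMPLE_PCAP):
        print(ts, payload[:16])
```

Only the two frames carrying a payload (the DNS query and the VLAN-tagged HTTP request) are returned; the bare SYN is skipped, matching the export's behaviour.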

Refer to the figure below to see a high-level view of the Packet Monitor subsystem. This shows the different filters and how they are applied.

Packet Monitor subsystem: High-level view

What is Packet Mirror?

Packet mirroring is the process of sending a copy of packets seen on one interface to another interface or to a remote SonicWall appliance.

There are two aspects of mirroring:

Classification – Refers to identifying a selected set of packets to be mirrored. Incoming and outgoing packets to and from an interface are matched against a filter. If matched, the mirror action is applied.
Action – Refers to sending a copy of the selected packets to a port or a remote destination. Packets matching a classification filter are sent to one of the mirror destinations. A particular mirror destination is part of the action identifier.

Supported Platforms for Packet Mirror

On all SonicWall NSA Series appliances running SonicOS 5.6 or higher, packet mirroring is fully supported.

On SonicWall TZ Series appliances running SonicOS 5.6 or higher, packet mirroring is partially supported, as follows:

Local mirroring is not supported.
Remote mirroring is supported for both sending and receiving mirrored packets.

How Does Packet Mirror Work?

Every classification filter is associated with an action identifier. Up to two action identifiers can be defined, supporting two mirror destinations (a physical port on the same firewall and/or a remote SonicWall firewall). The action identifiers determine how a packet is mirrored. The following types of action identifiers are supported:

Send a copy to a physical port.
Encapsulate the packet and send it to a remote SonicWall appliance.
Send a copy to a physical port with a VLAN configured.

Classification is specified on the Monitor Filter and Advanced Monitor Filter tabs of the Packet Monitor Configuration window.

A local SonicWall firewall can be configured to receive remotely mirrored traffic from a remote SonicWall firewall. At the local firewall, received mirrored traffic can either be saved in the capture buffer or sent to another local interface. This is configured in the Remote Mirror Settings (Receiver) section on the Mirror tab of the Packet Monitor Configuration window.

SonicOS 5.6 and higher supports the following packet mirroring options:

Mirror packets to a specified interface (Local Mirroring).
Mirror only selected traffic.
Mirror SSL decrypted traffic.
Mirror complete packets including Layer 2 and Layer 3 headers as well as the payload.
Mirror packets to a remote SonicWall network security appliance (Remote Mirroring Tx).
Receive mirrored packets from a remote SonicWall appliance (Remote Mirroring Rx).

Configuring Packet Monitor

You can access the Packet Monitor tool on the Dashboard > Packet Monitor page of the SonicOS management interface. There are six main areas of configuration for Packet Monitor, one of which is specifically for packet mirror. The following sections describe the configuration options, and provide procedures for accessing and configuring the filter settings, log settings, and mirror settings:

NOTE: Clicking the Default button on the Packet Monitor Configuration window will erase all current Packet Monitor configuration settings to factory default values.

Configuring General Settings

This section describes how to configure Packet Monitor general settings, including the number of bytes to capture per packet and the buffer wrap option. You can specify the number of bytes using either decimal or hexadecimal, with a minimum value of 64. The buffer wrap option enables the packet capture to continue even when the buffer becomes full, by overwriting the buffer from the beginning.

To configure the general settings:
1
Navigate to the Dashboard > Packet Monitor page.
2
Click the Configure button. The Packet Monitor Configuration dialog displays.

3
Under General Settings, in the Number of Bytes To Capture (per packet) field, type the number of bytes to capture from each packet. The minimum value is 64, which is the default value. This value can be entered as a hexadecimal value.
4
To continue capturing packets after the buffer fills up, select the Wrap Capture Buffer Once Full check box. Selecting this option will cause the packet capture buffer to wrap once full, that is, to start writing captured packets at the beginning of the buffer again after the buffer fills.
NOTE: This option has no effect if FTP server logging is enabled on the Logging tab, because the buffer is automatically wrapped when FTP logging is enabled.
5
Under Exclude Filter, select the Exclude encrypted GMS traffic check box to prevent capturing or mirroring of encrypted management or syslog traffic to or from SonicWall GMS. This setting only affects encrypted packets within a configured primary or secondary GMS tunnel. GMS management traffic is not excluded if it is sent via a separate tunnel.
6
Use the Exclude Management Traffic settings to prevent capturing or mirroring of management traffic to the appliance. Select one or more check boxes for each type of traffic to exclude:
HTTP/HTTPS
SNMP
SSH
NOTE: If management traffic is sent via a tunnel, the packets are not excluded.
7
Use the Exclude Syslog Traffic to settings to prevent capturing or mirroring of syslog traffic to the logging servers. Select the check box for either or both types of server to exclude:
Syslog Servers
GMS Server
NOTE: If syslog traffic is sent via a tunnel, the packets are not excluded.
8
Use the Exclude Internal Traffic for settings to prevent capturing or mirroring of internal traffic between the SonicWall appliance and its High Availability partner or a connected SonicPoint. Select the check box for each type of traffic to exclude:
HA
SonicPoint
9
To save your settings and exit the configuration window, click OK.

Configuring Monitoring Based on Firewall Rules

The Packet Monitor and Flow Reporting features allow traffic to be monitored based on firewall rules for specific inbound or outbound traffic flows. This feature set is enabled by choosing to monitor flows in the Firewall > Access Rules area of the SonicOS management interface.

To configure monitoring based on firewall rules:
1
Navigate to the Firewall > Access Rules page.
2
Click the Configure icon for the rule(s) on which you wish to enable Packet Monitoring or Flow Reporting. The Edit Rule dialog displays.

3
Select the Enable packet monitor check box to send Packet Monitoring statistics for this rule.
4
Click the OK button to save your changes.
* 
NOTE: Further monitor filter settings are required on the Dashboard > Packet Monitor page to enable monitoring based on firewall rules.

Configuring Monitor Filter Settings

All filters set on this page are applied to both packet capture and packet mirroring.

To configure Monitor Filter settings:
1
Navigate to the Dashboard > Packet Monitor page.
2
Click Configure. The Packet Monitor Configuration dialog displays.
3
Click the Monitor Filter tab.

4
Choose to Enable filter based on the firewall rule if you are using firewall rules to capture specific traffic. When this option is selected, only packets that match the firewall rule will be monitored.
* 
NOTE: Before the Enable filter based on the firewall rule option is selected, be certain you have selected one or more access rules on which to monitor packet traffic. This configuration is done from the Firewall > Access Rules page of the SonicOS management interface.
5
Specify how Packet Monitor will filter packets using these options:
* 
NOTE: In the following options, you can specify negative values by prefixing the value with an exclamation point (!).
Interface Name(s) - Specify the name of the interface on which packet capture will be performed. You can specify up to ten interfaces separated by commas. Interface names should be the same as those displayed on the Network > Interfaces page; for example:
For NSA series: X0, X1, X2:V100.
For TZ series: wlan, wwan, modem, opt, wan, lan.

You can use a negative value to configure all interfaces except the one(s) specified; for example: !X0, or !LAN.

Ether Type(s) - Specify the name of the Ethernet type on which filtering of the captured packets will be performed. You can specify up to ten Ethernet types separated by commas. Currently, the following Ethernet types are supported:
ARP
IP (default)
IPv6
PPPoE-SES
PPPoE-DIS

The latter two can be specified as just PPPoE.

This option is not case-sensitive. For example, to capture all supported types, you could enter: ARP, IP, IPv6, PPPOE.

You can use one or more negative values to capture all Ethernet types except those specified; for example: !ARP, !PPPoE.

You can also use hexadecimal values to represent the Ethernet types, or mix hex values with the standard representations; for example: ARP, 0x800, IP. Normally, you would only use hex values for Ethernet types that are not supported by acronym in SonicOS. See Supported Packet Types.

IP Type(s) - Specify the name of the IP packet type on which packet capture will be performed. You can specify up to ten IP types separated by commas. The following IP types are supported:
TCP (default)
UDP
ICMP
ICMPV6
GRE
IGMP
AH
ESP
6TO4

This option is not case-sensitive.

You can use one or more negative values to capture all IP types except those specified; for example: !TCP, !UDP.

You can also use hexadecimal values to represent the IP types, or mix hex values with the standard representations; for example: TCP, 0x1, 0x6. See Supported Packet Types.

Source IP Address(es) - Specify the source IP address on which packet capture will be performed. You can specify up to ten IP addresses separated by commas; for example: 10.1.1.1, 192.2.2.2, 2001::1, 2002::1. You can use one or more negative values to capture packets from all but the specified addresses; for example: !10.3.3.3, !10.4.4.4, !2001::1.
Source Port(s) - Specify the source Port Address on which packet capture will be performed. You can specify up to ten TCP and/or UDP port numbers separated by commas; for example: 20,21,22,25. You can use one or more negative values to capture packets from all but the specified ports; for example: !80,!8080.
Destination IP Address(es) - Specify the destination IP address on which packet capture will be performed. You can specify up to ten IP addresses separated by commas; for example: 10.1.1.1, 192.2.2.2, 2001::1, 2002::1. You can use one or more negative values to capture packets destined for all but the specified addresses; for example: !10.3.3.3, !10.4.4.4, !2001::1.
Destination Port(s) - Specify the destination Port Address on which packet capture will be performed. You can specify up to ten TCP and/or UDP port numbers separated by commas; for example: 20, 21, 22, 25. You can use one or more negative values to capture packets destined for all but the specified ports; for example: !80, !8080. Default ports are 25,10025.
Enable Bidirectional Address and Port Matching - Select this option to have IP addresses and ports specified in the Source or Destination fields on this page matched against both the source and destination address and port fields in each packet. This option is enabled by default.
* 
NOTE: By default, the following options are not selected. Leave them unselected for normal operation. Normally, all types of packets are captured. If one or more of the following options are selected, only those types of packets will be monitored.
Forwarded packets only - Select this option to monitor only packets that are forwarded by the firewall.
Consumed packets only - Select this option to monitor only packets that are consumed by internal sources within the firewall.
Dropped packets only - Select this option to monitor only packets that are dropped at the perimeter.
6
To save your settings and exit the configuration dialog, click OK.

Configuring Display Filter Settings

This section describes how to configure Packet Monitor display filter settings. The values that you provide here are compared to corresponding fields in the captured packets, and only those packets that match are displayed. These settings apply only to the display of captured packets on the management interface and do not affect packet mirroring.

* 
NOTE: If a field is left blank, no filtering is done on that field. Packets are displayed without regard to the value contained in that field of their headers.
To configure Packet Monitor display filter settings:
1
Navigate to the Dashboard > Packet Monitor page.
2
Click Configure. The Packet Monitor Configuration dialog displays.
3
Click the Display Filter tab.

* 
NOTE: In the following options, you can specify negative values by prefixing the value with an exclamation point (!).
In the Interface Name(s) field, type the name of the SonicWall appliance interface(s) for which to display packets. You can specify up to ten interfaces separated by commas. Interface names should be the same as those displayed on the Network > Interfaces page; for example:
For NSA series: X0, X1, X2:V100.
For TZ series or SOHO: wlan, wwan, modem, opt, wan, lan.

You can use a negative value to configure all interfaces except the one(s) specified; for example: !X0, or !LAN.

4
In the Ether Type(s) field, enter the Ethernet type(s) for which you want to display packets. You can specify up to ten Ethernet types separated by commas. Currently, the following Ethernet types are supported:
ARP
IP
IPv6
PPPoE-SES
PPPoE-DIS

The latter two can be specified as just PPPoE.

This option is not case-sensitive. For example, to display all supported types, you could enter: ARP, IP, IPv6, PPPOE.

You can use one or more negative values to display all Ethernet types except those specified; for example: !ARP, !PPPoE.

You can also use hexadecimal values to represent the Ethernet types, or mix hex values with the standard representations; for example: ARP, 0x800, IP. Normally, you would only use hex values for Ethernet types that are not supported by acronym in SonicOS. See Supported Packet Types.

5
In the IP Type(s) field, enter the IP packet types for which you want to display packets. To display all IP types, leave this field blank.

You can specify up to ten IP types separated by commas. The following IP types are supported:

TCP (default)
UDP
ICMP
ICMPV6
GRE
IGMP
AH
ESP
6TO4

This option is not case-sensitive.

You can use one or more negative values to display all IP types except those specified; for example: !TCP, !UDP.

You can also use hexadecimal values to represent the IP types, or mix hex values with the standard representations; for example: TCP, 0x1, 0x6. See Supported Packet Types.

6
In the Source IP Address(es) field, type the IP addresses from which you want to display packets. You can specify up to ten IP addresses separated by commas; for example: 10.1.1.1, 192.2.2.2, 2001::1, 2002::1. You can use one or more negative values to display packets from all but the specified addresses; for example: !10.3.3.3, !10.4.4.4, !2001::1.
7
In the Source Port(s) field, type the port numbers from which you want to display packets. You can specify up to ten TCP and/or UDP port numbers separated by commas; for example: 20,21,22,25. You can use one or more negative values to display packets from all but the specified ports; for example: !80,!8080.
8
In the Destination IP Address(es) field, type the IP addresses for which you want to display packets. You can specify up to ten IP addresses separated by commas; for example: 10.1.1.1, 192.2.2.2, 2001::1, 2002::1. You can use one or more negative values to display packets destined for all but the specified addresses; for example: !10.3.3.3, !10.4.4.4, !2001::1.
9
In the Destination Port(s) field, type the port numbers for which you want to display packets. You can specify up to ten TCP and/or UDP port numbers separated by commas; for example: 20, 21, 22, 25. You can use one or more negative values to display packets destined for all but the specified ports; for example: !80, !8080. Default ports are 25,10025.
10
To match the values in the source and destination fields against either the source or destination information in each captured packet, select the Enable Bidirectional Address and Port Matching check box. This option is selected by default.
11
To display captured packets that the SonicWall appliance forwarded, select the Forwarded check box. This option is selected by default.
12
To display captured packets that the SonicWall appliance generated, select the Generated check box. This option is selected by default.
13
To display captured packets that the SonicWall appliance consumed, select the Consumed check box. This option is selected by default.
14
To display captured packets that the SonicWall appliance dropped, select the Dropped check box. This option is selected by default.
15
To save your settings and exit the configuration window, click OK.
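
The field syntax shared by the Monitor Filter and Display Filter tabs above (comma-separated lists of up to ten entries, case-insensitive acronyms or hex values, ! negation, and Enable Bidirectional Address and Port Matching), modelled in Python as an added example; this is not SonicOS code. The guide does not say how a list that mixes positive and negated entries is resolved, or how IP-layer fields apply to a non-IP frame, so the code's handling of both is an assumption.

```python
"""Model of the filter field syntax shared by the Monitor Filter and Display
Filter tabs: comma-separated lists of up to ten entries, case-insensitive
acronyms or hex values, '!' negation, and Enable Bidirectional Address and
Port Matching.  Added illustration, not SonicOS code; the assumptions it
makes are noted in _rule_matches()."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IANA numbers behind the acronyms the guide lists (PPPoE stands for both types).
ETHER_TYPES = {"ARP": 0x0806, "IP": 0x0800, "IPV6": 0x86DD,
               "PPPOE-DIS": 0x8863, "PPPOE-SES": 0x8864}
IP_TYPES = {"TCP": 6, "UDP": 17, "ICMP": 1, "ICMPV6": 58, "GRE": 47,
            "IGMP": 2, "AH": 51, "ESP": 50, "6TO4": 41}
MAX_ENTRIES = 10
# Field name on the tab -> how its entries are normalised.
FIELD_KINDS = {"ifaces": "iface", "ether": "ether", "ip": "ip",
               "src_addr": "addr", "dst_addr": "addr",
               "src_port": "port", "dst_port": "port"}


def _normalise(entry: str, kind: str) -> set:
    """Canonical value(s) one entry stands for."""
    key = entry.upper()
    if kind == "ether":
        if key == "PPPOE":                      # shorthand for PPPoE-DIS and PPPoE-SES
            return {ETHER_TYPES["PPPOE-DIS"], ETHER_TYPES["PPPOE-SES"]}
        return {ETHER_TYPES[key]} if key in ETHER_TYPES else {int(key, 16)}
    if kind == "ip":
        return {IP_TYPES[key]} if key in IP_TYPES else {int(key, 16)}
    if kind == "port":
        return {int(key)}
    if kind == "addr":                          # so 2001:0::1 and 2001::1 compare equal
        return {ipaddress.ip_address(entry).compressed}
    return {key}                                # interface names such as X0 or X2:V100


def parse_field(text: str, kind: str) -> tuple:
    """Parse one field into (positive, negated) sets; a blank field filters nothing.
    More than ten entries, or an unknown acronym/hex value, raises ValueError."""
    entries = [e.strip() for e in text.split(",") if e.strip()]
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"at most {MAX_ENTRIES} entries allowed, got {len(entries)}")
    positive, negated = set(), set()
    for entry in entries:
        target = positive
        if entry.startswith("!"):
            target, entry = negated, entry[1:].strip()
        target |= _normalise(entry, kind)
    return positive, negated


def _rule_matches(rule: tuple, values: set) -> bool:
    """Apply one parsed field to the packet values it inspects.  Assumptions the
    guide does not state: a field whose layer the packet lacks (ports on an ARP
    frame) does not reject it; with mixed entries the packet must match some
    positive entry and no negated entry."""
    positive, negated = rule
    if not values:
        return True
    if positive and not (positive & values):
        return False
    return not (negated & values)


@dataclass
class Packet:
    """Header fields of one captured packet; None where a layer is absent."""
    iface: str
    ether_type: int
    ip_type: Optional[int] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None


def build_filter(**fields) -> dict:
    """Parse the tab's text fields (keys as in FIELD_KINDS; omitted = blank)."""
    return {name: parse_field(fields.get(name, ""), kind)
            for name, kind in FIELD_KINDS.items()}


def matches(rules: dict, pkt: Packet, bidirectional: bool = True) -> bool:
    """True when every configured field accepts the packet."""
    def present(*xs):
        return {x for x in xs if x is not None}
    addrs = {"src_addr": {ipaddress.ip_address(a).compressed for a in present(pkt.src)},
             "dst_addr": {ipaddress.ip_address(a).compressed for a in present(pkt.dst)}}
    ports = {"src_port": present(pkt.sport), "dst_port": present(pkt.dport)}
    if bidirectional:                           # either direction may satisfy a field
        addrs = dict.fromkeys(addrs, addrs["src_addr"] | addrs["dst_addr"])
        ports = dict.fromkeys(ports, ports["src_port"] | ports["dst_port"])
    values = {"ifaces": {pkt.iface.upper()}, "ether": {pkt.ether_type},
              "ip": present(pkt.ip_type), **addrs, **ports}
    return all(_rule_matches(rules[name], values[name]) for name in FIELD_KINDS)
```

With the guide's own field values (ifaces "!X0", ether "ARP, IP", ip "TCP", dst_port "25,10025"), an SMTP reply arriving on X1 with source port 25 matches only while bidirectional matching is on.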

Configuring Logging Settings

This section describes how to configure Packet Monitor logging settings. These settings provide a way to configure automatic logging of the capture buffer to an external FTP server. When the buffer fills up, the packets are transferred to the FTP server. The capture continues without interruption.

If you configure automatic FTP logging, this supersedes the setting for wrapping the buffer when full. With automatic FTP logging, the capture buffer is effectively wrapped when full, but you also retain all the data rather than overwriting it each time the buffer wraps.

To configure logging settings:
1
Navigate to the Dashboard > Packet Monitor page.
2
Click Configure. The Packet Monitor Configuration dialog displays.
3
Click the Logging tab.

4
In the FTP Server IP Address field, type the IP address of the FTP server where captured packets are to be logged.
 
* 
NOTE: Make sure that the FTP server IP address is reachable by the SonicWall appliance. An IP address that is reachable only via a VPN tunnel is not supported.
5
In the Login ID field, type the login name the SonicWall appliance will use to connect to the FTP server.
6
In the Password field, type the password the SonicWall appliance will use to connect to the FTP server.
7
In the Directory Path field, type the directory location for the captured files. The SonicWall appliance will copy the captured log files to this location relative to the default FTP root directory.

For libcap format, files are named packet-log--<>.cap, where the <> contains a run number and date, including hour, month, day, and year. For example:

packet-log--3-22-08292006.cap

For HTML format, file names are in the form packet-log_h-<>.html. For example:

packet-log_h-3-22-08292006.html

8
To enable automatic logging of the capture file to a remote FTP server, select the Log To FTP Server Automatically check box. Files are transferred in both libcap (packet-log--<>.cap) and HTML format (packet-log_t-<>.html).
 
* 
NOTE: An FTP server IP address must be specified.
9
To enable logging of the file in HTML format as well as libcap format, select the Log HTML File Along With .cap File (FTP) check box.
10
To test the connection to the FTP server and log the capture buffer contents to it, click Log Now. In this case, the file name will contain an F. For example,

packet-log-F-3-22-08292006.cap

packet-log_h-F-3-22-08292006.html

11
To save your settings and exit the configuration window, click OK.
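
An added example (not SonicOS code) that parses the FTP capture file names described in steps 7 and 10 and sorts a directory listing into capture order. The field order run number, hour, MMDDYYYY is read from the guide's example names and is an assumption, and the sample listing is constructed.

```python
"""Parser for the capture file names Packet Monitor writes to the FTP server.
Added illustration, not SonicOS code.  The guide's examples are read as
packet-log[_h|_t]-[F-][-]<run>-<hour>-<MMDDYYYY>.<cap|html>, where F marks a
file written by Log Now; that field order is inferred from the examples and
is an assumption.  sort_capture_files() puts an FTP listing in capture order."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

_NAME = re.compile(
    r"^packet-log(?P<fmt>_[ht])?-(?:(?P<manual>F)-|-)?"
    r"(?P<run>\d+)-(?P<hour>\d{1,2})-"
    r"(?P<month>\d{2})(?P<day>\d{2})(?P<year>\d{4})\.(?P<ext>cap|html)$")


@dataclass(frozen=True)
class CaptureFile:
    name: str
    run: int                  # run number of the buffer within that hour
    captured_at: datetime     # hour-resolution timestamp taken from the name
    manual: bool              # True for files produced by Log Now
    ext: str                  # "cap" (libpcap) or "html"


def parse_capture_filename(name: str) -> Optional[CaptureFile]:
    """Fields encoded in a Packet Monitor file name, or None if it is not one.
    A name whose date or hour is impossible (for example 02302006) is rejected."""
    m = _NAME.match(name)
    if not m:
        return None
    try:
        stamp = datetime(int(m["year"]), int(m["month"]), int(m["day"]),
                         int(m["hour"]))
    except ValueError:
        return None
    return CaptureFile(name, int(m["run"]), stamp, m["manual"] == "F", m["ext"])


def sort_capture_files(names: List[str]) -> List[CaptureFile]:
    """Names that parse, ordered by hour, then run number, then format."""
    files = [f for f in map(parse_capture_filename, names) if f is not None]
    return sorted(files, key=lambda f: (f.captured_at, f.run, f.ext, f.name))


# Constructed FTP directory listing modelled on the guide's example names.
SAMPLE_LISTING = [
    "packet-log--3-22-08292006.cap",
    "packet-log_h-3-22-08292006.html",
    "packet-log-F-3-22-08292006.cap",
    "packet-log--1-23-08292006.cap",
    "packet-log--2-22-08292006.cap",
    "README.txt",
]
```
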

Restarting FTP Logging

If automatic FTP logging is off, either because of a failed connection or because it was disabled, you can restart it in the Logging tab of the Configure window.

1
Navigate to the Dashboard > Packet Monitor page.
2
Click Configure. The Packet Monitor Configuration dialog displays.
3
Click the Logging tab.
4
Verify that the settings are correct for each item on the page. See Configuring Logging Settings.
5
To change the FTP logging status on the main Packet Monitor page to active, select the Log To FTP Server Automatically check box.
6
To save your settings and exit the configuration dialog, click OK.

Configuring Advanced Monitor Filter Settings

This section describes how to configure monitoring for packets generated by the SonicWall appliance and for intermediate traffic.

1
Navigate to the Dashboard > Packet Monitor page.
2
Click Configure. The Packet Monitor Configuration dialog displays.
3
Click the Advanced Monitor Filter tab.

* 
NOTE: By default, none of the options on the Advanced Monitor Filter tab are enabled.
4
To monitor packets generated by the SonicWall appliance in the capture, select the Monitor Firewall Generated Packets check box.

Even when other monitor filters do not match, this option ensures that packets generated by the SonicWall appliance are captured. Also included are packets generated by HTTP(S), L2TP, DHCP servers, PPP, PPPOE, and routing protocols. These captured packets are marked with s in the incoming interface section of the captured packets list window when they are from the system stack. Otherwise, the incoming interface is not specified.

5
To monitor intermediate packets generated by the SonicWall appliance as a result of various policies, select the Monitor Intermediate Packets check box.
* 
NOTE: These intermediate packets include packets generated as a result of fragmentation or reassembly, intermediate encrypted packets, IP helper-generated packets, and replicated multicast packets.

Selecting this check box activates, but does not select, the subsequent check boxes for monitoring specific types of intermediate traffic. You need to select the types of intermediate traffic to be monitored.

6
Select the check box for any or all of the following options to monitor that type of intermediate traffic:
* 
NOTE: Monitor filters are still applied to all selected intermediate traffic types.
Monitor intermediate multicast traffic – Capture or mirror replicated multicast traffic.
Monitor intermediate IP helper traffic – Capture or mirror replicated IP Helper packets.
Monitor intermediate reassembled traffic – Capture or mirror reassembled IP packets.
Monitor intermediate fragmented traffic – Capture or mirror packets fragmented by the firewall.
Monitor intermediate remote mirrored traffic – Capture or mirror remote mirrored packets after de-encapsulation.
Monitor intermediate IPsec traffic – Capture or mirror IPsec packets after encryption and decryption.
Monitor intermediate SSL decrypted traffic – Capture or mirror decrypted SSL packets.
* 
NOTE: SSL-decrypted traffic will be fed to the Packet Monitor, and certain IP and TCP header fields may not be accurate in the monitored packets. IP and TCP checksums are not calculated on the decrypted packets, and TCP port numbers are remapped to port 80.

DPI-SSL must be enabled to decrypt the packets along with any of the security services to be applied to such packets.

Monitor intermediate decrypted LDAP over TLS packets – Capture or mirror decrypted LDAPS (LDAP over TLS) packets. Decrypted LDAPS packets will be fed to the Packet Monitor.

The packets are marked with ldp in the ingress/egress interface fields and will have dummy Ethernet, IP, and TCP headers with some inaccurate fields. Also, the LDAP server port is set to 389 so that an external capture analysis program will know to decode it as LDAP. Passwords in captured LDAP bind requests will be obfuscated.

Monitor intermediate decrypted Single Sign On agent messages – Capture or mirror decrypted messages to or from the SSO authentication agent. When this option is enabled, decrypted SSO packets will be fed to the Packet Monitor.

These packets are marked with sso in the ingress/egress interface fields and will have dummy Ethernet, IP, and UDP headers with some inaccurate fields.

7
To save your settings and exit the configuration window, click OK.

Configuring Mirror Settings

This section describes how to configure Packet Monitor mirror settings. Mirror settings provide a way to send packets to a different physical port of the same firewall or to send packets to, or receive them from, a remote SonicWall firewall.

To configure mirror settings:
1
Navigate to the Dashboard > Packet Monitor page.
2
Click the Configure button. The Packet Monitor Configuration dialog displays.

3
Click the Mirror tab.

4
In the Mirror Settings section, type the desired maximum mirror rate into the Maximum mirror rate (in kilobits per second) field. If this rate is exceeded during mirroring, the excess packets will not be mirrored and will be counted as skipped packets. This rate applies to both local and remote mirroring. The default and minimum value is 100 kbps, and the maximum is 1 Gbps.
5
Select the Mirror only IP packets check box to prevent mirroring of other Ether type packets, such as ARP or PPPoE. If selected, this option overrides any non-IP Ether types selected on the Monitor Filter tab.
6
In the Local Mirror Settings section, select the destination interface for locally mirrored packets from the Send received remote mirrored packets to Interface (NSA platforms only) drop-down menu.
7
In the Remote Mirror Settings (Sender) section, in the Mirror filtered packets to remote SonicWall firewall (IP Address) field, type the IP address of the remote SonicWall to which all mirrored packets will be sent. Packets will be encapsulated and sent to the specified remote device.
* 
NOTE: The remote SonicWall must be configured to receive the mirrored packets.
8
The Encrypt remote mirrored packets via IPSec (preshared key-IKE) field is used to encrypt mirrored traffic when sending mirrored packets to the remote SonicWall.
* 
NOTE: The Encrypt remote mirrored packets via IPSec (preshared key-IKE) option is not available at this time.
9
In the Remote Mirror Settings (Receiver) section, in the Receive mirrored packets from remote SonicWall firewall (IP Address) field, type the IP address of the remote SonicWall from which mirrored packets will be received. Packets will be decapsulated and sent either to a local buffer or out of another interface as specified in the options below.
* 
NOTE: The remote SonicWall must be configured to send the mirrored packets.
10
The Decrypt remote mirrored packets via IPSec (preshared key-IKE) field is used to decrypt traffic when receiving mirrored packets from the remote SonicWall.
* 
NOTE: The Decrypt remote mirrored packets via IPSec (preshared key-IKE) option is not available at this time.
11
To mirror received packets to another interface on the local SonicWall, select the interface from the Send received remote mirrored packets to Interface (NSA platforms only) drop-down menu.
12
To save received packets in the local capture buffer, select the Send received remote mirrored packets to capture buffer check box. This option is independent of sending received packets to another interface, and both can be enabled if desired.
13
To save your settings and exit the configuration window, click OK.

Using Packet Monitor and Packet Mirror

The top of the Dashboard > Packet Monitor page provides several buttons for general control of the Packet Monitor feature and display. For a description of these buttons, see the table in How Does Packet Monitor Work?.

For an explanation of the status indicators near the top of the page, see Understanding Status Indicators.

The other buttons and displays on this page are described in the following sections:

Starting and Stopping Packet Capture

You can start a packet capture that uses default settings without configuring specific criteria for packet capture, display, FTP export, and other settings. If you start a default packet capture, the SonicWall appliance will capture all packets except those for internal communication, and will stop when the buffer is full or when you click Stop Capture.

1
Navigate to the Dashboard > Packet Monitor page.

2
Optionally, click Clear to reset the statistics to zero.
3
In the Packet Monitor section, click Start Capture.
4
To refresh the packet display windows to show new buffer data, click Refresh.
5
To stop the packet capture, click Stop Capture.

You can view the captured packets in the Captured Packets, Packet Detail, and Hex Dump sections of the Packet Monitor page. See Viewing Captured Packets.

Starting and Stopping Packet Mirror

You can start packet mirroring that uses your configured mirror settings by clicking Start Mirror. It is not necessary to first configure specific criteria for display, logging, FTP export, and other settings. Packet mirroring stops when you click Stop Mirror.

1
Navigate to the Dashboard > Packet Monitor page.

2
In the Packet Monitor section, click Start Mirror to start mirroring packets according to your configured settings.
3
To stop mirroring packets, click Stop Mirror.

Viewing Captured Packets

The Dashboard > Packet Monitor page provides three sections to display different views of captured packets.

About the Captured Packets Section

The Captured Packets section displays the following statistics about each packet:

# - The packet number relative to the start of the capture.
Time - The date and time that the packet was captured.
Ingress - The SonicWall appliance interface on which the packet arrived is marked with an asterisk (*). The subsystem type abbreviation is shown in parentheses:
 

Ingress Subsystem Type Abbreviations
i - Interface
hc - Hardware based encryption or decryption
sc - Software based encryption or decryption
m - Multicast
r - Packet reassembly
s - System stack
ip - IP helper
f - Fragmentation

Egress - The SonicWall appliance interface on which the packet was captured when sent out. The subsystem type abbreviation is shown in parentheses. See the table above for definitions of subsystem type abbreviations.
Source IP - The source IP address of the packet.
Destination IP - The destination IP address of the packet.
Ether Type - The Ethernet type of the packet from its Ethernet header.
Packet Type - The type of the packet, depending on the Ethernet type; for example:
IP packets: the packet type might be TCP, UDP, or another protocol that runs over IP.
PPPoE packets: the packet type might be PPPoE Discovery or PPPoE Session.
ARP packets: the packet type might be Request or Reply.
Ports [Src,Dst] - The source and destination TCP or UDP ports of the packet.
Status - The status field for the packet.

The status field shows the state of the packet with respect to the firewall. A packet can be dropped, generated, consumed or forwarded by the SonicWall appliance. You can position the mouse pointer over dropped or consumed packets to show the following information.

 

Status Details
Dropped:
Module-ID = <integer> - Value for the protocol subsystem ID
Drop-code = <integer> - Reason for dropping the packet
Reference-ID: <code> - SonicWall-specific data
Consumed:
Module-ID = <integer> - Value for the protocol subsystem ID

Length [Actual] - Length value is the number of bytes captured in the buffer for this packet. Actual value, in brackets, is the number of bytes transmitted in the packet. You can configure the number of bytes to capture. See Configuring General Settings.

You can select a packet to use as a filter by double clicking the packet. You can maneuver through the Captured Packets table by using the following keys:

 

Captured Packets Table: Keys
Up arrow - Go to the previous packet.
Down arrow - Go to the next packet.
Right arrow - Load the next page.
Left arrow - Load the previous page.
Page Up - Go up 9 packets.
Page Down - Go down 9 packets.
Home - Go to the first packet in the current page.
End - Go to the last packet in the current page.
n - Go to the next page.
p - Go to the previous page.
f - Go to the first page.
l - Go to the last page.
r - Refresh the display.
c - Start capture.
s - Stop capture.

About the Packet Detail Section

When you click on a packet in the Captured Packets section, the packet header fields are displayed in the Packet Detail section. The display varies, depending on the type of packet that you select.

About the Hex Dump Section

When you click on a packet in the Captured Packets section, the packet data is displayed in hexadecimal and ASCII format in the Hex Dump section. The hex format is shown on the left side of the window, with the corresponding ASCII characters displayed to the right for each line. When the hex value is zero, the ASCII value is displayed as a dot.

Verifying Packet Monitor Activity

This section describes how to tell if your Packet Monitor, mirroring, or FTP logging is working correctly according to the configuration.

Understanding Status Indicators

The main Packet Monitor page displays status indicators for packet capture, mirroring, and FTP logging. Information popup tooltips are available for quick display of the configuration settings.

Packet Capture Status

The packet capture status indicator is labeled as Trace, and shows one of the following three conditions:

Red – Capture is stopped
Green – Capture is running and the buffer is not full
Yellow – Capture is running, but the buffer is full

The management interface also displays the buffer size, the number of packets captured, the percentage of buffer space used, and how much of the buffer has been lost. Lost packets occur when automatic FTP logging is turned on, but the file transfer is slow for some reason. If the transfer is not finished by the time the buffer is full again, the data in the newly filled buffer is lost.

* 
NOTE: Although the buffer wrap option clears the buffer upon wrapping to the beginning, this is not considered lost data.

Mirroring Status

There are three status indicators for packet mirroring:

Local mirroring – Packets sent to another physical interface on the same SonicWall

For local mirroring, the status indicator shows one of the following three conditions:

Red – Mirroring is off
Green – Mirroring is on
Yellow – Mirroring is on but disabled because the local mirroring interface is not specified

The Local mirroring row also displays the following statistics:

Mirroring to interface – The specified local mirroring interface
Packets mirrored – The total number of packets mirrored locally
Pkts skipped – The total number of packets that skipped mirroring due to packets that are incoming/outgoing on the interface on which monitoring is configured
Pkts exceeded rate – The total number of packets that skipped mirroring due to rate limiting
Remote mirroring Tx – Packets sent to a remote SonicWall

For Remote mirroring Tx, the status indicator shows one of the following three conditions:

Red – Mirroring is off
Green – Mirroring is on and a remote SonicWall IP address is configured
Yellow – Mirroring is on but disabled because the remote device rejects mirrored packets and sends port unreachable ICMP messages

The Remote mirroring Tx row also displays the following statistics:

Mirroring to – The specified remote SonicWall IP address
Packets mirrored – The total number of packets mirrored to a remote SonicWall appliance
Pkts skipped – The total number of packets that skipped mirroring due to packets that are incoming/outgoing on the interface on which monitoring is configured
Pkts exceeded rate – The total number of packets that failed to mirror to a remote SonicWall, either due to an unreachable port or other network issues
Remote mirroring Rx – Packets received from a remote SonicWall

For Remote mirroring Rx, the status indicator shows one of the following two conditions:

Red – Mirroring is off
Green – Mirroring is on and a remote SonicWall IP address is configured

The Remote mirroring Rx row also displays the following statistics:

Receiving from – The specified remote SonicWall IP address
Mirror packets rcvd – The total number of packets received from a remote SonicWall appliance
Mirror packets rcvd but skipped – The total number of packets received from a remote SonicWall appliance that failed to get mirrored locally due to errors in the packets

FTP Logging Status

The FTP logging status indicator shows one of the following three conditions:

Red – Automatic FTP logging is off
Green – Automatic FTP logging is on
Yellow – The last attempt to contact the FTP server failed, and logging is now off

To restart automatic FTP logging, see Restarting FTP Logging.

Next to the FTP logging indicator, the management interface also displays the number of successful and failed attempts to transfer the buffer contents to the FTP server, the current state of the FTP process thread, and the status of the capture buffer.

Current Buffer Statistics

The Current Buffer Statistics row summarizes the current contents of the local capture buffer. It shows the number of dropped, forwarded, consumed, and generated packets.

Current Configurations

The Current Configurations row provides dynamic information displays for the configured filter, general, logging, and mirror settings. When you hover your mouse pointer over one of the information icons or its label, a popup tooltip displays the current settings for that selection.

Clearing the Status Information

You can clear the Packet Monitor queue and the displayed statistics for the capture buffer, mirroring, and FTP logging.

1
Navigate to the Dashboard > Packet Monitor page.
2
Click Clear.
3
Click OK in the confirmation dialog.

Related Information

Supported Packet Types

When specifying the Ethernet or IP packet types that you want to monitor or display, you can use either the standard acronym for the type, if supported, or the corresponding hexadecimal representation. To determine the hex value for a protocol, refer to the RFC for the number assigned to it by IANA. The protocol acronyms that SonicOS currently supports are as follows:

 

Supported Protocol Acronyms

Supported Ethernet Types: ARP, IP, PPPoE-DIS, PPPoE-SES
NOTE: To specify both PPPoE-DIS and PPPoE-SES, you can simply use PPPoE.

Supported IP Types: TCP, UDP, ICMP, IGMP, GRE, AH, ESP

File Formats for Export As

The Export As option on the Dashboard > Packet Monitor page allows you to display or save a snapshot of the current buffer in the file format that you select from the drop-down menu. Saved files are placed on your local management system (where the management interface is running). Choose from the following formats:

Libpcap - To view the data with the Wireshark network protocol analyzer. This is also known as libcap or pcap format. A dialog box allows you to open the buffer file with Wireshark, or save it to your local hard drive with the extension .pcap.
Html - To view the data with a browser. You can use File > Save As to save a copy of the buffer to your hard drive.
Text - To view the data in a text editor. A dialog box allows you to open the buffer file with the registered text editor, or save it to your local hard drive with the extension .wri.
App Data - To view only application data contained in the packet. Packets containing no application data are skipped during the capture. Application data = captured packet minus L2, L3, and L4 headers.
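As an added example (not SonicOS code and not taken from this guide), the following Python shows how the acronym-or-hex syntax accepted for packet types resolves to the IANA-assigned numbers, how a captured frame is matched against Ethernet and IP type filters, and how the App Data export's "captured packet minus L2, L3, and L4 headers" is computed. The sample frames, the documentation addresses in them, and all function names are constructed here; only the protocol numbers are the real IANA values.

```python
"""Helpers mirroring the Packet Monitor's type filters and App Data export:
resolve the protocol acronyms listed above (or IANA hex values) to numbers,
match a captured frame against them, and strip the L2/L3/L4 headers to get
the application data.  Added example, not SonicOS code; frames are
constructed inline."""
import struct

# IANA-assigned values for the acronyms SonicOS accepts.  EtherTypes are
# 16-bit, IP protocol numbers 8-bit.  Plain "PPPoE" expands to both types.
ETHER_TYPES = {"ARP": 0x0806, "IP": 0x0800,
               "PPPOE-DIS": 0x8863, "PPPOE-SES": 0x8864}
IP_PROTOCOLS = {"TCP": 6, "UDP": 17, "ICMP": 1, "IGMP": 2,
                "GRE": 47, "AH": 51, "ESP": 50}


def resolve(token, table):
    """Map one filter token (acronym or hex such as '0x0806' / '0806') to
    the set of numeric values it denotes."""
    name = token.strip().upper()
    if name == "PPPOE" and table is ETHER_TYPES:
        return {table["PPPOE-DIS"], table["PPPOE-SES"]}
    if name in table:
        return {table[name]}
    return {int(name[2:] if name.startswith("0X") else name, 16)}


def parse_frame(frame):
    """Return (ethertype, ip_protocol, app_data) for an Ethernet II frame.
    ip_protocol/app_data are None when the frame is not IPv4; app_data is
    None for IP protocols whose L4 header length is not known here."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]     # L2 header = 14 bytes
    if ethertype != ETHER_TYPES["IP"]:
        return ethertype, None, None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("truncated or non-IPv4 header")
    ihl = (ip[0] & 0x0F) * 4                             # L3 header length
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    l4 = ip[ihl:total_len]                               # drops Ethernet padding
    if proto == IP_PROTOCOLS["TCP"]:
        if len(l4) < 20:
            raise ValueError("truncated TCP header")
        l4_len = (l4[12] >> 4) * 4                       # data offset, in 32-bit words
    elif proto in (IP_PROTOCOLS["UDP"], IP_PROTOCOLS["ICMP"]):
        l4_len = 8
    else:
        return ethertype, proto, None
    return ethertype, proto, l4[l4_len:]                 # App Data = packet minus L2+L3+L4


def matches(frame, ether_types=(), ip_types=()):
    """True when the frame satisfies both filter lists (an empty list means
    'any'), using the same acronym-or-hex syntax as the Packet Monitor."""
    ethertype, proto, _ = parse_frame(frame)
    if ether_types:
        wanted = set().union(*(resolve(t, ETHER_TYPES) for t in ether_types))
        if ethertype not in wanted:
            return False
    if ip_types:
        wanted = set().union(*(resolve(t, IP_PROTOCOLS) for t in ip_types))
        if proto not in wanted:
            return False
    return True


# --- constructed sample frames (documentation addresses, not real hosts) ---
_ETH_IP = bytes.fromhex("001122334455" "66778899aabb" "0800")
_ETH_ARP = bytes.fromhex("001122334455" "66778899aabb" "0806")


def _ipv4(proto, l4, src=b"\xc0\x00\x02\x0a", dst=b"\xc0\x00\x02\x35"):
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum (0), src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4),
                       1, 0, 64, proto, 0, src, dst) + l4


SAMPLE_UDP = _ETH_IP + _ipv4(17, struct.pack("!HHHH", 40000, 53, 8 + 9, 0) + b"dns query")
SAMPLE_TCP = _ETH_IP + _ipv4(6, struct.pack("!HHIIBBHHH", 40001, 443, 1, 0,
                                            5 << 4, 0x18, 65535, 0, 0) + b"tls record")
SAMPLE_ARP = _ETH_ARP + bytes(28)                        # zeroed ARP body
```

Note that a frame with no L4 payload (or a protocol such as GRE or ESP whose L4 length is not derived here) yields no App Data, which is the case the page describes as "skipped during the capture".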

Examples of the Html and Text formats are shown in the following sections:

HTML Format

You can view the HTML format in a browser. The following is an example showing the header and part of the data for the first packet in the buffer.

Text File Format

You can view the text format output in a text editor. The following is an example showing the header and part of the data for the first packet in the buffer.

Tracking Potential Security Threats

Dashboard > Log Monitor

* 
NOTE: For increased convenience and accessibility, the Log Monitor page can be accessed either from Dashboard > Log Monitor or Log > Log Monitor. The two pages provide identical functionality.

The SonicWall network security appliance maintains an Event log for tracking potential security threats.

The event log can be sent automatically to an Email address for convenience and archiving. Alerts from the Log Monitor can also be sent via Email to notify you of events such as attacks against your firewall. Alerts are emailed immediately, either to an e-mail address or to an e-mail pager. Each log entry contains the date and time of the event and a brief message describing the event.

The displayed information is controlled by setting options for which categories you want to display in the log table. Use the Categories column to determine the baseline events to monitor and to configure event-specific information.

The Filter input field at the top left corner of the Log Monitor panel enables you to enter a search string that is used to filter the log events that are displayed in Log Monitor panel.

You can type any substring and press the Enter key to filter the Log Monitor table. The Log Monitor lists only log events that contain matches for that substring.

Topics:

Configuring Logging

You configure logging events in the Log > Log Settings page. See Configuring Log Settings.

* 
NOTE: There are log messages that show the up/down status of some of the special network objects. These objects, however, live for only three seconds and then are deleted automatically.

Managing Event Logging

Some of the common tasks that you can perform to manage the Event Log are as follows:

Online Viewing of Log Events—The Event Log is not persistent. Older events in the run-time Event Log database buffer may be over-written with newer events.
Online Viewing Using the SonicOS Log Monitor UI—The UI takes snapshots of the Event Log database, so users can scroll forward and backwards in the Event Log using their browser.
Text Viewing Format Using the CLI—Shows only the current content of the Event Log database.
Log Monitor Display Filtering—You can customize the Log Event display.
Log Settings Capture Filtering—You can customize the Log Event capture.
Offline Viewing of Log Events—Offline viewing is persistent because the system saves the log events to an external source, such as your computer.
Viewing Log Events via Email—Using your Email client, you can set up individual Email alerts that are sent whenever an event occurs, or an Email digest that sends batches of log events periodically.

Viewing Log Events via Syslog Viewer—You can view and configure log events and capture settings using a Syslog viewer.
Viewing Log Events via GMS Syslogs—You can view and configure log events using GMS.
Exporting the Event Log Database—You can export the Event Log database as a plain text file by clicking the Export button.

Deleting Entries from the Run-Time Event Log Database—You can permanently delete entries, using the Clear All button. So, proceed with caution. If automation is not enabled, export the database before using Clear All.

Deep Packet Forensics using a Data Recorder such as Solera—You can record deep packet events using a data recorder such as Solera. This feature is enabled under Log > Automation, and the events to record are configured under Log > Settings.

Log Monitor Table Functions

The Log Monitor table provides numerous settings to allow you to navigate, view, and export results. Table columns can be customized, so that you can view full data on any event, or only the data you need. Table entries can be sorted to display in either ascending or descending order.

You can sort the entries in the Log Monitor table by clicking on the column header. The entries are sorted by ascending or descending order. The arrow to the right of the column entry indicates the sorting status. A down arrow means ascending order. An up arrow indicates a descending order.

The top row of the Log Monitor table contains several functional items:

Display Menu

From the Display drop-down menu, you can select the time interval for viewing log events. Time intervals range from the Last 60 seconds to the Last 30 days, with a default of Last 5 minutes, or All entries to log all events in the database.

Functional Icons

The functional buttons perform various functions of the Log Monitor. Pausing your cursor over a button reveals the description of the button.

Log Monitor: Functional Icons describes the icon functions:

Log Monitor: Functional Icons

Function: Description

Export Log as CSV File: Clicking this icon displays a dialog that allows you to open or save the log in Comma-separated value (CSV) format. This format is used for importing into Excel or other presentation development applications.

Export Log as Plain Text File: Clicking this icon displays a dialog that allows you to save the log in Plain Text format. Two formats for Email can be configured on the Log > Automation page: Plain Text or HTML.

Select Columns to Display: Clicking this icon displays a dialog that allows you to select the columns that you want to show in the Log Monitor table.

Send Log to Email Address: Clicking this icon sends all logs to the configured email address.

Clear All Logs: Clicking this icon deletes all saved logs.

Status: Indicates the status of the feature; for further information, see Common Icons. Clicking this icon displays the total number of logs present in the database, as well as the latest reported time for each status category. To close the dialog, click Close.

Refreshing the Data

You can refresh the displayed data:

Force an update by clicking the Refresh icon.
Specify how often the Log Monitor table is updated with events from the event log database. In the Refresh field, specify an interval between 10 seconds (minimum) and 999 seconds (maximum). The default is 60 seconds.
Refresh all output immediately by clicking the Pause/Play toggle icon. The Pause/Play toggle icon starts or stops the Log Monitor table from updating its content. This is useful when the Log Monitor table is being updated continually in quick succession. You can pause the display from updating long enough to inspect the messages.

Data Display

The Log Monitor is displayed in a table that can be sorted by column.

To select the columns to appear in the table:
1
Click the Tools button.

The Select Columns to Display popup dialog appears.

2
Select the columns you want to display or hide. Default Log Table Columns lists the default columns.
* 
NOTE: The Time, ID, and Message columns are always displayed and cannot be hidden by customization.
* 
NOTE: For more information on specific log events, refer to the SonicOS Log Event Reference Guide.
3
Click Apply.

Default Log Table Columns

Column: Displays

Time: Date and time of the event

ID: Identifying number for the event. ID is most useful when using GMS or Syslog. The ID is shown in Syslog packets and is used to identify data in generated reports.

Category: Category, Group, and/or Event, as selected from the Select Columns to Display dialog

Priority: Level of priority associated with your log event. Syslog uses eight priorities to characterize messages:
    Emergency
    Alert
    Critical
    Error
    Warning
    Notice
    Informational
    Debug

Src. Int: Source network and IP address

Dst. Int: Destination network and IP address

Src. IP: Source IP address

Src. Port: Source port

Dst. IP: Destination IP address

Dst. Port: Destination port

IP Protocol: IP protocol (TCP or IP) in use

User Name: Name of the originating user

Application: Application accessing the network

Notes: Dynamic, detailed information about the event

Filtering the Log Monitor Table

The filter bar allows you to filter the log table based on selected criteria.

To filter the Log Monitor table:
1
Select a filter item by clicking on the desired column cell. The selected cell turns blue. Multiple cells can be selected.

2
When finished making selections, click the + in the filter bar.

The filter criteria is applied to the display, and you see the filter type in the filter bar.

3
Click the arrow beside the column name (in this case, Category) to view the filter value.

4
To remove a filter, click the x next to the Filter type in the drop-down menu.

Filter View

Filter View allows you to set the filtering without any existing matches in the Log Monitor table.

In normal view, you can only set filtering based on an existing event that you can select in the Log Monitor table. In Filter View, you can select only one combination of Category/Priority at a time. In normal view, you can select several categories at the same time.

You can configure multiple filter views for categories using the filter bar.

To configure a filter view:
1
Go to the Log > Monitor page.
2
Click the + sign next to the Filter View bar. The Filter View dialog appears.

3
From the Priority menu, select the priority that you want.
4
From the Category menu, select the category that you want.
5
From the Source Interface menu, select the interface that you want.
6
From the Destination Interface menu, select the interface that you want.
7
In the Source IP box, enter the IP address of the source interface.
8
In the Destination IP box, enter the IP address of the destination interface.
9
Click Apply. The Log Monitor table displays the filtered results.

Log Event Messages

For a complete reference guide of log event messages, refer to the SonicOS Log Event Reference Guide at https://support.sonicwall.com/technical-documents.

Log Persistence

Lower-end TZ models can store up to 800 event entries in the log buffer. All other SonicWall Release 5.9 models can store 1000 to 10,000 event entries in the log buffer.

When the log becomes full, one or a couple of the oldest log entries are deleted. You can also click the Clear all logs button to clear all log entries.
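The following Python is an added example, not SonicOS code, that models the run-time Event Log behaviour described in this chapter: a bounded buffer that loses its oldest entries once full (which is why the guide says to export before Clear All), the eight syslog priorities in severity order, the substring Filter field, a Filter View on a single Category/Priority combination, and CSV and plain-text export. The buffer capacity, event IDs, categories, messages and addresses are constructed values, not SonicOS log IDs.

```python
"""A model of the Log Monitor's run-time Event Log: a bounded buffer that
drops the oldest entries once full (so an Export should precede Clear All),
the eight syslog priorities, the substring Filter field, a Filter View on one
Category/Priority combination, and CSV/plain-text export.  Added example,
not SonicOS code; the capacity and the events below are constructed."""
import csv
import io
from collections import deque
from dataclasses import dataclass, fields

# Syslog severities from most to least severe; the index is the RFC 5424
# numeric code (Emergency = 0 ... Debug = 7).
PRIORITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
SEVERITY = {name: code for code, name in enumerate(PRIORITIES)}


@dataclass(frozen=True)
class LogEvent:
    time: str
    id: int
    category: str
    priority: str
    message: str
    src_ip: str = ""
    dst_ip: str = ""


class EventLog:
    def __init__(self, capacity):
        self._buf = deque(maxlen=capacity)   # deque discards the oldest entry itself
        self.overwritten = 0                  # entries lost because the buffer was full

    def append(self, event):
        if len(self._buf) == self._buf.maxlen:
            self.overwritten += 1
        self._buf.append(event)

    def entries(self):
        return list(self._buf)

    def filter_substring(self, text):
        """The Filter field: keep events where any column contains the text."""
        needle = text.lower()
        return [e for e in self._buf
                if any(needle in str(getattr(e, f.name)).lower() for f in fields(e))]

    def filter_view(self, priority=None, category=None, src_ip=None, dst_ip=None):
        """Filter View: one Category/Priority combination plus optional
        addresses, all ANDed; None means 'any'."""
        wanted = {"priority": priority, "category": category,
                  "src_ip": src_ip, "dst_ip": dst_ip}
        return [e for e in self._buf
                if all(v is None or getattr(e, k) == v for k, v in wanted.items())]

    def at_least(self, priority):
        """Events at the given severity or worse, e.g. everything Error and up."""
        return [e for e in self._buf if SEVERITY[e.priority] <= SEVERITY[priority]]

    def export_csv(self, events=None):
        """Export Log as CSV File: header row plus one row per event."""
        out = io.StringIO()
        writer = csv.writer(out)
        cols = [f.name for f in fields(LogEvent)]
        writer.writerow(cols)
        for e in (self._buf if events is None else events):
            writer.writerow([getattr(e, c) for c in cols])
        return out.getvalue()

    def export_text(self, events=None):
        """Export Log as Plain Text File: one line per event."""
        return "\n".join(f"{e.time} [{e.id}] {e.priority}/{e.category}: {e.message}"
                         for e in (self._buf if events is None else events))

    def clear_all(self):
        """Clear All: entries are gone for good; returns how many were removed."""
        count = len(self._buf)
        self._buf.clear()
        return count


# Constructed sample events (documentation addresses, made-up IDs).
SAMPLE_EVENTS = [
    LogEvent("2024-01-01 10:00:00", 1, "System", "Informational", "Admin login allowed", "192.0.2.10"),
    LogEvent("2024-01-01 10:00:05", 2, "Intrusion", "Alert", "IPS signature matched", "198.51.100.7", "192.0.2.20"),
    LogEvent("2024-01-01 10:00:09", 3, "Anti-Virus", "Critical", "Malware blocked", "203.0.113.3", "192.0.2.21"),
    LogEvent("2024-01-01 10:00:12", 4, "Access", "Notice", "Web access allowed", "192.0.2.30", "203.0.113.9"),
    LogEvent("2024-01-01 10:00:15", 5, "System", "Warning", "Admin login failed", "198.51.100.7"),
]


def load(capacity):
    """Fill a log of the given capacity with the sample events."""
    log = EventLog(capacity)
    for e in SAMPLE_EVENTS:
        log.append(e)
    return log
```

Filling a three-entry buffer with the five sample events keeps only the last three and counts two as overwritten, which is the persistence limit the text describes for the on-box buffer; the exported CSV or text is the only copy once Clear All runs.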

Emailing provides a simple version of logging persistence, while GMS provides a more reliable and scalable method.

The option to deliver logs as either plain-text or HTML provides an easy method to review and replay events logged.

GMS

To provide the ability to identify and view events across an entire enterprise, a GMS update is required. Device-specific interesting-content events at the GMS console appear in Reports > Log Viewer Search page, but are also found throughout the various reports, such as Top Intrusions Over Time.

Monitoring Interface Bandwidth Traffic

Dashboard > BWM Monitor

The Dashboard > BWM Monitor page provides bandwidth monitors for both Global BWM and Advanced BWM. If bandwidth monitoring is not enabled, you must enable monitoring on the Firewall Settings > BWM page. The Dashboard > BWM Monitor page provides a link to the Firewall Settings > BWM page.

Topics:

Global Bandwidth Monitor

In Global BWM mode, the BWM Monitor displays eight different monitors. Each monitor shows the bandwidth usage for each priority, and has a separate graph for ingress and egress traffic. The following priorities are displayed in the BWM monitor in Global BWM mode:

Real-time
Highest
High
Medium High
Medium
Medium Low
Low
Lowest

The View Range list lets you select the following intervals:

60 seconds
2 minutes
5 minutes
10 minutes (default)

The Refresh Every box is configurable from 3 to 30 seconds.

The bandwidth management priority is depicted by current, dropped, guaranteed, and maximum.

The following graphic shows the BWM Monitor in Global Bandwidth Mode:

Advanced Bandwidth Monitor

In Advanced BWM mode, the Dashboard > BWM Monitor provides two monitors that enable you to monitor bandwidth usage:

These monitors display graphs of bandwidth usage based on the configured Advanced Bandwidth Management policies, such as Access Rules, App Rules, and Action Objects.

To allow a bandwidth rule to be shown in the BWM Monitor:
1
On the SonicWall Security Appliance, go to Firewall > Access Rules.

2
Do one of the following:
Click the Add button.
Click the Configure button for the rule you want to configure.

The Add/Edit Rule dialog displays.

3
If you are adding a new rule, follow the steps in Adding Access Rules.
4
Click the BWM tab.

5
Select either or both:
Enable Egress Bandwidth Management (‘Allow’ rules only)
Enable Ingress Bandwidth Management (‘Allow’ rules only)
6
Either:
Select a Bandwidth Object from the appropriate Bandwidth Object drop-down menu.
Create a new Bandwidth Object.
7
Select the Enable Tracking Bandwidth Usage option.
8
Click the ADD/OK button.

Policy-Based Ingress/Egress

The Policy-based Ingress/Egress graph can display a real-time bandwidth image or a history image. The interval range can be changed by selecting a value for the View Range list.

The drop-down list at the top right of this graph lists the policies that the graph can display. The names of policies are preceded with a prefix:

Access Rules are prefixed with RL.
Action Objects are prefixed with AFA.

Pausing the mouse over certain items displays tooltip information.

The Auto Y-Scaling, Bar Graph, and Flow Chart options are described in Common Features.

Policy-Based Top 10

The Policy-Based Top 10 monitor displays the most used bandwidth rules. The direction of rules (Ingress/Egress) is significant:

(I) before the name of a rule indicates an Ingress rule.
(E) before the name of a rule indicates an Egress rule.

The values used for sorting the Top 10 rules are the average bandwidth accumulated from historic traffic, not the bandwidth of the current calculation time interval. Hence, you may see different values for the same rule between the Top 10 graph and other real-time monitors.

To get the precise value of the average bandwidth of a specific rule, pause your mouse over the bar for that rule.

To see a pie chart of the per-IP bandwidth for a specific rule, double click the bar for that rule.

The per-IP bandwidth pie chart displays each IP address and the percentage of bandwidth it consumed. The percentage is calculated from the average bandwidth usage, not from real-time values.

* 
NOTE: The pie chart of the per-IP bandwidth is displayed only if that rule is configured for per-IP bandwidth management in the Elemental Bandwidth Settings dialog.

Monitoring Active Connections

Dashboard > Connections Monitor

The Dashboard > Connections Monitor page displays details on all active connections to the security appliance.

Topics:

Filtering Connections Viewed

Topics:

Entering Filter Criteria

You can filter the results to display only connections matching certain criteria:

Source Address
Destination Address
Destination Port
Protocol
Flow Type
Src Interface (source interface)
Dst Interface (destination interface)

Enter your filter criteria in the Connection Monitor Settings section.

The fields you enter values into are combined into a search string with a logical AND. For example, if you enter values for Source Address and Destination Address, the search string will look for connections matching:

Source Address AND Destination Address

Select the check box in the Group Filters column for any two or more criteria to combine them with a logical OR. For example, if you enter values for Source Address, Destination Address, and Protocol, and check Group next to Source Address and Destination Address, the search string will look for connections matching:

(Source Address OR Destination Address) AND Protocol

Click Apply Filters to apply the filter immediately to the Active Connections Monitor table. Click Reset Filters to clear the filter and display the unfiltered results again.
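The AND/OR semantics just described, as an added example in Python that is not SonicOS code: every criterion with a value is ANDed, and the criteria whose Group Filters box is checked are ORed together first, so the second case above renders as (Source Address OR Destination Address) AND Protocol. The connection rows, interface names and the acceptance of a CIDR prefix in the address fields are constructed assumptions of this example; the page only lists the criteria and their combination rules.

```python
"""Filter semantics of the Connections Monitor: every criterion with a value
is ANDed, and criteria whose Group Filters box is checked are ORed together
first, giving e.g. (Source Address OR Destination Address) AND Protocol.
Added example, not SonicOS code; connection records are constructed, and
CIDR-prefix matching for addresses is an assumption of this example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    src_iface: str
    dst_iface: str
    flow_type: str = "Generic"


def _addr(value, wanted):
    # Accept a single address or a CIDR prefix (assumption; the page lists addresses).
    return ipaddress.ip_address(value) in ipaddress.ip_network(wanted, strict=False)


# Criterion name (as on the page) -> how a connection is compared to the entered value.
CRITERIA = {
    "Source Address":      lambda c, v: _addr(c.src_ip, v),
    "Destination Address": lambda c, v: _addr(c.dst_ip, v),
    "Destination Port":    lambda c, v: c.dst_port == int(v),
    "Protocol":            lambda c, v: c.protocol.upper() == v.upper(),
    "Flow Type":           lambda c, v: c.flow_type.lower() == v.lower(),
    "Src Interface":       lambda c, v: c.src_iface.upper() == v.upper(),
    "Dst Interface":       lambda c, v: c.dst_iface.upper() == v.upper(),
}


def _split(values, grouped):
    """Return (grouped criteria, ungrouped criteria) in page order, ignoring
    empty fields.  A single checked box cannot form an OR group, so that
    criterion is treated as an ordinary AND term."""
    active = [k for k in CRITERIA if values.get(k) not in (None, "")]
    group = [k for k in active if k in grouped]
    if len(group) < 2:
        group = []
    singles = [k for k in active if k not in group]
    return group, singles


def search_string(values, grouped=()):
    """The human-readable form the page shows, e.g.
    '(Source Address OR Destination Address) AND Protocol'."""
    group, singles = _split(values, grouped)
    terms = (["(" + " OR ".join(group) + ")"] if group else []) + singles
    return " AND ".join(terms)


def build_predicate(values, grouped=()):
    """Compile the entered criteria into a function of one Connection."""
    group, singles = _split(values, grouped)

    def predicate(conn):
        if group and not any(CRITERIA[k](conn, values[k]) for k in group):
            return False
        return all(CRITERIA[k](conn, values[k]) for k in singles)
    return predicate


def apply_filters(connections, values, grouped=()):
    """Apply Filters: the rows that remain in the Active Connections table."""
    keep = build_predicate(values, grouped)
    return [c for c in connections if keep(c)]


# Constructed sample rows (documentation prefixes; X0 and X1 are assumed interface names).
SAMPLE_CONNECTIONS = [
    Connection("10.0.0.5", 51000, "203.0.113.7", 443, "TCP", "X0", "X1"),
    Connection("10.0.0.9", 51001, "10.0.0.5", 22, "TCP", "X0", "X0"),
    Connection("10.0.0.5", 51002, "198.51.100.3", 53, "UDP", "X0", "X1"),
    Connection("10.0.0.7", 51003, "198.51.100.3", 53, "UDP", "X0", "X1"),
]
```

With Source Address and Destination Address both set to the same host and Protocol set to TCP, the ungrouped filter matches nothing (no connection has that host at both ends), while grouping the two address criteria returns every TCP connection the host takes part in, which is the usual question when triaging one endpoint.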

Exporting Results

You can export the list of active connections to a file.

To export the active connections to a file:
1
On the Dashboard > Connections Monitor page, click the Export Results button. The Export Connections Monitor Results dialog displays.

2
Select if you want the results exported to a plain text file or a Comma Separated Value (CSV) file for importing to a spreadsheet, reporting tool, or database.
3
Click the Export button.
4
If you are prompted to Open or Save the file, select Save.
5
Enter a filename and path.
6
Click OK.

Collapsing the Settings Section

After you have specified the filter criteria, you no longer need to display the Connections Monitor Settings section. To collapse the section, click the Collapse button. Only the heading is displayed.

To redisplay the Connections Monitor Settings section, click the Expand button.

Viewing Connections

The connections are listed in the Active Connections Monitor table:

Src IP (Source IP)
Src Port (Source Port)
Dst IP (Destination IP)
Dst Port (Destination Port)
Protocol
Src Iface (Source Interface)
Dst Iface (Destination Interface)
Flow Type
IPS Category
Expiry (sec)
Tx Bytes (Transmit Bytes)
Rx Bytes (Receive Bytes)
Tx Packets (Transmit Packets)
Rx Packets (Receive Packets)
Flush

Click on a column heading to sort by that column.

To refresh the Active Connections Monitor table, click the Refresh icon. You can also specify the number of items displayed per page.

To flush any connection, click the Delete icon in the Flush column for that connection. To flush all connections, click the Flush All button at the bottom of the table.

IPv6 Connections Monitor

For complete information on the SonicOS implementation of IPv6, see About IPv6.

The Connections Monitor is configured the same in IPv6 and IPv4; toggle the View IP Version radio buttons to change the view/configuration.