SonicOS 6.2 Admin Guide

AppFlow

Managing Flow Reporting Statistics

NOTE: The AppFlow feature is available on TZ series and above appliances.

AppFlow > Flow Reporting

You manage the firewall’s flow reporting, statistics, and configurable settings for sending AppFlow and real-time data to a local collector or external AppFlow servers with the AppFlow feature. AppFlow provides support for external AppFlow reporting formats, such as NetFlow version 5, NetFlow version 9, IPFIX, and IPFIX with Extension. AppFlow includes support for Quest™ Change Auditor for SonicWall, the automated auditing module that allows you to collect data on internet web site and cloud activity. For more information about using Change Auditor with SonicOS firewalls, see Change Auditor for SonicWall User Guide.

The AppFlow > Flow Reporting page includes settings for configuring the firewall to view statistics based on Flow Reporting and Internal Reporting. From this page, you can also configure settings for internal reporting as well as for GMSflow Server and external collector reporting.

You can access the Dashboard > AppFlow Monitor page by clicking on the Link icon in the upper right corner of the AppFlow > Flow Reporting page.

You can clear all the AppFlow settings to default values by clicking on the Default button at the top of the AppFlow > Flow Reporting page.

The AppFlow > Flow Reporting page has these tabs:

Statistics – Displays reporting statistics in four tables.
Settings – Allows enabling of various real-time data collection and AppFlow report collection.
GMSFlow Server – Allows configuring AppFlow reporting to a GMSFlow server.
External Collector – Allows configuring AppFlow reporting to an IPFIX collector.

Statistics Tab

This tab displays counts of flows that were collected or not collected, sent to the server, dropped, stored in and removed from memory, and reported or not reported to the server. It also includes the number of NetFlow and IP Flow Information Export (IPFIX) templates sent and the number of general static flows reported.

External Flow Reporting Statistics

Each statistic displays the total number of:

Connection Flows Enqueued: Connection-related flows collected so far.
Connection Flows Dequeued: Connection-related flows that have been reported either to an internal AppFlow collector or to external collectors.
Connection Flows Dropped: Collected connection-related flows that failed to get reported.
Connection Flows Skipped Reporting: Connection-related flows that skipped reporting. This can happen when running in periodic mode and the collected flows exceed the configured value for reporting.
Non-Connection data Enqueued: All non-connection-related flows that have been collected so far.
Non-Connection data Dequeued: All non-connection-related flows that have been reported either to external collectors or to an internal AppFlow collector.
Non-connection data Dropped: All non-connection-related data dropped due to too many requests.
Non-connection related static data Reported: Non-connection-related static data that has been reported. This includes lists of applications, viruses, spyware, intrusions, table map, column map, and location map.
Logs Reported by IPFIX: All logs reported by IPFIX.

Internal AppFlow Reporting Statistics

Each statistic displays the total number of:

Data Flows Enqueued: Connection-related flows that have been queued to the AppFlow collector.
Data Flows Dequeued: All connection-related flows that have been successfully inserted into the database.
Data Flows Dropped: Connection-related flows that failed to get inserted into the database due to a high connection rate.
Data Flows Skipped Reporting: Connection-related flows that skipped reporting.
General Flows Enqueued: All non-connection-related flows in the database queue.
General Flows Dequeued: All non-connection-related flows successfully inserted into the database.
General Flows Dropped: All non-connection-related flows that failed to be inserted into the database due to a high rate (too many requests).
General Static Flows Dequeued: All non-connection-related static flows successfully inserted into the database.
AppFlow Collector Errors: AppFlow database errors.
Total Flows in DB: Connection-related flows in the database.

Total IPFIX Statistics

The IPFIX statistics are displayed in two tables at the bottom of the Statistics tab.

Each statistic displays the total number of:

Total NetFlow/IPFIX Packets Sent: IPFIX/NetFlow packets sent so far to all destinations (external collector, AppFlow server, GMSFlow server).
NetFlow/IPFIX Packets Sent to External Collection: IPFIX/NetFlow packets sent to the external collector so far.
Netflow/IPFIX Packets Sent to GMSFlow Server: IPFIX/NetFlow packets sent to the GMSFlow collector so far.
NetFlow/IPFIX Templates Sent: IPFIX/NetFlow templates sent to all destinations (external collector, AppFlow server, GMSFlow server).
Connection Flows Sent to External Collector: Connection/static/general flows that have been reported to the external collector.
Connection Flows Sent to GMSFlow Server: Connection/static/general flows that have been reported to the GMSFlow server.
Non-Connection related Dynamic Flows Sent to External Collector: IPFIX/NetFlow packets sent to the external collector so far.
Non-Connection related Dynamic Flows Sent to GMSFlow Server: IPFIX/NetFlow packets sent to the GMSFlow server so far.
Non-Connection related Static Flows Sent to External Collector: Connection/static/general flows that have been reported to the AppFlow collector or external collector.
Logs Reported by IPFIX to external collector: Logs reported to the external collector by IPFIX so far.
Non-Connection related Static Flows Sent to GMSFlow Server: Connection/static/general flows that have been reported to the GMSFlow server.
Logs Reported by IPFIX to GMSFlow Server: Logs reported to the GMSFlow server by IPFIX so far.

Settings Tab

The Settings tab has configurable options for local internal flow reporting, AppFlow Server external flow reporting, and the IPFIX collector.

The Settings tab has three sections:

Settings

The Settings section of the Settings tab allows you to enable real-time data collection and AppFlow report collection.

Report Collections—Enables AppFlow reporting collection according to one of these modes:
All — Selecting this checkbox reports all flows. This is the default setting.
Interface-based — Selecting this checkbox enables flow reporting based only on the initiator or responder interface. This provides a way to control what flows are reported externally or internally. If enabled, the flows are verified against the per interface flow reporting configuration, located in the Network > Interfaces page.

If an interface has its flow reporting disabled, then flows associated with that interface are skipped.

Firewall/App Rules-based — Selecting this checkbox enables flow reporting based on already existing firewall Access and App rules configuration, located on the Firewall > Access Rules page and the Firewall > App Rules page, respectively. This is similar to interface-based reporting; the only difference is instead of checking per interface settings, the per-firewall rule is selected.

Every firewall Access and App rule has a checkbox to enable flow reporting. In this mode, a flow that matches a rule is reported only if that rule has its flow-reporting checkbox enabled; the firewall verifies the rule's setting before reporting the flow.

NOTE: If this option is enabled, but no rules have the flow-reporting option enabled, no data is reported. This option is an additional way to control which flows need to be reported.
Enable Real-Time Data Collection—Enables real-time data collection on your firewall for real-time statistics. You can enable/disable individual items in the Collect Real-Time Data For drop-down menu. This setting is enabled by default.

When this setting is disabled, the Real-Time Monitor does not collect or display streaming data as the real-time graphs displayed in the Dashboard > Real-Time Monitor page are disabled.

Collect Real-Time Data For—Select the streaming graphs to display on the Real-Time Monitor page. By default, all items are selected. Each option displays the following graph(s):

Top apps: Applications
Bits per sec.: Bandwidth
Packets per sec.: Packet Rate
Average packet size: Packet Size
Connections per sec.: Connection Rate and Connection Count
Core util.: Multi-Core Monitor
Memory util.: Memory Usage

Enable Aggregate AppFlow Report Data Collection—Enables individual AppFlow Reports collection on your SonicWall appliance for display in Dashboard > Appflow Reports. You can enable/disable Individual items in the Collect Report Data For drop-down menu. This setting is enabled by default.

When this setting is disabled, the AppFlow Reports does not collect or display data.

TIP: You can quickly display the Dashboard > AppFlow Reports page by clicking the Display icon by the Enable Aggregate AppFlow Report Data Collection checkbox.
Collect Report Data For—Select from this drop-down menu the data to display on the Dashboard > Appflow Reports page. By default, all reports are selected.
 
Apps Report
Threat Report
User Report
Geo-IP Report
IP Report
URL Report

Local Server Settings

The Local Server Settings section allows you to enable AppFlow reporting to an internal collector.

Enable AppFlow To Local Collector—Enables AppFlow reporting collection to an internal server on your SonicWall appliance. If this option is disabled, the tabbed displays on Dashboard > AppFlow Monitor are disabled. By default, this option is disabled.
NOTE: When enabling/disabling this option, you may need to reboot the device to enable/disable this feature completely.

Other Report Settings

The options in the Other Report Settings section configure conditions under which a connection is reported. This section does not apply to all non-connection-related flows.

Report DROPPED Connection—If enabled, connections that are dropped due to firewall rules are not reported. This option is enabled by default.
Skip Reporting STACK Connections—If enabled, the firewall will not report all connections initiated or responded to by the firewall’s TCP/IP stack. By default, this option is enabled.
Include Following URL Types—From the drop-down menu, select the type of URLs that need to be reported. To skip a particular type of URL reporting, uncheck (disable) them.
NOTE: This setting applies to both AppFlow reporting (internal) and external reporting when using IPFIX with extensions.

Gifs (selected by default)
Jsons
Jpegs (selected by default)
Css
Pngs (selected by default)
Htmls (selected by default)
Js
Aspx (selected by default)
Xmls
Cms

Enable Geo-IP Resolution—Enables Geo-IP resolution. If disabled, the AppFlow Monitor does not group flows based on country under Initiators and Responders tabs. This setting is unchecked (disabled) by default.
NOTE: If Geo-IP blocking or Botnet blocking is enabled, this option is ignored.
Disable Reporting IPv6 Flows (ALL)—Disables reporting of IPv6 flows. This setting is enabled by default.
AppFlow Report Upload Timeout (sec)—Specify the timeout, in seconds, when connecting to the AppFlow upload server. The minimum timeout is 5 seconds, the maximum is 300 seconds, and the default value is 120 seconds.

GMSFlow Server Tab

This tab provides configuration settings for sending AppFlow and Real-Time data to a GMSFlow server.

Send AppFlow to SonicWall GMSFlow Server – The SonicWall appliance sends AppFlow data via IPFIX to a SonicWall GMSFlow server. This option is not enabled by default.

If this option is disabled, the SonicWall GMSFlow server does not show AppFlow Monitor, AppFlow Report, and AppFlow Dashboard charts on the GMSFlow server or via redirection on another SonicWall appliance.

NOTE: When enabling/disabling this option, you may need to reboot the device to enable/disable this feature completely.
Send Real-Time Data to SonicWall GMSFlow Server – The SonicWall appliance sends real-time data via IPFIX to the SonicWall GMSFlow server. This option is disabled by default.

If this option is disabled, the SonicWall GMSFlow server does not display real-time charts on the GMSFlow server or via redirection on a SonicWall appliance.

Send System Logs to SonicWall GMSFlow Server – The SonicWall firewall sends system logs via IPFIX to the SonicWall GMSFlow server. This option is not selected by default.
Report on Connection OPEN – The SonicWall appliance reports when a new connection is opened. All associated data related to that connection may not be available when the connection is opened. This option enables flows to show up on the GMSFlow server as soon as a new connection is opened. This option is disabled by default.
Report on Connection CLOSE – The SonicWall appliance reports when a connection is closed. This is the most efficient way of reporting flows to the GMSFlow server, because all associated data related to that connection is available and reported. This option is enabled by default.
Report Connections on Following Updates – The firewall reports when a specified update occurs. Select the updates from the drop-down menu. By default, no update is selected.

threat detection
VPN tunnel detection
application detection
URL detection
user detection

Send Dynamic AppFlow For Following Tables – The firewall sends data for the selected tables. By default, all the tables are selected.

Connections
Devices
Users
SPAMs
URLs
Locations
URL ratings
VOIPs
VPNs

IMPORTANT: In IPFIX with extension mode, the firewall can generate reports for selected tables. As the firewall doesn’t cache this data, flows that are not sent may cause failures when correlating flows with other related data.

External Collector Tab

The External Collector tab provides configuration settings for AppFlow reporting to an external IPFIX collector.

Send Flows and Real-Time Data To External Collector—Enables the specified flows to be reported to an external flow collector. This option is disabled by default.
IMPORTANT: When enabling/disabling this option, you may need to reboot the device to enable/disable this feature completely.
External AppFlow Reporting Format—If the Report to EXTERNAL Flow Collector option is selected, you must select the flow-reporting type from the drop-down menu:

NetFlow version-5 (default)
IPFIX
NetFlow version-9
IPFIX with extensions [1]

[1] IPFIX with extensions v2 is still supported by enabling an internal setting. For how to enable this option, contact SonicWall Support. Currently, GMSFlow Server does not support this IPFIX version.

NOTE: Your selection for External Flow Reporting Format changes the available options.

If the reporting type is set to:

Netflow version 5 or 9 or IPFIX, then any third-party collector can be used to show flows reported from the firewall, because these formats use standard data types as defined by the IETF. The NetFlow and IPFIX reporting types contain only connection-related flow details per the standard.
IPFIX with extensions, then only collectors that are SonicWall-flow aware can be used to report SonicWall dynamic tables for:

connections
users
applications
locations
URLs
logs
devices
VPN tunnels
SPAMs
wireless
threats (viruses/spyware/intrusion)
real-time health (memory/CPU/interface statistics)

Flows reported in this mode can be viewed either by another SonicWall firewall configured as a collector (especially in a High Availability pair with the idle firewall acting as a collector) or by a SonicWall Linux collector. Some third-party collectors can also use this mode to display applications if they use standard IPFIX support. Not all reports are visible when using a third-party collector, though.

NOTE: When using IPFIX with extensions, select a third-party collector that is SonicWall-flow aware, such as Scrutinizer.
External Collector’s IP Address—Specify the external collector’s IP address to which the device sends flows via Netflow/IPFIX. This IP address must be reachable from the SonicWall firewall for the collector to generate flow reports. If the collector is reachable via a VPN tunnel, then the source IP must be specified in Source IP to Use for Collector on a VPN Tunnel.
Source IP to Use for Collector on a VPN Tunnel—If the external collector must be reached by a VPN tunnel, specify the source IP for the correct VPN policy.
NOTE: Select Source IP from the local network specified in the VPN policy. If specified, Netflow/IPFIX flow packets always take the VPN path.
External Collector’s UDP Port Number—Specify the UDP port number that Netflow/IPFIX packets are being sent over. The default port is 2055.
Send IPFIX/Netflow Templates at Regular Intervals—Enables the appliance to send Template flows at regular intervals. This option is selected by default.
NOTE: This option is available with Netflow version-9, IPFIX, and IPFIX with extensions only.

Netflow version-9 and IPFIX use templates that must be known to an external collector before sending data. Per IETF, a reporting device must be capable of sending templates at a regular interval to keep the collector in sync with the device. If the collector does not need templates at regular intervals, you can disable the function here.
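The following Python sketch of a collector's template handling is an added example, not SonicOS code or any SonicWall or third-party collector's code. It shows the failure mode behind the template notes on this page: an IPFIX data set whose template the collector has not yet received cannot be decoded and is skipped, which is why a collector that starts after the firewall depends on the periodic template refresh (or a manual Generate ALL Templates). The messages are constructed inline; the information element ids are standard IANA ones, while the template id 256, observation domain 1 and the addresses are assumptions.

```python
import socket
import struct

IPFIX_VERSION = 10   # IPFIX is "NetFlow version 10"
TEMPLATE_SET_ID = 2  # set id reserved for template sets (RFC 7011)
# Standard IANA information element ids used by the constructed sample template
IE_SOURCE_IPV4 = 8
IE_DEST_IPV4 = 12
IE_OCTET_DELTA = 1
IE_PACKET_DELTA = 2


class IpfixCollector:
    """Minimal collector state: fixed-length templates keyed by (observation
    domain, template id), decoded records, and a count of skipped data sets."""

    def __init__(self):
        self.templates = {}
        self.records = []
        self.skipped_unknown_template = 0

    def feed(self, msg):
        """Parse one IPFIX message (one UDP datagram from the exporter)."""
        version, length, _time, _seq, odid = struct.unpack("!HHIII", msg[:16])
        if version != IPFIX_VERSION:
            raise ValueError("not an IPFIX message: version %d" % version)
        if length != len(msg):
            raise ValueError("header length does not match datagram size")
        offset = 16
        while offset + 4 <= length:
            set_id, set_len = struct.unpack("!HH", msg[offset:offset + 4])
            if set_len < 4 or offset + set_len > length:
                raise ValueError("malformed set length")  # refuse to over-read
            body = msg[offset + 4:offset + set_len]
            if set_id == TEMPLATE_SET_ID:
                self._parse_templates(odid, body)
            elif set_id >= 256:  # data set; options templates (id 3) ignored
                self._parse_data(odid, set_id, body)
            offset += set_len

    def _parse_templates(self, odid, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, count = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if tid == 0 and count == 0:
                break  # trailing padding
            fields = []
            for _ in range(count):
                ie, flen = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if ie & 0x8000:  # enterprise-specific element (vendor extension)
                    pen = struct.unpack("!I", body[pos:pos + 4])[0]
                    pos += 4
                    ie = (pen, ie & 0x7FFF)
                fields.append((ie, flen))  # flen 0xFFFF (variable) not handled
            self.templates[(odid, tid)] = fields

    def _parse_data(self, odid, tid, body):
        template = self.templates.get((odid, tid))
        if template is None:
            # Record layout is unknown until the template arrives: drop the set.
            self.skipped_unknown_template += 1
            return
        rec_len = sum(flen for _, flen in template)
        pos = 0
        while pos + rec_len <= len(body):
            record = {}
            for ie, flen in template:
                record[ie] = int.from_bytes(body[pos:pos + flen], "big")
                pos += flen
            self.records.append(record)


# Builders for the constructed sample messages (exporter side).
def build_message(odid, sets, seq=0):
    body = b"".join(sets)
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), 0, seq, odid) + body

def template_set(tid, fields):
    rec = struct.pack("!HH", tid, len(fields))
    rec += b"".join(struct.pack("!HH", ie, flen) for ie, flen in fields)
    return struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(rec)) + rec

def data_set(tid, records):
    body = b"".join(records)
    return struct.pack("!HH", tid, 4 + len(body)) + body

def demo():
    """Collector started after the exporter: data before the template is lost,
    data after the template refresh decodes. Returns counters and first record."""
    fields = [(IE_SOURCE_IPV4, 4), (IE_DEST_IPV4, 4), (IE_OCTET_DELTA, 8), (IE_PACKET_DELTA, 4)]
    rec = (socket.inet_aton("10.0.0.5") + socket.inet_aton("203.0.113.7")
           + struct.pack("!QI", 1500, 3))  # constructed flow: 1500 bytes, 3 packets
    collector = IpfixCollector()
    collector.feed(build_message(1, [data_set(256, [rec])], seq=0))
    before = (len(collector.records), collector.skipped_unknown_template)  # (0, 1)
    collector.feed(build_message(1, [template_set(256, fields), data_set(256, [rec, rec])], seq=1))
    after = (len(collector.records), collector.skipped_unknown_template)  # (2, 1)
    return before, after, collector.records[0]
```

A rising skipped_unknown_template counter on a real collector is the symptom to look for when flows from the firewall stop appearing after a collector restart.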

Send Static AppFlow at Regular Interval—Enables the hourly sending of IPFIX records for the specified static AppFlow tables. This option is disabled by default.
NOTE: This option is available with IPFIX with extensions only.

This option must be selected if SonicWall Scrutinizer is used as a collector.

Send Static AppFlow for Following Tables—Select the static mapping tables to be generated to a flow from the drop-down menu. For more information on static tables, refer to NetFlow Tables.

Applications (selected by default)
Services (selected by default)
Viruses (selected by default)
Rating Map (selected by default)
Spyware (selected by default)
Table Map
Intrusions (selected by default)
Column Map
Location Map

When running in IPFIX with extensions mode, the firewall reports multiple types of data to an external device to correlate User, VPN, Application, Virus, and Spyware information. Data is both static and dynamic. Static tables are needed only once as they rarely change. Depending on the capability of the external collector, not all static tables are needed.

In the IPFIX with extension mode, the firewall can asynchronously generate the static mapping table(s) to synchronize the external collector. This synchronization is needed when the external collector is initialized later than the firewall.

Send Dynamic AppFlow for Following Tables—Select the dynamic mapping tables to be generated to a flow from the drop-down menu. For more information on dynamic tables, refer to NetFlow Tables.
NOTE: This option is available with IPFIX with extensions only.

The firewall generates reports for the selected tables. As the firewall doesn’t cache this information, flows that are not sent may cause failures when correlating flows with other related data.

Connections (selected by default)
Devices
Users (selected by default)
SPAMs
URLs (selected by default)
Locations
URL ratings (selected by default)
VoIPs (selected by default)
VPNs (selected by default)

Include Following Additional Reports via IPFIX—Select additional IPFIX reports to be generated to a flow. Select values from the drop-down menu. By default, none are selected. Statistics are reported every 5 seconds.
NOTE: This option is available with IPFIX with extensions only.
System Logs – Generates system logs such as interface state change, fan failure, user authentication, HA failover and failback, tunnel negotiations, configuration change. System logs include events that are typically not flow-related (session/connection) events, that is, not dependent on traffic flowing through the firewall.
Top 10 Apps – Generates the top 10 applications.
Interface Stats – Generates per-interface statistics such as interface name, interface bandwidth utilization, MAC address, link status.
Core utilization – Generates per-core utilization.
Memory utilization – Generates statuses of available memory, used memory, and memory used by the AppFlow collector.

When running in either mode, SonicWall can report more data that is not related to connection and flows. These tables are grouped under this section (Additional Reports). Depending on the capability of the external collector, not all additional tables are needed. With this option, you can select tables that are needed.

Report On Connection OPEN—Reports flows when a new connection is established. All associated data related to that connection may not be available when the connection is opened. This option, however, enables flows to show up on the external collector as soon as the new connection is established. By default, this setting is enabled.
Report On Connection CLOSE—Reports flows when a connection is closed. This is the most efficient way of reporting flows to an external collector. All associated data related to that connection are available and reported. By default, this setting is enabled.
Report Connection On Active Timeout—Reports connections based on Active Timeout sessions. If enabled, the firewall reports an active connection every active timeout period. By default, this setting is disabled.
NOTE: If you select this option, the Report Connection On Kilo BYTES Exchanged option cannot be selected also. If this option is already checked, this message is displayed when attempting to select Report Connection on Kilo BYTES Exchanged:
Number of Seconds—Set the number of seconds to elapse for the Active Timeout. The range is 1 second to 999 seconds for the Active Timeout. The default setting is 60 seconds.
Report Connection On Kilo BYTES Exchanged—Reports flows based on when a specific amount of traffic, in kilobytes, is exchanged. If this setting is enabled, the firewall reports an active connection whenever the specified number of bytes of bidirectional data is exchanged on an active connection. This option is ideal for flows that are active for a long time and need to be monitored. This option is not selected by default.
NOTE: If you select this option, the Report Connection On Active Timeout option cannot be selected also. If this option is already checked, this message is displayed when attempting to select Report Connection on Active Timeout:
Kilobytes Exchanged—Specify the amount of data, in kilobytes, transferred on a connection before reporting. The default value is 100 kilobytes.
Report ONCE—When the Report Connection On Kilo BYTES Exchanged option is enabled, the same flow is reported multiple times whenever the specified amount of data is transferred over the connection. This could cause a large amount of IPFIX-packet generation on a loaded system. Enabling this option sends the report only once. This option is selected by default.
Report Connections On Following Updates—Select from the pull-down menu to enable connection reporting for the following (by default, all are selected). Each selection reports flows as follows:

threat detection: Specific to threats. Upon detection of a virus, intrusion, or spyware, the flow is reported again.
application detection: Specific to applications. Upon performing deep packet inspection, the SonicWall appliance is able to detect whether a flow is part of a certain application. When identified, the flow is reported again.
user detection: Specific to users. The SonicWall appliance associates a flow with a user based on that user's login credentials. When identified, the flow is reported again.
VPN tunnel detection: Specific to flows sent through a VPN tunnel. When flows sent over the VPN tunnel are identified, the flow is reported again.

Actions—Generate templates and static flow data asynchronously when you click these buttons:
Generate ALL Templates — Click on the button to begin building templates on the IPFIX server; this takes up to two minutes to generate.
NOTE: This option is available with Netflow version-9, IPFIX, and IPFIX with extensions only.
Generate Static AppFlow Data — Click on the button to begin generating a large amount of flows to the IPFIX server; this takes up to two minutes to generate.
NOTE: This option is available with IPFIX with extensions only.
Log Settings To External Collector – Sends the necessary fields of log settings to the external collector when you click the Send All Entries button.
TIP: This option displays only when IPFIX with extensions is selected for External Flow Reporting Format.
NOTE: Ensure the connection between SonicOS and the external collector server is ready before clicking the Send All Entries button.
TIP: Click the button again to sync the settings whenever:
SonicOS is upgraded with newly added log events.
The connection between SonicOS and the external server has been down for some time and log settings may have been edited.

NetFlow Activation and Deployment Information

SonicWall recommends careful planning of NetFlow deployment with NetFlow services activated on strategically located edge/aggregation routers which capture the data required for planning, monitoring and accounting applications. Key deployment considerations include the following:

Understanding your application-driven data collection requirements: accounting applications may only require originating and terminating router flow information whereas monitoring applications may require a more comprehensive (data intensive) end-to-end view
Understanding the impact of network topology and routing policy on flow collection strategy: for example, avoid collecting duplicate flows by activating NetFlow on key aggregation routers where traffic originates or terminates and not on backbone routers or intermediate routers which would provide duplicate views of the same flow information
NetFlow can be implemented in the SonicOS management interface to understand the number of flows in the network and the impact on the router. NetFlow export can then be set up at a later date to complete the NetFlow deployment.

NetFlow is, in general, an ingress measurement technology which should be deployed on appropriate interfaces on edge/aggregation or WAN access routers to gain a comprehensive view of originating and terminating traffic to meet customer needs for accounting, monitoring or network planning data. The key mechanism for enhancing NetFlow data volume manageability is careful planning of NetFlow deployment. NetFlow can be deployed incrementally (that is, interface by interface) and strategically (that is, on well-chosen routers) —instead of widespread deployment of NetFlow on every router in the network.

User Configuration Tasks

Depending on the type of flows you are collecting, you will need to determine which type of reporting works best with your setup and configuration. This section includes configuration examples for each supported NetFlow solution, as well as configuring a second appliance to act as a collector.

Configuring NetFlow Version 5

To configure Netflow version 5 flow reporting:
1. Click the Settings tab.
2. For Report Connections in the Settings section, select one of these radio buttons:
   All (default)
   Interface-based: when enabled, the flows reported are based on the initiator or responder interface.
   Firewall/App Rules-based: when enabled, the flows reported are based on already existing firewall rules.
   When enabled, the flows reported are based on the initiator or responder interface or on already existing firewall rules.
   NOTE: This step is optional, but is required if flow reporting is done on selected interfaces.
3. Click the External Collector tab.
4. Select the Send Flows and Real-Time Data To External Collector checkbox.
5. Select Netflow version-5 as the External Flow Reporting Format from the drop-down menu.
6. Specify the External Collector’s IP address in the provided field.
7. Optionally, for the Source IP to Use for Collector on a VPN Tunnel, specify the source IP if the external collector must be reached by a VPN tunnel.
   IMPORTANT: This step is required if the external collector must be reached by a VPN tunnel.
8. Specify the External Collector’s UDP port number in the provided field. The default port is 2055.
9. Click the Accept button at the top of the page.
   NOTE: You may need to reboot the device to completely enable this configuration.

Configuring NetFlow Version 9

To configure Netflow version 9 flow reporting:
1. Click the Settings tab.
2. In the Settings section, for Report Connections, select one of these radio buttons:
   All (default)
   Interface-based: when enabled, the flows reported are based on the initiator or responder interface.
   Firewall/App Rules-based: when enabled, the flows reported are based on already existing firewall rules.
   IMPORTANT: This step is optional, but is required if flow reporting is done on selected interfaces.
3. Click the External Collector tab.
4. Select the Send Flows and Real-Time Data To External Collector checkbox.
   IMPORTANT: When enabling this option, you may need to reboot the device to enable this feature completely.
5. Select Netflow version-9 as the External Flow Reporting Format from the drop-down menu.
6. Specify the External Collector’s IP address in the provided field.
7. Optionally, for the Source IP to Use for Collector on a VPN Tunnel, specify the source IP if the external collector must be reached by a VPN tunnel.
   IMPORTANT: This step is required if the external collector must be reached by a VPN tunnel.
8. Specify the External Collector’s UDP port number in the provided field. The default port is 2055.
9. In Actions, click the Generate ALL Templates button to begin generating templates. A message requesting confirmation displays.
   IMPORTANT: IPFIX uses templates that must be known to an external collector before sending data.
10. After the templates have been generated, click Accept.

Configuring IPFIX (NetFlow Version 10)

To configure IPFIX, or NetFlow version 10, flow reporting:
1. Click the Settings tab.
2. In the Settings section, for Report Connections, select one of these radio buttons:
   All (default)
   Interface-based: when enabled, the flows reported are based on the initiator or responder interface.
   Firewall/App Rules-based: when enabled, the flows reported are based on already existing firewall rules.
   IMPORTANT: This step is optional, but is required if flow reporting is done on selected interfaces.
3. Click the External Collector tab.
4. Select the Send Flows and Real-Time Data To External Collector checkbox.
   IMPORTANT: When enabling this option, you may need to reboot the device to enable this feature completely.
5. Select IPFIX as the External Flow Reporting Format from the drop-down menu.
6. Specify the External Collector’s IP address in the provided field.
7. Optionally, for the Source IP to Use for Collector on a VPN Tunnel, specify the source IP if the external collector must be reached by a VPN tunnel.
   IMPORTANT: This step is required if the external collector must be reached by a VPN tunnel.
8. Specify the External Collector’s UDP port number in the provided field. The default port is 2055.
9. In Actions, click the Generate ALL Templates button to begin generating templates. A message requesting confirmation displays.
   IMPORTANT: IPFIX uses templates that must be known to an external collector before sending data.
10. After the templates have been generated, click Accept.

Configuring IPFIX with Extensions

To configure IPFIX with extensions flow reporting:
1. Click the Settings tab.
2. In the Settings section, for Report Connections, select one of these radio buttons:
   All (default)
   Interface-based: when enabled, the flows reported are based on the initiator or responder interface.
   Firewall/App Rules-based: when enabled, the flows reported are based on already existing firewall rules.
   IMPORTANT: This step is optional, but is required if flow reporting is done on selected interfaces.
3. Click the External Collector tab.
4. Select the Send Flows and Real-Time Data To External Collector checkbox.
   IMPORTANT: When enabling this option, you may need to reboot the device to enable this feature completely.
5. Select IPFIX with extensions as the External Flow Reporting Format from the drop-down menu.
6. Specify the External Collector’s IP address in the provided field.
7. For the Source IP to Use for Collector on a VPN Tunnel, specify the source IP if the external collector must be reached by a VPN tunnel.
   IMPORTANT: This step is required if the external collector must be reached by a VPN tunnel.
8. Specify the External Collector’s UDP port number in the provided field. The default port is 2055.
9. Select the tables you wish to receive static flows for from the Send Static AppFlow For Following Tables drop-down menu.
10. Select the tables you wish to receive dynamic flows for from the Send Dynamic AppFlow For Following Tables drop-down menu.
11. Select any additional reports to be generated to a flow from the Include Following Additional Reports via IPFIX drop-down menu.
   IMPORTANT: To have system logs generated, you must select System Logs from this drop-down menu.
12. Click the Generate ALL Templates button to begin generating templates.
   IMPORTANT: IPFIX with extensions uses templates that must be known to an external collector before sending data.
13. Enable the option to Send Static AppFlow at Regular Intervals by selecting the checkbox. After enabling this option, click the Generate Static Flows button.
14. To begin generating static flow data, click the Generate Static AppFlow Data button. A message requesting confirmation displays.
15. To send log messages to the external collector, click the Send All Entries button for the Send Log Settings to External Collector option.
   IMPORTANT: Ensure the connection between SonicOS on the firewall and the external collector server is ready before clicking the Send All Entries button.

The external server loads the properties (see Saved properties) and settings for use when it reboots. Click the Send All Entries button to synchronize the settings whenever:

SonicOS is upgraded, for example, with new log events.
The connection between SonicOS (firewall) and the external server has been down for some time and log settings may have been edited during that time.
* 
NOTE: SonicOS sends updates to the external server automatically if some fields of log event settings are changed.
 

Saved properties

Category | Property
Event properties and settings | Event ID; Belongs to group ID; Color; Message type ID; Priority; Stream filter; Event name; Log message
Group properties | Group ID; Belongs to category ID; Group name
Category properties | Category ID; Category name
Message type properties | Type ID; Type name

16
Click Accept.

Configuring GMSFlow Server to Include Logs via IPFIX

To configure GMSFlow server to include logs via IPFIX:
1
Navigate to AppFlow > Flow Reporting.

2
Click the GMSFlow Server tab.

3
Select the Send System Logs to SonicWall GMSFlow Server checkbox. This option is not selected by default.
4
Click Accept.
5
Navigate to AppFlow > GmsFlow Server.

6
To send log messages to the GMSFlow server, click the Synchronize Log Settings button.
* 
IMPORTANT: Ensure the connection between SonicOS on the firewall and the GMSFlow server is ready before clicking the Synchronize Log Settings button.

The external server loads the properties (see Saved properties) and settings for use when it reboots. Click the Send All Entries button to synchronize the settings whenever:

SonicOS is upgraded, for example, with new log events.
The connection between SonicOS (firewall) and the external server has been down for some time and log settings may have been edited during that time.
* 
NOTE: SonicOS sends updates to the external server automatically if some fields of log event settings are changed.
 
7
Click Apply.

Configuring Netflow with Extensions with SonicWall Scrutinizer

One external flow reporting option that works with Netflow with Extensions is the third-party collector, SonicWall Scrutinizer. This collector provides a range of reporting and analysis that is aware of both NetFlow and SonicWall flows.

To verify your Netflow with Extensions reporting configurations:
1
Click the Settings tab.

2
In the Settings section, for Report Connections, select the All radio button.
* 
IMPORTANT: This step is optional, but is required if flow reporting is done on selected interfaces.
3
Click the External Collector tab.

4
Click the Send Flows and Real-Time Data To External Collector checkbox.
* 
IMPORTANT: When enabling this option, you may need to reboot the device to enable this feature completely.
5
Select IPFIX with extensions from the External Flow Reporting Format drop-down menu.
6
Specify the External Collector’s IP address in the provided field.
7
Optionally, if the external collector must be reached by a VPN tunnel, specify the source IP in the Source IP to Use for Collector on a VPN Tunnel field.
* 
IMPORTANT: This step is required if the external collector must be reached by a VPN tunnel.
8
Specify the External Collector’s UDP port number in the provided field. The default port is 2055.
9
Click the Send Static AppFlow At Regular Interval checkbox.
10
Select the tables you wish to receive static flows for from the Send Dynamic AppFlow For Following Tables drop-down menu.


* 
NOTE: Currently, Scrutinizer supports Applications and Threats only. Future versions of Plixer will support the following Static Flows: Location Map, Services, Rating Map, Table Map, and Column Map.
11
Click the Generate Static AppFlow Data button.
12
Click Accept.
13
Navigate to Network > Interfaces.

14
Confirm that Flow Reporting is enabled per interface by clicking the Configure icon of the interface you are requesting data from. The Edit Interface dialog displays.

15
On the Advanced tab, ensure the checkbox to Enable flow reporting is selected.

16
Click OK.
17
Log in to SonicWall Scrutinizer. The data displays within minutes.

NetFlow Tables

The following section describes the various NetFlow tables. It also describes in detail the IPFIX with extensions tables that are exported when the SonicWall is configured to report flows.


Static Tables

Static Tables are tables with data that does not change over time. However, this data is required to correlate with other tables. Static tables are usually reported at a specified interval, but may also be configured to send just once. Exportable Static IPFIX tables lists the Static IPFIX tables that may be exported:

 

Exportable Static IPFIX tables

Applications Map: Reports all applications the firewall identifies, including various Attributes, Signature IDs, App IDs, Category Names, and Category IDs.
Viruses Map: Reports all viruses detected by the firewall.
Spyware Map: Reports all spyware detected by the firewall.
Intrusions Map: Reports all intrusions detected by the firewall.
Location Map: Represents SonicWall’s location map describing the list of countries and regions with their IDs.
Services Map: Represents SonicWall’s list of Services with Port Numbers, Protocol Type, Range of Port Numbers, and Names.
Rating Map: Represents SonicWall’s list of Rating IDs and the Name of the Rating Type.
Table Layout Map: Reports SonicWall’s list of tables to be exported, including Table ID and Table Names.
Column Map: Represents SonicWall’s list of columns to be reported with Name, Type Size, and IPFIX Standard Equivalents for each column of every table.

Dynamic Tables

Unlike Static tables, the data of Dynamic tables change over time and are sent repeatedly, based on the activity of the firewall. The columns of these tables grow over time, with the exception of a few tables containing statistics or utilization reports. Exportable Dynamic IPFIX tables lists the Dynamic IPFIX tables that may be exported:

 

Exportable Dynamic IPFIX tables

Connections: Reports SonicWall connections. The same flow tables can be reported multiple times by configuring triggers.
Users: Reports users logging in to the firewall via LDAP/RADIUS, Local, or SSO.
URLs: Reports URLs accessed through the firewall.
URL ratings: Reports Rating IDs for all URLs accessed through the firewall.
VPNs: Reports all VPN tunnels established through the firewall.
Devices: Reports the list of all devices connected through the firewall, including the MAC addresses, IP addresses, Interface, and NETBIOS name of connected devices.
SPAMs: Reports all email exchanges through the SPAM service.
Locations: Reports the Locations and Domain Names of an IP address.
VoIPs: Reports all VoIP/H323 calls through the firewall.

Templates

The following section shows examples of the type of Netflow template tables that are exported. You can perform a Diagnostic Report of your own Netflow Configuration by navigating to System > Diagnostics, and clicking the Download Report button in the Tech Support Report section.

NetFlow Version 5

The NetFlow version 5 datagram consists of a header and one or more flow records, and is sent over UDP. The first field of the header contains the version number of the export datagram. The second field in the header contains the number of records in the datagram, which can be used to walk through the records. Because NetFlow version 5 is a fixed-format datagram, no templates are used; it follows the layouts in NetFlow version 5 header format and Netflow version 5 record format.

NetFlow version 5 header format

Bytes | Contents | Description
0-1 | version | NetFlow export format version number
2-3 | count | Number of flows exported in this packet (1-30)
4-7 | SysUptime | Current time in milliseconds since the export device booted
8-11 | unix_secs | Current count of seconds since 0000 UTC 1970
12-15 | unix_nsecs | Residual nanoseconds since 0000 UTC 1970
16-19 | flow_sequence | Sequence counter of total flows seen
20 | engine_type | Type of flow-switching engine
21 | engine_id | Slot number of the flow-switching engine
22-23 | sampling_interval | First two bits hold the sampling mode; remaining 14 bits hold the value of the sampling interval

 

Netflow version 5 record format

Bytes | Contents | Description
0-3 | srcaddr | Source IP address
4-7 | dstaddr | Destination IP address
8-11 | nexthop | IP address of the next hop router
12-13 | input | SNMP index of input interface
14-15 | output | SNMP index of output interface
16-19 | dPkts | Packets in the flow
20-23 | dOctets | Total number of Layer 3 bytes in the packets of the flow
24-27 | First | SysUptime at start of flow
28-31 | Last | SysUptime at the time the last packet of the flow was received
32-33 | srcport | TCP/UDP source port number or equivalent
34-35 | dstport | TCP/UDP destination port number or equivalent
36 | pad1 | Unused (zero) bytes
37 | tcp_flags | Cumulative OR of TCP flags
38 | prot | IP protocol type (for example, TCP=6; UDP=17)
39 | tos | IP type of service (ToS)
40-41 | src_as | Autonomous system number of the source, either origin or peer
42-43 | dst_as | Autonomous system number of the destination, either origin or peer
44 | src_mask | Source address prefix mask bits
45 | dst_mask | Destination address prefix mask bits
46-47 | pad2 | Unused (zero) bytes
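As an added example (not part of the SonicOS guide and not SonicWall code), the following Python script decodes a NetFlow version 5 datagram laid out as in the two tables above, the way a collector does on receipt: it checks the version field, enforces the 1-30 record count, rejects datagrams shorter than the count implies, splits sampling_interval into its 2-bit mode and 14-bit interval, and unpacks each 48-byte record into named fields. The two flow records it parses are constructed sample data, not a capture from a firewall.

```python
"""Collector-side parser for a NetFlow version 5 export datagram.

Added example: field layouts follow the header and record tables in the
guide; the sample datagram is constructed here, not captured from a firewall.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Tuple

# Header: version, count, SysUptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval (all big-endian, 24 bytes).
HEADER_FMT = "!HHIIIIBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, First, Last,
# srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask,
# dst_mask, pad2 (48 bytes).
RECORD_FMT = "!IIIHHIIIIHHBBBBHHBBH"
RECORD_LEN = struct.calcsize(RECORD_FMT)


@dataclass
class V5Header:
    version: int
    count: int
    sys_uptime_ms: int
    unix_secs: int
    unix_nsecs: int
    flow_sequence: int
    engine_type: int
    engine_id: int
    sampling_mode: int       # top 2 bits of sampling_interval
    sampling_interval: int   # low 14 bits of sampling_interval


@dataclass
class V5Record:
    srcaddr: str
    dstaddr: str
    nexthop: str
    input_if: int
    output_if: int
    packets: int
    octets: int
    first_ms: int
    last_ms: int
    srcport: int
    dstport: int
    tcp_flags: int
    protocol: int
    tos: int
    src_as: int
    dst_as: int
    src_mask: int
    dst_mask: int


def parse_v5(datagram: bytes) -> Tuple[V5Header, List[V5Record]]:
    """Decode one export datagram; raise ValueError on anything malformed."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than the 24-byte NetFlow v5 header")
    h = struct.unpack_from(HEADER_FMT, datagram, 0)
    version, count, sampling = h[0], h[1], h[8]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if not 1 <= count <= 30:
        raise ValueError(f"record count {count} outside the 1-30 range")
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("datagram truncated: fewer records than the header claims")
    header = V5Header(*h[:8], sampling_mode=sampling >> 14,
                      sampling_interval=sampling & 0x3FFF)
    records = []
    for i in range(count):
        f = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        records.append(V5Record(
            srcaddr=str(IPv4Address(f[0])), dstaddr=str(IPv4Address(f[1])),
            nexthop=str(IPv4Address(f[2])), input_if=f[3], output_if=f[4],
            packets=f[5], octets=f[6], first_ms=f[7], last_ms=f[8],
            srcport=f[9], dstport=f[10], tcp_flags=f[12], protocol=f[13],
            tos=f[14], src_as=f[15], dst_as=f[16], src_mask=f[17],
            dst_mask=f[18]))   # f[11] and f[19] are the zero pad fields
    return header, records


def build_sample_datagram() -> bytes:
    """Constructed sample: two flows (an HTTPS session and a DNS query)."""
    header = struct.pack(HEADER_FMT, 5, 2, 123456, 1700000000, 0, 42, 0, 0, 0)
    https = struct.pack(RECORD_FMT, int(IPv4Address("192.0.2.10")),
                        int(IPv4Address("198.51.100.5")), 0, 1, 2, 10, 1500,
                        120000, 123000, 51000, 443, 0, 0x1B, 6, 0, 0, 0, 24, 24, 0)
    dns = struct.pack(RECORD_FMT, int(IPv4Address("192.0.2.11")),
                      int(IPv4Address("198.51.100.53")), 0, 1, 2, 1, 80,
                      123400, 123400, 40000, 53, 0, 0, 17, 0, 0, 0, 24, 24, 0)
    return header + https + dns


if __name__ == "__main__":
    hdr, flows = parse_v5(build_sample_datagram())
    print(f"v{hdr.version}, {hdr.count} flows, sequence {hdr.flow_sequence}")
    for r in flows:
        print(f"{r.srcaddr}:{r.srcport} -> {r.dstaddr}:{r.dstport} "
              f"proto={r.protocol} pkts={r.packets} bytes={r.octets}")
```

The length check against the advertised count matters on a collector: a datagram whose count field claims more records than the UDP payload carries would otherwise be read past its end, and a flow_sequence that jumps between consecutive datagrams is the simplest indicator of export loss.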

NetFlow Version 9

NetFlow Version 9 Example

The Netflow version 9 template FlowSet fields table describes the fields of a NetFlow version 9 Template FlowSet.

Netflow version 9 template FlowSet fields

Field Name | Description
Template ID | The firewall generates templates with a unique ID based on FlowSet templates matching the type of NetFlow data being exported.
Name | The name of the NetFlow template.
Number of Elements | The number of fields listed in the NetFlow template.
Total Length | The total length in bytes of all reported fields in the NetFlow template.
Field Type | A numeric value that represents the type of field. Values of the field type may be vendor specific.
Field bytes | The length of the specific Field Type, in bytes.

IPFIX (NetFlow Version 10)

IPFIX (NetFlow version 10) example

The IPFIX template FlowSet fields table describes the fields of an IPFIX Template FlowSet.

IPFIX template FlowSet fields

Field Name | Description
Template ID | The firewall generates templates with a unique ID based on FlowSet templates matching the type of NetFlow data being exported.
Name | The name of the NetFlow template.
Number of Elements | The number of fields listed in the NetFlow template.
Total Length | The total length in bytes of all reported fields in the NetFlow template.
Field Type | A numeric value that represents the type of field. Values of the field type may be vendor specific.
Field bytes | The length of the specific Field Type, in bytes.

IPFIX with Extensions

IPFIX with extensions exports templates that are a combination of NetFlow fields from the aforementioned versions and SonicWall IDs. These flows contain several extensions, such as Enterprise-defined field types and Enterprise IDs.

* 
NOTE: The SonicWall Specific Enterprise ID (EntID) is defined as 8741.

The IPFIX with extensions Name template example shows the standard form of the IPFIX with extensions templates. The values specified are static and correlate to the Table Name of every NetFlow exportable template. Also see IPFIX with extensions template example.

IPFIX with extensions Name template example

IPFIX with extensions template example
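The Template FlowSet fields listed above for NetFlow version 9 and IPFIX, and the enterprise-specific elements that IPFIX with extensions adds, are what a collector must decode before it can interpret any data records. The following Python code is an added example, not from this guide or from SonicWall: it walks the Template Sets of an IPFIX message as laid out in RFC 7011, reads each field specifier, follows the enterprise bit to the 4-byte Enterprise Number that follows it, and derives the Number of Elements and Total Length for each template. The message it parses is constructed inline; the enterprise element IDs 1 and 2 that it tags with Enterprise ID 8741 are placeholders, since the guide gives SonicWall's Enterprise ID but not its element IDs.

```python
"""Collector-side parser for IPFIX (NetFlow version 10) Template Sets.

Added example: message layout follows RFC 7011; the sample message is
constructed here, and the enterprise element IDs 1 and 2 are placeholders
(the guide gives SonicWall's Enterprise ID, 8741, but not its element IDs).
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2             # Set ID that carries template records
SONICWALL_ENTERPRISE_ID = 8741  # Enterprise ID used by IPFIX with extensions
VARIABLE_LENGTH = 0xFFFF        # field length meaning "variable-length encoded"


@dataclass
class FieldSpec:
    element_id: int
    length: int
    enterprise_id: Optional[int] = None   # None for IANA-registered elements


@dataclass
class Template:
    template_id: int
    fields: List[FieldSpec] = field(default_factory=list)

    @property
    def element_count(self) -> int:   # "Number of Elements" in the tables above
        return len(self.fields)

    @property
    def total_length(self) -> Optional[int]:
        """"Total Length" of a data record; None if any field is variable-length."""
        if any(f.length == VARIABLE_LENGTH for f in self.fields):
            return None
        return sum(f.length for f in self.fields)

    def enterprise_fields(self, enterprise_id: int) -> List[FieldSpec]:
        return [f for f in self.fields if f.enterprise_id == enterprise_id]


def parse_ipfix_templates(message: bytes) -> List[Template]:
    """Return every template defined in the message's Template Sets."""
    if len(message) < 16:
        raise ValueError("message shorter than the 16-byte IPFIX header")
    version, length, _export_time, _seq, _domain = struct.unpack_from("!HHIII", message, 0)
    if version != IPFIX_VERSION:
        raise ValueError(f"not IPFIX (version field = {version})")
    if length < 16 or length > len(message):
        raise ValueError("IPFIX length field does not match the bytes received")
    templates: List[Template] = []
    off = 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", message, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError(f"set at offset {off} overruns the message")
        if set_id == TEMPLATE_SET_ID:
            templates.extend(_parse_template_set(message[off + 4:off + set_len]))
        off += set_len   # data sets and options template sets are skipped here
    return templates


def _parse_template_set(body: bytes) -> List[Template]:
    templates: List[Template] = []
    pos = 0
    while pos + 4 <= len(body):
        template_id, field_count = struct.unpack_from("!HH", body, pos)
        if template_id == 0 and field_count == 0:
            break   # zero padding at the end of the set
        if template_id < 256:
            raise ValueError(f"template ID {template_id} is reserved (must be >= 256)")
        pos += 4
        tmpl = Template(template_id)
        for _ in range(field_count):
            if pos + 4 > len(body):
                raise ValueError("truncated field specifier")
            raw_id, flen = struct.unpack_from("!HH", body, pos)
            pos += 4
            enterprise = None
            if raw_id & 0x8000:   # enterprise bit: a 4-byte Enterprise Number follows
                if pos + 4 > len(body):
                    raise ValueError("truncated enterprise number")
                (enterprise,) = struct.unpack_from("!I", body, pos)
                pos += 4
            tmpl.fields.append(FieldSpec(raw_id & 0x7FFF, flen, enterprise))
        templates.append(tmpl)
    return templates


def build_sample_message() -> bytes:
    """Constructed message: one Template Set defining templates 256 and 257."""
    # 256: IANA elements only (sourceIPv4Address=8, destinationIPv4Address=12,
    # protocolIdentifier=4, octetDeltaCount=1).
    t256 = struct.pack("!HH", 256, 4) + struct.pack("!8H", 8, 4, 12, 4, 4, 1, 1, 8)
    # 257: one IANA element plus two SonicWall enterprise-specific elements,
    # the second variable-length. Element IDs 1 and 2 are placeholders.
    t257 = (struct.pack("!HH", 257, 3)
            + struct.pack("!HH", 8, 4)
            + struct.pack("!HHI", 0x8000 | 1, 4, SONICWALL_ENTERPRISE_ID)
            + struct.pack("!HHI", 0x8000 | 2, VARIABLE_LENGTH, SONICWALL_ENTERPRISE_ID))
    body = t256 + t257
    template_set = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(body)) + body
    header = struct.pack("!HHIII", IPFIX_VERSION, 16 + len(template_set), 1700000000, 0, 1)
    return header + template_set


if __name__ == "__main__":
    for t in parse_ipfix_templates(build_sample_message()):
        ents = len(t.enterprise_fields(SONICWALL_ENTERPRISE_ID))
        print(f"template {t.template_id}: {t.element_count} elements, "
              f"total length {t.total_length}, SonicWall-specific fields {ents}")
```

This is why the guide insists on generating templates before data is sent: a collector that has not yet received template 257 cannot know that its records contain two enterprise elements, or that the second one is variable-length and therefore has no fixed record size, so any data records arriving first are undecodable and are typically dropped.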

 

Connecting to a GMSFlow Server

AppFlow > GMSFlow Server

The AppFlow > GMSFlow Server page enables you to establish a connection to a GMSFlow Server.

In the SonicWall Global Management System (GMS), the Flow Server role can be used in a distributed deployment of GMS. In this role, the GMS server runs a single service, which collects SonicWall Flows on the default ports.

The single service that runs in this role is SonicWall Universal Management Suite - Flow Server. The flows are collected and stored in internal databases. To create reports out of these flows, you must have a GMS server in the deployment running version 7.1 or higher and configured with the role of Console or All in One. You also need to ensure that these ports are open:

UDP 2055
UDP 5055
TCP 9063
TCP 9064
TCP 9065
TCP 9066
TCP 9067

The GMS server has a fixed Syslog Facility (Local Use 0), Syslog Format (Default), and Server ID (firewall). Although the Event Profile value for GMS is set to 0 by default, all events are reported to GMS regardless of the profile. GMS is also exempted from Rate Limiting. The newly added Enable checkbox does not apply. GMS can be enabled/disabled only in the System > Administration page and not in the Log > Syslog page.

Connecting to a GMSFlow Server

Establishing a connection is a two-step process:

1
Establish a connection to the GMSFlow Server.
2
Configure the GMSFlow Server on the AppFlow > Flow Reporting page in SonicOS.

For more detailed information about configuring an AppFlow server with GMS, refer to the latest SonicWall GMS Administration Guide.

To establish a connection to a GMSFlow Server:
1
In GMS, log into the Instant GMSFlow Server.
2
Go to the Network > Settings page.
3
Find and copy the Host IP address of the GMSFlow Server.
On the SonicWall network security appliance:
1
Go to the AppFlow > GMSFlow Server page.

2
In the GMSFlow Server Address field, paste the Host IP address.
3
In the Source IP to Use for Collector on a VPN Tunnel field, specify the source IP address for the applicable VPN policy.
* 
IMPORTANT: If the GMSFlow server is reachable via a VPN tunnel, then this field must be specified. You can choose an IP from the VPN policy.
4
In the Server Communication Timeout field, enter the number of seconds that the firewall will wait to receive a response from the Flow Server. The range is 60 (default) to 120 seconds.
5
If you want to enable the firewall to send static flows to the Flow Server each time the firewall is rebooted, select the Auto-Synchronize Flow Server option.
6
To test your connection to the GMSFlow Server, click the Test Connectivity button. The connectivity status is displayed.
7
If you want to manually send static data to the GMSFlow Server, click the Synchronize Server button. The synchronization status is displayed.
* 
IMPORTANT: You must click the Synchronize Server button once, and once only, after connecting to and registering your SonicWall GMS product.
8
Click Apply.

Accessing the Real-Time Monitor

AppFlow > Real-Time Monitor

* 
NOTE: For increased convenience and accessibility, the Real-Time Monitor page can be accessed either from Dashboard > Real-Time Monitor or AppFlow > Real-Time Monitor. The page is identical regardless of which tab it is accessed through. For information on using Real-Time Monitor, refer to Dashboard > Real-Time Monitor.

 

Accessing AppFlow Dash

AppFlow > AppFlow Dash

* 
NOTE: For increased convenience and accessibility, the AppFlow Monitor page can be accessed either from Dashboard > AppFlow Dash or AppFlow > AppFlow Dash. The page is identical regardless of which tab it is accessed through. For information on using AppFlow Monitor, refer to Dashboard > AppFlow Dash.

 

Accessing the AppFlow Monitor

AppFlow > AppFlow Monitor

* 
NOTE: For increased convenience and accessibility, the AppFlow Monitor page can be accessed either from Dashboard > AppFlow Monitor or AppFlow > AppFlow Monitor. The page is identical regardless of which tab it is accessed through. For information on using AppFlow Monitor, refer to Dashboard > AppFlow Monitor.

 

Accessing AppFlow Reports

AppFlow > AppFlow Reports

* 
NOTE: For increased convenience and accessibility, the AppFlow Reports page can be accessed either from Dashboard > AppFlow Reports or AppFlow > AppFlow Reports. The page is identical regardless of which tab it is accessed through. For information on using AppFlow Reports, refer to Dashboard > AppFlow Reports.