SonicOS 6.2 Admin Guide

Dashboard

Using the SonicOS Visualization Dashboard

Visualization Dashboard

NOTE: App Visualization (Real-Time Monitor and AppFlow Monitor) is supported on TZ series and above appliances.
Dashboard Overview

The Visualization Dashboard provides an interface for monitoring your network in real time, with flow charts of real-time data, customizable rules, and flexible interface settings. With the Visualization Dashboard, you can view and sort real-time network and bandwidth data to:

Identify applications and websites with high bandwidth demands
View application usage on a per-user basis
Anticipate attacks and threats encountered by the network
TIP: For easy viewing, click the Display icon next to the submenu item of interest to open the Dashboard report or chart in a new browser tab; you can then move that tab to a browser window separate from the management window.

Enabling the Real-Time Monitor and AppFlow Collection

The real-time application monitoring features rely on the flow-collection mechanism to collect and display data. Before you can view the applications chart in the Real-Time Monitor, AppFlow Monitor, or AppFlow Reports, you must first enable and configure the flow-collection feature.

To enable Real-Time Monitoring and Internal AppFlow collection:

1. Navigate to the AppFlow > Flow Reporting page.
2. Click the Settings tab.
3. Select the Enable Real-Time Data Collection checkbox. This checkbox is selected by default.
4. Select from the Collect Real-Time Data For drop-down menu the reports you would like to see captured (all are selected by default):
   Top apps
   Bits per sec
   Packets per sec
   Average packet size
   Connections per sec
   Core util
5. Select the Enable AppFlow To Local Collector checkbox.
   NOTE: Enabling this setting requires the system to be rebooted.
6. To enable these reports, click the Accept button to save your changes.
7. Navigate to the Network > Interfaces page.
8. Click the Configure icon for the interface you wish to enable flow reporting on. The Edit Interface window displays.
9. Click the Advanced tab.
10. Ensure that the Enable flow reporting checkbox is selected.
11. Click the OK button to save your changes.
12. Repeat Step 8 through Step 11 for each interface you wish to monitor.

For more detailed information on configuring Flow Reporting settings, refer to Dashboard > AppFlow Reports.


Monitoring Multi-Core Usage

Dashboard > Multi-Core Monitor

NOTE: For increased convenience and accessibility, the Multi-Core Monitor can be accessed from the Dashboard > Multi-Core Monitor, Dashboard > Real-Time Monitor, or System > Diagnostics page. The Multi-Core Monitor display on the System > Diagnostics page is identical to that of the Dashboard > Multi-Core Monitor. Both monitors display information about single cores. The Dashboard > Real-Time Monitor shows the information either for combined data in flow chart format or for individual cores in bar chart format.

If your system is configured for high availability, the cores for both the Primary and Secondary firewalls are displayed.

TZ Series, NSA Series, SuperMassive Series display

SuperMassive 9800 display

The Multi-Core Monitor displays dynamically updated statistics on utilization of the individual cores of the SonicWall network security appliance. The number of cores depends on the model of the appliance:

TZ Series, NSA Series, or SuperMassive Series: 18 to 32 cores, with Core 1 through Core 8 handling the control plane and the remaining cores handling the data plane
SuperMassive 9800: 2 control plane cores and 62 data plane cores

Control plane core usage is displayed in green and data plane core usage in blue.

To maximize processor flexibility, functions are not dedicated to specific cores; instead, all cores process all data plane tasks. Memory is shared across all cores. Each core processes a separate flow, and all cores can process their flows simultaneously, allowing up to 88 flows (62 flows on the SuperMassive 9800) to be processed in parallel.

NOTE: High utilization on the control plane cores is normal while browsing the web management interface and applying changes. All web management requests are processed by the control plane cores and do not impact the other cores. Traffic handling and other critical, performance-oriented and system tasks are always prioritized by the scheduler, and are never impacted by web management usage.

Multi-Core Monitor Display for High Availability

If your system is configured for high availability, the cores for both the Primary and Secondary firewalls are displayed. To view the two monitors side by side, click the small triangle in the header of the first monitor.

High Availability display

High Availability display side-by-side

Monitoring Real-Time Traffic Statistics

NOTE: The Real-Time Monitor feature is available on TZ series and above appliances.

Dashboard > Real-Time Monitor

The Real-Time Monitor provides an inclusive, multi-functional display with information about applications, bandwidth usage, packet rate, packet size, connection rate, connection count, and multi-core monitoring.

NOTE: A chart may be empty or blank if there are no recent data entries received within the viewing range.

Configuring the Real-Time Monitor

The first time you access the Real-Time Monitor, it is disabled:

To enable the Real-Time Monitor and start displaying statistics in the different monitors, select the checkbox.

Using the Toolbar

The Real-Time Monitor Toolbar contains features to specify the refresh rate, export details, configure color palettes, change the amount of data displayed, and pause or play the data flow. Changes made to the toolbar apply across all the data flows.


Real-Time Monitor toolbar options

Option

Widget

Description

Refresh rate

Determines the frequency at which data is refreshed. An integer between 1 and 10 seconds is required. The default is 3 seconds.

Export

Exports the data flow into a comma-separated values (.csv) file. The default file name is sonicflow.csv.

Print

Exports the data flow to a printer.

Configure

Displays the Settings window for customization of the color palette and legend location for the Application Chart and Bandwidth Chart.

To customize the Color Palette:

1. Enter the desired hexadecimal color codes in the provided text fields.
2. If a gradient is desired, select the Use Gradient checkbox located below the text fields.
3. Click Default for a default range of colors.
4. Click Generate to generate a random range of colors.

To change the location of the legend to inside the chart instead of the default location below the chart:

1. Select the appropriate checkbox:
   Put legends inside Application chart
   Put legends inside Bandwidth chart
2. Click Save to apply the changes.

NOTE: Changing any of the options restarts display of all the charts.

View Range

Displays data pertaining to a specific span of time. Two minutes is the default setting for the view range.

Data Source

Displays data collected from a specific server. The default setting is Local.

Select Local to display AppFlow data from an internal server on your firewall.
Select AppFlow Server to display AppFlow data collected by an external AppFlow server.
Select GMSFlow Server to display AppFlow data collected by a GMSFlow server.

Using Collector

Displays the data source (collector).

Time & Date

Displays the current time in 24-hour format (hh:mm:ss), and the current date in Month/Day format.

Pause

Freezes the data flow. The time and date will also freeze.

The Pause button appears gray if the data flow has been frozen.

Play

Unfreezes the data flow. The time and date will refresh as soon as the data flow is updated.

The Play button appears gray if the data flow is live.

Common Features

Collapse/Expand Buttons

Directly above each chart, at the far right, is a minus sign button that collapses the chart when clicked. When a chart is collapsed, a plus sign is displayed instead, which expands the chart when clicked. Collapsing charts is useful when you want to bring other charts closer together for comparison.

Legends

For most charts, you can display a legend that shows the name and color used for the applications or interfaces selected in the chart’s Display menu. To display or hide the legend, click on the Legends button below the chart.

NOTE: If you selected to have the legends for the Applications and Bandwidth charts displayed within the charts, the Legends button has no effect on their display.

Tooltips

Various elements of the charts have associated tooltips:

The name of the chart has a Tooltip icon that briefly describes the chart.

Legend items display information about the item the legend represents.

A small circle displays information about a precise moment on the chart.

To display a tooltip, hover your mouse over the desired item. The information displayed varies by chart.

Changing Chart Format

You are able to view individual charts in either bar chart format or flow (area) chart format. Each chart has Chart Format icons in the upper right corner of the chart. The default is flow chart format.

Bar Chart

The bar chart format displays applications individually, allowing you to compare them. In this chart, the applications, interfaces, or cores are arranged along the x-axis; applications and interfaces are colored according to the color code shown in the Legend. The y-axis displays information appropriate to the chart, such as the amount of traffic for each application or interface. To display the data in bar chart format, click the Bar Chart icon. The following example is a Bar Chart view.

Flow Chart

The flow chart format displays overlapping data in a stacked format as it occurs. In this chart, the x-axis displays the current time and the y-axis displays information appropriate to the chart, such as the amount of traffic for each application or the rate or size of the packets. To display data in the flow chart format, click the Flow Chart icon.

The following example is a Flow Chart view.

Scaling a Chart

The Scale box in the upper right corner of a chart allows for Auto Y-Scaling or custom scaling of the chart:

Auto (default) – Auto Y-Scaling
<num>[<unit>] – The values for customized scaling must be a numeric integer. Specifying a unit is optional. If a unit is desired, four options are available:
K for Kilo.
M for Mega.
G for Giga.
% for percentage.

For example, if a custom scale of 100Kbps is desired, then 100K should be entered: The numeric integer 100 followed by the unit K.

NOTE: An invalid entry results in the default, Auto Y-Scaling, being used.
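The following is an added example, not code from the guide or from SonicOS, that parses a Scale box entry in the <num>[<unit>] form described above and applies the fallback to Auto Y-Scaling for anything invalid. It assumes K, M and G are decimal multipliers and models Auto scaling as the largest sample in the view range; both are assumptions, not statements from the guide.

```python
import re
from typing import List, Optional, Tuple

# Accepts the <num>[<unit>] form: an integer, optionally followed by one of
# K, M, G or %. Anything else (decimals, "Kbps", negatives, blanks) is invalid.
_SCALE_RE = re.compile(r"^\s*(\d+)\s*([KMG%])?\s*$", re.IGNORECASE)

# Assumption (not stated in the guide): K/M/G are decimal (SI) multipliers,
# as is usual for bit-rate units such as Kbps.
_MULTIPLIERS = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_scale(entry: str) -> Optional[Tuple[int, str]]:
    """Parse a Scale box entry.

    Returns None for "Auto" and for any invalid entry, mirroring the chart's
    behaviour: an invalid entry falls back to Auto Y-Scaling. Otherwise
    returns (y_max, kind), where kind is "percent" for a trailing '%' and
    "absolute" for a unitless or K/M/G value.
    """
    if entry.strip().lower() == "auto":
        return None
    match = _SCALE_RE.match(entry)
    if match is None:
        return None  # e.g. "1.5K", "100 Kbps", "-5", "" -> Auto
    number = int(match.group(1))
    unit = (match.group(2) or "").upper()
    if unit == "%":
        return number, "percent"
    return number * _MULTIPLIERS[unit], "absolute"


def y_axis_max(entry: str, samples: List[float]) -> float:
    """Return the y-axis maximum the chart would use for the given entry.

    Auto Y-Scaling (the default, and the fallback for invalid input) is
    modelled here as the largest sample in the current view range; a custom
    scale is used as entered. For a '%' scale the samples are assumed to
    already be percentages, so the number is used directly.
    """
    parsed = parse_scale(entry)
    if parsed is None:
        return max(samples) if samples else 0.0
    return float(parsed[0])


if __name__ == "__main__":
    # Constructed sample: ingress bit rates (bps) over a two-minute view range.
    rates_bps = [42_000.0, 87_500.0, 61_250.0]
    for entry in ("Auto", "100K", "2M", "50%", "1.5K", "100 Kbps"):
        print(f"{entry!r:>10} -> {parse_scale(entry)} y_max={y_axis_max(entry, rates_bps)}")
```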

Selecting IPv6/IPv4

For complete information on the SonicOS implementation of IPv6, see IPv6.

NOTE: This option applies only to the Applications and Ingress/Egress Bandwidth charts.

Real-Time Monitor Visualization is configured the same in IPv6 and IPv4; select a radio button in the drop-down menu to change the view/configuration:

IPv4 Only
IPv6 Only
IPv4 and IPv6

Current Average, Minimum, Maximum Display

All charts, except Applications, Connection Count, and Multi-Core Monitor, display the current average, minimum, and maximum values for the chart. The values vary by chart and can be in Kbps, Pps (packets per second), Bytes, or Cps (connections per second).

For the Ingress/Egress charts, the information is displayed for both halves, the Ingress on the top and the Egress on the bottom. For the other charts, the information is displayed on the top.

Applications Monitor

The Applications data flow provides a visual representation of the current applications accessing the network.

Data Flow

Bar Chart

Options

The following options are specific to the Applications chart. For other options and display features, see Common Features.


Applications chart options

Option

Widget

Description

Lock

Locks the Display for the Applications chart. The lock/unlock option is available when you select Most Frequent Apps. Most Frequent Apps displays the top-25 apps; you can use the lock or unlock option to keep the report from altering the top-25 apps.

Unlock

Unlocks the Display for the Applications chart.

Application Display

Specifies the applications displayed in the Application Flow Chart.

A drop-down menu allows you to specify Most Frequent Apps, All Apps, or individual applications. If desired, multiple applications can be selected by clicking more than one check box.

Bandwidth Monitor

The Ingress and Egress Bandwidth data flow chart provides a visual representation of incoming (Ingress) and outgoing (Egress) bandwidth traffic. The current percentage of total bandwidth used, average flow of bandwidth traffic, and the minimum and maximum amount of traffic that has gone through each interface is available in the display.

NOTE: The Bandwidth charts have no direct correlation to the Application charts.

Flow Chart

The flow chart format overlaps the Bandwidth Interfaces; allowing you to view all of the Ingress and Egress Bandwidth traffic as it occurs. The x-axis displays the current time, and the y-axis displays the Ingress and Egress Bandwidth traffic.

Bar Chart

The bar chart format displays data pertaining to individual interfaces in a bar chart; allowing comparisons of individual Bandwidth Interfaces. In this chart, the x-axis denotes the Interfaces whereas the y-axis denotes the Ingress and Egress Bandwidth traffic.

Options

Options are available to customize the Display, Scale, and View of the Ingress and Egress Bandwidth charts. The following option is specific to the Bandwidth chart. For other options and display features, see Common Features.


Ingress and Egress Bandwidth chart options

Option

Widget

Description

Interface Rate Display

Specifies which Interfaces are displayed in the Bandwidth Flow Chart.

A drop-down menu provides options to specify All Interfaces Rate, All Interfaces (%), or rate or percentage (%) for individual interfaces.

The individual interfaces vary depending on the number of interfaces on the network. Multiple interfaces can be selected if desired.

Packet Rate Monitor

The Packet Rate Monitor provides information on the ingress and egress packet rate as packets per second (pps). This can be configured to show packet rate by network interface. The chart shows the packet rate current average, minimum packet rate, and maximum packet rate for both ingress and egress network traffic.

Flow Chart

Bar Chart

Options

Options are available to customize the Display, Scale, and View of the Ingress and Egress Packet Rate charts. For the options and display features, see Common Features.

Packet Size Monitor

The Packet Size Monitor provides information on the ingress and egress packet size in bytes (B). This can be configured to show packet size by network interface. The chart shows the packet size current average, minimum packet size, and maximum packet size for both ingress and egress network traffic.

Flow Chart

Bar Chart

Options

Options are available to customize the Display, Scale, and View of the Ingress and Egress Packet Size charts. For the options and display features, see Common Features.

Connection Rate Monitor

The Connection Rate Monitor is plotted by collecting the outgoing and incoming connection rates for each interface every refresh period. When you view the combined connection rate of more than one interface at the same time, it may appear to be double the actual connection rate, because a single connection between a pair of interfaces is counted for both interfaces.
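The following is an added example, not code from the guide or from SonicOS, that works through the double-counting caveat above on a constructed set of flows: each connection is counted for both interfaces it touches, so summing the per-interface figures for several interfaces overstates the number of distinct connections. The Flow type, the interface names and the treatment of a flow whose two ends sit on the same interface are assumptions of the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Flow:
    """One connection seen during a refresh period (constructed for this example)."""
    init_iface: str  # interface the initiator's packets arrive on
    resp_iface: str  # interface the responder is reached through


def per_interface_counts(flows: Iterable[Flow]) -> Dict[str, int]:
    """Count connections per interface the way the monitor does.

    A connection between a pair of interfaces is counted once for each
    interface it touches. Assumption: a flow whose initiator and responder
    sit on the same interface is counted once for that interface.
    """
    counts: Counter = Counter()
    for flow in flows:
        for iface in {flow.init_iface, flow.resp_iface}:
            counts[iface] += 1
    return dict(counts)


def combined_count(flows: Iterable[Flow], selected: Optional[List[str]] = None) -> int:
    """What the chart shows when several interfaces are viewed together: the
    per-interface counts summed, so a flow between two selected interfaces
    contributes twice."""
    counts = per_interface_counts(flows)
    names = list(counts.keys()) if selected is None else selected
    return sum(counts.get(name, 0) for name in names)


def distinct_count(flows: Iterable[Flow], selected: Optional[List[str]] = None) -> int:
    """The actual number of connections touching any selected interface, each
    counted once (the figure the combined view overstates)."""
    chosen = None if selected is None else set(selected)
    return sum(
        1 for flow in flows
        if chosen is None or flow.init_iface in chosen or flow.resp_iface in chosen
    )


def rates(flows: Iterable[Flow], refresh_seconds: float) -> Dict[str, float]:
    """Per-interface connections per second (cps) for one refresh period."""
    return {iface: n / refresh_seconds
            for iface, n in per_interface_counts(flows).items()}


# Constructed sample: six new connections seen during one 3-second refresh period.
SAMPLE_FLOWS = [
    Flow("X0", "X1"), Flow("X0", "X1"), Flow("X0", "X1"),
    Flow("X0", "X2"), Flow("X0", "X2"),
    Flow("X1", "X2"),
]

if __name__ == "__main__":
    print("per interface:", per_interface_counts(SAMPLE_FLOWS))
    print("combined (all):", combined_count(SAMPLE_FLOWS),
          "distinct:", distinct_count(SAMPLE_FLOWS))
    print("combined X0+X1:", combined_count(SAMPLE_FLOWS, ["X0", "X1"]),
          "distinct X0+X1:", distinct_count(SAMPLE_FLOWS, ["X0", "X1"]))
    print("rates (cps):", rates(SAMPLE_FLOWS, 3.0))
```

Viewing a single interface gives the true figure for that interface; only the combined view of several interfaces inflates the count, by up to a factor of two.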

Flow Chart

Bar Chart

Options

Options are available to customize the Display, Scale, and View of the Connection Rate charts. For the options and display features, see Common Features.

Connection Count Monitor

The Connection Count Monitor provides a visual representation of the current total number of connections, peak number of connections, and maximum number of connections. The y-axis displays the total number of connections from 0C (zero connections) to 1KC (one kilo connections). The default auto scaling is 100K.

Flow Chart


Bar Chart

Options

Options are available to customize the Display, Scale, and View of the Connection Count charts. For the options and display features, see Common Features.

NOTE: The Connection Count Monitor does not have legends.

Multi-Core Monitor

NOTE: For increased convenience and accessibility, the Multi-Core Monitor also can be accessed from the Dashboard > Multi-Core Monitor, Dashboard > Real-Time Monitor, or System > Diagnostics page. The Multi-Core Monitor display on the System > Diagnostics page is identical to that of the Dashboard > Multi-Core Monitor. Both monitors display information about single cores. The Dashboard > Real-Time Monitor shows the information either for combined data in flow chart format or for individual cores in bar chart format.

The Multi-Core Monitor displays dynamically updated statistics on utilization of the individual cores of the firewall. Core 1 through core 8 handle the control plane. Core 1 through core 8 usage is displayed in green on the Multi-Core Monitor. The remaining cores handle the data plane. To maximize processor flexibility, functions are not dedicated to specific cores; instead all cores can process all data plane tasks. Memory is shared across all cores. Each core can process a separate flow simultaneously, allowing for up to 88 flows to be processed in parallel.

Flow Chart

The flow chart format overlaps the Multi-Core Monitor data. The x-axis displays the current time, and the y‑axis displays the percentage of CPU used.

Bar Chart

The bar chart format displays data pertaining to individual cores. The x-axis displays the cores while the y-axis displays the percentage of CPU used.

Options

Scale and View are options available to customize the Multi-Core Monitor interface. The following option is specific to the Multi-Core chart. For other options and display features, see Common Features.


Multi-Core Monitor options

Option

Widget

Description

Aggregate Display

Specifies which Cores are displayed in the Multi-Core Monitor Flow Chart.

A drop-down menu allows you to specify Current (Aggregate), Average (Aggregate), and individual Cores.

The individual Cores vary, depending on the number of Cores available. Multiple Cores can be selected.


Viewing the Top-10 AppFlow Reports

Dashboard > AppFlow Dash

The Dashboard > AppFlow Dash page provides the same information as Dashboard > AppFlow Reports, but in AppFlow Dash the information is shown in charts of the top one through ten items in each category. AppFlow Dash displays charts for the following items:

Top Applications
Top Users
Top Viruses
Top Intrusions
Top Spyware
Top URL Ratings
Top Locations
Top IP Addresses
NOTE: The Botnets category on the Dashboard > AppFlow Reports page does not have a corresponding chart on the Dashboard > AppFlow Dash page. See Dashboard > AppFlow Reports.

The following graphic shows the first two charts on the AppFlow Dash page. The charts for the other categories are similar.

Configuring the Display

Configuring Length of Data Collection

The toolbar displays the length of time the data have been collected:

You can specify the length of time the data displayed in the charts have been collected by selecting the start time in the View drop-down menu:

Since Restart
Since Last Reset

You can refresh the display of:

The page by clicking the Refresh icon next to the View drop-down menu.
Just one chart by clicking the Refresh icon for that chart.

Configuring Aggregate Reporting

A green Status icon indicates that aggregate AppFlow reporting is enabled. Mousing over the Status icon displays a tooltip with a link to AppFlow > Flow Reporting, where you can enable, disable, and configure aggregate AppFlow reporting.

Specifying the Data Source

You can specify the source of the data in the Data Source drop-down menu:

Local
AppFlow Server
GMSFlow Server

Selecting How to View Individual Charts

You can select the way to view a chart’s data by a drop-down menu in the chart’s title bar:

Top Applications and Top Locations charts:
Sessions—Number of connections/flows
Init Bytes—Number of bytes sent by the initiator
Resp Bytes—Number of bytes sent by the responder
Top Users and Top IP Addresses charts:
Sessions—Number of connections/flows
Bytes Rcvd—Bytes of data received by the user/IP address
Bytes Sent—Bytes of data sent by the user/IP address
Top Viruses, Top Intrusions, Top Spyware and Top URL Ratings charts:
Sessions—Number of connections/flows


Monitoring Real-Time Network Data

Dashboard > AppFlow Monitor

The AppFlow Monitor provides real-time, incoming and outgoing network data. Various views and customizable options in the AppFlow Monitor Interface assist in visualizing the traffic data by applications, users, URLs, initiators, responders, threats, VoIP, VPN, devices, or contents.

AppFlow Monitor Tabs

The AppFlow Monitor Tabs contain details about incoming and outgoing network traffic. Each tab provides a faceted view of the network flow. The data is organized by tabs:


AppFlow Monitor tabs

This tab

Displays

Applications

A list of Applications currently accessing the network.

Users

A list of Users currently connected to the network.

URLs

A list of URLs currently accessed by Users.

To view this report:

1. Navigate to Firewall > Content Filter Objects.
2. Click the Edit icon for CFS Default Action. The Edit CFS Action Object displays.
3. Select the Enable Flow Reporting checkbox.
4. Click OK.
5. Navigate to Network > Zones.
6. Click the Edit icon for the zone to be monitored. The Edit Zone dialog displays.
7. Select the Enable Client CF Service checkbox.
8. Click OK.

Initiators

Details about current connection initiators.

Responders

Details about current connection responders.

Threats

A list of threats encountered by the network.

VoIP

Current VoIP and media traffic.

VPN

A list of VPN sessions connected to the network.

Devices

A list of devices currently connected to the network.

Contents

Information about the type of traffic flowing through the network.

To view this report:

1. Navigate to Security Services > Intrusion Prevention.
2. In the IPS Global Settings section, select the Enable IPS checkbox.
3. Click Accept.
4. Navigate to Firewall > App Control Advanced.
5. In the App Control Global Settings section, select the Enable App Control checkbox.
6. Click Accept.
7. Navigate to Network > Zones.
8. Click the Edit icon for the zone to be monitored. The Edit Zone dialog displays.
9. Select the Enable IPS checkbox.
10. Click OK.

AppFlow Monitor Toolbar

The AppFlow Toolbar allows for customization of the AppFlow Monitor interface. The ability to create rules and add items to filters allows for more application and user control. Different views, pause and play abilities, customizable data intervals and refresh rates are also available to aid in visualizing incoming, real-time data. Selecting data by group and configuring the columns displayed on a tab enable refining of the display.


AppFlow Monitor toolbar options

Option

Widget

Description

Create Rule

Starts the App Control Wizard. For more information on using this wizard, refer to About App Rules and App Control Advanced.

NOTE: General- and service-type applications cannot be included in a rule.

Filter View

Correlates data among the tabs. For more information about creating a filter, see Filter Options.

Interval

Specifies the span of time in which data is collected. The default is Last 60 seconds.

Group

Categorizes selections according to the available grouping options, which vary depending on the tab that is selected. See Group Options.

IP Version

Allows selection of internet protocol: IPv4, IPv6, or both (IPv4 & IPv6) (default).

List View

Provides a detailed list view of the data flow. See List View.

Pie Chart View

Provides a pie chart view of the data flow. See Pie Chart View.

Flow Chart View

Provides a flow chart view of the data flow. See Flow Chart View.

Export

Exports the data flow in comma-separated values (.csv) format.

Print PDF Report

Generates an Application Visualization Report. For more information, refer to Generating Application Visualization Report.

Configuration

Customizes the display by enabling or disabling columns for # (number), Tab subject (such as Applications or VPN), Sessions, Packets, Bytes, Rate, and Threats. Also enables or disables commas in numeric fields.

Refresh Button

Refreshes the real-time data display.

Status Update

Provides status updates about App signatures, GAV Database, Spyware Database, IPS Database, Country Database, Max Flows in Database, CFS Status, and more. For more information, see AppFlow Monitor Status.

A green status icon signifies that all appropriate signatures and databases are active.
A yellow status icon signifies that some or all signature databases are still being downloaded or could not be activated.
A red status icon signifies that the database is not downloaded or active.

Group Options

The Group option sorts data based on the specified group. Each tab contains different grouping options.


Group options by tab

This Tab

Can be Grouped by

Which

Applications

Application (default)

Displays all traffic generated by individual applications.

Category

Groups all traffic generated by an application category.

Signatures

Groups all traffic generated by an application signature.

Users

User Name (default)

Groups all traffic generated by a specific user.

IP Address

Groups all traffic generated by a specific IP address.

Domain Name

Groups all traffic generated by a specific domain name.

Auth Type

Groups all traffic generated by a specific authorizing method.

URLs

URL (default)

Displays all traffic generated by each URL.

Domain Name

Groups all traffic generated by a domain name.

Rating

Groups all traffic generated based on CFS rating.

Initiators

IP Address (default)

Groups all traffic generated by a specific IP address.

Interface

Groups all traffic according to the firewall interface.

Country

Groups all traffic generated by each country, based on country IP database.

Responders

IP Address (default)

Groups all traffic by IP address.

Interface

Groups responders by interface.

Country

Groups responders by each country, based on country IP database.

Threats

Intrusions

Displays flows in which intrusions have been identified.

Viruses

Displays flows in which viruses have been identified.

Spyware

Displays flows in which spyware has been identified.

Spam

Shows all flows that fall under the category of spam.

Botnet

Displays all flows blocked from connecting to or from Botnet servers.

All (default)

Displays all flows in which a threat has been identified or that fall under the category of spam.

VoIP

Media Type (default)

Groups VoIP flows according to media type.

Caller ID

Groups VoIP flows according to caller ID.

VPN

Remote IP Address (default)

Groups VPN flows access according to the remote IP address.

Local IP Address

Groups VPN flows access according to the local IP address.

Name

Groups VPN flows access according to the tunnel name.

Devices

IP Address (default)

Groups flows by IP addresses inside the network.

Interface

Groups flows by interfaces on the firewall.

Name

Groups flows by device name or MAC address.

Contents

Email Address (default)

Groups contents by email address.

File Type

Groups flows by file type detected.

AppFlow Monitor Status

The AppFlow Monitor Status tooltip appears when the cursor rolls over the Status button in the toolbar. The AppFlow Monitor Status provides licensing information, status, and signature updates about App Rules, App Control Advanced, GAV, IPS, Anti-Spyware, CFS, Anti-Spam, BWM, country databases, Geo-IP blocking, and Botnet blocking. The tooltip also displays the maximum flows in the database and how AppFlow is enabled. For easy configuration of the AppFlow Monitor display, the tooltip provides links to the appropriate UI page for each item as well as a link to AppFlow > Flow Reporting for configuring AppFlow.

If the AppFlow Monitor Status tooltip is no longer wanted, click close in the upper-right corner.

AppFlow Monitor Views

Three views are available for the AppFlow Monitor: List View, Pie Chart View, and Flow Chart View. Each view provides a unique display of incoming, real-time data.

List View

In the List View, each AppFlow tab comprises columns displaying real-time data. These columns are organized into sortable categories. Some columns are common to all tabs. The VoIP tab, however, also has columns specific to it. There are tooltips and flow tables associated with some column items.

Common Columns

These columns are common to all tabs.

Check Box: Allows the selection of the line item for creation of filters and rules.
NOTE: General-type applications and unknown users cannot be included in a rule.
Main Column: The title of the Main Column depends on the selected tab. For example, if the Users tab is selected, the Main Column header reads “Users”, and the column lists the names of the Users connected to the network. Clicking an item in this column brings up a tooltip with relevant information on the item; see Detail Tooltips.
Sessions: Displays the number of sessions associated with the item in the Main Column. Clicking on this number will display a Flow Table of all the sessions.
Total Packets: Displays the number of data packets transferred per item.
Total Bytes: Displays the number of bytes transferred per item.
Ave Rate (KBps): Displays the rate at which data is transferred per item.
Threats: Displays the number of threats encountered by the network per item.
Total: Displays, at the bottom of the list, the total Items listed, Sessions, Total Packets, and Total Bytes sent during the duration of the current interval.
VoIP Columns

These columns are unique to the VoIP tab:

Out of Sequence/Lost Pkts: Displays the number of packets either out of sequence or lost per item.
Avg Jitter (msec): Displays the average jitter rate, in milliseconds, per item.
Max Jitter (msec): Displays the maximum jitter rate, in milliseconds, per item.
Detail Tooltips

Each item listed in the Main Column provides a link to a Detail tooltip, which appears when an item link is clicked. The information provided by the tooltip depends on the tab. For example, clicking on an Application column item in the Applications tab displays a Signature Details tooltip, while clicking on a User column item in the Users tab displays a User Details tooltip.

Topics:  
Signature Details

User Details

Initiator Details

Responder Details

Device Details

Flow Tables

Each item in the Sessions column contains a link to a Flow Table containing relevant information on that session/flow: Start Time, Last Update, Init (Initiator) MAC, Resp (Responder) MAC, Init IP, Resp IP, Proto, Init Port, Resp Port, Init Iface, Resp Iface, Init Bytes, Resp Bytes, Rate (Kbps), Status, and Details.

The Flow Table appears when a link is clicked. Further information can be obtained by hovering the cursor over the Statistics icon in the Details column. Doing so displays a tooltip containing Flow ID, Init Gateway, Resp Gateway, VPN Traffic, App Name, and, if relevant, Intrusion Name, Virus Name, and/or Spyware Name.

Pie Chart View

The Pie Chart View displays the number of top items and the percentage of bandwidth used by each. The percentage of bandwidth used is determined by taking the total amount of bandwidth used by the top items and then dividing that total by the number of items.

Flow Chart View

The Flow Chart View displays the network usage according to the Kbps used over the specified period. For each AppFlow Monitor tab, you can select:

In the drop-down menu below the chart, what the chart displays:
Most Frequent—The top entries in the AppFlow Monitor tab.
* 
NOTE: The most frequent entries may change over time. If you select Most Frequent, you can restrict the most frequent entries to those displayed at a particular time by clicking the lock icon next to the drop-down menu.
One or more of the individual entries in the AppFlow Monitor tab.
In the Scaling field:
Auto Y-Scaling (default).
A specific number and optional unit for scaling.

Filter Options

* 
NOTE: Filter options are available only in List view although they affect the other views.

The AppFlow Monitor Filter options allow you to filter incoming, real-time data. You can apply, create, and delete custom filters to customize the information displayed. The filter options apply across all the AppFlow Monitor tabs.

 

AppFlow Monitor filter options

Option               Description
Add to Filter        Adds the current selection to the filter. At least one item must be selected before the filter options can be used. After items are added, all other tabs update to show only information pertaining to the items in the filter.
Remove from Filter   Removes all the current selections from the filter view. Click the X on the button.
Filter Element       Indicates a filter element.
Load Filter          Loads existing filter settings or creates a new filter.
Save                 Saves the current filter settings.
Delete               Deletes the current filter settings.
Filter View Button   Correlates data among the tabs.

Creating Filters

Creating filters reduces the amount of data seen in the AppFlow Monitor. You can create simple or complex filters, depending on the criteria you specify. By doing so, you can focus on points of interest without distraction from other applications.

Topics:  

Creating a Filter with Filter View

Creating a filter with Filter View correlates data among selected tabs.

To create a filter using Filter View:
1
Navigate to Dashboard > AppFlow Monitor.
2
Select a tab; for example, Applications or Users.
3
Select the checkbox(es) of the item(s) on the tab you wish to add to the filter.
4
Click either the Filter View button or the Add to Filter button.

After entries have been added to the filter, only those entries are visible in the tab. In the other AppFlow Monitor tabs, only the items associated with the filtered entries are visible.

Tabs with a filter are indicated by a button in the Filter View.

5
To further refine the filter, select another tab and repeat Step 3 and Step 4. Each tab is added to the Filter View.

Viewing Entries in Filter View

For a quick look at the items in a filter view, click on the name of the tab in the filter view. A drop-down menu appears listing all items selected in that tab.

To close the drop-down menu, click the name of the tab in the Filter View.

Saving Filter Views

You can save a filter view for future use.

To save a filter view:
1
Click the Load Filter drop-down menu.

2
Select the blank line at the top of the list.
3
Enter a friendly, easy-to-remember name for the filter.
4
Click the Save Filter button next to the Load Filter drop-down menu.

Deleting Filter Views

You can delete all the filter views, the filter view of a tab, or just a few of the items in a particular filter view.

 

How to delete filter views

To Delete                            Do This
All the filter views                 Click the X in the Remove from Filter button.
A particular filter view             Click the X in the Filter View button for that tab.
One or more items in a filter view   Click the name of the tab to display the drop-down menu, and then click the X next to the item(s) to delete.
A saved filter                       Select the filter in the Load Filter drop-down menu and then click the Delete button to the right of the Load Filter drop-down menu.

Creating a Filter with the Filter Text Field

The Dashboard > AppFlow Monitor page has a Filter text field in which you can enter a text string to use for filtering the displayed information. Valid text strings are names such as Google, Firefox, or IP addresses.

Generating Application Visualization Report

The Application Intelligence and Control feature allows you to maintain granular control of applications and users by creating bandwidth management policies based on local pre-defined categories, individual applications, or even users and groups. With the Application Visualization feature, you are able to view real-time charts of applications, ingress and egress bandwidth, Websites visited, and all user activity. You are able to adjust network policies based on these critical observations. The Application Usage and Risk Report combines the results of these two features in a downloadable report listing the following categories:

High Risk Applications in Use
Top URL Categories in Use
Applications with the Highest Bandwidth Usage
Application Usage by Category and Technology
Top Findings of Network Characteristics
Recommendations based on the Top Findings
To generate an Application Usage and Risk Report:
1
Navigate to the Dashboard > AppFlow Monitor page.
2
Click the Print PDF Report icon from the AppFlow toolbar. The Reports pop-up menu displays.
3
Click the Generate Report button to get a dynamically generated report specific to your firewall.
* 
NOTE: The report may take a few minutes to generate and download.

After the report is generated, an executive summary is provided at the top of the report for a holistic overview of your network. The report contains a real-time snapshot of network traffic to guide you in implementing new bandwidth management policies. An example Application Usage and Risk Analysis report is provided below listing applications with the highest bandwidth usage, their application category, number of sessions, application risk level, and a detailed description of the application.

Application Usage and Risk Analysis Report example

IPv6 App Flow Monitor

For complete information on the SonicOS implementation of IPv6, see IPv6.

App Flow Monitor Visualization is configured the same in IPv6 and IPv4. Select the View IP Version from the drop-down menu to change the view/configuration.

 

Configuring AppFlow Statistics and Viewing Reports

Dashboard > AppFlow Reports

The AppFlow Reports page provides configurable scheduled reports by applications, users, IP addresses, viruses, intrusions, spyware, locations, botnets, and URL rating. AppFlow Reports statistics enable you to view a top-level aggregate report of what is going on in your network and, at a quick glance, answer such questions as the following:

What are the top-most used applications running in my network?
Which applications consume my network bandwidth, in terms of total number of sessions and bytes?
Which applications have viruses, intrusions, and spyware?
What website categories are my users visiting?

The report data can be viewed from the point of the last system restart, since the system reset, or by defining a schedule range. Reports also can be sent by FTP or by email.

* 
TIP: The Dashboard > AppFlow Dash page displays the top ten items in each category (except IP addresses) in graph format. See Dashboard > AppFlow Dash.

To configure your AppFlow Reports, follow the procedures described in AppFlow > Flow Reporting. The bottom of the Dashboard > AppFlow Reports page has a link to the AppFlow > Flow Reporting page.

The bottom of the page displays the:

Totals for each column, such as number of entries, number of bytes sent by the initiator and responder, locations blocked
Total up time of the appliance in days, hours, minutes, and seconds
Time of the last update/reset: hour, minute, second, month, day
Topics:  

AppFlow Reports

The Dashboard > AppFlow Reports page displays these reports on separate tabs:

Applications

Name—Name of the application, with its signature ID
Sessions—Number of connections/flows both as a number and as a percentage
Init Bytes—Number of bytes sent by the initiator both as a number and as a percentage
Resp Bytes—Number of bytes sent by the responder both as a number and as a percentage
Access Rules Block—Number of connections/flows blocked by firewall rules
App Rules Block—Number of connections/flows blocked by the DPI engine
Location Block—Number of connections/flows blocked by GEO enforcement
Botnet Block—Number of connections/flows blocked by Botnet enforcement
Viruses—Number of connections/flows with viruses
Intrusions—Number of connections/flows identified as intrusions
Spyware—Number of connections/flows with spyware

Users

User Name
Sessions—Number of sessions/connections initiated/responded both as a number and as a percentage
Bytes Rcvd—Number of bytes received by the user both as a number and as a percentage
Bytes Sent—Number of bytes sent by the user both as a number and as a percentage
Blocked—Number of sessions/connections blocked
Virus—Number of sessions/connections detected with a virus
Spyware—Number of sessions/connections detected with spyware
Intrusion—Number of sessions/connections detected as intrusions

IP

IP Address
Sessions—Number of sessions/connections initiated/responded both as a number and as a percentage
Bytes Rcvd—Number of bytes received by this IP address both as a number and as a percentage
Bytes Sent—Number of bytes sent by this IP address both as a number and as a percentage
Blocked—Number of sessions/connections blocked
Virus—Number of sessions/connections detected with a virus
Spyware—Number of sessions/connections detected with spyware
Intrusion—Number of sessions/connections detected as intrusion

Viruses

Virus Name
Sessions—Number of sessions/connections with this virus

Intrusions

Intrusion Name
Sessions—Number of sessions/connections detected as an intrusion

Spyware

Spyware Name—Name of the spyware signature
Sessions—Number of sessions/connections with this spyware

Location

Country Name—Name and flag of the country initiating/responding to a session/connection
Sessions—Number of sessions/connections initiated/responded by this country both as a number and as a percentage
Bytes Rcvd—Number of data bytes received by this country both as a number and as a percentage
Bytes Sent—Number of data bytes sent by this country both as a number and as a percentage
Dropped—Number of sessions/connections dropped

Botnets

Botnet Name—Botnet Detected or Botnet Blocked
Sessions—Number of sessions/connections where a botnet was detected/blocked

URL Rating

Rating Name—Name of the URL category
Sessions—Number of sessions/connections both as a number and as a percentage

Common Functions

The following functions are common to all the tabs:

Specifying the Data Source

You can select the source of the report data in the Data Source drop-down menu:

Local (default)
AppFlow Server, if available
GMSFlow Server, if available

Downloading SonicWall Security Services Signatures

The AppFlow Reports feature requires that you have the latest SonicWall Security Services signature downloads enabled for the latest dynamic protection updates.

Click on the Status button on any tab to view the list of enabled SonicWall Security Services as illustrated below.

The pop-up displays the following for each service generating an AppFlow Report:

Whether the service is licensed, not licensed, or a license is N/A (not applicable)
Whether the service is enabled, disabled, or N/A
Whether the relevant database has been downloaded for the service or NA
A link to the relevant SonicWall page for configuring the service

Limiting the Display

You can limit the amount of data displayed in these ways:

Limiting the Number of Entries Displayed

You can limit the number of entries displayed in a report by selecting one of these numbers from the Limit drop-down menu:

10
25
50 (default)
100
150
Unlimited
* 
NOTE: The number of entries for the Location, Botnets, and URL Rating reports cannot be limited.
Filtering the Data

You can limit the display to only certain entries in a tab by specifying a string in the Filter String field. The string is not case sensitive.

The filter applies only to the active tab and does not affect the display of the other tabs. Displaying another tab erases the filter for all tabs.

The filter matches any entry whose name contains the string, so it can be as general or specific as necessary. For example, entering 10.2 in the IP tab returns 4 entries, while entering 10.203 returns only 2:

 

Filtering by tab

For This Tab   Filter by
Applications   Name
Users          User Name
IP             IP Address
Viruses        Virus Name
Intrusions     Intrusion Name
Spyware        Spyware Name
Location       Country Name
Botnets        N/A
URL Rating     Rating Name
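To make the matching behaviour concrete, the following Python is an added example (not SonicOS code) that applies a case-insensitive substring filter like the Filter String field to a constructed list of IP-tab entries, beside a CIDR match for comparison. The entry values are made up for the example, so the counts differ from the page's own screenshot.

```python
import ipaddress

# Constructed sample of IP-tab entries (not data from a real report)
SAMPLE_ENTRIES = [
    "10.2.1.15",
    "10.2.200.7",
    "10.20.3.4",
    "10.203.0.9",
    "10.203.1.22",
    "192.168.10.2",
    "172.16.5.8",
]


def filter_string(entries, needle):
    """Behave like the Filter String field: a case-insensitive substring
    test against the tab's name column (here the IP Address column)."""
    needle = needle.lower()
    return [e for e in entries if needle in e.lower()]


def filter_cidr(entries, cidr):
    """Prefix-aware alternative for post-processing an exported CSV: keep only
    the addresses that actually fall inside the given network."""
    net = ipaddress.ip_network(cidr, strict=False)
    kept = []
    for e in entries:
        try:
            if ipaddress.ip_address(e) in net:
                kept.append(e)
        except ValueError:
            continue  # entry is not an IP literal, so it cannot be in the range
    return kept


if __name__ == "__main__":
    print("10.2    ->", filter_string(SAMPLE_ENTRIES, "10.2"))
    print("10.203  ->", filter_string(SAMPLE_ENTRIES, "10.203"))
    print("10.2/16 ->", filter_cidr(SAMPLE_ENTRIES, "10.2.0.0/16"))
```

Because the field is a plain substring test, 10.2 also matches 10.20.3.4, 10.203.x and even 192.168.10.2. When you need a true prefix match, for instance to isolate one subnet while investigating an incident, export the tab to CSV and apply a CIDR check such as filter_cidr instead of trusting the on-screen filter.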

Creating a CSV File

You can create a CSV file of a tab's data by clicking the Export icon. For example, clicking the Export icon on the Applications tab creates a file containing the columns of the Applications tab.

* 
NOTE: This is not the same CSV file as that created by downloading an AppFlow Report (see Downloading AppFlow Reports).

Printing the Display

You can print the data on a tab by clicking the Print icon; the output goes to a printer available from the browser on your management computer.

Refreshing the Display

You can refresh the display by clicking the Refresh icon.

Viewing AppFlow Data

You can view the AppFlow data in these ways:

Since Restart

To view AppFlow data since the last reboot or restart of the firewall, select Since Restart from the View drop-down menu. This report shows the aggregate statistics since the last reboot of the device. The date and time of the reboot are given in green as well as the total up time, in days, hours, minutes, and seconds, since the reboot. For example, SINCE: 08/14/2014 15:40:06.000 UPTIME: 32 Days 01:25:10.

* 
TIP: The up time is also displayed at the bottom of the page along with the date and time of the last update.

Since Last Reset

To view AppFlow data since the last reset of the firewall, select Since Last Reset from the View drop-down menu. This report shows the aggregate statistics since the last time you cleared the statistics by pressing the Reset button. The date and time of the reset are given in green as well as the total up time, in days, hours, minutes, and seconds, since the reset. For example, SINCE: 08/14/2014 15:40:06.000 UPTIME: 32 Days 01:25:10.

The reset option lets you view AppFlow Report statistics from a fresh start of flow counting. The reset clears the counters at the bottom of the page, which show totals for the number of sessions, the initiator and responder bytes, and the number of intrusions and other threats.

On Schedule

To view AppFlow data by a defined schedule start and end time, select On Schedule from the View drop-down menu and click the Configure button. This report shows AppFlow statistics collected during the time range specified in the configure settings options. Once the end time of the schedule is reached, scheduled AppFlow statistics are exported automatically to an FTP server or an email server. AppFlow statistical data is exported in CSV file format. Once the AppFlow statistics are exported, the data is refreshed and cleared.

To configure an On Schedule AppFlow report, select an FTP server, an email server, or both as the destination for the CSV file export:

1
Navigate to the Dashboard > AppFlow Reports page.
2
Select On Schedule from the View drop-down menu.

3
Click the Configure button. The Schedule Report pop-up dialog displays.

4
Select where the AppFlow Reports data is sent automatically (either or both):
An FTP server, by selecting the Send Report by FTP checkbox.
An email server, by selecting the Send Report by E-mail checkbox.
5
For reports sent by FTP, enter these options:
The FTP server address in the FTP Server field.
A user name in the User name field; the default is admin.
The password in the Password field.
The directory in which to place the reports in the Directory field; the default is reports.
* 
NOTE: FTP sends the user name, the password, and the exported report in cleartext. Use a dedicated account that can only write to the report directory, and keep this traffic on a trusted management network rather than routing it across the Internet.
6
For reports sent by email, enter these options:
The address of the email server in the E-Mail Server field.
The recipient’s email address in the E-mail To field.
The email address used for the sender in the From E-mail field.
The SMTP port number in the SMTP Port field.
7
If your email server requires SMTP authentication, select the POP Before SMTP checkbox and enter these options:
Address of the POP server in the POP Server field.
User name in the User name field.
Password in the Password field.
* 
NOTE: POP before SMTP logs in to the POP server with this user name and password before each send, and that POP login is sent in cleartext. Use a mailbox account that has no other privileges.
8
Enter the maximum number of user entries in the Max User Entries field; the default is 200.
9
Enter the maximum number of IP entries in the Max IP Entries field; the default is 200.
10
Click the Set Schedule button to define a start and end schedule. The Edit Schedule dialog displays.

11
In Schedule type, select:
Once to create a one-time schedule. The Once schedule options let you set a reporting schedule based on a calendar start and end date, with the time in hours and minutes.
Recurring to create an ongoing schedule. The Recurring schedule options let you select ongoing schedules based on days of the week and start and end times in hours and minutes.
Mixed to create both a one-time schedule and an ongoing schedule.

The Recurring and Mixed schedules display your selections in the Schedule List.

12
If you selected Recurring or Mixed for the schedule type, complete the schedule times:
For both Recurring and Mixed, in the Recurring section, specify the day(s), Start Time and Stop Time of the schedule.
For Mixed, in the Once section, specify the Year, Month, Day, Hour, and Minute for the Start and End of the report.
13
Click OK to save your AppFlow Reports schedule.
14
On the Schedule Reports options page, click the Apply button to start using your AppFlow Reports schedule object settings.

Downloading AppFlow Reports

You can download the AppFlow Reports to one of these formats:

CSV (Microsoft Excel Comma Separated Values File)—opens in Excel as a swarm.csv file
* 
NOTE: This is not the same csv file that is generated by clicking the Create CSV File icon (see Creating a CSV File).
DOC (Microsoft Word Document)—opens in Word as a swarm.docx file
PDF—opens as an html file in the browser window
To download a report:
1
Navigate to the Dashboard > AppFlow Reports page.

2
Click on the Send Report icon. The Download Application Visualization Report pop-up window displays.

3
Click the Download Report button. An Opening file.wri.sfr window displays.

4
Click OK to save the file. The file is downloaded to your Downloads folder.
5
Open a browser window.
6
Log on to mysonicwall.com.
7
Navigate to SW Tools > App Reports. The Upload Report page displays.

8
Click the Browse button. A File Upload window displays.
9
Locate the file and click Open. The file name appears on the Upload Report page.

10
Click the Upload button. It may take several minutes to upload the report.
11
When the upload is complete, you can select any or all of these forms (the file has the name swarm):

CSV
DOC
PDF

 

Viewing Threat Reports

Dashboard > Threat Reports

This section describes how to use the SonicWall Threat Reports feature on a SonicWall appliance.

Topics:  

SonicWall Threat Reports Overview

Topics:  

What Are Threat Reports?

The SonicWall Threat Reports provides reports of the latest threat protection data from a single SonicWall appliance and aggregated threat protection data from SonicWall appliances deployed globally. The SonicWall Threat Reports displays automatically upon successful authentication to a SonicWall appliance, and can be viewed at any time by navigating to the Dashboard > Threat Reports page. It contains these reports:

Viruses Blocked
Intrusions Prevented
Spyware Blocked
Multimedia (IM/P2P) Detected/Blocked

Each report includes a graph of threats blocked over time and a table of the top blocked threats. Reports, which are updated hourly, can be customized to display data for the last 12 hours, 14 days, 21 days, or 6 months. For easier viewing, SonicWall Threat Reports reports can be transformed into a PDF file format with the click of a button.

Benefits

The Threat Reports provides the latest threat protection information to keep you informed about potential threats being blocked by SonicWall appliances. If you subscribe to SonicWall’s security services, including Gateway Anti-Virus, Gateway Anti-Spyware, Intrusion Prevention Service (IPS), and Content Filtering Service, you are automatically protected from the threats reported by the SonicWall Threat Reports. SonicWall’s security services include ongoing new signature updates to protect against the latest virus and spyware attacks.

How Does the Threat Reports Work?

The SonicWall Threat Reports provides global and appliance-level threat protection statistics. At the appliance level, threat protection data from your SonicWall appliance is displayed. At the global level, the SonicWall Threat Reports is updated hourly from the SonicWall backend server with aggregated threat protection data from globally-deployed SonicWall appliances. Data provided by the SonicWall backend server is cached locally for reliable delivery.

To be protected from the threats reported in the SonicWall Threat Reports, it is recommended that you purchase SonicWall security services. For more information about SonicWall security services, see SonicWall Security Services.

* 
NOTE: The SonicWall appliance must have Internet connectivity (including connection to a DNS server) to receive the latest threat protection statistics from the SonicWall backend server, which reports aggregated data from globally deployed SonicWall appliances. If you lose connectivity, cached data from the last update will display, and the latest data will not be available until connectivity is restored.

SonicWall Threat Reports Configuration Tasks

The SonicWall Threat Reports can be configured to display global or appliance-level statistics, to display statistics for different time periods, and to generate a custom PDF file.

The SonicWall Threat Reports displays automatically upon successful login to a SonicWall appliance. You can access the SonicWall Threat Reports at any time by navigating to Dashboard > Threat Reports in the left-hand menu. The introductory Dashboard > Threat Reports page, shown below, displays while the latest data is retrieved before the System > Security Dashboard page displays.

* 
NOTE: The System > Security Dashboard page contains the Threat Reports. To display this page, you need to navigate to the Dashboard > Threat Reports page.

Topics:  

Switching to Global or Appliance-Level View

To view SonicWall Threat Reports global reports, select the radio button next to Global in the top of the Dashboard > Threat Reports page. To view appliance-level reports, select the radio button next to the appliance serial number.

Selecting Custom Time Interval

SonicWall Threat Reports provide an aggregate view of threats blocked during a specified time period. You can configure each report to one of four time periods. Each report can be configured to reflect a different time period.

To change a report to reflect a different time period:
1
On the System > Security Dashboard page, select the report you want to change:
Viruses Blocked
Intrusions Prevented
Spyware Blocked
Multimedia (IM/P2P) Detected/Blocked
2
In the right-hand corner of the title bar of the selected report, select one of the following options from the Time Interval drop-down menu:

Last 12 Hours - Displays threat information from the last 12 hours
Last 14 Days (default) - Displays threat information from the last 14 days
Last 21 Days - Displays threat information from the last 21 days
Last 6 Months - Displays threat information from the last 6 months

Generating a Threat Reports PDF

To create a PDF version of the SonicWall Threat Reports, first select the desired view (global or appliance-level) and the desired time period for each report (the last 12 hours, 14 days, 21 days, or 6 months). Then click Download PDF at the top of the page.

Monitoring Active Users

Dashboard > User Monitor

The User Monitor tool provides a quick and easy method to monitor the number of active users on the SonicWall security appliance. To view the User Monitor tool, navigate to the Dashboard > User Monitor page.

The User Monitor tool provides these options to customize the display of recent user activity:

View Style: Sets the scale of the X-axis, which displays the duration of time. The available options are:
Last 30 Minutes
Last 24 Hours
Last 30 Days
Vertical Axis: Sets the scale of the Y-axis, which displays the number of users. The available options reflect the number of users seen on the appliance, so two different systems can offer different options, for example:

Example of options for Y-axis based on number of users

Few Users   Many Users
10          800
100         8000
1000        80000

Configure icon: Displays the Select the user types to display pop-up window, where you can select the types of users to be displayed, indicated by the associated color:

Users Authenticated by Single-Sign-On (blue)
Remote Users via SSL VPN (yellow)
Remote Users with GVC/L2TP Client (green)
Users Authenticated by Web Login (orange)
Inactive Users (grey)

By default, all except Inactive Users are selected.

* 
NOTE: The display can become quite large.
Refresh button: Refreshes the display.

 

Monitoring Interface Bandwidth Traffic

Dashboard > BWM Monitor

The Dashboard > BWM Monitor page displays per-interface bandwidth management for ingress and egress network traffic. The BWM monitor charts are available for real-time, highest, high, medium high, medium, medium low, low and lowest policy settings. The view range is configurable in 60 seconds, 2 minutes, 5 minutes, and 10 minutes (default). The refresh interval rate is configurable from 3 to 30 seconds. The bandwidth management priority is depicted by guaranteed, maximum, and dropped.

Enabling BWM Monitor

BWM Monitor is not enabled by default. To view per-interface bandwidth traffic, you must enable it.

To enable BWM Monitor:
1
On the Dashboard > BWM Monitor page, click the link to the Network > Interfaces page.

2
Follow the procedure described in Enabling BWM.

Monitoring Active Connections

Dashboard > Connections Monitor

The Dashboard > Connections Monitor page displays details on all active connections to the SonicWall Security Appliance.

Topics:  

Filtering Connections Viewed

You can filter the results to display only connections matching certain criteria specified in the Connections Monitor Settings section. You can filter by:

Source Address
Destination Address
Destination Port
Protocol
Flow Type
Src Interface
Dst Interface

Filter Logic displays how the filter is applied.

The fields you enter values into are combined into a search string with a logical AND. For example, if you enter values for Source IP and Destination IP, the search string looks for connections matching:

Source IP AND Destination IP

Check the Group box next to any two or more criteria to combine them with a logical OR. For example, if you enter values for Source IP, Destination IP, and Protocol, and check Group next to Source IP and Destination IP, the search string looks for connections matching:

(Source IP OR Destination IP) AND Protocol

Click Apply Filters to apply the filter immediately to the Active Connections table. Click Reset Filters to clear the filter and display the unfiltered results again.

You can export the list of active connections to a file. Click Export Results, and select whether you want the results exported to a plain text file or to a Comma Separated Value (CSV) file for importing into a spreadsheet, reporting tool, or database. If you are prompted to Open or Save the file, select Save. Then enter a filename and path, and click OK.
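The AND/OR rules of the Filter Logic field and the CSV export, modelled in Python as an added example (not SonicOS code and not the firewall's implementation). The connection records, addresses and interface names are constructed for the example; the criteria names are the ones listed in the Connections Monitor Settings section above.

```python
import csv
import io

# Constructed sample of active connections (not data from a real firewall).
# Keys mirror the Connections Monitor Settings criteria named on the page.
CONNECTIONS = [
    {"Source Address": "10.0.0.5",   "Destination Address": "203.0.113.10", "Destination Port": 443,  "Protocol": "TCP", "Flow Type": "Generic", "Src Interface": "X0", "Dst Interface": "X1"},
    {"Source Address": "10.0.0.5",   "Destination Address": "203.0.113.20", "Destination Port": 53,   "Protocol": "UDP", "Flow Type": "Generic", "Src Interface": "X0", "Dst Interface": "X1"},
    {"Source Address": "10.0.0.9",   "Destination Address": "203.0.113.10", "Destination Port": 80,   "Protocol": "TCP", "Flow Type": "Generic", "Src Interface": "X0", "Dst Interface": "X1"},
    {"Source Address": "10.0.0.9",   "Destination Address": "198.51.100.7", "Destination Port": 22,   "Protocol": "TCP", "Flow Type": "Generic", "Src Interface": "X0", "Dst Interface": "X1"},
    {"Source Address": "192.0.2.33", "Destination Address": "10.0.0.5",     "Destination Port": 3389, "Protocol": "TCP", "Flow Type": "Generic", "Src Interface": "X1", "Dst Interface": "X0"},
]

FIELDS = ["Source Address", "Destination Address", "Destination Port", "Protocol",
          "Flow Type", "Src Interface", "Dst Interface"]


def _split(criteria, group):
    """Fields whose Group box is checked are ORed together; a 'group' of fewer
    than two fields is meaningless, so everything is then ANDed."""
    grouped = [f for f in criteria if f in group]
    if len(grouped) < 2:
        return [], list(criteria)
    single = [f for f in criteria if f not in group]
    return grouped, single


def filter_logic(criteria, group=()):
    """Render the search string the way the page's Filter Logic field shows it."""
    grouped, single = _split(criteria, group)
    parts = ["(" + " OR ".join(grouped) + ")"] if grouped else []
    return " AND ".join(parts + single)


def apply_filters(conns, criteria, group=()):
    """criteria: {field: value} for the fields you entered; group: fields whose
    Group box is checked. Returns the connections matching the combined logic."""
    grouped, single = _split(criteria, group)
    matches = []
    for c in conns:
        if not all(c[f] == criteria[f] for f in single):
            continue
        if grouped and not any(c[f] == criteria[f] for f in grouped):
            continue
        matches.append(c)
    return matches


def export_csv(conns):
    """Export Results equivalent: CSV text ready for a spreadsheet or database."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(conns)
    return buf.getvalue()


if __name__ == "__main__":
    crit = {"Source Address": "10.0.0.5", "Destination Address": "203.0.113.10", "Protocol": "TCP"}
    grp = ("Source Address", "Destination Address")
    print(filter_logic(crit, grp), "->", len(apply_filters(CONNECTIONS, crit, grp)), "connections")
    # A check an incident responder actually runs: anything arriving on the WAN
    # interface for RDP, exported for the ticket.
    print(export_csv(apply_filters(CONNECTIONS, {"Destination Port": 3389, "Src Interface": "X1"})))
```

The Group box matters when you are hunting: with Source Address and Destination Address grouped, the filter returns every TCP connection that either comes from the suspect host or goes to the suspect server, whereas without the group it only returns the one connection that does both.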

Viewing Connections

The connections are listed in the Active Connections Monitor table, which has these columns:

Src MAC: MAC address of the source device.
Src Vendor: Manufacturer of the source device, as identified from its MAC address.
Src IP: IP address of the source device.
Src Port: Port number used by the source device.
Dst MAC: MAC address of the destination device.
Dst Vendor: Manufacturer of the destination device, as identified from its MAC address.
Dst IP: IP address of the destination device.
Dst Port: Port number on the destination device.
Protocol: Protocol used for the connection, such as TCP or ICMPv6.
Src Iface: Firewall interface on which the connection arrived.
Dst Iface: Firewall interface through which the connection leaves.
Flow Type: Flow type of the connection, such as generic or HTTP Management.
IPS Category: Type of Intrusion Prevention System (IPS) category applied; N/A = Not Available.
Expiry (sec): Number of seconds remaining before the connection expires.
Tx Bytes: Number of bytes transmitted.
Rx Bytes: Number of bytes received.
Tx Pkts: Number of packets transmitted.
Rx Pkts: Number of packets received.
Flush: Contains the Flush icon for each entry.

Flushing Connections from the Table

To flush one or more connections from the table:
1
Select the checkbox(es) for the connection(s) to be flushed, then click the Flush icon.
To flush all connections from the table:
1
Click the Flush All button.

Viewing IPv6 Connections

For complete information on the SonicOS implementation of IPv6, see IPv6.

The Connections Monitor is configured the same in IPv6 and IPv4. To change the view/configuration, toggle the View IP Version radio buttons.

 

Monitoring Individual Data Packets

Dashboard > Packet Monitor

* 
NOTE: For increased convenience and accessibility, the Packet Monitor page can be accessed either from Dashboard > Packet Monitor or System > Packet Monitor. The page is identical regardless of which page it is accessed through.
* 
NOTE: The Dashboard > Packet Monitor page for the SuperMassive 9800 is slightly different from that of the other firewalls. Differences are noted.

TZ Series, NSA Series, and SM 9200 - SM 9600 firewalls

SM 9800 firewall

About Packet Monitor

What is Packet Monitor?

Packet monitor is a mechanism that allows you to monitor individual data packets that traverse your SonicWall firewall appliance. Packets can be either monitored or mirrored. The monitored packets contain both data and addressing information. Addressing information from the packet header includes the following:

Interface identification
MAC addresses
Ethernet type
Internet Protocol (IP) type
Source and destination IP addresses
Port numbers
L2TP payload details
PPP negotiations details

You can configure the packet monitor feature in the SonicOS management interface. The management interface provides a way to configure the monitor criteria, display settings, mirror settings, and file export settings, and displays the captured packets.

Benefits of Packet Monitor

The SonicOS packet monitor feature provides the functionality and flexibility that you need to examine network traffic without the use of external utilities, such as Wireshark (formerly known as Ethereal). Packet monitor includes the following features:

Control mechanism with improved granularity for custom filtering (Monitor Filter)
Display filter settings independent from monitor filter settings
Packet status indicates if the packet was dropped, forwarded, generated, or consumed by the firewall
Three output displays in the management interface:
List of packets
Decoded output of selected packet
Hexadecimal dump of selected packet
Export capabilities include text or HTML format with hex dump of packets, plus CAP file formats, pcap and pcapNG
Automatic export to FTP server when the buffer is full
Bidirectional packet monitor based on IP address and port
Configurable wrap-around of packet monitor buffer when full

How Does Packet Monitor Work?

As an administrator, you can configure the general settings, monitor filter, display filter, advanced filter settings, and FTP settings of the packet monitor tool. As network packets enter the packet monitor subsystem, the monitor filter settings are applied and the resulting packets are written to the capture buffer. The display filter settings are applied as you view the buffer contents in the management interface. You can log the capture buffer to view in the management interface, or you can configure automatic transfer to the FTP server when the buffer is full.
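The pipeline described above, monitor filter in front of the capture buffer, display filter applied only when viewing, and wrap-around when the buffer fills, modelled in Python as an added example. This is not SonicOS code and not the firewall's buffer implementation; the packet records, interface names and the filler bytes standing in for real frames are all constructed for the example. The libpcap container it writes (24-byte global header, 16-byte per-record headers, link type 1 for Ethernet) is the standard layout that Wireshark reads, which is what the Libpcap export option produces.

```python
import struct
from collections import deque

# Constructed packet records (not captures from a real firewall). The fields are
# the addressing information the page says the monitor records; "raw" is filler
# standing in for the frame bytes, not a real Ethernet frame.
PACKETS = [
    {"ts_us": 1_000_000_100, "iface": "X0", "proto": "TCP", "src": "10.0.0.5",   "dst": "203.0.113.10", "sport": 51000, "dport": 443,  "status": "forwarded", "raw": b"\xaa" * 64},
    {"ts_us": 1_000_000_200, "iface": "X0", "proto": "UDP", "src": "10.0.0.5",   "dst": "203.0.113.20", "sport": 40000, "dport": 53,   "status": "forwarded", "raw": b"\xbb" * 80},
    {"ts_us": 1_000_000_300, "iface": "X1", "proto": "TCP", "src": "192.0.2.33", "dst": "10.0.0.5",     "sport": 6000,  "dport": 3389, "status": "dropped",   "raw": b"\xcc" * 60},
    {"ts_us": 1_000_000_400, "iface": "X0", "proto": "TCP", "src": "10.0.0.9",   "dst": "198.51.100.7", "sport": 52000, "dport": 22,   "status": "forwarded", "raw": b"\xdd" * 70},
    {"ts_us": 1_000_000_500, "iface": "X1", "proto": "TCP", "src": "192.0.2.33", "dst": "10.0.0.9",     "sport": 6001,  "dport": 3389, "status": "dropped",   "raw": b"\xee" * 60},
]


def match(**criteria):
    """Build a predicate: every given field must equal the given value."""
    return lambda pkt: all(pkt.get(k) == v for k, v in criteria.items())


class PacketMonitor:
    """Monitor filter decides what enters the buffer, display filter decides
    what you see, wrap_around decides what happens when the buffer is full."""

    def __init__(self, buffer_packets, wrap_around=True, monitor_filter=None):
        self.buffer = deque()
        self.max_packets = buffer_packets
        self.wrap_around = wrap_around
        self.monitor_filter = monitor_filter or (lambda pkt: True)
        self.captured = 0
        self.dropped_full = 0  # packets lost because the buffer was full

    def capture(self, pkt):
        """Return True if the packet was written to the capture buffer."""
        if not self.monitor_filter(pkt):
            return False
        if len(self.buffer) >= self.max_packets:
            if not self.wrap_around:
                self.dropped_full += 1
                return False
            self.buffer.popleft()  # overwrite the oldest packet
        self.buffer.append(pkt)
        self.captured += 1
        return True

    def view(self, display_filter=None):
        """Apply the display filter to the buffer without changing its contents."""
        display_filter = display_filter or (lambda pkt: True)
        return [p for p in self.buffer if display_filter(p)]

    def export_libpcap(self, packets=None, snaplen=65535):
        """Serialise packets as a classic little-endian libpcap 2.4 file."""
        packets = self.view() if packets is None else packets
        out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)]
        for p in packets:
            secs, usecs = divmod(p["ts_us"], 1_000_000)
            data = p["raw"][:snaplen]
            out.append(struct.pack("<IIII", secs, usecs, len(data), len(p["raw"])))
            out.append(data)
        return b"".join(out)


def read_libpcap(blob):
    """Parse a libpcap blob into (linktype, [(ts_sec, ts_usec, incl_len, orig_len), ...])."""
    magic, major, minor, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != 0xA1B2C3D4 or (major, minor) != (2, 4):
        raise ValueError("not a little-endian libpcap 2.4 file")
    records, off = [], 24
    while off < len(blob):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", blob, off)
        off += 16
        if off + incl_len > len(blob):
            raise ValueError("truncated packet record")
        records.append((ts_sec, ts_usec, incl_len, orig_len))
        off += incl_len
    return linktype, records


if __name__ == "__main__":
    mon = PacketMonitor(buffer_packets=3, monitor_filter=match(proto="TCP"))
    for p in PACKETS:
        mon.capture(p)
    print("dropped RDP attempts in buffer:", len(mon.view(match(status="dropped", dport=3389))))
    print("libpcap bytes:", len(mon.export_libpcap()))
```

The example makes the operational trade-off visible: a narrow monitor filter keeps the buffer from filling with traffic you do not care about, while a display filter costs nothing because it never touches what was captured. With wrap-around enabled the oldest packets are silently overwritten, so for evidence collection either disable wrap-around or configure the FTP export so the buffer is shipped off before it fills.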

Default settings are provided so that you can start using packet monitor without configuring it first. The basic functionality is listed in Packets: Basic functionality.

 

Packets: Basic functionality

Start

Click Start Capture to begin capturing all packets except those used for communication between the firewall and the management interface on your console system.

Stop

Click Stop Capture to stop the packet capture.

Clear

Click Clear to clear the status counters that are displayed at the top of the Packet Monitor page.

Refresh

Click Refresh to display new buffer data in the Captured Packets window. You can then click any packet in the window to display its header information and data in the Packet Detail and Hex Dump windows.

Export As

Display or save a snapshot of the current buffer in the file format that you select from the drop-down menu. Exported files are placed on your local management system (where the management interface is running).

PcapNG - Select to export a pcapNG (pcap Next Generation) file. A pcapNG file can be opened directly by Wireshark, which displays a Packet comment section containing useful diagnostic information. Selecting PcapNG simplifies generating a capture for diagnostics by eliminating the need to export HTML and text files along with the pcap file to determine the line number, in-interface, out-interface, and function name that acted on the packet.
Libpcap - Select if you want to view the data with the Wireshark (formerly Ethereal) network protocol analyzer. This is also known as libpcap or pcap format. A dialog allows you to open the buffer file with Wireshark or save it to your local hard drive with the extension .pcap.
Html - Select to view the data with a browser. You can use File > Save As to save a copy of the buffer to your hard drive.
Text - Select to view the data in a text editor. A dialog allows you to open the buffer file with the registered text editor, or save it to your local hard drive with the extension .wri.
App Data - Select to view only application data contained in the packet. Packets containing no application data are skipped during the capture. Application data = captured packet minus L2, L3, and L4 headers.

Refer to Packet monitor subsystem showing filters for a high-level view of the packet monitor subsystem that shows the different filters and how they are applied.

Packet monitor subsystem showing filters
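The pcapNG export described above carries a per-packet comment with the diagnostic fields (in-interface, out-interface, function name, line number). The following Python is an added example, not part of this guide or of SonicOS: it builds a minimal pcapng file in memory, so it runs offline, and then pulls the comment out of every Enhanced Packet Block, which is how you would triage a large export in bulk instead of clicking through packets in Wireshark. The block and option layout follow the pcapng specification (SHB type 0x0A0D0D0A, IDB type 1, EPB type 6, opt_comment code 1, byte order taken from the SHB magic). The sample frames and comment strings are constructed; the wording of a real SonicOS comment is whatever the appliance writes, so only the parsing is meant for reuse.

```python
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006   # pcapng block types
OPT_END, OPT_COMMENT = 0, 1                           # option codes
BYTE_ORDER_MAGIC, LINKTYPE_ETHERNET = 0x1A2B3C4D, 1

def _pad4(b):
    return b + b"\x00" * (-len(b) % 4)

def _option(code, value, e="<"):
    return struct.pack(e + "HH", code, len(value)) + _pad4(value)

def _block(btype, body, e="<"):
    total = 12 + len(body)   # type + total length + body + trailing total length
    return struct.pack(e + "II", btype, total) + body + struct.pack(e + "I", total)

def build_pcapng(packets, e="<"):
    """Write a minimal pcapng: one SHB, one Ethernet IDB, one EPB per packet.
    packets: (timestamp, frame_bytes, comment). Constructed file, not a SonicOS export.
    e selects the byte order ('<' little, '>' big) so the reader's detection can be exercised."""
    out = _block(SHB, struct.pack(e + "IHHq", BYTE_ORDER_MAGIC, 1, 0, -1) + _option(OPT_END, b"", e), e)
    out += _block(IDB, struct.pack(e + "HHI", LINKTYPE_ETHERNET, 0, 65535) + _option(OPT_END, b"", e), e)
    for ts, frame, comment in packets:
        body = struct.pack(e + "IIIII", 0, ts >> 32, ts & 0xFFFFFFFF, len(frame), len(frame))
        body += _pad4(frame)
        if comment:
            body += _option(OPT_COMMENT, comment.encode(), e)
        out += _block(EPB, body + _option(OPT_END, b"", e), e)
    return out

def _options(buf, e):
    """Decode an option list up to opt_endofopt; returns [(code, raw_value)]."""
    opts, i = [], 0
    while i + 4 <= len(buf):
        code, length = struct.unpack_from(e + "HH", buf, i)
        if code == OPT_END:
            break
        opts.append((code, buf[i + 4:i + 4 + length]))
        i += 4 + length + (-length % 4)
    return opts

def packet_comments(blob):
    """Return (index, timestamp, frame, comment) for every Enhanced Packet Block.
    Byte order comes from the SHB magic; a block that overruns the file is rejected."""
    rows, i, e = [], 0, "<"
    while i + 12 <= len(blob):
        btype = struct.unpack_from("<I", blob, i)[0]   # the SHB type reads the same in either order
        if btype == SHB:
            e = "<" if struct.unpack_from("<I", blob, i + 8)[0] == BYTE_ORDER_MAGIC else ">"
        btype, total = struct.unpack_from(e + "II", blob, i)
        if total < 12 or total % 4 or i + total > len(blob):
            raise ValueError("corrupt or truncated block at offset %d" % i)
        body = blob[i + 8:i + total - 4]
        if btype == EPB:
            _, hi, lo, caplen, _ = struct.unpack_from(e + "IIIII", body, 0)
            frame = body[20:20 + caplen]
            opts = _options(body[20 + caplen + (-caplen % 4):], e)
            comment = next((v.decode("utf-8", "replace") for c, v in opts if c == OPT_COMMENT), "")
            rows.append((len(rows), (hi << 32) | lo, frame, comment))
        i += total
    return rows

SAMPLE = [   # constructed: dummy Ethernet frames and comments that imitate the export's diagnostics
    (1498750000000000, b"\x00" * 14 + b"\x45\x00", "in:X0 out:X1 status:forwarded fn:IPForward line:210"),
    (1498750000000150, b"\x00" * 14 + b"\x45\x00", "in:X1 out:- status:dropped fn:PolicyDeny line:88"),
    (1498750000000300, b"\x00" * 14 + b"\x45\x00", ""),   # a packet without any comment
]

def demo(e="<"):
    return packet_comments(build_pcapng(SAMPLE, e))
```

Running demo() yields one row per packet with the comment text attached; feeding a real export to packet_comments() lets you grep the comments for the function name or interface you care about before opening the file in Wireshark.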

What is Packet Mirror?

Packet mirroring is the process of sending a copy of packets seen on one interface to another interface or to a remote SonicWall appliance.

There are two aspects of mirroring:

Classification – Refers to identifying a selected set of packets to be mirrored. Incoming and outgoing packets to and from an interface are matched against a filter. If matched, the mirror action is applied.
Action – Refers to sending a copy of the selected packets to a port or a remote destination. Packets matching a classification filter are sent to one of the mirror destinations. A particular mirror destination is part of the action identifier.

How Does Packet Mirror Work?

Every classification filter is associated with an action identifier. Up to two action identifiers can be defined, supporting two mirror destinations (a physical port on the same firewall and/or a remote SonicWall firewall). The action identifiers determine how a packet is mirrored. The following types of action identifiers are supported:

Send a copy to a physical port.
Encapsulate the packet and send it to a remote SonicWall appliance.
Send a copy to a physical port with a VLAN configured.

Classification is performed on the Monitor Filter and Advanced Monitor Filter tab of the Packet Monitor Configuration dialog.

A local SonicWall firewall can be configured to receive remotely mirrored traffic from a remote SonicWall firewall. At the local firewall, received mirrored traffic can either be saved in the capture buffer or sent to another local interface. This is configured in the Remote Mirror Settings (Receiver) section on the Mirror tab of the Packet Monitor Configuration dialog.

SonicOS supports the following packet mirroring options:

Mirror packets to a specified interface (Local Mirroring).
Mirror only selected traffic.
Mirror SSL decrypted traffic.
Mirror complete packets including Layer 2 and Layer 3 headers as well as the payload.
Mirror packets to a remote firewall (Remote Mirroring Tx).
Receive mirrored packets from a remote SonicWall appliance (Remote Mirroring Rx).

Related Information

Topics:  

Supported Packet Types

When specifying the Ethernet or IP packet types that you want to monitor or display, you can use either the standard acronym for the type, if supported, or the corresponding hexadecimal representation. To determine the hex value for a protocol, refer to the IANA EtherType or IP protocol number registry (or the RFC that defines the protocol). The protocol acronyms that SonicOS currently supports are shown in Supported packet types.

 

Supported packet types

Supported types

Protocol acronyms

 

Supported Ethernet types

ARP

 

IP

 

PPPoE-DIS

NOTE: To specify both PPPoE-DIS and PPPoE-SES, you can simply use PPPoE.

PPPoE-SES

Supported IP types

TCP

 

UDP

 

ICMP

 

IGMP

 

GRE

 

AH

 

ESP

 

File Formats for Export As

The Export As option on the Dashboard > Packet Monitor page allows you to display or save a snapshot of the current buffer in the file format that you select from the drop-down menu. Saved files are placed on your local management system (where the management interface is running). For a description of the formats, see Packets: Basic functionality.

Examples of the HTML and Text formats are shown in:

HTML Format

You can view the HTML format in a browser. HTML format example shows the header and part of the data for the first packet in the buffer.

HTML format example

Text File Format

You can view the text format output in a text editor. Text file format example shows the header and part of the data for the first packet in the buffer.

Text file format example

Configuring Packet Monitor

You can access the packet monitor tool on the Dashboard > Packet Monitor page of the SonicOS management interface. There are six main areas of configuration for packet monitor, one of which is specifically for packet mirror. The following sections describe the configuration options, and provide procedures for accessing and configuring the filter settings, log settings, and mirror settings:

Configuring General Settings

This section describes how to configure packet monitor general settings, including the number of bytes to capture per packet and the buffer wrap option. You can specify the number of bytes using either decimal or hexadecimal, with a minimum value of 64. The buffer wrap option enables the packet capture to continue even when the buffer becomes full, by overwriting the buffer from the beginning.

To configure the general settings:
1
Navigate to the Dashboard > Packet Monitor page.

2
Click Configure. The Packet Monitor Configuration dialog displays.

Packet Monitor Configuration dialog

Packet Monitor Configuration dialog – 9800

3
In the General Settings section, in the Number of Bytes To Capture (per packet) field, enter the number of bytes to capture from each packet. The minimum value is 64, the default value is 1520. You can enter this number as a hexadecimal figure.
4
To continue capturing packets after the buffer fills up, select the Wrap Capture Buffer Once Full checkbox. Selecting this option causes packet capture to start writing captured packets at the beginning of the buffer again after the buffer fills. This option has no effect if FTP server logging is enabled on the Logging tab because the buffer is automatically wrapped when FTP is enabled. This option is not selected by default.
5
In the Exclude Filter section, select the Exclude encrypted GMS traffic to prevent capturing or mirroring of encrypted management or syslog traffic to or from SonicWall GMS. This setting only affects encrypted traffic within a configured primary or secondary GMS tunnel. GMS management traffic is not excluded if it is sent via a separate tunnel. This option is not selected by default.
6
Use the Exclude Management Traffic settings to prevent capturing or mirroring of management traffic to the appliance. Select the checkbox for each type of traffic to exclude:
HTTP/HTTPS (selected by default)
SNMP
SSH

If management traffic is sent via a tunnel, the packets are not excluded.

7
Use the Exclude Syslog Traffic To settings to prevent capturing or mirroring of syslog traffic to the logging servers. Select the checkbox for each type of server to exclude (by default, neither is selected):
Syslog Servers
GMS Server

If syslog traffic is sent via a tunnel, the packets are not excluded.

8
Use the Exclude Internal Traffic for settings to prevent capturing or mirroring of internal traffic between the firewall and its High Availability partner or a connected SonicPoint. Select the checkbox for each type of traffic to exclude:
HA (selected by default)
SonicPoint (selected by default; not supported on the SuperMassive 9800)
* 
NOTE: The following options are for the SuperMassive 9800 only. When present, they are selected by default.
BCP
Inter-Blade
Back-Plane
9
To save your settings and exit the Packet Monitor Configuration dialog, click OK.

To restore default settings, click Default.

Configuring Monitoring Based on Firewall Rules

The Packet Monitor and Flow Reporting features allow traffic to be monitored based on firewall rules for specific inbound or outbound traffic flows. This feature set is enabled by choosing to monitor flows in the Firewall > Access Rules area of the SonicOS management interface.

To enable packet monitoring for an access rule:
1
Navigate to the Firewall > Access Rules page.

2
Click the Configure icon for the rule(s) on which to enable packet monitoring or flow reporting. The Edit Rule dialog displays.

3
Select the Enable packet monitor checkbox to send packet monitoring statistics for this rule.
4
Click the OK button to save your changes.
* 
NOTE: Further monitor filter settings are required on the Dashboard > Packet Monitor page to enable monitoring based on firewall rules.

Configuring Monitor Filter Settings

All filters set on this page are applied to both packet capture and packet mirroring.

To configure Monitor Filter settings:
1
Navigate to the Dashboard > Packet Monitor page.

2
Click Configure. The Packet Monitor Configuration dialog displays.

3
Click the Monitor Filter tab.

4
If you are using firewall rules to capture specific traffic, select Enable filter based on the firewall rule.
* 
NOTE: Before selecting this option, be certain you have selected one or more access rules on which to monitor packet traffic. This configuration is done from the Firewall > Access Rules page; for more information about configuring access rules, see Configuring Firewall Access Rules.
5
Specify how Packet Monitor will filter packets using these options:
* 
NOTE: If a field or option is left blank, no filtering is done on that field. Packets are captured or mirrored without regard to the value contained in that field of their headers.
Interface Name(s) - Specify the name(s) of the interface(s) on which to perform packet capture. You can specify up to ten interfaces separated by commas. The specified interface names should be the same as those listed in the Network > Interface page; for example:
NSA series: X0, X1, X2:V100
TZ family: WLAN, WWAN, Modem, OPT, WAN, LAN

To configure all interfaces except the one(s) specified, use a negative value; for example: !X0, or !LAN.

Ether Type(s) - Specify the name of the Ethernet type(s) on which to perform filtering of the captured packets. You can specify up to ten Ethernet types separated by commas. This option is not case-sensitive. Currently, the following Ethernet types are supported: ARP (arp), IP (ip), PPPoE-SES, and PPPoE-DIS. The latter two can be specified by PPPoE alone.

For example, to capture all supported types, you could enter: ARP, ip, PPPOE. You can use one or more negative values to capture all Ethernet types except those specified; for example: !ARP, !PPPoE.

You can also use hexadecimal values to represent the Ethernet types, or mix hex values with the standard representations; for example: ARP, 0x800, ip. Normally you would only use hex values for Ethernet types that are not supported by acronym in SonicOS. See Supported Packet Types.

IP Type(s) - Specify the name(s) of the IP packet type(s) on which to perform packet capture. You can specify up to ten IP types separated by commas. This option is not case-sensitive. The following IP types are supported: TCP, UDP, ICMP, GRE, IGMP, AH, ESP.

You can use one or more negative values to capture all IP types except those specified; for example: !TCP, !UDP.

You can also use hexadecimal values to represent the IP types, or mix hex values with the standard representations; for example: TCP, 0x1, 0x6. See Supported Packet Types.

* 
NOTE: The following option fields require either addresses or ports. You can specify up to 10 addresses or ports separated by commas. Addresses can be single hosts or CIDR blocks. For example:
IP addresses: 10.1.1.1, 192.2.2.2, 1.2.3.4/24, 2.3.4.5/30
TCP or UDP port numbers: 20, 21, 22, 25, 80, 8080

You can use one or more negative values to capture packets from all but the specified addresses or ports; for example:

IP addresses: !10.3.3.3, !10.4.4.4, !1.2.3.4/24
TCP or UDP port numbers: !80, !8080, !20
Source IP Address(es) - Specify the source IP address(es) on which to perform packet capture.
Source Port(s) - Specify the source port(s) on which to perform packet capture.
Destination IP Address(es) - Specify the destination IP address(es) on which to perform packet capture.
Destination Port(s) - Specify the destination port(s) on which to perform packet capture.
Enable Bidirectional Address and Port Matching - Select this option to match IP addresses and/or ports specified in the above source and/or destination fields against both the source and/or destination fields in each packet. This option is selected by default.
* 
NOTE: For normal operation, leave the following options unselected to capture all types of packets. Selecting an option restricts the capture to packets with that status.
Forwarded packets only - Select this option to capture only packets forwarded by the firewall.
Consumed packets only - Select this option to capture only packets consumed by internal sources within the firewall.
Dropped packets only - Select this option to capture only packets dropped by the firewall.
6
To save your settings and exit the configuration window, click OK.

Configuring Display Filter Settings

This section describes how to configure Packet Monitor display filter settings. The values you provide here are compared to corresponding fields in the captured packets, and only those packets that match are displayed. These settings apply only to the display of captured packets on the management interface and do not affect packet mirroring.

* 
NOTE: If a field is left blank, no filtering is done on that field. Packets are displayed without regard to the value contained in that field of their headers.
To configure Packet Monitor display filter settings, complete the following steps:
1
Navigate to the Dashboard > Packet Monitor page.

2
Click Configure. The Packet Monitor Configuration dialog displays.

3
Click the Display Filter tab.

4
Specify how Packet Monitor will filter packets using these options:
* 
NOTE: If a field or option is left blank, no filtering is done on that field. Packets are displayed without regard to the value contained in that field of their headers.
Interface Name(s) - Specify the name(s) of the interface(s) whose captured packets to display. You can specify up to ten interfaces separated by commas. The specified interface names should be the same as those listed in the Network > Interface page; for example:
NSA series: X0, X1, X2:V100
TZ family: WLAN, WWAN, Modem, OPT, WAN, LAN

To display all interfaces except the one(s) specified, use a negative value; for example: !X0, or !LAN.

Ether Type(s) - Specify the name of the Ethernet type(s) on which to filter the displayed packets. You can specify up to ten Ethernet types separated by commas. This option is not case-sensitive. Currently, the following Ethernet types are supported: ARP (arp), IP (ip), PPPoE-SES, and PPPoE-DIS. The latter two can be specified by PPPoE alone.

For example, to display all supported types, you could enter: ARP, ip, PPPOE. You can use one or more negative values to display all Ethernet types except those specified; for example: !ARP, !PPPoE.

You can also use hexadecimal values to represent the Ethernet types, or mix hex values with the standard representations; for example: ARP, 0x800, ip. Normally you would only use hex values for Ethernet types that are not supported by acronym in SonicOS. See Supported Packet Types.

IP Type(s) - Specify the name(s) of the IP packet type(s) to display. You can specify up to ten IP types separated by commas. This option is not case-sensitive. The following IP types are supported: TCP, UDP, ICMP, GRE, IGMP, AH, ESP.

You can use one or more negative values to display all IP types except those specified; for example: !TCP, !UDP.

You can also use hexadecimal values to represent the IP types, or mix hex values with the standard representations; for example: TCP, 0x1, 0x6. See Supported Packet Types.

* 
NOTE: The following option fields require either addresses or ports. You can specify up to 10 addresses or ports separated by commas. Addresses can be single hosts or CIDR blocks. For example:
IP addresses: 10.1.1.1, 192.2.2.2, 1.2.3.4/24, 2.3.4.5/30
TCP or UDP port numbers: 20, 21, 22, 25, 80, 8080

You can use one or more negative values to display packets from all but the specified addresses or ports; for example:

IP addresses: !10.3.3.3, !10.4.4.4, !1.2.3.4/24
TCP or UDP port numbers: !80, !8080, !20
Source IP Address(es) - Specify the source IP address(es) of the packets to display.
Source Port(s) - Specify the source port(s) of the packets to display.
Destination IP Address(es) - Specify the destination IP address(es) of the packets to display.
Destination Port(s) - Specify the destination port(s) of the packets to display.
* 
NOTE: The following options are selected by default.
Enable Bidirectional Address and Port Matching - Select this option to match IP addresses and/or ports specified in the above source and/or destination fields against both the source and/or destination fields in each packet. This option is selected by default.
Forwarded - To display captured packets that the firewall has forwarded, select this checkbox.
Generated - To display captured packets that the firewall has generated, select this checkbox.
Consumed - To display captured packets that the firewall has consumed, select this checkbox.
Dropped - To display captured packets that the firewall has dropped, select this checkbox.
5
To save your settings and exit the dialog, click OK.
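The Monitor Filter and Display Filter tabs share one field syntax (comma-separated entries, a leading ! to negate, acronyms or hex values for types, hosts or CIDR blocks for addresses, bidirectional matching) but act at different points: the monitor filter decides what is written to the capture buffer, the display filter only decides what you see. The following Python is an added example, not SonicOS code, that implements that pipeline so the two stages can be compared on constructed traffic; it serves both the Configuring Monitor Filter Settings and Configuring Display Filter Settings procedures above. The EtherType and IP protocol numbers are the IANA assignments for the acronyms the guide lists. The rule for a field that mixes positive and negated entries (match none of the negated ones and at least one positive one) is an assumption about the appliance's behaviour, as is the treatment of a full buffer without wrap (new matches are simply not stored); the sample packets are constructed.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
# Acronyms the Ether Type(s) / IP Type(s) fields accept, with their IANA numbers; other types are hex.
ETHER_TYPES = {"arp": 0x0806, "ip": 0x0800, "pppoe-dis": 0x8863, "pppoe-ses": 0x8864}
IP_TYPES = {"icmp": 1, "igmp": 2, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}

# Constructed packet record: header fields the filters read, plus the status the firewall gave it.
Packet = namedtuple("Packet", "iface ether_type ip_proto src sport dst dport status",
                    defaults=(None, None, None, None, None, "forwarded"))

def parse_terms(text, resolve):
    """Split one comma-separated field into (negated, value) pairs; a leading '!' negates."""
    terms = [t.strip() for t in text.split(",") if t.strip()]
    assert len(terms) <= 10, "at most ten entries per field"
    return [(t.startswith("!"), v) for t in terms for v in resolve(t.lstrip("!").lower())]

def ether_value(t):
    if t == "pppoe":   # PPPoE alone stands for both PPPoE-DIS and PPPoE-SES
        return [ETHER_TYPES["pppoe-dis"], ETHER_TYPES["pppoe-ses"]]
    return [ETHER_TYPES[t] if t in ETHER_TYPES else int(t, 16)]

ip_value = lambda t: [IP_TYPES[t] if t in IP_TYPES else int(t, 16)]
addr_value = lambda t: [ipaddress.ip_network(t, strict=False)]   # single host or CIDR block
in_net = lambda net, addr: ipaddress.ip_address(addr) in net
def term_match(terms, value, contains=lambda v, x: v == x):
    """Assumed semantics: match no negated entry and, if positive entries exist, at least one.
    An empty field, or a packet lacking the field (ARP has no IP protocol), is not filtered."""
    if not terms or value is None:
        return True
    if any(contains(v, value) for n, v in terms if n):
        return False
    positive = [v for n, v in terms if not n]
    return not positive or any(contains(v, value) for v in positive)

@dataclass
class Filter:
    """One set of filter fields; the syntax is the same on the Monitor and Display Filter tabs."""
    interfaces: str = ""
    ether_types: str = ""
    ip_types: str = ""
    src_addrs: str = ""
    src_ports: str = ""
    dst_addrs: str = ""
    dst_ports: str = ""
    bidirectional: bool = True   # selected by default on both tabs
    statuses: set = None         # None = every packet status

    def __post_init__(self):
        self._if = parse_terms(self.interfaces, lambda t: [t])
        self._et = parse_terms(self.ether_types, ether_value)
        self._ip = parse_terms(self.ip_types, ip_value)
        self._sa = parse_terms(self.src_addrs, addr_value)
        self._da = parse_terms(self.dst_addrs, addr_value)
        self._sp = parse_terms(self.src_ports, lambda t: [int(t)])
        self._dp = parse_terms(self.dst_ports, lambda t: [int(t)])

    def _ends(self, src, sport, dst, dport):
        return (term_match(self._sa, src, in_net) and term_match(self._sp, sport)
                and term_match(self._da, dst, in_net) and term_match(self._dp, dport))

    def matches(self, p):
        if not (term_match(self._if, p.iface.lower()) and term_match(self._et, p.ether_type)
                and term_match(self._ip, p.ip_proto)):
            return False
        if self.statuses is not None and p.status not in self.statuses:
            return False
        # Bidirectional matching also tries the packet with its two ends swapped.
        return self._ends(p.src, p.sport, p.dst, p.dport) or (
            self.bidirectional and self._ends(p.dst, p.dport, p.src, p.sport))

def capture(packets, monitor, buffer_size, wrap):
    """Monitor filter applied on arrival; a full buffer either wraps or stops storing."""
    buf = []
    for p in packets:
        if not monitor.matches(p):
            continue
        if len(buf) >= buffer_size:
            if not wrap:
                continue   # buffer full and not wrapping: packet is not stored
            buf.pop(0)
        buf.append(p)
    return buf

def view(buf, display):   # display filter runs only when viewing; the buffer is untouched
    return [p for p in buf if display.matches(p)]

SAMPLE = [   # constructed traffic, not a real capture
    Packet("X0", 0x0800, 6, "10.1.1.10", 51234, "192.0.2.7", 443, "forwarded"),
    Packet("X1", 0x0800, 6, "192.0.2.7", 443, "10.1.1.10", 51234, "forwarded"),  # reply direction
    Packet("X0", 0x0800, 17, "10.1.1.10", 53432, "10.1.1.1", 53, "consumed"),    # DNS to the firewall
    Packet("X1", 0x0800, 6, "198.51.100.9", 4444, "10.1.1.20", 22, "dropped"),
    Packet("X0", 0x0806, status="consumed"),                                       # ARP
    Packet("X1", 0x8863, status="generated"),                                      # PPPoE-DIS
]

def demo():
    monitor = Filter(ether_types="ip, 0x0806", ip_types="!udp",
                     src_addrs="10.1.1.0/24", dst_ports="443")
    buf = capture(SAMPLE, monitor, buffer_size=100, wrap=False)
    return buf, view(buf, Filter(statuses={"forwarded", "dropped"}))
```

In demo() the monitor filter keeps both directions of the HTTPS flow (the reply is caught only because bidirectional matching is on) and the ARP frame, which has no IP header and therefore passes the IP-type and address fields unfiltered; the display filter then hides the consumed ARP frame without removing it from the buffer.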

Configuring Logging

This section describes how to configure Packet Monitor logging settings. These settings provide a way to configure automatic logging of the capture buffer to an external FTP server. When the buffer fills up, the packets are transferred to the FTP server. The capture continues without interruption.

If you configure automatic FTP logging, this supersedes the setting for wrapping the buffer when full. With automatic FTP logging, the capture buffer is effectively wrapped when full, but you also retain all the data rather than overwriting it each time the buffer wraps.

Topics:  
Configuring Logging Settings
To configure logging settings:
1
Navigate to the Dashboard > Packet Monitor page.

2
Click Configure. The Packet Monitor Configuration dialog displays.

3
Click the Logging tab.

4
In the FTP Server IP Address field, enter the IP address of the FTP server where captured packets are to be logged.
* 
NOTE: Ensure that the FTP server IP address is reachable by the firewall. An IP address that is reachable only via a VPN tunnel is not supported.
5
In the Login ID field, enter the login name that the firewall should use to connect to the FTP server. The default value is admin.
6
In the Password field, enter the password that the firewall should use to connect to the FTP server. The default value is password. Replace both defaults with an account dedicated to capture uploads: FTP sends the credentials and the capture files in the clear, so the server should be reachable only over a management network you trust.
7
In the Directory Path field, enter the directory path for the logged files. The captured files are written to this directory location at the FTP server relative to the default FTP root directory. The default value is captures.

Examples of file names for the different formats:

libpcap format: files are named packet-log-<>.cap, where the <> contains a run number and date including hour, month, day, and year. For example, packet‑log‑h3‑22‑06292017.cap.
HTML format: files are named packet-log_h-<>.html, where the <> contains a run number and date including hour, month, day, and year. For example: packet‑log_h‑3‑22‑06292017.html.
8
To enable automatic logging of the capture file to a remote FTP server, select the Log To FTP Server Automatically checkbox. Captured files are named (where the <> contains a run number and date including hour, month, day, and year):
packet-log-<>.cap for libpcap format; for example: packet‑log_3‑22‑06292017.cap.
packet-log-<>.html for HTML format; for example: packet‑log_3‑22‑06292017.html.

This option is not selected by default.

* 
NOTE: You must specify an FTP server address in the FTP Server IP Address field.
9
To enable logging of a new generation capture file with comments that include debug information to a remote FTP server, select the Log PCAPNG File To FTP Server checkbox. Captured files are named packet‑log-<>.pcapng, where the <> contains a run number and date including hour, month, day, and year; for example: packet‑log_3‑22‑06292017.pcapng. This option is selected by default.
10
To enable transfer of the file in HTML format as well as libcap format, select the Log HTML File Along With .cap File (FTP) checkbox. This option is selected by default.
11
To test the connection to the FTP server and transfer the current capture buffer contents to it immediately, click Log Now. In this case, the file name contains an F. For example, packet-log-F-3-22-08292006.cap or packet-log_h-F-3-22-06292017.html.
12
To save your settings and exit the dialog, click OK.
Restarting FTP Logging

If automatic FTP logging is off, either because a connection attempt failed or because it was disabled, you can restart it on the Logging tab of the Packet Monitor Configuration dialog.

To restart FTP logging:
1
Navigate to the Dashboard > Packet Monitor page.
2
Click Configure. The Packet Monitor Configuration dialog displays.
3
Click the Logging tab.
4
Verify that the settings are correct for each item on the page. See Configuring Logging Settings.
5
To change the FTP logging status on the Dashboard > Packet Monitor page to active, select the Log To FTP Server Automatically checkbox.
6
Optionally, test the connection by clicking the Log Now button.
7
To save your settings and exit the dialog, click OK.

Configuring Advanced Monitor Filter Settings

This section describes how to configure monitoring for packets generated by the firewall and for intermediate traffic.

1
Navigate to the Dashboard > Packet Monitor page.

2
Click Configure. The Packet Monitor Configuration dialog displays.

3
Click the Advanced Monitor Filter tab.

4
To capture packets generated by the firewall, select the Monitor Firewall Generated Packets (This will bypass interface filter) checkbox. This option is not selected by default.

Even when other monitor filters do not match, this option ensures that packets generated by the firewall are captured. This includes packets generated by such protocols as HTTP(S), L2TP, DHCP servers, PPP, PPPOE, and routing. Captured packets are marked with s in the incoming interface area when they are from the system stack. Otherwise, the incoming interface is not specified.

* 
NOTE: Specify this option if firewall-generated packets need to be captured even if other capture filters fail to match.
5
To capture intermediate packets generated by the firewall as a result of various policies, select the Monitor Intermediate Packets checkbox. Included are such packets as intermediate encrypted packets, IP help-generated packets, multicast packets that are replicated, and those generated as a result of fragmentation or reassembly.

Selecting this checkbox enables, but does not select, the subsequent checkboxes for monitoring specific types of intermediate traffic. This option is not selected by default.

6
Select the checkbox for any of the following options to capture or mirror that type of intermediate traffic. The Monitor filter is still applied on these packets. None of these options is selected by default.
Monitor intermediate multicast traffic – For multicast traffic.
Monitor intermediate IP helper traffic – For replicated IP Helper packets.
Monitor intermediate reassembled traffic – For reassembled IP packets.
Monitor intermediate fragmented traffic – For packets fragmented by the firewall.
Monitor intermediate remote mirrored traffic – For remote mirrored packets after de-encapsulation.
Monitor intermediate IPsec traffic – For IPSec packets after encryption and decryption.
Monitor intermediate SSL decrypted traffic – For SSL decrypted packets.
* 
NOTE: SSL decrypted traffic is sent to the Packet Monitor, and some of the IP and TCP header fields may not be accurate in the monitored packets. IP and TCP checksums are not calculated on the decrypted packets. TCP port numbers are remapped to port 80.

DPI-SSL must be enabled to decrypt the packets along with any of the security services to be applied to such packets.

Monitor intermediate decrypted LDAP over TLS packets – For decrypted LDAP over TLS (LDAPS) packets. The packets are marked with ldp in the ingress/egress interface fields and have dummy Ethernet, IP, and TCP headers with some inaccurate fields. The LDAP server port is set to 389 so that an external capture analysis program can decode it as LDAP. Passwords in captured LDAP bind requests are obfuscated.
* 
NOTE: Decrypted LDAPS packets are sent to the Packet Monitor.
Monitor intermediate decrypted Single Sign On agent messages – For decrypted messages to or from the SSO authentication agent. The packets are marked with sso in the ingress/egress interface fields and have dummy Ethernet, IP, and TCP headers with some inaccurate fields.
* 
NOTE: Decrypted SSO packets are sent to the Packet Monitor.
7
To save your settings and exit the dialog, click OK.

Configuring Mirror Settings

This section describes how to configure Packet Monitor mirror settings. Mirror settings provide a way to send packets to a different physical port of the same firewall or to send packets to, or receive them from, a remote SonicWall firewall.

To configure mirror settings:
1
Navigate to the Dashboard > Packet Monitor page.

2
Click Configure. The Packet Monitor Configuration dialog displays.

3
Click the Mirror tab.

4
Under Mirror Settings, enter the desired maximum rate for mirror data into the Maximum mirror rate (in kilobits per second) field. If this rate is exceeded during mirroring, the excess packets are not mirrored but counted as skipped packets. This rate applies to mirroring both locally to an interface or to a remote firewall. The default and minimum value is 100 kbps, and the maximum is 1 Gbps.
5
Select the Mirror only IP packets checkbox to prevent mirroring of any non-IP packets, such as ARP or PPPoE. If selected, this option overrides any non-IP Ether types entered in the Ether Type(s) field on the Monitor Filter tab.
6
Under Local Mirror Settings, select the destination interface for locally mirrored packets in the Mirror filtered packets to Interface drop-down menu. The default is None.
7
Under Remote Mirror Settings (Sender), in the Mirror filtered packets to remote Sonicwall firewall (IP Address) field, enter the IP address of the remote SonicWall to which mirrored packets are sent. Packets are encapsulated and sent to the remote device at the specified IP address.
* 
NOTE: The remote SonicWall must be configured to receive the mirrored packets.
8
In the Encrypt remote mirrored packets via IPSec (preshared key-IKE) field, enter the pre-shared key to be used to encrypt traffic when sending mirrored packets to the remote firewall. Configuring this field enables an IPSec transport mode tunnel between this appliance and the remote firewall; the pre-shared key is used by IKE to negotiate the IPSec keys. If the field is left empty, the mirrored copies, including any decrypted SSL traffic selected on the Advanced Monitor Filter tab, travel to the remote firewall unencrypted.
* 
NOTE: Enabling this option also enables an IPSec transport mode tunnel between this appliance and the remote firewall.
9
Under Remote Mirror Settings (Receiver), in the Receive mirrored packets from remote Sonicwall firewall (IP Address) field, enter the IP address of the remote appliance that sends the mirrored packets. Received packets are decapsulated and sent either to the local capture buffer or out of another interface, as specified in the following options.
* 
NOTE: The remote SonicWall must be configured to send the mirrored packets.
10
In the Decrypt remote mirrored packets via IPSec (preshared key-IKE) field, enter the same pre-shared key that is configured on the sending firewall. It is used by IKE to negotiate the IPSec keys that protect the mirrored traffic.
* 
NOTE: Enabling this option also enables an IPSec transport mode tunnel between this appliance and the remote firewall.
11
To mirror received packets to another interface on the local SonicWall, select the interface from the Send received remote mirrored packets to Interface drop-down menu. The default is None.
12
To save all remote mirrored packets in the local capture buffer, select the Send received remote mirrored packets to capture buffer checkbox. This option is independent of sending mirrored packets to another interface, and both can be enabled if desired.
13
To save your settings and exit the dialog, click OK.

Configuring Packet Processing – SuperMassive 9800 Only

14
If you do not have a SuperMassive 9800 firewall, go to

15
 

Verifying Packet Monitor Activity

This section describes how to tell if your packet monitor, mirroring, or FTP logging is working correctly according to the configuration.

Topics:  

Understanding Status Indicators

The Packet Monitor section displays status indicators for packet capture (trace), mirroring, and FTP logging. Information popup tooltips display the configuration settings.

Topics:  
Packet Capture Status (Trace)

The first line in the Packet Monitor section is the packet capture status indicator, which is labeled Trace, and shows one of the following three conditions:

Red – Capture is stopped
Green – Capture is running and the buffer is not full
Yellow – Capture is on, but the buffer is full

The Trace also displays:

On/off indicator
Buffer size, in KB
Number of Packets captured
Percentage of buffer space used (Buffer is % full)
How much of the buffer has been lost (MB of Buffer lost). Lost packets occur when automatic FTP logging is turned on, but the file transfer is slow for some reason. If the transfer is not finished by the time the buffer is full again, the data in the newly filled buffer is lost.
* 
NOTE: Although the buffer wrap option clears the buffer upon wrapping to the beginning, this is not considered lost data.
Mirroring Status

There are three status indicators for packet mirroring:

Local mirroring – Packets sent to another physical interface on the same SonicWall

For local mirroring, the status indicator shows one of the following three conditions:

Red – Mirroring is off
Green – Mirroring is on
Yellow – Mirroring is on but disabled because the local mirroring interface is not specified

The local mirroring row also displays the following statistics:

On/off indicator
Mirroring to interface – The specified local mirroring interface
packets mirrored – The total number of packets mirrored locally
pkts skipped – The total number of packets that were not mirrored because they are incoming or outgoing on the interface on which mirroring is configured
pkts exceeded rate – The total number of packets that skipped mirroring due to rate limiting
Remote mirroring Tx – Packets sent to a remote SonicWall

For Remote mirroring Tx, the status indicator shows one of the following three conditions:

Red – Mirroring is off
Green – Mirroring is on and a remote SonicWall IP address is configured
Yellow – Mirroring is on but disabled because the remote device rejects mirrored packets and sends port unreachable ICMP messages

The Remote mirroring Tx row also displays the following statistics:

On/off indicator
Mirroring to – The specified remote SonicWall IP address
packets mirrored – The total number of packets mirrored to a remote SonicWall appliance
pkts skipped – The total number of packets that were not mirrored because they arrived on, or were sent out of, the interface on which mirroring is configured
pkts exceeded rate – The total number of packets that failed to mirror to a remote SonicWall, either due to an unreachable port or other network issues
Remote mirroring Rx – Packets received from a remote SonicWall

For Remote mirroring Rx, the status indicator shows one of the following two conditions:

Red – Mirroring is off
Green – Mirroring is on and a remote SonicWall IP address is configured

The Remote mirroring Rx row also displays the following statistics:

On/off indicator
Receiving from – The specified remote SonicWall IP address
mirror packets rcvd – The total number of packets received from a remote SonicWall appliance
mirror packets rcvd but skipped – The total number of packets received from a remote SonicWall appliance that failed to get mirrored locally due to errors in the packets
FTP Logging Status

The FTP logging status indicator shows one of the following three conditions:

Red – Automatic FTP logging is off
Green – Automatic FTP logging is on
Yellow – The last attempt to contact the FTP server failed, and logging is now off
* 
NOTE: To restart automatic FTP logging, see Restarting FTP Logging.

The FTP logging row also displays the following statistics:

On/off indicator
FTP Server Pass/Failure count: 0/0 – the number of successful and failed attempts to transfer the buffer contents to the FTP server
FTP Thread is Busy/Idle – the current state of the FTP process thread
Buffer status – the status of the capture buffer
Current Buffer Statistics

The Current Buffer Statistics row summarizes the number of each type of packet in the local capture buffer:

Dropped – number of packets dropped by the firewall
Forwarded – number of packets forwarded by the firewall
Consumed – number of packets consumed by the firewall (terminated on the appliance itself)
Generated – number of packets generated by the firewall
Current Configurations

The Current Configurations row provides dynamic information about configured settings for:

Filters, both Capture Filters and Display Filters
General, both General Settings and Advanced Settings
Logging
Mirroring, Mirror Settings

When you hover your mouse pointer over one of the information icons or its label, a popup tooltip displays the current settings for that selection.

Clearing the Status Information

You can clear the packet monitor queue and the displayed statistics for the capture buffer, mirroring, and FTP logging.

1
Navigate to the Dashboard > Packet Monitor page.
2
Click the Clear button.

Using Packet Monitor and Packet Mirror

The top of the Dashboard > Packet Monitor page provides several buttons for general control of the packet monitor feature and display:

Configure – Displays the Packet Monitor Configuration dialog. For more information, see Configuring Packet Monitor.
Monitor All – Resets current monitor filter settings and advanced page settings so that traffic on all local interfaces is monitored. A confirmation dialog displays when you click this button.
Monitor Default – Resets current monitor filter settings and advanced page settings to factory default settings. A confirmation dialog displays when you click this button.
Clear – Clears the packet monitor queue and the displayed statistics for the capture buffer, mirroring, and FTP logging.
Refresh – Refreshes the packet display windows on this page to show new buffer data.

The Dashboard > Packet Monitor page is shown below:

For an explanation of the status indicators near the top of the page, see Understanding Status Indicators.

The other buttons and displays on this page are described in the following sections:

Starting and Stopping Packet Capture

You can start a packet capture that uses default settings without configuring specific criteria for packet capture, display, FTP export, and other settings. If you start a default packet capture, the SonicWall security appliance captures all packets except those for internal communication, and stops when the buffer is full (unless the buffer wrap option is enabled in the capture configuration) or when you click Stop Capture.

1
Navigate to the Dashboard > Packet Monitor page.

2
Optionally click Clear to set the statistics back to zero.
3
Under Packet Monitor, click Start Capture.
4
To refresh the packet displays to show new buffer data, click Refresh.
5
To stop the packet capture, click Stop Capture.

You can view the captured packets in the Captured Packets, Packet Detail, and Hex Dump sections of the Packet Monitor page. See Viewing Captured Packets.

Starting and Stopping Packet Mirror

You can start packet mirroring that uses your configured mirror settings by clicking Start Mirror. It is not necessary to first configure specific criteria for display, logging, FTP export, and other settings. Packet mirroring stops when you click Stop Mirror.

To start or stop Packet Mirror:
1
Navigate to the Dashboard > Packet Monitor page.

2
Under Packet Monitor, click Start Mirror to start mirroring packets according to your configured settings.
3
To stop mirroring packets, click Stop Mirror.

Viewing Captured Packets

The Dashboard > Packet Monitor page provides three sections to display different views of captured packets:

About the Captured Packets Display

The Captured Packets section displays statistics about each packet:

# - Packet number relative to the start of the capture.
Time - Date and time the packet was captured.
Ingress - Firewall interface on which the packet arrived is marked with an asterisk (*). The subsystem type abbreviation is shown in parentheses. Subsystem type abbreviations are defined in Subsystem type abbreviations.

Subsystem type abbreviations

i – Interface
hc – Hardware based encryption or decryption
sc – Software based encryption or decryption
m – Multicast
r – Packet reassembly
s – System stack
ip – IP helper
f – Fragmentation

Egress - Firewall interface on which the packet was captured when sent out. The subsystem type abbreviation is shown in parentheses. See Subsystem type abbreviations for definitions of subsystem type abbreviations.
Source IP - Source IP address of the packet.
Destination IP - Destination IP address of the packet.
Ether Type - Ethernet type of the packet from its Ethernet header.
Packet Type - Type of the packet depending on the Ethernet type; for example:

Ethernet type – Packet type

IP packets – TCP, UDP, or another protocol that runs over IP
PPPoE packets – PPPoE Discovery or PPPoE Session
ARP packets – Request or Reply

Ports [Src, Dst] - Source and destination TCP or UDP ports of the packet
Status - Shows the state of the packet with respect to the firewall. A packet can be dropped, generated, consumed, or forwarded by the firewall. You can position the mouse pointer over dropped or consumed packets to show this information:

Packet status – Displayed value – Definition of displayed value

Dropped – Module-ID = <integer> – Value for the protocol subsystem ID
Dropped – Drop-code = <integer> – Reason for dropping the packet
Dropped – Reference-ID: <code> – SonicWall-specific data
Consumed – Module-ID = <integer> – Value for the protocol subsystem ID

Length [Actual] - Number of bytes captured in the buffer for this packet. Actual value, in brackets, is the number of bytes transmitted in the packet.
Blade (SuperMassive 9800 only) - Blade processing the packet.
About the Packet Detail Display

When you click on a packet in the Captured Packets section, the packet header fields are displayed in the Packet Detail section. The display varies depending on the type of packet that you select.

About the Hex Dump Display

When you click on a packet in the Captured Packets section, the packet data is displayed in hexadecimal and ASCII format in the Hex Dump section. The hex format is shown on the left side of the window, with the corresponding ASCII characters displayed to the right for each line. When the hex value is zero, the ASCII value is displayed as a dot.
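The following is an added example, not SonicOS code, that shows what the Captured Packets columns and the Hex Dump section are derived from. It decodes a raw Ethernet frame into the Ether Type, Packet Type, Source/Destination IP, Ports, and Length fields (following the Ethernet type to packet type mapping above), and renders the frame as a hex dump with ASCII on the right. The two sample frames are constructed by hand; the MAC and IP addresses in them are placeholders, and rendering non-zero non-printable bytes as a dot is an assumption about the UI.

```python
"""Added example (not SonicOS code): decode a raw Ethernet frame into the
fields the Captured Packets table shows, and render the frame the way the
Hex Dump section does. The sample frames are constructed by hand."""
import ipaddress
import struct

ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_PPPOE_DISCOVERY = 0x8863
ETHERTYPE_PPPOE_SESSION = 0x8864
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def decode_frame(frame: bytes) -> dict:
    """Return the Ether Type, Packet Type, Source/Destination IP, Ports and
    Length columns for one frame. Fields that do not apply stay None."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ether_type = struct.unpack("!H", frame[12:14])[0]
    row = {"ether_type": f"0x{ether_type:04x}", "packet_type": "Unknown",
           "src_ip": None, "dst_ip": None, "ports": None, "length": len(frame)}
    payload = frame[14:]
    if ether_type == ETHERTYPE_IP and len(payload) >= 20:
        ihl = (payload[0] & 0x0F) * 4          # IPv4 header length in bytes
        proto = payload[9]
        row["src_ip"] = str(ipaddress.IPv4Address(payload[12:16]))
        row["dst_ip"] = str(ipaddress.IPv4Address(payload[16:20]))
        # For IP frames the Packet Type is the transport protocol.
        row["packet_type"] = IP_PROTO_NAMES.get(proto, f"IP protocol {proto}")
        if proto in (6, 17) and len(payload) >= ihl + 4:
            # TCP and UDP both start with source and destination port.
            row["ports"] = struct.unpack("!HH", payload[ihl:ihl + 4])
    elif ether_type == ETHERTYPE_ARP and len(payload) >= 28:
        opcode = struct.unpack("!H", payload[6:8])[0]
        row["packet_type"] = {1: "Request", 2: "Reply"}.get(opcode, f"ARP opcode {opcode}")
        row["src_ip"] = str(ipaddress.IPv4Address(payload[14:18]))   # sender IP
        row["dst_ip"] = str(ipaddress.IPv4Address(payload[24:28]))   # target IP
    elif ether_type == ETHERTYPE_PPPOE_DISCOVERY:
        row["packet_type"] = "PPPoE Discovery"
    elif ether_type == ETHERTYPE_PPPOE_SESSION:
        row["packet_type"] = "PPPoE Session"
    return row


def hex_dump(data: bytes, width: int = 16) -> str:
    """Hex on the left, ASCII on the right, one line per `width` bytes.
    A zero byte is shown as '.', as the Hex Dump section describes; this
    example also shows every other non-printable byte as '.' (an assumption
    about the UI, and the usual hexdump convention)."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        ascii_part = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:04x}  {hex_part}  {ascii_part}")
    return "\n".join(lines)


def build_sample_tcp_frame() -> bytes:
    """Constructed sample: TCP SYN 10.0.0.5:40000 -> 192.0.2.10:443.
    Checksums are left at zero; they are not needed for the columns."""
    eth = bytes.fromhex("66778899aabb") + bytes.fromhex("001122334455") + struct.pack("!H", ETHERTYPE_IP)
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address("10.0.0.5").packed,
                     ipaddress.IPv4Address("192.0.2.10").packed)
    return eth + ip + tcp


def build_sample_arp_frame() -> bytes:
    """Constructed sample: ARP request, who has 10.0.0.1, tell 10.0.0.5."""
    sender_mac = bytes.fromhex("001122334455")
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IP, 6, 4, 1,
                      sender_mac, ipaddress.IPv4Address("10.0.0.5").packed,
                      b"\x00" * 6, ipaddress.IPv4Address("10.0.0.1").packed)
    return eth + arp


if __name__ == "__main__":
    for frame in (build_sample_tcp_frame(), build_sample_arp_frame()):
        print(decode_frame(frame))
        print(hex_dump(frame))
```

Running the block prints one decoded row and one hex dump per sample frame; the Length value equals the number of bytes in the buffer, which is also the bracketed Actual value here because the sample frames are not truncated.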

 

Tracking Potential Security Threats

Dashboard > Log Monitor

* 
NOTE: For increased convenience and accessibility, the Log Monitor page can be accessed either from Dashboard > Log Monitor or Log > Log Monitor. The two pages provide identical functionality.

The SonicWall network security appliance maintains an Event log for tracking potential security threats.

The event log can be sent automatically to an Email address for convenience and archiving. Alerts from the Log Monitor can also be sent via Email to notify you of events such as attacks on your firewall. Alerts are e-mailed immediately, either to an e-mail address or to an e-mail pager. Each log entry contains the date and time of the event and a brief message describing the event.

The displayed information is controlled by setting options for which categories you want to display in the log table. Use the Categories column to determine the baseline events to monitor and to configure event-specific information.

The Filter input field at the top left corner of the Log Monitor panel enables you to enter a search string that is used to filter the log events that are displayed in Log Monitor panel.

You can type any substring and press the Enter key to filter the Log Monitor table. The Log Monitor lists only log events that contain matches for that substring.

Configuring Logging

You configure logging events in the Log > Log Settings page. See Configuring Log Settings.

* 
NOTE: There are log messages that show the up/down status of some of the special network objects. These objects, however, live for only three seconds and then are deleted automatically.

Managing Event Logging

Some of the common tasks that you can perform to manage the Event Log are as follows:

Online Viewing of Log Events—The Event Log is not persistent. Older events in the run-time Event Log database buffer may be over-written with newer events.
Online Viewing Using the SonicOS Log Monitor UI—The UI takes snapshots of the Event Log database, so you can scroll forward and backwards in the Event Log using your browser.
Text Viewing Format Using the CLI—Shows only the current content of the Event Log database.
Log Monitor Display Filtering—You can customize the Log Event display.
Log Settings Capture Filtering—You can customize the Log Event capture.
Offline Viewing of Log Events—Offline viewing is persistent because the system saves the log events to an external source, such as your computer.
Viewing Log Events via Email—Using your email client, you can setup individual email alerts that are sent whenever an event occurs, or an email digest that sends batches of log events periodically.

Viewing Log Events via Syslog Viewer—You can view and configure log events and capture settings using a Syslog viewer.
Viewing Log Events via GMS Syslogs—You can view and configure log events using GMS.
Exporting the Event Log Database—You can export the Event Log database as a plain text file by clicking the Export button.

Deleting Entries from the Run-Time Event Log Database—You can permanently delete entries, using the Clear All button. So, proceed with caution. If automation is not enabled, export the database before using Clear All.

Deep Packet Forensics using a Data Recorder such as Solera—You can record deep packet events using a data recorder such as Solera. This feature is enabled under Log > Automation, and the events to record are configured under Log > Settings.

Log Monitor Table Functions

The Log Monitor table provides numerous settings to allow you to navigate, view, and export results. Table columns can be customized, so that you can view full data on any event, or only the data you need. Table entries can be sorted to display in either ascending or descending order.

You can sort the entries in the Log Monitor table by clicking on the column header. The entries are sorted by ascending or descending order. The arrow to the right of the column entry indicates the sorting status. A down arrow means ascending order. An up arrow indicates a descending order.

The top row of the Log Monitor table contains several functional items:

Display Menu

From the Log Events Since menu, you can select the time interval in which to view log events. Time intervals range from the last 30 minutes to the last 30 days, or all log events in the database.

Functional Icons

The functional icons perform various functions of the Log Monitor. Pausing your cursor over an icon reveals the description of the button.

Log monitor: Functional icons

Export Log as CSV File – Displays a dialog that allows you to open or save the log in comma-separated value (CSV) format, for importing into Excel or other spreadsheet applications.
Export Log as Plain Text File – Displays a dialog that allows you to save the log in plain text format. Two formats for Email can be configured on the Log > Automation page: Plain Text or HTML.
Select Columns to Display – Displays a dialog that allows you to select the columns that you want to show in the Log Monitor table.
Send Log to Email Address – Sends all logs to the configured email address.
Clear All Logs – Deletes all saved logs.
Configure Logging – Displays the Log > Settings page.
Status – Displays the total number of logs present in the database, as well as the latest reported time for each status category.
Force Refreshing – Updates the information in the Log Monitor table.

Refresh Field and Toggle Icon

At the far right of the table, in the Refresh field, you can specify how often the Log Monitor table is updated with events from the event log database. The default is to refresh every 60 seconds, but other intervals can be specified. To refresh all output immediately, click the pause/play toggle icon to the right of the Refresh field.

The pause/play toggle icon starts or stops the Log Monitor table from updating its content. This is useful in cases where the Log Monitor table is very busy and is being updated continually in quick succession. Users can pause the screen from updating long enough to inspect the messages.

Data Display

The Log Monitor is displayed in a table and can be sorted by column.

To select which columns you want to appear in the table:
1
Click the Tools button.

The Select Columns to Display popup window appears.

2
Select the columns you want to display.
3
Click Apply.

The default log table columns include:

Local Time - The date and time of the event.
ID - Identifying number for the event. ID is most useful when using GMS or Syslog. The ID is shown in Syslog packets and is used to identify data in generated reports.
Category - To make it easier to find and configure the settings for an event, events can be displayed by Category, Group, or Event, as selected from the Select Columns to Display dialog.
Priority - The level of priority associated with your log event. Syslog uses eight priorities to characterize messages: Emergency, Alert, Critical, Error, Warning, Notice, Informational, and Debug.
Src. Int - Displays source network and IP address.
Dst. Int - Displays the destination network and IP address.
Src. IP - Displays the source IP address.
Src. Port - Displays the source port.
Dst. IP - Displays the destination IP address.
Dst. Port - Displays the destination port.
IP Protocol - The IP protocol in use, such as TCP, UDP, or ICMP.
User Name - Displays the name of the originating user
Application - Displays the application accessing the network.
Notes - Provides dynamic, detailed information about the event.
Message - Provides a general description of the event.
* 
NOTE: The Time, ID, and Message columns are always displayed and cannot be hidden by customization.
* 
NOTE: For more information on specific log events, refer to the SonicOS Log Event Reference Guide.

Filtering the Log Monitor Table

Filter Bar

The filter bar allows you to filter the log table based on selected criteria.

1
Select a filter item by clicking on the desired column cell. The selected cell turns blue. Multiple cells can be selected.

2
When finished making selections, click the + in the filter bar.

The filter criteria is applied to the display, and you see the filter type in the filter bar.

3
Click on the arrow beside the column name (in this case Category) to view the filter value.

4
To remove a filter, click the x next to the Filter type.

Filter View

Filter View allows you to set the filtering without any existing matches in the Log Monitor table.

In normal view, you can only set filtering based on an existing event that you can select in the Log Monitor table. In Filter View, you can select only one combination of Category/Priority at a time. In normal view, you can select several categories at the same time.

You can configure multiple filter views for categories using the filter bar.

To configure a filter view:
1
Go to the Log > Monitor page.
2
Click the + sign next to the Filter View bar. The Filter View dialog appears.

3
From the Priority menu, select the priority that you want.
4
From the Category menu, select the category that you want.
5
From the Source Interface menu, select the interface that you want.
6
From the Destination Interface menu, select the interface that you want.
7
In the Source IP box, enter the source IP address that events must match.
8
In the Destination IP box, enter the destination IP address that events must match.
9
Click Apply. The Log Monitor table displays the filtered results.
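The filters above operate on the same fields that the Data Display columns show and that syslog carries (the event ID, the eight syslog priorities, category, source and destination interface and IP). The following is an added example, not SonicOS code, that parses constructed syslog-style events into those columns and applies the two filter styles described on this page: the free-text Filter box (a case-insensitive substring match across all columns) and a Filter View (one Priority/Category combination, optionally narrowed by interface and IP). The key=value layout, the field names (id, sn, time, fw, pri, c, m, msg, src, dst, proto), the "ip:port:interface" form of src and dst, and the use of c as the category number are assumptions about the syslog format; the three sample lines are constructed and the addresses in them are placeholders.

```python
"""Added example (not SonicOS code): parse constructed SonicOS-style syslog
lines into the columns the Log Monitor shows, and apply the page's two
filter styles: the free-text Filter box and a Filter View on one
Priority/Category (plus interface and IP) combination."""
import shlex

# Syslog severity numbers to the eight names the Priority column uses.
PRIORITY_NAMES = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
                  4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug"}

# Constructed sample events. The key=value layout (id, sn, time, fw, pri, c,
# m, msg, src, dst, proto) and the "ip:port:interface" form of src/dst are
# assumptions about the syslog format, not lines captured from an appliance.
SAMPLE_LOG = """\
id=firewall sn=0017C5000001 time="2016-03-01 10:15:02" fw=198.51.100.2 pri=6 c=1024 m=537 msg="Connection Closed" src=10.0.0.5:40000:X0 dst=192.0.2.10:443:X1 proto=tcp/https
id=firewall sn=0017C5000001 time="2016-03-01 10:15:04" fw=198.51.100.2 pri=1 c=32 m=608 msg="IPS Detection Alert: possible port scan" src=203.0.113.7:51000:X1 dst=198.51.100.2:22:X1 proto=tcp/ssh
id=firewall sn=0017C5000001 time="2016-03-01 10:15:09" fw=198.51.100.2 pri=3 c=4 m=29 msg="Administrator login failed" src=10.0.0.9:52311:X0 dst=10.0.0.1:443:X0 proto=tcp/https
"""


def parse_event(line: str) -> dict:
    """One key=value line -> dict. shlex keeps quoted values such as msg="..." whole.
    pri is the syslog severity (0-7), m is the event ID, c is taken as the category number."""
    ev = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            ev[key] = value
    ev["pri"] = int(ev.get("pri", 7))
    ev["priority"] = PRIORITY_NAMES.get(ev["pri"], "Unknown")
    for side in ("src", "dst"):
        parts = ev.get(side, "").split(":")
        ev[f"{side}_ip"] = parts[0] or None
        ev[f"{side}_port"] = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
        ev[f"{side}_int"] = parts[2] if len(parts) > 2 else None
    return ev


def load_events(text: str) -> list:
    """Parse every non-empty line of a syslog export."""
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def substring_filter(events: list, needle: str) -> list:
    """The Filter box: keep events where any column contains the substring (case-insensitive)."""
    needle = needle.lower()
    return [e for e in events if any(needle in str(v).lower() for v in e.values())]


def filter_view(events: list, priority=None, category=None, src_int=None,
                dst_int=None, src_ip=None, dst_ip=None) -> list:
    """A Filter View: every given criterion must match; None means any value."""
    wanted = {"priority": priority, "c": category, "src_int": src_int,
              "dst_int": dst_int, "src_ip": src_ip, "dst_ip": dst_ip}
    return [e for e in events
            if all(v is None or str(e.get(k)) == str(v) for k, v in wanted.items())]


def alerts(events: list, max_pri: int = 1) -> list:
    """Events severe enough to be e-mailed as alerts: severity number at or below max_pri."""
    return [e for e in events if e["pri"] <= max_pri]


if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    for e in substring_filter(events, "login"):
        print(e["time"], e["m"], e["priority"], e["msg"])
    for e in alerts(events):
        print("ALERT", e["m"], e["src_ip"], e["msg"])
```

Because the appliance's own event log is a fixed-size ring buffer (see Log Persistence below), running a parser like this over a syslog or exported copy is the way to keep and search events after they have been overwritten on the appliance.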

Log Event Messages

For a complete reference guide of log event messages, refer to the SonicOS Log Event Reference Guide at SonicWall Support.

Log Persistence

Lower end TZ models can store up to 800 event entries in the log buffer. All other SonicWall Release 6.2 models can store 1000 to 10,000 event entries in the log buffer.

When the log buffer is full, the oldest entries are overwritten by new ones. You can also click the Clear all logs button to clear all log entries.

Emailing provides a simple version of logging persistence, while GMS provides a more reliable and scalable method.

The option to deliver logs as either plain-text or HTML provides an easy method to review and replay events logged.

Log Details

Clicking on the Information icon for a log entry displays the Log Details popup, which displays detailed information about the entry, grouped as follows:

General – General information about the log event:
Time – Local date and time the event occurred.
ID – Identifying number for the event.
Category – Category of the event.
Group – Group designation of the event.
Event – Name of the event.
Msg Type – Type of message; usually Standard Message String.
Priority – Priority level of the event, such as Inform (information) or Error.
Message – Information about the event.
Src. Name – Name of the source device, if applicable.
Dst. Name – Name of the destination device, if applicable.
Notes – Further information about the event, if applicable.

Protocol – Information about the protocol of the packet triggering the event:
Src. IP – IP address of the source device.
Src. Port – Port number of the source.
Src. Int. – Source network and IP address, if applicable.
Dst. IP – IP address of the destination device.
Dst. Port – Port number of the destination.
Dst. Int. – Destination network and IP address, if applicable.
Ether Type – Ethernet type of the packets, if known.
Src. MAC – MAC address of the source device, if known.
Src. Vendor – Name of the source device’s manufacturer, if known (see note 1).
Src. Zone – Source zone, if known.
Dst. MAC – MAC address of the destination device, if known.
Dst. Vendor – Name of the destination device’s manufacturer, if known (see note 1).
Dst. Zone – Destination zone, if known.
IP Protocol – IP protocol of the packet, such as TCP, UDP, or ICMP, if known.
ICMP Type – ICMP packet’s ICMP type, if known.
ICMP Code – ICMP packet’s ICMP code, if known.

NAT – Information about the NAT policy in effect, if any:
Src. NAT IP – Source address from the Source NAT IP address pool.
Src. NAT Port – Port number for the Source NAT.
Dst. NAT IP – Destination address from the Destination NAT IP address pool.
Dst. NAT Port – Port number for the Destination NAT.
NAT Policy – Name of the NAT policy.

Policy – Information about SPI, Access and IDP Rules, and/or VPN policy, if any:
In SPI – Indicates whether the ingress packet is in Stateful Packet Inspection (SPI) mode, if applicable.
Out SPI – Indicates whether the egress packet is in Stateful Packet Inspection (SPI) mode, if applicable.
Access Rule – Name of the Access Rule triggering the event, if any.
VPN Policy – Name of the VPN policy triggering the event, if any.
IDP Rule – Name of the IDP Rule triggering the event, if any.
IDP Priority – Priority of the IDP Rule.

Traffic – Information about the traffic:
TX Bytes – Number of bytes transmitted.
RX Bytes – Number of bytes received.
HTTP OP – HTTP request method (HTTP OP code) of the website hit, if applicable.
URL – URL of the website hit, if applicable.
HTTP Result – HTTP result code (such as 200 or 403) of the website hit, if applicable.
Block Cat – Block category that triggered the event.
FW Action – Configured firewall action. If no action has been specified, displays N/A.

Others – Information about the user, session, and application, if known:
User Name – Name of the user whose action triggered the event.
Session Time – Duration of the session before the event.
Session Type – Type of session triggering the event.
Application – Name of the application triggering the event.

Note 1: Every wired or wireless networking device has a 48-bit MAC address assigned by its hardware manufacturer. An organizationally unique identifier (OUI) is a 24-bit number that uniquely identifies a vendor, manufacturer, or other organization worldwide. The first three octets of the MAC address are the OUI.

GMS

To provide the ability to identify and view events across an entire enterprise, a GMS update will be required. Device-specific interesting-content events at the GMS console appear in Reports > Log Viewer Search page, but are also found throughout the various reports, such as Top Intrusions Over Time.