Configuring IPFIX w/ Extensions Flow Reporting (SonicOS 5.8.1 and above)

03/26/2020


    Description

    Configuring IPFIX w/ Extensions Flow Reporting (SonicOS 5.8.1 and above)

    Resolution

    Configuring SNMP on the UTM appliance

    1. To configure SNMP, log into the UTM appliance. Browse to System | Administration.
    2. Enable SNMP. Click Configure.

    3. Enter the unit-specific information. The Get Community Name is “public” by default. It can be changed, but in this example it has been left as “public”. Enter the IP of the SonicWall Scrutinizer system in one of the Host fields. Click OK.

    4. Ensure that SNMP is enabled on the interface that SonicWall Scrutinizer will communicate with. In this example, SNMP will be enabled on the X0 LAN interface. For deployments where the Netflow collector is reached over a VPN tunnel, SNMP must be allowed from the Netflow collector to the UTM appliance using Access Rules.

    Configuring External Flow Reporting

    1. Browse to Log | Flow Reporting. Enable “Report to EXTERNAL flow collector”. Optionally, you can turn on Flow Reporting and Visualization (Internal Reporting) for access to the App Flow Monitor in the UTM appliance.
    2. SonicWall Scrutinizer supports collection of IPFIX (Netflow version-10) with Extensions. Advanced SonicWall-specific reporting is available only with IPFIX with Extensions. Set the “External flow reporting type” to “IPFIX with Extensions”.
    3. Enter the IP of the SonicWall Scrutinizer server. The default port number for Netflow reporting is UDP/2055. Customize this based on the port selected when SonicWall Scrutinizer was installed.
    4. The “Source IP to use for collector on a VPN tunnel” should be configured if the SonicWall Scrutinizer collector is accessed over a VPN tunnel. The IP entered will be the source IP of the Netflow traffic sent to SonicWall Scrutinizer. For example, the X0 IP of the UTM appliance can be used. SNMP must be allowed from SonicWall Scrutinizer to the IP entered into this text field.
    5. Ensure that both the “Send templates at regular intervals” and “Send static flows at regular intervals” are checked. This ensures that SonicWall Scrutinizer always receives up-to-date templates and static flows from the UTM appliance.
    6. Ensure that all of the tables are selected for the following three drop-down menus:
    “Send static flows for the following tables”
    “Send dynamic flows for the following tables”
    “Include following additional reports via IPFIX”
    7. The recommended “Flow reporting mode” is “Realtime with bulk”. Realtime with bulk allows the firewall to send multiple Netflow records per Netflow packet.

    8. Report Settings allow you to selectively enable Netflow reporting based on Interface or Firewall/App Rules. In this example, the appliance is set to report flows on all interfaces/access rules. Setting this to Firewall/App Rules-based will require that you enable Flow Reporting on an Access Rule or App Rule in order to report flows. Interface-based will only report on interfaces that have Flow Reporting enabled on them.

    • “Report flows on connection OPEN” will report a flow when the connection is opened. This is enabled by default. Not reporting on connection open can result in inaccurate reporting to an external collector. This would be especially noticeable when a flow doesn’t close for a long period of time, for example during a large download.
    • “Report flows on threat detection” will report a flow when a threat is detected in the flow. This is enabled by default.
    • “Report flows on application detected” will report a flow when an application is detected by the DPI engine.
    • “Report flows on user detection” will report a flow when the flow is identified for a logged-in user.
    • “Report flows on VPN tunnel detection” will report a flow when the flow is identified as being used over a VPN tunnel.
    • “Reporting flows on Kilobytes exchanged” will report a flow when the set number of Kilobytes has been transferred on a connection. This means a flow will be reported multiple times throughout the life of the flow (each time the set number of Kilobytes has been transferred). It is recommended to turn on this option. Not using this setting, or setting it too high or too low, can result in inaccurate (understated or overstated) reports, or spikes in reporting where usage appears too high for a short period of time. A good baseline is 100 Kilobytes (the default). The “Report ONCE” option will cause the flow to be reported only one time on Kilobytes exchanged. Instead of reporting every 100 Kilobytes, it will report only once, when 100 Kilobytes has been transferred. In most situations, this option should be disabled, as reporting will be affected.
    • “Report flows on connection CLOSE” will report a flow when the connection has closed. This is enabled by default.
    • “Report DROPPED flows” will report a flow when the connection is dropped. This is enabled by default.
    • “Skip reporting of STACK flows (connections)” is enabled by default, and does not report connections generated by the system stack. Disabling this will result in additional reported flows to the external collector.
    • “Include following URL types” will report URLs accessed with the selected file types. By default, all of the file types listed in the drop-down menu are enabled.

    After making all desired changes, the unit requires a reboot. Browse to System | Restart. Click the Restart button to reboot the appliance.
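
    To check from the collector side that the appliance is exporting IPFIX (version 10) and that templates arrive as configured in step 5, the following added example (not SonicWall or Scrutinizer code) parses IPFIX messages per RFC 7011 and lists data sets that arrived before their template. The sample datagrams, the template ID 256 and the enterprise number 99999 are constructed placeholders.

```python
import struct

TEMPLATE_SET = 2  # RFC 7011 set ID for template records; data sets use IDs >= 256
# Constructed sample datagrams (not captured traffic); enterprise number 99999 is a placeholder.
SAMPLE_TEMPLATE = bytes.fromhex("000a002400000000000000000000000100020014010000020008000480010004" "0001869f")
SAMPLE_DATA = bytes.fromhex("000a001c0000000000000001000000010100000cc0a8000100000007")

def parse_ipfix(datagram):
    """Parse one IPFIX message; return (domain, {template_id: fields}, [data set IDs])."""
    if len(datagram) < 16:
        raise ValueError("truncated IPFIX header")
    version, length, _time, _seq, domain = struct.unpack("!HHIII", datagram[:16])
    if version != 10 or length != len(datagram):
        raise ValueError("not a well-formed IPFIX (version 10) message")
    templates, data_sets, off = {}, [], 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack("!HH", datagram[off:off + 4])
        if set_len < 4 or off + set_len > length:
            raise ValueError("malformed set length")
        if set_id == TEMPLATE_SET:
            templates.update(parse_templates(datagram[off + 4:off + set_len]))
        elif set_id >= 256:
            data_sets.append(set_id)
        off += set_len
    return domain, templates, data_sets

def parse_templates(body):  # fields are (element ID, length, enterprise number or None)
    templates, pos = {}, 0
    while pos + 4 <= len(body):  # trailing padding is shorter than 4 bytes and is skipped
        tid, count = struct.unpack("!HH", body[pos:pos + 4])
        fields, pos = [], pos + 4
        for _ in range(count):  # a truncated record raises struct.error to the caller
            ie, flen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            pen = None
            if ie & 0x8000:  # enterprise bit set: vendor extension field, PEN follows
                (pen,) = struct.unpack("!I", body[pos:pos + 4])
                pos += 4
            fields.append((ie & 0x7FFF, flen, pen))
        templates[tid] = fields
    return templates

def undecodable_sets(datagrams):  # data sets seen before their template, per domain
    known, missing = set(), []
    for dgram in datagrams:
        domain, templates, data_sets = parse_ipfix(dgram)
        known.update((domain, tid) for tid in templates)
        missing += [(domain, sid) for sid in data_sets if (domain, sid) not in known]
    return missing
```

    A collector that starts after the appliance sent its templates sees every data set as undecodable until the next periodic template arrives, which is why step 5 keeps both interval options checked.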
