Viewing SonicWall URL and Source/Destination Domain reports in Scrutinizer

03/26/2020


    Description

    SonicWall Scrutinizer, in combination with SonicOS Enhanced 5.8 Flow Reporting (when using IPFIX with Extensions), can display reports based on criteria such as users, IPS and App Control detections, Gateway Anti-Virus and Anti-Spyware detections, URLs, and more. This article describes ways to configure a report based on users, and customize that report to see the utilized applications, detected threats, accessed domains/URLs, etc.

    There are multiple ways to view your reports. This method describes how to view the “SonicWall Users” report and, based on this report, select a user and view Applications/App Conversations, URLs/Domains, Conversations on Well Known Ports (Conversations WKP), and many more.

    Filters can be applied manually as well; however, that is not covered in this document.

    Resolution

    Viewing the SonicWall Users Report

    1. Log in to SonicWall Scrutinizer. Go to the Status tab.
    2. Choose the UTM appliance, and click on an interface to view reports on that interface. By default, Bi-directional reporting is used on the interface you select. In this example, I have chosen the X1 (WAN).
      Image
    3. Using the report menu, go to “SonicWall Reports” and click on “Users” to view the default “SonicWall Users” report. The reporting period should be set to “Last 24 Hours” by default. In this example, users were not logged in over the last 24 hours, so the “Last Hour” reporting period has been selected. This report lists the users that were logged in over the reporting period. The top 10 users are represented in the chart by color. Any user outside of the top 10 will be represented in gray.

      It is important to note that “Others” may total up to more data than some of the entries in the top 10. This occurs because “Others” is adding up all the users (outside of the top users) together. Top users are represented by their own data and color.
      Image
    4. By default, the report will display Bi-directional flows, so both Inbound and Outbound data on the interface will be displayed. This can make reports confusing at first. If you selected the X1 WAN interface, as shown in the example, change the direction from “Bidirectional” to “Outbound” on the drop-down menu near the top of the page.
      Image
      At this point, all logged-in users that have been passing traffic appear in the report. The report displays the user, the number of packets, and the number of bytes transferred. The Bytes drop-down menu can be set to Bits, Bytes, or Percent.

    Viewing SonicWall URL Reports Based on SonicWall Users

    1. Perform the steps described in “Viewing the SonicWall Users Report”. More users have logged in and have begun generating flows since the screenshot in the previous section was taken, as seen by the screenshot below.
      Image
    2. To view the “SonicWall URLs” report based on a user, click on a user, go to SonicWall Reports > URLs. A popup window will appear and display the SonicWall URLs report with a filter on the selected user.
      Image
    3. The SonicWall URLs report will display full URLs visited by the user. It is important to note that these full URLs do not collapse per domain. Individual URLs will make up the report—not individual domains. In the example below, the direction is set to “Outbound”, thus displaying the top 10 URLs visited by the filtered user, only displaying outbound traffic to the reported URL on the filtered interface.
      Image

    Viewing Source & Destination Domain Reports Based on SonicWall Users
    To view a less verbose report that reports on domains rather than URLs, go back to the SonicWall Users report (refer to: ‘Viewing the SonicWall Users Report’ at the beginning of this article), click on a user, and run the Destination Reports > Domains report. When the report opens, ensure that the Direction drop-down menu is set to Outbound. The example below is filtering specifically on the X1 WAN interface.
    Image

    Image
    The screenshot above displays all domains visited in the Last Hour (the reporting period) by the “macuser” account. Some of these sites may be somewhat misleading. The best examples are right in the top 10. We’ll go over some of the potentially confusing ones below:

     Image

    • Unknown – Unknown will appear when an IP cannot be resolved to a domain name. When several IPs do not resolve to a domain, they all fall under Unknown. In this example, Unknown actually accounts for 14 different IPs that cannot be resolved back to an FQDN. Further research using SonicWall Scrutinizer can help determine where these hosts are, and potentially who they belong to. The screenshot below displays the 14 IPs that cannot be resolved.

      The report shown above is called a Host to Host Pair Report. To view this report, click on the “Unknown” entry in the Domain report, and then go to Pair Reports > Host to Host.

      A quick nslookup test on the first IP in the top 10 confirms that it cannot be resolved.
      Image
    • Prolexic.com, 2o7.net, Akamaitechnologies.com, 1e100.net – Although the user did not specifically visit these sites, they came up as top domains. These could have been advertisements or other content from another visited site. Some of these sites are used for content distribution networks or are general web hosting sites.
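
The grouping behaviour described above for “Unknown” and, in the Users report section, for “Others” can be reproduced offline. The following Python sketch is an added example, not Scrutinizer's own code: the flow records, the `ptr` field holding an already-performed reverse lookup, and the function names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flows (not real data): (user, destination IP, PTR name or None, bytes).
FLOWS = [
    ("macuser", "198.51.100.10", "a198-51-100-10.deploy.akamaitechnologies.com", 4000),
    ("macuser", "198.51.100.11", "a198-51-100-11.deploy.akamaitechnologies.com", 2500),
    ("macuser", "203.0.113.5", "lax01s01-in-f5.1e100.net", 3000),
    ("macuser", "203.0.113.77", None, 1200),
    ("macuser", "192.0.2.44", None, 900),
    ("macuser", "192.0.2.45", None, 700),
    ("macuser", "192.0.2.80", "www.example.org", 1000),
    ("winuser", "192.0.2.80", "www.example.org", 5000),
]

def domain_of(ptr):
    """Collapse a resolved host name to its last two labels; no PTR means 'Unknown'.
    Simplification: ignores multi-label public suffixes such as co.uk."""
    if not ptr:
        return "Unknown"
    return ".".join(ptr.rstrip(".").lower().split(".")[-2:])

def domain_report(flows, user, top_n=10):
    """Bytes per destination domain for one user: top_n rows plus an 'Others' row."""
    totals = defaultdict(int)
    for u, _ip, ptr, nbytes in flows:
        if u == user:
            totals[domain_of(ptr)] += nbytes
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    rows = ranked[:top_n]
    rest = sum(b for _, b in ranked[top_n:])
    if rest:
        rows.append(("Others", rest))
    return rows

def unknown_hosts(flows, user):
    """Destination IPs behind the 'Unknown' row (what the Host to Host drill-down lists)."""
    return sorted({ip for u, ip, ptr, _ in flows if u == user and not ptr})

if __name__ == "__main__":
    for name, nbytes in domain_report(FLOWS, "macuser", top_n=2):
        print(f"{name:28} {nbytes}")
    print("Unknown resolves to:", unknown_hosts(FLOWS, "macuser"))
```

With `top_n=2` the “Others” row sums to more than the second-ranked domain, which is the effect the Users report note warns about, and the three unresolved IPs are only visible once the “Unknown” row is expanded.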

    Customizing the Report Period

    Report data can be further customized by using custom report periods, additional filters, or different time intervals. For example, the line graph is interactive, and allows you to drill down to a specific time period. If there’s a specific time period that you’re interested in drilling into, the time period can be highlighted for a closer look. In the screenshot below, I highlighted the spike from the above screenshot. The resulting report shows a closer look at the spike, using 1-minute intervals. In the example below, the user’s traffic spike spanned about 2 minutes, and peaked at the one-minute mark. This may look like a large spike at first glance (especially compared to the rest of the hour, which had practically no data), but in reality it was a very small bump that, at its peak, hit a rate of about 23 to 24 KB/s.

    It is important to note that when drilling down to a specific period of time, the reporting period changes to “Custom”, and the period is displayed to the right, above the data table. Custom reporting periods are not dynamic. If the report is saved with the custom reporting period, the same period will be used whenever the saved report is opened. The default listed time periods are dynamic, so it is recommended that reports you wish to save and schedule emails for are saved using one of the provided reporting periods, instead of “Custom”.
