Viewing SonicWall URL and Source/Destination Domain reports in Scrutinizer
03/26/2020 5 14584
SonicWall Scrutinizer, in combination with SonicOS Enhanced 5.8 Flow Reporting (when using IPFIX with Extensions) can display reports based criteria such as users, IPS and App Control detections, Gateway Anti-Virus and Anti-Spyware detections, URLs, and more. This article describes ways to configure a report based on users, and customize that report to see the utilized applications, detected threats, accessed domains/URLs, etc.
There are multiple ways to view your reports. This method describes how to view the “SonicWall Users” report, and based on this report; select a user and view Applications/App Conversations, URLs/Domains, Conversations on Well Known Ports (Conversations WKP), and many more.
Filters can be applied manually as well; however that is not covered in this document.
Viewing the SonicWall Users Report
- Log in to SonicWall Scrutinizer. Go to the Status tab.
- Choose the UTM appliance, and click on an interface to view reports on that interface. By default, Bi-directional reporting is used on the interface you select. In this example, I have chosen the X1 (WAN).
- Using the report menu, go to “SonicWall Reports” and click on “Users” to view the default “SonicWall Users” report. The reporting period should be set to “Last 24 Hours” by default. In this example, users were not logged in over the last 24 hours, so the “Last Hour” reporting period has been selected. This report lists the users that were logged in over the reporting period. The top 10 users are represented in the chart by color. Any user outside of the top 10 will be represented in gray.
It is important to note that “Others” may total up to more data than some of the entries in the top 10. This occurs because “Others” is adding up all the users (outside of the top users) together. Top users are represented by their own data and color.
- By default, the report will display Bi-directional flows, so both Inbound and Outbound data on the interface will be displayed. This can make reports confusing at first. If you selected the X1 WAN interface, as shown in the example, change the direction from “Bidirectional” to “Outbound” on the drop-down menu near the top of the page.
At this point, all logged in users that have been passing traffic appear in the report. This report is displaying the user, number of packets, and the amount of bytes transferred. The Bytes drop-down menu can be set to Bits, Bytes, or Percent.
Viewing SonicWall URL Reports Based on SonicWall Users
- Perform the steps described in “Viewing the SonicWall Users Report”. More users have logged in and have begun generating flows since the screenshot in the previous section was taken, as seen by the screenshot below.
- To view the “SonicWall URLs” report based on a user, click on a user, go to SonicWall Reports > URLs. A popup window will appear and display the SonicWall URLs report with a filter on the selected user.
- The SonicWall URLs report will display full URLs visited by the user. It is important to note that these full URLs do not collapse per domain. Individual URLs will make up the report—not individual domains. In the example below, the direction is set to “Outbound”, thus displaying the top 10 URLs visited by the filtered user, only displaying outbound traffic to the reported URL on the filtered interface.
Viewing Source & Destination Domain Reports Based on SonicWall Users
To view a less verbose report that reports on domains rather than URLs, go back to the SonicWall Users report (refer to: ‘Viewing the SonicWall Users Report’ at the beginning of this article), click on a user, and run the Destination Reports > Domains report. When the report opens, ensure that the Direction drop-down menu is set to Outbound. The example below is filtering specifically on the X1 WAN interface.
The screenshot above displays all domains visited in the Last Hour (the reporting period) by the “macuser” account. Some of these sites may be somewhat misleading. The best examples are right in the top 10. We’ll go over some of the potentially confusing ones below:
- Unknown – Unknown will appear when an IP cannot be resolved to a domain name. When several IPs do not resolve to a domain, they all fall under Unknown. In this example, Unknown actually accounts for 14 different IPs that cannot be resolved back to an FQDN. Further research using SonicWall Scrutinizer can help determine where these hosts are, and potentially who they belong to. The screenshot below displays the 14 IPs that cannot be resolved.
The report shown above is called a Host to Host Pair Report. To view this report, click on the “Unknown” entry in the Domain report, and then go to Pair Reports > Host to Host.
A quick nslookup test on the first IP in the top 10 confirms that it cannot be resolved.
- Prolexic.com, 2o7.net, Akamaitechnologies.com, 1e100.net – Although the user did not specifically visit these sites, they came up as top domains. These could have been advertisements or other content from another visited site. Some of these sites are used for content distribution networks or are general web hosting sites.
Customizing the Report Period
Report data can be further customized by using custom report periods, additional filters, or different time intervals. For example, the line graph is interactive, and allows you to drill down to a specific time period. If there’s a specific time period that you’re interested in drilling into, the time period can be highlighted for a closer look. In the screenshot below, I highlighted the spike from the above screenshot. The resulting report shows a closer look at the spike, using 1 minute intervals. In the example below, the user’s traffic spike spanned about 2 minutes, and peaked at the one minute mark. This may look like a large spike on first glance (especially compared to the rest of the hour that had practically no data), but in reality it was a very small bump that at its peak, hit a rate of about 23 to 24KB/s.
It is important to note that when drilling down to a specific period of time, the reporting period changes to “Custom”, and the period is displayed to the right, above the data table. Custom reporting periods are not dynamic. If the report is saved with the custom reporting period, the same period will be used whenever the saved report is opened. The default listed time periods are dynamic, so it is recommended that reports you wish to save and schedule emails for are saved using one of the provided reporting periods, instead of “Custom”.