Manufacturer: SonicWall

Model(s): SonicWall TZ, NSa and NSsp Firewalls

Version(s):  SonicOS 7

URL: https://www.sonicwall.com/support/technical-documentation/docs/sonicos-7-0-0-0-appflow_device/Content/appflow-d-flow-reporting-netflow-tables.htm

Notes: Dell SonicWall AppFlow supports NetFlow Version 5, NetFlow Version 9, IPFIX, and IPFIX with Extensions.

Configuration steps

The Settings tab has configurable options for local internal flow reporting, AppFlow Server external flow reporting, and the IPFIX collector.

  • Under the Settings section, enable Report All Collections.
  • Enable Real-Time Data Collection and make sure all options are selected.
  • Enable Aggregate AppFlow Report Data Collection and select all reports.
  • Under Other Report Settings, select all of the following URL types in Include Following URL Types:
    • Gifs (selected by default)
    • Jsons
    • Jpegs (selected by default)
    • Css
    • Pngs (selected by default)
    • Htmls (selected by default)
    • Js
    • Aspx (selected by default)
    • Xmls
    • Cms
  • Enable Report DROPPED Connections.
  • Make sure the Disable Reporting IPv6 Flows (ALL) selection is disabled.

The External Collector tab provides configuration settings for AppFlow reporting to an external IPFIX collector.

  • Enable Send Flows and Real-Time Data To External Collector.

Note: When enabling/disabling this option, you might need to reboot the device to enable/disable this feature completely.

  • External AppFlow Reporting Format—After the Report to EXTERNAL Flow Collector option is selected, select IPFIX with extensions as the flow-reporting type from the drop-down menu.
  • Set the External Collector’s Server Address to IP and enter the IP address of the Scrutinizer collector. If the collector is reachable through a VPN tunnel, then the source IP must be specified in Source IP to Use for Collector on a VPN Tunnel.
  • Set the Source IP to Use for Collector on a VPN Tunnel— If the external collector must be reached by a VPN tunnel, specify the source IP for the correct VPN policy.

Note: Select Source IP from the local network specified in the VPN policy. If specified, Netflow/IPFIX flow packets always take the VPN path.

  • Set External Collector’s UDP Port Number to the UDP port number that NetFlow/IPFIX packets are sent over. The default port is 2055.
  • Enable Send IPFIX/Netflow Templates at Regular Intervals— The SonicWall appliance sends template flows at regular intervals. This option is selected by default.
  • Enable Send Static AppFlow at Regular Interval— Enables the hourly sending of IPFIX records for the specified static AppFlow tables. This option must be set to work with Scrutinizer.
  • Enable Send Static AppFlow for Following Tables— Select the static mapping tables to be generated to a flow from the drop-down menu.
    • Applications (selected by default)
    • Services (selected by default)
    • Viruses (selected by default)
    • Rating Map (selected by default)
    • Spyware (selected by default)
    • Table Map
    • Intrusions (selected by default)
    • Column Map
    • Location Map
  • Enable Send Dynamic AppFlow for Following Tables— Select the dynamic mapping tables to be generated to a flow from the drop-down menu.
    • Connections (selected by default)
    • DEVICES
    • Users (selected by default)
    • SPAMS
    • URLs (selected by default)
    • LOCATIONS
    • URL ratings (selected by default)
    • VoIPs (selected by default)
    • VPNs (selected by default)
  • Enable Include Following Additional Reports via IPFIX— Select additional IPFIX reports to be generated to a flow. Select values from the drop-down menu. By default, none are selected. Statistics are reported every five seconds.
    1. System Logs – Generates system logs such as interface state change, fan failure, user authentication, HA failover and failback, tunnel negotiations, configuration change. System logs include events that are typically not flow-related (session/connection) events, that is, not dependent on traffic flowing through the firewall.
    2. Top 10 Apps – Generates the top 10 applications.
    3. Interface Stats – Generates per-interface statistics such as interface name, interface bandwidth utilization, MAC address, link status.
    4. Core utilization – Generates per-core utilization.
    5. Memory utilization – Generates statuses of available memory, used memory, and memory used by the AppFlow collector.
  • Report On Connection OPEN— Reports flows when a new connection is established. All associated data related to that connection might not be available when the connection is opened. This option, however, enables flows to show up on the external collector as soon as the new connection is established. By default, this setting is enabled.
  • Report On Connection CLOSE— Reports flows when a connection is closed. This is the most efficient way of reporting flows to an external collector. All associated data related to that connection are available and reported. By default, this setting is enabled.
  • Enable Report Connection On Active Timeout— Reports connections based on the Active Timeout period.
  • Set Number of Seconds— Set the Active Timeout to 60 seconds. The range for the Active Timeout is 1 second to 999 seconds.
  • Click both Actions buttons to generate templates and static flow data asynchronously.
    1. Generate ALL Templates—begins building templates on the IPFIX server; this takes up to two minutes to generate.
    2. Generate Static AppFlow Data—begins generating a large amount of flows to the IPFIX server; this takes up to two minutes to generate.
  • Log Settings To External Collector— Sends the necessary fields of log settings to the external collector when you click Send All Entries.

Note: Ensure the connection between SonicOS and the external collector server is ready before clicking Send All Entries.

Note: Click the button again to sync the settings whenever SonicOS is upgraded with newly added log events, or when the connection between SonicOS and the external server has been down for some time and log settings might have been edited.
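
A collector can only decode IPFIX data sets after it has received the matching templates, so a quick check on the collector host is to walk one export datagram and list the data sets that have no template yet. The following is an added example, not part of the SonicWall or Scrutinizer documentation; it follows the RFC 7011 message layout, and the sample message, template ID and enterprise number are constructed (in practice the bytes would come from a UDP socket bound to the configured port, 2055 by default).

```python
import struct

def build_sample() -> bytes:
    """Constructed sample: one IPFIX message with a template set and two data sets."""
    tmpl = struct.pack("!HH", 256, 3)                  # template ID 256, 3 fields
    tmpl += struct.pack("!HHHH", 8, 4, 12, 4)          # sourceIPv4Address, destinationIPv4Address
    tmpl += struct.pack("!HHI", 0x8000 | 1, 4, 99999)  # enterprise field, placeholder PEN
    sets = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl
    sets += struct.pack("!HH", 256, 16) + bytes(12)    # data set described by template 256
    sets += struct.pack("!HH", 257, 8) + bytes(4)      # data set whose template was never sent
    return struct.pack("!HHIII", 10, 16 + len(sets), 0, 1, 0) + sets

def template_ids(body: bytes, options: bool) -> list:
    """Return the template IDs declared in a Template or Options Template Set body."""
    ids, pos, hdr = [], 0, 6 if options else 4
    while pos + 4 <= len(body):
        tid, count = struct.unpack("!HH", body[pos:pos + 4])
        if tid < 256:                                  # trailing zero padding, not a record
            break
        pos += hdr if count else 4                     # withdrawals (count 0) have no scope count
        for _ in range(count):
            ie = int.from_bytes(body[pos:pos + 2], "big")
            pos += 8 if ie & 0x8000 else 4             # enterprise bit adds a 4-byte PEN
            if pos > len(body):
                raise ValueError("truncated template record")
        ids.append(tid)
    return ids

def summarize_ipfix(datagram: bytes) -> dict:
    """Walk the sets of one export datagram; list templates and data sets seen."""
    if len(datagram) < 16:
        raise ValueError("shorter than the 16-byte IPFIX message header")
    version, length, _, seq, domain = struct.unpack("!HHIII", datagram[:16])
    if version != 10:
        raise ValueError(f"version {version} is not IPFIX; check the reporting format")
    if length > len(datagram):
        raise ValueError("message length exceeds datagram size")
    templates, data_sets, pos = [], [], 16
    while pos + 4 <= length:
        set_id, set_len = struct.unpack("!HH", datagram[pos:pos + 4])
        if set_len < 4 or pos + set_len > length:
            raise ValueError(f"malformed set at offset {pos}")
        body = datagram[pos + 4:pos + set_len]
        if set_id in (2, 3):                           # Template / Options Template Set
            templates += template_ids(body, options=(set_id == 3))
        elif set_id >= 256:                            # Data Set, ID = template ID
            data_sets.append(set_id)
        pos += set_len
    return {"sequence": seq, "domain": domain, "templates": templates, "data_sets": data_sets,
            "undecodable": [s for s in data_sets if s not in templates]}
```

A version error here means the firewall is exporting NetFlow v5 or v9 rather than IPFIX; a non-empty `undecodable` list means data is arriving for a template this message did not carry, which a real collector would resolve from templates cached from earlier messages.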