SonicOS 7.0 Device AppFlow
External Collector
The External Collector tab in AppFlow allows you to configure the reporting of flow data to an external IPFIX (Internet Protocol Flow Information Export) collector. IPFIX is a standard protocol for exporting flow data, which is typically used for network traffic analysis. When you configure AppFlow to report to an external IPFIX collector, it sends flow data to the collector for further analysis and storage. This can be useful for a variety of purposes, such as identifying trends and patterns in network traffic, troubleshooting network issues, and performing security and compliance monitoring.
When sizing the external collector, it is important to consider the event rate, retention period, and storage capacity required to meet your needs. The event rate is the number of AppFlow records that are generated per second, and it can vary widely depending on the size and complexity of your network. The retention period is the length of time that you want to store the AppFlow data, and it can also vary depending on your needs and the resources available to you. The storage capacity is the amount of disk space that you need to store the AppFlow data for the desired retention period. To determine the size of the external collector required to meet your needs, you will need to estimate the event rate, retention period, and storage capacity and then use this information to calculate the size of the external collector that you need.
You can use an external collector such as SonicWall Analytics; refer to the Analytics Administrator Guide in Technical Documentation.
- Send Flows and Real-Time Data To External Collector - Enables the specified flows to be reported to an external flow collector. This option is disabled by default.
When enabling or disabling this option, you might need to reboot the device to enable or disable this feature completely.
- External AppFlow Reporting Format - If the Report to EXTERNAL Flow Collector option is selected, you must select the flow-reporting type from the drop-down menu:
  - NetFlow version-5 (default)
  - IPFIX
  - NetFlow version-9
  - IPFIX with extensions
- Your selection for External Flow Reporting Format changes the available options.
- IPFIX with extensions v2 is still supported by enabling an internal setting. For instructions on how to enable this option, contact SonicWall Support. Currently, AppFlow Agent does not support this IPFIX version.
- If the reporting type is set to:
- Netflow versions 5 or 9 or IPFIX, then any third-party collector can be used to show flows reported from the firewall, using the standard data types defined by the IETF. The Netflow and IPFIX reporting types contain only connection-related flow details, per the standard.
- IPFIX with extensions, then only collectors that are SonicWall-flow aware can be used to report SonicWall dynamic tables for:
  - connections
  - users
  - applications
  - locations
  - URLs
  - logs
  - devices
  - VPN tunnels
  - SPAMs
  - wireless
  - threats (viruses/spyware/intrusion)
  - real-time health (memory/CPU/interface statistics)
- Flows reported in this mode can be viewed either by another SonicWall firewall configured as a collector (especially in a High Availability pair, with the idle firewall acting as the collector) or by a SonicWall Linux collector. Some third-party collectors can also use this mode to display applications if they have standard IPFIX support. Not all reports are visible when using a third-party collector, though.
- When using IPFIX with extensions, select a third-party collector that is SonicWall-flow aware, such as Scrutinizer.
- External Collector’s IP Address - Specify the external collector’s IP address to which the device sends flows through Netflow/IPFIX. This IP address must be reachable from the SonicWall firewall for the collector to generate flow reports. If the collector is reachable through a VPN tunnel, then the source IP must be specified in Source IP to Use for Collector on a VPN Tunnel.
- Source IP to Use for Collector on a VPN Tunnel - If the external collector must be reached by a VPN tunnel, specify the source IP for the correct VPN policy.
- Select Source IP from the local network specified in the VPN policy. If specified, Netflow/IPFIX flow packets always take the VPN path.
- External Collector’s UDP Port Number - Specify the UDP port number that Netflow/IPFIX packets are being sent over. The default port is 2055.
- Send IPFIX/Netflow Templates at Regular Intervals - Enables the appliance to send Template flows at regular intervals. This option is selected by default.
- This option is available with Netflow version-9, IPFIX, and IPFIX with extensions only.
- Netflow version-9 and IPFIX use templates that must be known to an external collector before sending data. Per IETF, a reporting device must be capable of sending templates at a regular interval to keep the collector in sync with the device. If the collector does not need templates at regular intervals, you can disable the function here.
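As an added illustration (not SonicWall code, and not from this guide), the following minimal NetFlow v9 collector shows why the exporter must resend templates: a data flowset that arrives before its template cannot be decoded and is dropped until a matching template is seen. The template ID, field layout and sample flow values are constructed for the example.

```python
import struct

# NetFlow v9 field type numbers (RFC 3954): 8 src addr, 12 dst addr, 7/11 ports, 4 proto, 1 bytes
FIELD_NAMES = {8: "src_addr", 12: "dst_addr", 7: "src_port", 11: "dst_port", 4: "proto", 1: "in_bytes"}
TEMPLATE_ID = 256                      # data templates use IDs 256 and above (constructed choice)
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4)]  # (type, length) pairs

def nf9_packet(flowsets, seq=1, source_id=0):
    # 20-byte v9 header: version, count, sysuptime, unix secs, sequence, source id
    return struct.pack("!HHIIII", 9, len(flowsets), 0, 0, seq, source_id) + b"".join(flowsets)

def template_flowset(template_id, fields):
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body   # flowset ID 0 = template flowset

def data_flowset(template_id, records):
    body = b"".join(records)
    return struct.pack("!HH", template_id, 4 + len(body)) + body

def sample_record(src, dst, sport, dport, proto, nbytes):
    # constructed 17-byte record laid out exactly as TEMPLATE_FIELDS describes
    ip = lambda a: bytes(int(o) for o in a.split("."))
    return ip(src) + ip(dst) + struct.pack("!HHBI", sport, dport, proto, nbytes)

class Nf9Collector:
    """Minimal collector: caches templates per (source_id, template_id), drops undecodable data."""
    def __init__(self):
        self.templates, self.dropped = {}, 0

    def feed(self, packet):
        version, _, _, _, _, source_id = struct.unpack("!HHIIII", packet[:20])
        records, off = [], 20
        while off + 4 <= len(packet):
            fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
            body = packet[off + 4:off + fs_len]
            if fs_id == 0:                                   # template flowset: learn template(s)
                pos = 0
                while pos + 4 <= len(body):
                    tid, n = struct.unpack("!HH", body[pos:pos + 4])
                    self.templates[(source_id, tid)] = [struct.unpack("!HH", body[pos + 4 + 4 * i:pos + 8 + 4 * i]) for i in range(n)]
                    pos += 4 + 4 * n
            elif fs_id >= 256:                               # data flowset: needs a cached template
                fields = self.templates.get((source_id, fs_id))
                if fields is None:
                    self.dropped += 1                        # arrived before its template: undecodable
                else:
                    rec_len = sum(l for _, l in fields)
                    for i in range(len(body) // rec_len):    # trailing padding is ignored
                        rec, pos = {}, i * rec_len
                        for t, l in fields:
                            raw = body[pos:pos + l]
                            rec[FIELD_NAMES.get(t, f"field_{t}")] = ".".join(map(str, raw)) if t in (8, 12) else int.from_bytes(raw, "big")
                            pos += l
                        records.append(rec)
            off += fs_len
        return records
```

Feeding a data-only packet first and then a packet carrying the template shows the first flow being dropped and the second decoded.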
- Send Static AppFlow at Regular Interval - Enables the hourly sending of IPFIX records for the specified static AppFlow tables. This option is disabled by default.
- This option is available with IPFIX with extensions only. This option must be selected if SonicWall Scrutinizer is used as a collector.
- Send Static AppFlow for Following Tables - Select the static mapping tables to be generated to a flow from the drop-down menu. For more information on static tables, refer to NetFlow Tables.
  - Applications (selected by default)
  - Services (selected by default)
  - Viruses (selected by default)
  - Rating Map (selected by default)
  - Spyware (selected by default)
  - Table Map
  - Intrusions (selected by default)
  - Column Map
  - Location Map
- When running in IPFIX with extensions mode, the firewall reports multiple types of data to an external device to correlate User, VPN, Application, Virus, and Spyware information. Data is both static and dynamic. Static tables are needed only once as they rarely change. Depending on the capability of the external collector, not all static tables are needed.
- In the IPFIX with extension mode, the firewall can asynchronously generate the static mapping table(s) to synchronize the external collector. This synchronization is needed when the external collector is initialized later than the firewall.
- Send Dynamic AppFlow for Following Tables - Select the dynamic mapping tables to be generated to a flow from the drop-down menu. For more information on dynamic tables, refer to NetFlow Tables.
- This option is available with IPFIX with extensions only. The firewall generates reports for the selected tables. Because the firewall does not cache this information, flows that are not sent can cause failures when the collector correlates flows with other related data.
  - Connections (selected by default)
  - Devices
  - Users (selected by default)
  - SPAMs
  - URLs (selected by default)
  - Locations
  - URL ratings (selected by default)
  - VoIPs (selected by default)
  - VPNs (selected by default)
- Include Following Additional Reports via IPFIX - Select additional IPFIX reports to be generated to a flow. Select values from the drop-down menu. By default, none are selected. Statistics are reported every five seconds.
- This option is available with IPFIX with extensions only.
- System Logs – Generates system logs such as interface state change, fan failure, user authentication, HA failover and failback, tunnel negotiations, configuration change. System logs include events that are typically not flow-related (session/connection) events, that is, not dependent on traffic flowing through the firewall.
- Top 10 Apps – Generates the top 10 applications.
- Interface Stats – Generates per-interface statistics such as interface name, interface bandwidth utilization, MAC address, link status.
- Core utilization – Generates per-core utilization.
- Memory utilization – Generates statuses of available memory, used memory, and memory used by the AppFlow collector.
- When running in either mode, SonicWall can report more data that is not related to connection and flows. These tables are grouped under this section (Additional Reports). Depending on the capability of the external collector, not all additional tables are needed. With this option, you can select tables that are needed.
- Report On Connection OPEN - Reports flows when a new connection is established. All associated data related to that connection might not be available when the connection is opened. This option, however, enables flows to show up on the external collector as soon as the new connection is established. By default, this setting is enabled.
- Report On Connection CLOSE - Reports flows when a connection is closed. This is the most efficient way of reporting flows to an external collector. All associated data related to that connection are available and reported. By default, this setting is enabled.
- Report Connection On Active Timeout - Reports connections based on Active Timeout sessions. If enabled, the firewall reports an active connection every active timeout period. By default, this setting is disabled.
- If you select this option, the Report Connection On Kilo BYTES Exchanged option cannot also be selected. If this option is already checked, this message is displayed when you attempt to select Report Connection on Kilo BYTES Exchanged:
- Number of Seconds - Set the number of seconds to elapse for the Active Timeout. The range is 1 second to 999 seconds for the Active Timeout. The default setting is 60 seconds.
- Report Connection On Kilo BYTES Exchanged - Reports flows based on when a specific amount of traffic, in kilobytes, is exchanged. If this setting is enabled, the firewall reports an active connection whenever the specified number of bytes of bidirectional data is exchanged on an active connection. This option is ideal for flows that are active for a long time and need to be monitored. This option is not selected by default.
- If you select this option, the Report Connection On Active Timeout option cannot also be selected. If this option is already checked, this message is displayed when you attempt to select Report Connection on Active Timeout:
- Kilobytes Exchanged - Specify the amount of data, in kilobytes, transferred on a connection before reporting. The default value is 100 kilobytes.
- Report ONCE - When the Report Connection On Kilo BYTES Exchanged option is enabled, the same flow is reported multiple times whenever the specified amount of data is transferred over the connection. This could cause a large amount of IPFIX-packet generation on a loaded system. Enabling this option sends the report only once. This option is selected by default.
- Report Connections On Following Updates - Select from the drop-down menu to enable connection reporting for the following (by default, all are selected):
  - threat detection - Specific to threats. Upon detection of a virus, intrusion, or spyware, the flow is reported again.
  - application detection - Specific to applications. Upon completing deep packet inspection, the SonicWall appliance is able to detect whether a flow is part of a certain application. When identified, the flow is reported again.
  - user detection - Specific to users. The SonicWall appliance associates flows to a user based on the user's login credentials. When identified, the flow is reported again.
  - VPN tunnel detection - Sent through the VPN tunnel. When flows sent over the VPN tunnel are identified, the flow is reported again.
- Actions - Generate templates and static flow data asynchronously when you click these buttons:
- Generate ALL Templates - Click the button to begin building templates on the IPFIX server; this takes up to two minutes to generate.
- This option is available with Netflow version-9, IPFIX, and IPFIX with extensions only.
- Generate Static AppFlow Data - Click the button to begin generating a large amount of flows to the IPFIX server; this takes up to two minutes to generate.
- This option is available with IPFIX with extensions only.
- Send Log Settings To External Collector - Sends the necessary fields of log settings to the external collector when you click Send All Entries.
- This option displays only when IPFIX with extensions is selected for External Flow Reporting Format.
- Ensure the connection between SonicOS and the external collector server is ready before clicking Send All Entries.
- Click the button again to sync the settings whenever:
  - SonicOS is upgraded with newly added log events.
  - The connection between SonicOS and the external server has been down for some time and log settings might have been edited.