SonicWall On-Premises Analytics€¦ · On-Premises Analytics Getting Started Guide Prerequisites 8 4 Click on Continue to go the Company page. 5 Complete the company information

SonicWall® On-Premises AnalyticsGetting Started Guide

Contents

About On-Premises Analytics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Browser Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

MySonicWall Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Firewall Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Interface Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Guide Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Creating a MySonicWall Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Licensing On-Premises Analytics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Licensing Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Registering your Analytics Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Other Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

CAS-Shadow IT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Firewall Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Navigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Moving between Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Analytics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Adding Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Configuring a Firewall in Analytics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Firewall Configuration for Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Firewall Configuration for IPFIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Overview of Syslog-Based Analytics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Reports for Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Group Based Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Data Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

User Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Scheduling Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Downloading Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Overview of IPFIX-Based Analytics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Discover Network Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Live Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Detailed Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Group-Based Analytics and Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Graph-Based Analytics and Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Schedule Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

SonicWall CSC Getting Started

Contents2

Download Reports in PDF or .csv Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Check Web Activity of Specific IPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

View Session Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Investigate Suspicious External IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

SonicWall Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

About This Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

SonicWall CSC Getting Started

Contents3

1

About On-Premises Analytics

SonicWall® On-Premises Analytics provides different ways view to everything that is happening inside a network environment protected by SonicWall firewalls. Two reporting options are offered:

• Syslog-based

• IPFIX-based

Syslog is a message logging standard, allowing almost any device to send data about status, events diagnostics and more. Syslog messages have a built-in severity level. Analytics takes the data, sorts and aggregates it and then displays it. Many different types of reports are available for Syslog-based reporting. Refer to Overview of Syslog-Based Analytics for more information.

For IPFIX-based reporting, flow information is collected from the network devices and processed by Analytics. At its core is a powerful, intelligence-driven engine that automates the aggregation, normalization, correlation and contextualization of security data flowing across all SonicWall firewalls and wireless access points. The application’s interactive dashboard uses various forms of time-use charts and tables to create knowledge representation of the data models. Refer to Overview of IPFIX-Based Analytics for more information.

This Getting Started Guide document helps you deploy On-Premises Analytics in a virtual environment and then connect your on-premises firewalls to it. Once connected the Syslog or IPFIX data and other firewall data are collected, processed and then presented for monitoring and review.

The rest of this chapter covers the following topics.

Topics:

• System Requirements

• Interface Conventions

• Guide Conventions

System RequirementsYour security infrastructure must meet certain minimum requirements:

• Browser Levels

• MySonicWall Account

• Firewall Requirements

NOTE: You need to choose either Syslog-based reporting or IPFIX-based reporting. On-Premises Analytics does not offer a mixed mode.

On-Premises Analytics Getting Started Guide

About On-Premises Analytics4

Browser LevelsSince On-Premises Analytics is a cloud service, you only need access to a web browser and an internet connection to access On-Premises Analytics. The following browser levels are supported:

MySonicWall AccountTo login into the set up your On-Premises Analytics account and access licensing information, you must have an active MySonicWall account. Your MySonicWall credentials are also used to log into On-Premises Analytics.

Refer to Prerequisites for information on how to set up an account.

Firewall RequirementsThe following firewall models can be managed by the Management, Reports, and Analytics services.

Additional requirements include the following:

• Each firewall must be licensed with the Comprehensive/Advanced Gateway Security Suite (CGSS/AGSS).

• Firewalls supported by an Analytics instance must be in a single Group or Tenancy.

• The firewalls connected to the Analytics instance must not be associated with a Cloud GMS 1.0 implementation.

• Each firewall must have HTTPS management enabled..

Browser Supported Notes

Google Chrome (latest version) This is the preferred browser for the real-time graphics display on the Dashboard.

Apple Safari (latest version)

Microsoft Edge (latest version)

Mozilla Firefox (latest version)

Entry-Level Firewalls SOHO W

TZ Series

NSv 10—100

Mid-Range Firewalls NSA 2500—6600

NSa 2650—6650

NSv 200—400

High-End Firewalls SuperMassive 9000 Series

NSa 9250—9650

NSv 800—1600

IMPORTANT: For manually added firewalls, if a firewall is behind a NAT device, then the HTTPS management port must be opened for the cloud services to communicate with the firewall.



Interface ConventionsWhen acquiring devices for management and reporting, the Status screen (viewable on the HOME, MANAGE, REPORTS, and ANALYTICS views) uses colored icons to indicate the various states of the devices being monitored and managed.

Guide ConventionsThe following text conventions are used in this guide:

Status Icon Definition

Indicates that a process is in progress. In some instances, specific details are provided: for example, Requesting Licenses.

Indicates that a process has completed successfully. May provide the message Success or something with more detail like Device parameters set up in Cloud GMS complete.

Indicates that a task is in process or pending the completion of another task. The message Pending is usually displayed, as well.

Indicates a potential issue. Messages provide additional detail to help you resolve the issue.

Indicates an error. Additional information may be provided via an information icon. Click the icon or mouse over it to see the message:

For example, Gateway Firewall is not available in GMS.

Convention Use

Bold text Used in procedures to identify elements in the user interface like dialog boxes, windows, screen names, messages, and buttons. Also used for file names and text or values you are being instructed to select or type into the interface.

Menu divider | Menu item > Menu item

Indicates a multiple step menu choice on the user interface. For example, System Setup | Users, Groups & Organizations > Users means find the menu or section divider System Setup first, select Users, Groups & Organizations, and then select Users.

Computer code Indicates sample code or text to be typed at a command line.

<Computer code italic>

Represents a variable name when used in command line instructions within the angle brackets. The variable name and angle brackets need to be replaced with an actual value. For example in the segment serialnumber=<your serial number>, replace the variable and brackets with the serial number from your device: serialnumber=C0AEA0000011.

Italic Indicates the name of a technical manual. Also indicates emphasis on certain words in a sentence, such as the first instance of a significant term or concept.



2

Prerequisites

Prior to configuring and deploying On-Premises Analytics cloud services, you need to create or validate your MySonicWall account. A MySonicWall account is critical to receiving the full benefits from SonicWall security services, firmware updates, and technical support. MySonicWall is also used to license your site and to activate or purchase licenses for other security services, support, or software specific to your security solution.

If you already have a MySonicWall account skip to Licensing On-Premises Analytics.

Creating a MySonicWall AccountTo create a new MySonicWall account from any computer:

1 Navigate to https://www.mysonicwall.com.

2 In the login screen, click the SIGN UP link.

3 Complete the Account information, including email and password.

NOTE: Your password must be at least 8 characters, but no more than 30 characters. The system reports how safe your password as you enter it.


Prerequisites7

https://www.mysonicwall.com/

4 Click on Continue to go the Company page.

5 Complete the company information and click Continue.

6 On the Your info page, provide your name and title.

7 Select whether you want to receive security renewal emails.

8 Identify whether you are interested in beta testing new products.

9 Click Continue to go to the Extras page.

10 Select whether you want to add additional contacts to be notified for contract renewals.

11 To set up additional contacts:

a Input the First name.

b Input the Last name.

c Add the Email address for that person

d Click Add Contact.

12 Select whether you want to add tax information.

13 If providing tax information:

a In the Reseller for field, select the state from the drop-down menu.

b Add your Federal Tax ID.

c Add the Expiry (expiration) Date.

d Enter the Certificate ID.

e Click on ADD TAX ENTRY.

14 Select whether you want to add your distributor information.

15 To set up the distributor information:

a Input the Distributor Name.

b Input the Customer Number.

c Click Add Distributor.

16 Click DONE.

17 Check your email address for a verification code and enter it in the Verification Code* field. If you did not receive a code, contact Customer Support by clicking on the link.

18 Click DONE. You are returned to the login window so you can login into MySonicWall with your new account.

NOTE: This only applies to licensed partners or reseller.


Prerequisites8

3

Licensing On-Premises Analytics

SonicWall Analytics are offered in several different packages. Each package offers different features to meet your needs. This chapter describes the different packages you may be licensed to use, how to navigate among them, and how to complete licensing steps for On-Premises Analytics.

Licensing PackagesSonicWall offers several licensing packages for management, reporting, and analytics web applications.

Package Description CSC Tile

Basic Management Provides basic firewall management at the unit level. Is automatically included when purchasing the CGSS or AGSS package for your firewall.

Management Includes a more robust set of management features including group management, inheritance, work flows and others.

Management and Reporting Combines full management with a reporting subscription. The reporting includes status reports, Live Monitor, dashboards, and the ability to download or schedule reports.

Analytics Adds additional data collection, analysis and drill down capability. Also includes the license for Cloud App Security (CAS). This product can be added to any level of Management service.


Licensing On-Premises Analytics9

Registering your Analytics InstanceBefore starting this section, be sure to have the Activation Code. You receive this from your SonicWall representative.

To register the appliance:

1 Navigate to https://cloud.sonicwall.com.

2 Login with your MySonicWall credentials to get to the Capture Security Center.

3 Select the MySonicWall tile.

4 On the MySonicWall Dashboard, click on the Add Product icon.

5 Enter the Activation Code and click Continue.

6 Provide the Friendly name.

7 Select the Product group from the drop-down menu.

8 Click Register.

Now when you go to MyProducts on MySonicWall, you see the Analytics package:

9 Click on the information icon to the right.

You see the Serial Number and Authorization Code for the Analyzer Instance:



https://cloud.sonicwall.com

10 Now write down the Serial Number and Authorization Code to enter into the installation wizard the first time you launch your Analytics instance as shown below.

Other LicensingTopics:

• CAS-Shadow IT

• Firewall Licensing

CAS-Shadow ITAnalytics licensing includes Cloud App Security or CAS-Shadow IT. This supports On-Premises Analytics:

• Shadow IT discovery

Leverages existing firewall data to automate cloud discovery to identify risky applications being used.

• Application classification and control

Sets policies for unmanaged cloud applications based on an application risk score derived from regulations, security certifications and reputation databases to classify as sanctioned (approved by IT) or unsanctioned (allowed, but not approved by IT) applications.

For further information, refer to SonicWall Cloud App Security User Guide.

NOTE: To launch your Analytics instance, follow the instructions for the applicable virtual environment, for example, in EXSi Environment for On-Premises Analytics.



Firewall LicensingThe Analytics instance only analyzes data which associated firewalls are licensed to collect.

To this end, On-Premises Analytics make good use of firewalls licensed for:

• Mandatory: CGMS or AGMS licensing

• Highly recommended: Licensing for Gateway AV/Anti-Spyware/Intrusions Prevention/App Control/App Virtualization

• Recommended: Capture Advance Threat Protection

NavigationYou can use the Capture Security Center to navigate between the SonicWall web service offerings. On the SERVICES view, which is the default shown in the following figure, you can see quickly which services are active by looking at the tiles. The active services are white and selectable, and the disabled services are grayed out. Click on a tile to access that service.

You can also click on the THREAT METERS view to see a summary of the data coming into the SonicWall Capture Labs. It provides a three-page view of the worldwide attacks: world-wide attacks over the last 24 hours, Capture Labs threat metrics, and Security News.



Moving between ServicesYou can move easily between services on the Capture Security Center. Click on a tile to activate a service and

click on the down arrow at the top, , to return to Capture Security Center. Clicking the up arrow at the

bottom of Capture Security Center, , allows you to return to the most recently selected service.

ManagementManagement offers two-top level navigation items.

ReportsReports offers two top level navigation items.

Refer to Analytics HOME Administration and Analytics REPORTS Administration for more information.

Views Function

MANAGE The MANAGE view provides commands grouped by function. The functions include: SETUP, SYSTEM, and SECURITY for the device selected. The commands under each function can be expanded for additional options. These commands can be used to manage your appliances. When you initially select MANAGE, the default view is the Setup| System > Status.

CONSOLE The CONSOLE view provides commands grouped by function. The functions include: WORKFLOW, TOOLS, SYSTEM SETUP, and HELP for the device selected. The commands under each function can be expanded for additional options. These commands can be used to manage your appliances. When you initially select MANAGE, the default view is the Tools | View Log.

Views Function

HOME The HOME view provides an Overview and Summary or the device selected. You can expand each of those options for more details. When you initially select HOME, the default view is the Overview > Dashboard.

REPORTS The REPORTS view provides the options for Overview, Details, and Scheduled Reports for the device selected. You can expand each of those options for more details. When you initially select REPORTS, the default view is the Overview > Live Reports.



AnalyticsYou can expand each of those options for more details. When you initially select ANALYTICS, the default view is the Overview > Status.



4

Adding Firewalls

This chapter describes how to add firewalls to Analytics for monitoring.

Topics:

• Configuring a Firewall in Analytics

• Firewall Configuration for Syslog

• Firewall Configuration for IPFIX

Configuring a Firewall in AnalyticsCurrently, setting up additional firewalls requires that the firewalls meet the requirements in Firewall Requirements.

When you first launch Analytics, it opens with Overview > Status selected:

To add a firewall:

1 Click on the DEVICE MANAGER icon to see the current collection of firewalls and security appliances reporting to this Analytics instance.

NOTE: Zero Touch addition of firewalls is not currently supported.

NOTE: The images for IPFIX-based Analytics and Syslog-based Analytics varies slightly; however, the instructions essentially the same. Differences are noted when required for clarity.


Adding Firewalls15

2 Once the DEVICE MANAGER panel appears, click on the + sign to show the Add Firewall dialog box.

3 Fill in the Friendly Name of the firewall, the Serial Number and Model.

4 Click OK.

5 Open another browser window and log into the firewall.

6 If you have Syslog-based Analytics, refer to Firewall Configuration for Syslog for firewall configuration. If you have IPFIX-based Analytics refer to Firewall Configuration for IPFIX for firewall configuration.

NOTE: Each version of Analytics has slightly different instructions after connecting to the firewall below. Refer to the KB article listed in the interface for details.

For Syslog-based system For IPFIX-based system


Adding Firewalls16

Firewall Configuration for SyslogTo configure the firewall for Syslog-based Analytics:

1 Navigate to Manage > Log Settings > SYSLOG.

2 Click Add.

3 Select the Name or IP address of the Syslog server from the drop-down list.

4 In Syslog Format, select Enhanced from the drop-down list.

5 Click OK and the newly added Syslog system is listed.


Adding Firewalls17

Firewall Configuration for IPFIXTo configure the firewall for IPFIX-based Analytics:

1 Navigate to MANAGE > Appflow Settings > Flow Reporting:

2 In the Flow Reporting panel, take these steps:

a Enable Send AppFlow to SonicWall GMSFlow Server.

b Enable Send Real-Time Data To SonicWall GMSFlow Server.

c Enable Report on Connection CLOSE.

d In Report Connections On Following Updates, enable all options:

• Threat detection

• Application detection

• User detection

• VPN tunnel detection

• URL detection

e In Send Dynamic AppFlow For Following Tables, enable all options:

• Connections

• Users

• URL ratings

• VPNs

• Devices

• SPAMs

• Locations


Adding Firewalls18

• VOIPs

f Click on the Accept button at the bottom of the page to confirm the configuration.

3 Go to MANAGE > AppFlow Settings > GMS Flow Servers:

4 In the GMS Flow Server panel take these steps:

a Enable Auto-Synchronize GMSFlow Server.

b Enter the IP address of the Analytics instance as the GMSFlow Server Address.

c Set the Server Communication Timeout; 60 seconds is recommended.

d Click on the Test Connectivity button to ensure the Analytics instance is accessible. The UP/REGISTERED message should appear.

e When configuration in this panel is complete, click on the Accept button to confirm the configuration.

NOTE: If connectivity with the Analytics instance is a problem, go to MySonicWall and check that the firewall and Analytics instance are in the same Group or tenancy/


Adding Firewalls19

5

Overview of Syslog-Based Analytics

This chapter describes the Syslog-based reporting. It walks through several representative user scenarios to familiarize you with some of these reports and how navigate them.

• Reports for Devices

• Group Based Reporting

• Data Usage

• Applications

• User Activity

• Scheduling Reports

• Downloading Reports

Reports for DevicesThe Syslog-based reporting is aggregated into several types of reports which are grouped into related topics. Click on the topics in the left menu to expose the specific reports that are available. The topics include:

• Data usage

• Applications

• User activity

• Web activity

• Web filter

• VPN usage

• Intrusions

• Botnet

• Geo-IP

• Gateway Viruses

• Spyware

• Attacks

• Authentication

• Up/down status

• Custom reports

• Analyzers

• Configuration

SonicWall <Product Name> <Version> <GuideType>

Overview of Syslog-Based Analytics20

Group Based ReportingIn addition to reporting on individual devices, Syslog-based reporting provides aggregate group reporting. The reports are summaries, but not all topics are available for the group view. The group reports include the following:

• Data usage

• Applications

• Web activity

• Web filter

• VPN usage

• Threats

• Gateway viruses

• Intrusions

• Configuration

Data UsageAfter choosing the firewall to view, navigate to REPORTS > Data Usage to see the reports that summarize data usage. By selecting the appropriate report, you can see how the data is distributed over time, who initiates the request, who responds and what services are being accessed. If you select the Details report, all the data shown in the other reports can be seen by clicking the tabs across the top of the graph. The countries where the initiators and responders reside are also identified.

You can also access Data Usage from a Group point of view. Select GlobalView in the DEVICE MANAGER and then select Data Usage. A summary is provided of all the devices in that group or view.



ApplicationsTo view application data, navigate to REPORTS > Applications and then select the report you want to view. You can customize each of these reports by:

• Filtering the data displayed

• Selecting a time span

• Customizing the time span

• Showing the data in table form instead of a graph

User ActivityUser activity details can be viewed by navigating to REPORTS > User Activity > Details. You can filter this report for a specific user, initiator IP, service, or responder IP. Select the operator from the drop-down list and enter the filter text in the open field. You can make a stronger filter by combining filter criteria.

Scheduling ReportsTo schedule custom Syslog reports:

1 Navigate to CONSOLE > Reports > Scheduled Reports.

2 Click the icon to Add a Scheduled Report.



3 Type the Schedule Name in the field provided.

4 Select an interval for the report: Daily, Weekly or Monthly.

5 Check whether you want the report emailed to you or archived or both.

6 If you select email, provide the information requested for the recipients

7 Select the Format/Settings for your report.

8 Click Next.

9 Select the units you want included in the report and click Next.

10 Select which reports you want included and click Next.

11 Define the COVER PAGE SETTINGS and click Next.

12 Select the PERMISSION SETTINGS to apply to this report and click Next.

13 Review the details of the report you scheduled and click Create.

14 Close the window to exit the wizard to create scheduled report.



Downloading ReportsTo download reports:

1 Click on the Export Options icon to create and export reports.

2 Select whether you want the report exported to PDF, XML, or CSV.

3 Click Download to start downloading the report.

4 Go to your Downloads folder to find the report.



6

Overview of IPFIX-Based Analytics

This chapter walks through several representative user scenarios while presenting an overview of an IPFIX-based system’s capabilities.

• Discover Network Topology

• Live Monitoring

• Detailed Reports

• Group-Based Analytics and Reports

• Graph-Based Analytics and Reports

• Schedule Reports

• Download Reports in PDF or .csv Format

• Check Web Activity of Specific IPs

• View Session Logs

• Investigate Suspicious External IP Addresses

Discover Network TopologyNetwork Topology provides a visual summary of the firewall’s environment. This feature allows security administrators and analysts to:

• Find details about the firewall IP address, MAC address and UP/DOWN status

• Drill-down into the firewall’s details for more insights

• Find details regarding nodes whose traffic is passing through specific interfaces of the firewall

• For nodes behind the firewall, drill down for all traffic, web activities, blocked issues or threats for an end-user system

To display Network Topology:

1 Go Analytics > Overview > Network Topology.

2 Select the firewall in the Device Manager column to the left.

The visual may take 20 seconds to reach a final summary display:

On-Premises Analytics <z.z> Getting Started Guide

Overview of IPFIX-Based Analytics26

3 Double click on the icons displayed for additional detail.

Live MonitoringLive Reports (Reports > Overview > Live Reports) provides a historical view of the real-time monitor charts. You can customize the view for any time in the past. You can choose one of the pre-defined periods with the sliding bar, or you can define a custom period by selecting Custom. Individual charts can be rearranged manually. Show or hide legends by clicking the Legends button. You can drill-down into sessions logs, or view based on groups or graphs.

The Live Reports panel presents a visual summary of firewall activity over the last 60 minutes, 1 hour, 3 hours, 6 hours, 12 hours, 24 hours, 3 days, 7 days, and 30 days.



The following charts are shown in Live Reports:

• APPLICATIONS — collects the top 25 applications that are flowing through the firewall in bits per second.

• BANDWIDTH — indicates the bandwidth utilization in bits per second.

• PACKET RATE — shows average packets per second traversing the firewall.

• PACKET SIZE— collects the packets size, in bytes, for each interface during the collection period.

• CONNECTION RATE— is plotted by collecting outgoing + incoming connection rate for each interface.

• CONNECTION COUNT— shows the current number of active connections each refresh period.

• MULTI-CORE MONITOR—shows the CPU utilization for each core each refresh period.

To see a graphical summary of firewall activity over the last 3 hours:

1 In Analytics, go to Reports > Overview | Live Reports:

2 Select the firewall in the DEVICE MANAGER panel to the left.

3 Adjust the time resolution of the display to 3 hours.



4 Click on the Legend button to see the composition of activity:

Note that a circular cursor can be planted along the time line to bring up details on the composition of activity. See the following examples:



5 To see the ingress and egress bandwidth utilization over the last 30 minutes, adjust the time scale setting and go down to the next graph, BANDWIDTH:

6 To see the packet rate over the same interfaces, go down to the next graph, PACKET RATE. Note that the interface drop down can be used to select specific interfaces.

7 Scroll further down to see graphs for CONNECT RATE, CONNECTION COUNT and MULTI-CORE MONITOR.



Detailed ReportsDetailed reports are available under Reports > Details. These include detailed reports for the various types of data being tracked for your security infrastructure. These are the detailed reports that can help you evaluate performance or find the source of an issue. If an issue is reported, you can drill down to individual devices, applications or features.

• ApplicationProvides data related to the health of the applications traversing the firewall. You can use these reports to answer questions about whether the service is up or down or if application response time is slow, for example. You can select from several different filters or views.

• UsersProvides data at it relates to the users connected to the system. You can identify user level transactions and activities by filtering on several different options.

• VirusesReports the viruses that have been detected. You can filter on connections viruses occurred on or by which viruses were blocked.

• IntrusionsReports the intrusions that have been detected. You can filter on connections intrusions occurred on or by which intrusions were blocked.

• SpywareReports the spyware that has been detected. You can filter on connections spyware occurred on or by which spyware ws blocked.

• BotnetReports the Botnets detected and blocked.

• Web CategoriesDisplays the number of connections based on web categories. You can filter on the categories in the View drop-down list.

• SourcesDisplays the number of connections based on IP address of the source. You can filter on the IP addresses listed in the View drop-down list or on other options listed in the By drop-down list.

• DestinationsDisplays the number of connections based on IP address of the source. You can filter on the source type listed in the View drop-down list or on other options listed in the By drop-down list.

• Source LocationsDisplays the number of connections based on location of the source. You can filter on the connection type listed in the View drop-down list or on other options listed in the By drop-down list.

• Destination LocationsDisplays the number of connections based on country of the destination. You can filter on the locations listed in the View drop-down list or on other options listed in the By drop-down list.

• BW QueuesReports the bandwidth data. The default is the Inbound Realtimeview, but you can choose the Outbound Realtime view from the View drop-down list. You can also filter on other options listed in the By drop-down.

• BlockedReports the number of blocked connections. The default view is Total, but you can select Threats or Botnet from the View drop-down list. Data for both options are shown in the table.

• ThreatsReports the connections with threats. Defaults to Total, but Intrusions or Virus can be filtered by the View drop-down list. You can also filter on other options listed in the By drop-down list.



To view the Application report for a firewall:

1 Select the firewall in the DEVICE MANAGER column to the left.

2 Click on Reports > Details > Applications to view activity at one firewall.

3 To see activity over a group, select the group level icon in the DEVICE MANAGER panel.

To check over categories of websites accessed recently through this firewall:


2 Click on Reports > Details > Web Categories to view activity at one firewall.




To view a report of recent destinations accessed through a firewall:


2 Click on Details > Destinationss to view activity at one firewall.


To get tips for using detailed reports:

1 Click on the vertical ellipsis symbol at the uper left, and then click on Page Tips.

Group-Based Analytics and ReportsIPFIX-based, On-Premises Analytics enables search through any specific traffic fields in group-based analysis, and allows drill-down into more details or the generation of reports. Traffic fields include:

• App Categories • Countries

• App Risk • Responder Devices



Analytics allows group-based reports associated with traffic for required date/time range. It allows extraction of details around # of sessions, total packets, total bytes, and number of threats. Report types include:

• Applications related reports: Generate reports based on Applications, Application category or Application signatures

• Web-activities related reports: Generate reports based on Websites, urls and web categories

• Traffic source or destination related reports: Generate reports based on IP Address, Interfaces and Countries

• Threats related reports: Generate reports based on Intrusions, Viruses, Spyware, Botnets

• Device Related reports: Generate reports based on IP Address, Interfaces and Names

• BWM related reports: Generate reports based on Inbound and Outbound sessions

• Blocked traffic related reports: Generate reports based on traffic-blocked-based firewall rules

Graph-Based Analytics and ReportsThe Graphs option provides a graphical representation of the traffic. You can sort, filter, view, and take action on this data in a number of different ways.

• ApplicationsSorts traffic graph by applications using the network. Get group views by categories and signatures.

• DestinationsShows the IP addresses for the destinations of the traffic and how they are all linked. Get group views by interfaces and countries.

• Applications • Responder Gateway

• Blocked • Responder Interface

• Botnet • Responder MAC

• Bandwidth Management • Responder Port

• Devices • Responders

• Device Interface • Signatures

• Devices IP • Spams

• Devices Names • Spyware

• Initiator Destinations • Status

• Initiator Gateway • Threat ID

• Initiator Interface • Threat Name

• Initiator Port • Threat Type

• Initiators • URLs

• Intrusions • Virus

• Protocol • Web Categories

• Responder • Websites



• Web ActivitiesShows which devices are accessing which web services. When available, you can see details by clicking on the category. Get group views by websites and urls.

• ThreatsShows which systems are trying to access items that are categorized as threats. Get group views by intrusions, virus, spyware, botnet.

• BlockedShows the threats that have been blocked and which IP addresses were trying to access them.

To see a graphical presentation of destinations accessed through a firewall or group of firewalls.

1 Select Analytics > Web Activity > Graphs and adjust the orange time resolution slider as required.

2 Use the five-to-one icons to the right to switch between: Locations, Devices, Interfaces, Sources, and Users.



3 To drill down into details on a particular destination, point and click with left and right mouse keys:

Schedule ReportsCustomized reports can be scheduled. When ready they can be archive and/ or e-mailed. Reports can be defined for a single firewall or a group.



To setup a regular report:

1 Go to Reports > Scheduled Reports | Schedules.

2 When the list of schedule reports displays, click on the add reports icon:

3 When the Create Report dialog box comes up, fill it out:

4 Review the schedule details.



Download Reports in PDF or .csv FormatTo download reports:

1 Click on the vertical ellipsis to the upper right and select PDF or csv.

2 Or click on the export icon to create reports and downloads.



Check Web Activity of Specific IPsTo check on activity sourced by specific IP address:

1 Go to: Web Activities | Groups.

2 Select session logs.



3 Chcek URL Category column in session logs.



View Session LogsTo view a specific session log in which access is blocked:

1 Select Blocked | Session logs:

To view a specific session log in which acces is allowed:

1 Select Web Activities | Session logs:



Investigate Suspicious External IP AddressesTo get details on specific IP addresses:

1 Go to Blocked | Graphs and right click on the suspicious IP address:

2 Or, as in the case below, from Threats | Graphs, left click on the suspicious IP Address.



7

SonicWall Support

Technical support is available to customers who have purchased SonicWall products with a valid maintenance contract and to customers who have trial versions.

The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. To access the Support Portal, go to https://www.sonicwall.com/support.

The Support Portal enables you to:

• View knowledge base articles and technical documentation

• View video tutorials

• Access MySonicWall

• Learn about SonicWall professional services

• Review SonicWall Support services and warranty information

• Register for training and certification

• Request technical support or customer service

To contact SonicWall Support, visit https://www.sonicwall.com/support/contact-support.


SonicWall Support43

https://www.sonicwall.com/support

https://www.sonicwall.com/support/contact-support

About This Document

On-Premises Analytics 2.5 Getting Started GuideUpdated - November 2019232-005166-00 Rev A

Copyright © 2019 SonicWall Inc. All rights reserved.

SonicWall is a trademark or registered trademark of SonicWall Inc. and/or its affiliates in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners

The information in this document is provided in connection with SonicWall Inc. and/or its affiliates’ products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of SonicWall products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, SONICWALL AND/OR ITS AFFILIATES ASSUME NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON- INFRINGEMENT. IN NO EVENT SHALL SONICWALL AND/OR ITS AFFILIATES BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF SONICWALL AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SonicWall and/or its affiliates make no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. SonicWall Inc. and/or its affiliates do not make any commitment to update the information contained in this document.

For more information, visit https://www.sonicwall.com/legal.

End User Product Agreement

To view the SonicWall End User Product Agreement, go to: https://www.sonicwall.com/en-us/legal/license-agreements.

Open Source Code

SonicWall is able to provide a machine-readable copy of open source code with restrictive licenses such as GPL, LGPL, AGPL when applicable per license requirements. To obtain a complete machine-readable copy, send your written requests, along with certified check or money order in the amount of USD 25.00 payable to “SonicWall Inc.”, to:

General Public License Source Code Request SonicWall Inc. Attn: Jennifer Anderson1033 McCarthy BlvdMilpitas, CA 95035

Legend

WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.


SonicWall Support44

https://www.sonicwall.com/legal

https://www.sonicwall.com/en-us/legal/license-agreements

SonicWall On-Premises Analytics€¦ · On-Premises Analytics Getting Started Guide Prerequisites 8 4 Click on Continue to go the Company page. 5 Complete the company information

Documents