SONICWALL 7.1 SonicOS Monitor Appflow User Guide

June 17, 2024

Product Information

Specifications

  • Product Name: SonicOS 7.1 Monitor Appflow
  • Administration Guide: Yes
  • Supported Firewalls: TZ Series, NSa Series, NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700, NSv Series
  • Modes: Policy Mode, Classic Mode

About SonicOS

This guide is a part of the SonicOS collection of administrative guides that describe how to administer and monitor the SonicWall family of firewalls. SonicOS provides network administrators with the management interface, API (Application Program Interface), and Command Line Interface (CLI) for firewall configuration by setting objects to secure and protect the network services, manage traffic, and provide the desired level of network service. This guide focuses on:

  • Working with SonicOS
  • SonicOS Workflow
  • How to Use the SonicOS Administration Guides
  • Guide Conventions

Working with SonicOS

SonicOS provides a web management interface for configuring, managing, and monitoring the features, policies, security services, connected devices, and threats to your network. SonicOS runs on top of SonicCore, SonicWall’s secure underlying operating system. The SonicOS management interface facilitates:

  • Policy Mode: Provides a unified policy configuration workflow. It combines Layer 3 with Layer 7 policy enforcement for security policies and optimizes the workflow for other policy types. This unified policy workflow gathers many security settings into one place, which were previously configured on different pages of the management interface.
  • Classic Mode: More consistent with earlier releases of SonicOS; you need to develop individual policies and actions for specific security services. The Classic Mode has a redesigned interface.

The table below identifies which modes can be used on the different SonicWall firewalls:

Firewall Type| TZ Series| NSA Series| NSsp 10700, NSsp 11700, NSsp 13700| NSsp 15700| NSv Series
---|---|---|---|---|---
Classic Mode| Yes| Yes| Yes| No| Yes
Policy Mode| No| No| No| No| No

Product Usage Instructions

Generate & Download CTA Report

To generate and download a CTA (Content Threat Assessment) report, follow these steps:

  1. Log in to the SonicOS management interface.
  2. Navigate to the “Monitor” section.
  3. Select “Appflow” from the menu.
  4. Click on “Generate & Download CTA Report”.
  5. Specify the desired report options.
  6. Click on “Generate Report”.
  7. Once the report is generated, click on “Download” to download the report.

About This Document

The “SonicOS 7.1 Monitor Appflow Administration Guide” provides detailed information and instructions on how to use the SonicOS Monitor Appflow. It is a valuable resource for network administrators and users of SonicWall firewalls.

FAQ

  • Q: What is SonicOS?
  • A: SonicOS is the operating system used by SonicWall firewalls. It provides network administrators with a management interface, API, and CLI for configuring and securing network services.
  • Q: What are the different modes in SonicOS?
  • A: SonicOS has two modes: Policy Mode and Classic Mode. Policy Mode combines Layer 3 to Layer 7 policy enforcement for security policies, while Classic Mode requires individual policies and actions for specific security services.
  • Q: How do I generate and download a CTA report?
  • A: To generate and download a CTA report, log in to the SonicOS management interface, navigate to the “Monitor” section, select “Appflow”, click on “Generate & Download CTA Report”, specify the report options, and click on “Generate Report”. Once the report is generated, click on “Download” to download it.
  • Q: How do I access advanced options in SonicOS Monitor Appflow?
  • A: To access advanced options, log in to the SonicOS management interface, navigate to the “Monitor” section, select “Appflow”, and click on “Advanced Options”. Configure the desired settings and click on “Save” to apply the changes.
  • Q: Where can I view and manage completed reports?
  • A: You can view and manage completed reports in the SonicOS Monitor Appflow. Log in to the SonicOS management interface, navigate to the “Monitor” section, select “Appflow”, and click on “Completed Reports”. From there, you can view, download, or delete the completed reports.
  • Q: How can I contact SonicWall Support?
  • A: To contact SonicWall Support, log in to the SonicOS management interface, navigate to the “Monitor” section, select “Appflow”, and click on “SonicWall Support”. Follow the provided instructions to reach out to SonicWall Support.

About SonicOS

This guide is a part of the SonicOS collection of administrative guides that describe how to administer and monitor the SonicWall family of firewalls. SonicOS provides network administrators with the management interface, API (Application Program Interface), and Command Line Interface (CLI) for firewall configuration by setting objects to secure and protect the network services, manage traffic, and provide the desired level of network service. This guide focuses on
Topics:

  • Working with SonicOS
  • SonicOS Workflow
  • How to Use the SonicOS Administration Guides
  • Guide Conventions

Working with SonicOS
SonicOS provides a web management interface for configuring, managing, and monitoring the features, policies, security services, connected devices, and threats to your network. SonicOS runs on top of SonicCore, SonicWall’s secure underlying operating system.
The SonicOS management interface facilitates:

  • Setting up and configuring your firewall
  • Configuring external devices like access points or switches
  • Configuring networks and external system options that connect to your firewall
  • Defining objects and policies for protection
  • Monitoring the health and status of the security appliance, network, users, and connections
  • Monitoring traffic, users, and threats
  • Investigating events

SonicWall offers two different modes of operation in SonicOS; the modes differ mainly in the areas of policy, object configuration and diagnostics.

  • Policy Mode provides a unified policy configuration workflow. It combines Layer 3 to Layer 7 policy enforcement for security policies and optimizes the workflow for other policy types. This unified policy workflow gathers many security settings into one place, which were previously configured on different pages of the management interface.
  • Classic Mode is more consistent with earlier releases of SonicOS; you need to develop individual policies and actions for specific security services. The Classic Mode has a redesigned interface.

This table identifies which modes can be used on the different SonicWall firewalls:

SONICWALL-7-1-SonicOS-Monitor-Appflow-FIG-1

In addition to the management interface, SonicOS also has a full-featured API and a CLI to manage the firewalls. For more information, refer to:

  • SonicOS Command Line Interface Reference Guide

SonicOS Workflow
When working with SonicWall products, you can use the following workflow as a guide for setting up your security solution.

SONICWALL-7-1-SonicOS-Monitor-Appflow-FIG-2

You begin your planning as you start making your purchasing decisions. Your sales partners can help you assess your network and make recommendations based on the kinds of security services you need. You can learn more about SonicWall products by reviewing product information and solutions. After selecting the solution, you can schedule your implementation.
After planning and scheduling your solution, you begin setting up the firewalls. The Getting Started Guides for your products can help you begin setting up the pieces to your solution. The Getting Started guides are designed to help you install the firewall to a minimal level of operation. Before performing any detailed configuration tasks described in the SonicOS Administration Guides, you should have your firewall set up and basic operation validated.
The configuration block of the workflow refers to the many tasks that combine to define how your firewall is integrated into your security solution and how it behaves when protecting your environment. Depending on the features of your security solution, this task can be quite complex. The System Administration Guides are broken into the key command sets and features. Some documents may be used for all solutions, but others may be used only if you integrated that feature into your solution. For example, High Availability or Wireless Access Points are not necessarily used by all customers. More information about a feature’s workflow is presented in the feature administration guide. Refer to the specific Administration Guide for a SonicOS feature for more information.
Configuration tends to be a one-time activity, although you might make minor adjustments after monitoring performance or after diagnosing an issue. The configuration activity can be broken down into the more detailed flow as the following figure shows. This also mirrors the key functions that are listed across the top of the management interface.

SONICWALL-7-1-SonicOS-Monitor-Appflow-FIG-3

There is some flexibility in the order in which you do things, but this is the general workflow you would follow when configuring your firewall. Start by defining the settings on the firewall. Next you set up the system and other devices that your firewall is connected to, and you can choose to implement High Availability when done. After your device, network, and system are configured, you should define the objects that you want to monitor. Then you use those objects to define the policies that protect your network. The final step to preparing your setup is to validate the user authentication.

How to Use the SonicOS Administration Guides

The SonicOS Administration Guide is a collection of guides that detail the features represented by each of the main menu items in the management interface. Within each guide, you can find topics covering commands in that menu group, along with procedures and in-depth information. The exceptions are the SonicOS 7.1 Monitor Guide and the SonicOS 7.1 Objects Guide which combine the topics for each of those functions into a single book.

To help you understand how the books align with the features and commands, the following figure shows the books organized like the SonicWall management interface.

SONICWALL-7-1-SonicOS-Monitor-Appflow-FIG-4

The SonicOS Administration Guides, along with related documentation, such as the getting started guides, are available at https://www.sonicwall.com/support/technical-documentation/.

Guide Conventions

These text conventions are used in this guide:

  • NOTE: A NOTE icon indicates supporting information.
  • IMPORTANT: An IMPORTANT icon indicates supporting information.
  • TIP: A TIP icon indicates helpful information.
  • CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.
  • WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.

AppFlow Report

The MONITOR | AppFlow > AppFlow Reports page displays the following reports:

SONICWALL-7-1-SonicOS-Monitor-Appflow-FIG-6

The MONITOR | AppFlow > AppFlow Report page enables you to view top-level aggregate reports of what is going on in your network and, at a quick glance, answer such questions as the following:

  • What are the top-most used applications running in my network?
  • Which applications in terms of a total number of sessions and bytes consume my network bandwidth?
  • Which applications have viruses, intrusions, and spyware?
  • What website categories are my users visiting?

The report data can be viewed from the point of the last system restart or since the data was last reset.
To enable and configure the reports, follow the procedures described in Managing Flow Reporting Statistics in the SonicOS Logs documentation. The green check mark icon at the top of the MONITOR | AppFlow > AppFlow Report page displays a link to the DEVICE | AppFlow Settings > Flow Reporting page, where you can configure the reports.
The top of the page displays the following settings and information:

  • IP Version – Select IPv4, IPv6, or IPv4 and IPv6 to view the reports for that traffic.
  • View – Choose the view type to display reports based on the total activity since the restart of the firewall, activity since the last reset by the user, or activity based on the configured schedule. If you select On Schedule, you can configure the report to be exported by FTP or e-mail. Choose one:
    • Since Restart – Shows the aggregate statistics since the last appliance restart.
    • Since Last Reset – This shows the aggregate statistics since the last time you cleared the statistics.
    • On Schedule – You can configure to export your report either by FTP or e-mail.
  • Limit – Limits the number of resulting entries.
  • Check mark – Click or mouse over to expose a popup showing the Appflow Report Status. Links are provided to connect you to additional data.

  • Refresh – Click to refresh the report data.

Topics:

  • Top Applications
  • Top Users
  • Top IP Addresses
  • Top Viruses
  • Top Intrusions
  • Top Spyware
  • Top Locations
  • Top Botnets
  • Top Web Categories

Applications
Using the View drop-down list, select what you want included in the Applications report. The view type defines reporting based on the total activity Since the Restart of the firewall, activity Since the Last Reset by a user, or activity based on the configured schedule. If you select On Schedule, you can configure to export reports either via FTP or email. When viewing the application data, the key information is provided in the table:

  • Sessions — Number of connections or flows
  • Initiator Bytes — Number of bytes sent by the initiator
  • Responder Bytes — Number of bytes sent by the responder

Additionally, the report provides the following information:

  • Application Name — Name of the application – Signature ID
  • Percentage of Applications — The frequency of this application as a percentage of the total number of applications
  • Access Rules — Number of connections/flows blocked by the firewall rules
  • App Rules — Number of connections/flows blocked by DPI engine
  • Location Block — Number of connections/flows blocked by GEO enforcement
  • Botnet Block — Number of connections/flows blocked by BOTNET enforcement
  • Virus — Number of connections/flows with virus
  • Intrusion — Number of connections/flows identified as intrusions
  • Spyware — Number of connections/flows with spyware

The columns in the table can be customized so it displays only what you want to see. Click the gear icon to select columns.
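
As an added example (not part of the SonicWall guide), the following Python script uses the Applications report fields defined above to rank applications for review once the data has been copied off the firewall. The CSV layout, the sample rows, and the function names are assumptions; the guide does not document an export format.

```python
import csv
import io

# Constructed sample data, not real firewall output. The column names follow
# the Applications report fields listed in this guide; the CSV layout itself
# is an assumption.
SAMPLE_CSV = """\
Application Name,Sessions,Initiator Bytes,Responder Bytes,Access Rules,App Rules,Location Block,Botnet Block,Virus,Intrusion,Spyware
General HTTPS,5000,1200000,98000000,10,0,4,0,0,2,0
BitTorrent,1500,40000000,35000000,0,1400,20,0,3,0,1
General DNS,2000,300000,700000,0,0,0,25,0,0,0
SSH,500,9000000,1000000,450,0,30,0,0,40,0
NTP,1000,90000,90000,0,0,0,0,0,0,0
"""

TRAFFIC_COLS = ("Sessions", "Initiator Bytes", "Responder Bytes")
BLOCK_COLS = ("Access Rules", "App Rules", "Location Block", "Botnet Block")
THREAT_COLS = ("Virus", "Intrusion", "Spyware")


def load_rows(text):
    """Parse report text; missing or empty counters are treated as 0."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        row = {"Application Name": (rec.get("Application Name") or "").strip()}
        for col in TRAFFIC_COLS + BLOCK_COLS + THREAT_COLS:
            row[col] = int(rec.get(col) or 0)
        rows.append(row)
    return rows


def summarize(rows):
    """Add per-application totals and the share of all sessions."""
    total_sessions = sum(r["Sessions"] for r in rows)
    summary = []
    for r in rows:
        summary.append({
            "name": r["Application Name"],
            # Share of sessions; one reading of "Percentage of Applications".
            "pct_sessions": (round(100.0 * r["Sessions"] / total_sessions, 2)
                             if total_sessions else 0.0),
            "total_bytes": r["Initiator Bytes"] + r["Responder Bytes"],
            # Sum of the four block counters (access rules, DPI, geo, botnet).
            "blocked": sum(r[c] for c in BLOCK_COLS),
            # Upper bound: one flow may carry more than one threat type.
            "threats": sum(r[c] for c in THREAT_COLS),
            "botnet_block": r["Botnet Block"],
        })
    return summary


def flagged(summary):
    """Applications with any threat or botnet hit, most threats first."""
    hits = [s for s in summary if s["threats"] > 0 or s["botnet_block"] > 0]
    return sorted(hits, key=lambda s: (-s["threats"], -s["botnet_block"], s["name"]))


if __name__ == "__main__":
    for s in flagged(summarize(load_rows(SAMPLE_CSV))):
        print(f'{s["name"]:<15} sessions={s["pct_sessions"]:>5}% '
              f'blocked={s["blocked"]:<5} threats={s["threats"]:<3} '
              f'botnet={s["botnet_block"]}')
```
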

Users

Using the View drop-down list, select Since Restart, Since Last Reset, or On Schedule. These selections are defined as:

  • Sessions — Number of sessions/connections initiated/responded
  • Bytes Received — Number of bytes received by the user
  • Bytes Sent — Bytes of data sent by the user

The report provides the following information:

  • User Name — Name of the user, or UNKNOWN
  • Percentage of Users — The activity of this user as a percentage of the total activity of users
  • Blocked — Connections/sessions blocked
  • Virus — Number of connections/flows with virus
  • Spyware — Sessions/connections detected with spyware
  • Intrusion — Number of Sessions/connections identified as intrusions
  • Botnet — Sessions/connections detected as botnets

The columns in the table can be customized so it displays only what you want to see. Click the gear icon to select columns.

IP Addresses

Using the View drop-down list, select what you want included in the Applications report. The view type defines reporting based on the total activity Since the Restart of the firewall, activity Since Last Reset by a user, or activity based on the configured schedule. If you select On Schedule, you can configure to export reports either via FTP or email. When viewing the IP Address data, the key information is provided in the table:

  • Sessions — Number of sessions/connections initiated/responded
  • Bytes Received — Number of bytes received by the user
  • Bytes Sent — Bytes of data sent by the user

The report provides the following information:

  • IP Address — The IP address
  • Percentage of IP Addresses — The frequency of connections/flows involving this IP address as a percentage of the total number of connections/flows for all IP addresses
  • Blocked — Connections/sessions blocked
  • Virus — Number of connections/flows with virus
  • Spyware — Sessions/connections detected with spyware
  • Intrusion — Number of Sessions/connections identified as intrusions
  • Botnet — Sessions/Connections detected as botnet

The columns in the table can be customized so it displays only what you want to see. Click the gear icon to select columns.

Viruses
Using the View drop-down list, select what you want included in the Applications report. The view type defines reporting based on the total activity Since the Restart of the firewall, activity Since the Last Reset by the user, or activity based on the configured schedule. If you select On Schedule, you can configure to export reports either via FTP or email. The report provides the following information:

  • Sessions — Number of sessions/connections with this virus

The report provides the following information:

  • Virus Name — The name of the virus, or UNKNOWN
  • Percentage of Viruses — The frequency of this virus as a percentage of the total number of viruses

Intrusions
Using the View drop-down list, select what you want included in the Applications report. The view type defines reporting based on the total activity Since the Restart of the firewall, activity Since the Last Reset by a user, or activity based on the configured schedule. If you select On Schedule, you can configure to export reports either via FTP or email. The report provides the following information:

  • Sessions — Number of sessions/connections with this virus

The report provides the following information:

  • Intrusion Name — The name of the intrusion, or UNKNOWN
  • Percentage of Intrusions — The frequency of this intrusion as a percentage of the total number of intrusions

Spyware
Using the View drop-down list, select what you want included in the Applications report. The view type defines reporting based on the total activity Since the Restart of the firewall, activity Since the Last Reset by the user, or activity based on the configured schedule. If you select On Schedule, you can configure to export reports either via FTP or email. The report provides the following information:

  • Sessions — Number of sessions/connections with this virus

The report provides the following information:

  • Spyware Name — The name of the spyware signature, or UNKNOWN
  • Percentage of Spyware — The frequency of this spyware as a percentage of the total number of spyware

Locations

Using the View drop-down list, select what you want included in the Applications report. The view type defines reporting based on the total activity Since the Restart of the firewall, activity Since Last Reset by a user, or activity based on the configured schedule. If you select On Schedule, you can configure to export reports either via FTP or email. These selections are defined as:

  • Sessions — Number of sessions/connections initiated/responded
  • Bytes Received — Number of bytes received by the user
  • Bytes Sent — Bytes of data sent by the user

The report provides the following information:

  • Country Name — Name of the location or country
  • Percentage of Locations — The frequency of connections/flows involving this location as a percentage of the total number of connections/flows for all locations
  • Dropped — Number of sessions/Connections dropped

Botnets
Using the View drop-down list, select what you want included in the Applications report. The view type defines reporting based on the total activity Since the Restart of the firewall, activity Since the Last Reset by the user, or activity based on the configured schedule. If you select On Schedule, you can configure to export report either via FTP or email.

The report provides the following information:

  • Botnet Name — Name of the Botnet
  • Count — Sessions or connections detected as a botnet

Web Categories

Using the View drop-down list, select what you want included in the Applications report. The view type defines reporting based on the total activity Since the Restart of the firewall, activity Since the Last Reset by a user, or activity based on the configured schedule. If you select On Schedule, you can configure to export reports either via FTP or email.

The report provides the following information:

  • Sessions — Number of sessions/connections

The report provides the following information:

  • Rating Name — The name of the URL category
  • Percentage of Viruses — The frequency of access to URLs in this rating category as a percentage of the total number of URL accesses

AppFlow Monitor

The MONITOR | AppFlow > AppFlow Monitor page displays a series of reports. Select the appropriate tab for one of the reports:

  • Top Applications
  • Top Users
  • Top Web Activity
  • Top Initiator IPs
  • Top Responder IPs
  • Top Threats
  • Top VoIP
  • Top VPN
  • Top Devices
  • Top Contents
  • Top Policies

The MONITOR | AppFlow > AppFlow Monitor page enables you to monitor top-level aggregate reports of what is going on in your network and, at a quick glance, answer such questions as the following:

  • What are the top-most used applications running in my network?
  • Which applications in terms of total number of sessions and bytes consume my network bandwidth?
  • Which applications have viruses, intrusions, and spyware?
  • What website categories are my users visiting?

To enable and configure the reports, follow the procedures described in Managing Flow Reporting Statistics in the SonicOS Logs documentation. The green check mark icon at the top of the MONITOR | AppFlow > AppFlow Monitor page displays a link to the DEVICE | AppFlow Settings > Flow Reporting page, where you can configure the reports. The top of the page displays the following settings and information:

  • +Create – Click to create filtering on incidents

  • +Add to Filter – Click to add filter criteria to selected applications

  • IP Version – Select IPv4, IPv6, or IPv4 and IPv6 to view the reports on that traffic.

  • Slider – Use the slider to filter flow results as of the Last 60 secs, 2 minutes, 10 minutes, 15 minutes, 30 minutes, 60 minutes, 3 hours, 6 hours, 12 hours, 24 hours, 7 days, 15 days, 30 days, or All Flows

  • Group By – Filters results by grouping flows based on Application, Category, or Signature

  • Check mark – Click or mouse over to expose a popup showing the Appflow Monitor Status. Links are provided to connect you to additional data.

  • Refresh – Click to refresh the report data.

Applications

You can filter flows by Application. Applications can be grouped by Application, Category, or Signature. These selections are defined as:

  • Application — Name of the application – Signature ID
  • Sessions — Number of connections or flows
  • Total Packets — Number of packets
  • Total Bytes — Number of bytes sent by the initiator
  • Average Rate (KBPS) — Current average rate (calculated over the lifetime of connections)
  • Threats — Number of sessions or connections identified with intrusions, spyware, or a virus.

The columns in the table can be customized so it displays only what you want to see. Click the gear icon to select columns.

Users

The Users report allows filtering by Users. Users can be grouped the following:

  • User — Name of the user – Signature ID
  • Sessions — Number of connections/flows
  • Total Packets — Number of packets
  • Total Bytes — Number of bytes sent by the initiator
  • Average Rate (KBPS) — Current average rate (calculated over the lifetime of connections)
  • Threats — Number of sessions/connections identified with intrusions/spyware/virus.

The columns in the table can be customized so it displays only what you want to see. Click the gear icon to select columns.

Web Activity

You can filter flows by Web Activity. Web URLs can be grouped by Domain Name, URL, or Ratings. These selections are defined as:

  • Domain Name — Name of the web domain
  • Add entry to filter — An Icon appears allowing you to add specific domain names to your filtering
  • Sessions — Number of connections or flows
  • Total Packets — Number of packets
  • Total Bytes — Number of bytes sent by the initiator
  • Average Rate (KBPS) — Current average rate (calculated over the lifetime of connections)
  • Threats — Number of sessions/connections identified with intrusions, spyware, or a virus.

The columns in the table can be customized so it displays only what you want to see. Click the gear icon to select columns.

Initiator IPs

You can filter flows by Initiator IP. Initiator IPs can be grouped by IP Address, Interface, or Country. These selections are defined as:

  • Initiator — Name of the initiator IP address
  • Add entry to filter — An icon appears allowing you to add specific initiator IP addresses into your filtering
  • Sessions — Number of connections/flows
  • Total Packets — Number of packets
  • Total Bytes — Number of bytes sent by the initiator
  • Average Rate (KBPS) — Current average rate (calculated over the lifetime of connections)
  • Threats — Number of sessions/connections identified with intrusions/spyware/virus.

The columns in the table can be customized so it displays only what you want to see. Click the gear icon to select columns.

Responder IPs

You can filter flows by Responder IPs. Responder IPs can be grouped by IP Address, Interface, or Country. These selections are defined as:

  • Responder — Name of the responder IP address
  • Add entry to filter — An Icon appears allowing you to add specific responder IP addresses into your filtering
  • Sessions — Number of connections or flows
  • Total Packets — Number of packets
  • Total Bytes — Number of bytes sent by the initiator
  • Average Rate (KBPS) — Current average rate (calculated over the lifetime of connections)
  • Threats — Number of sessions/connections identified with intrusions, spyware, or a virus.

The columns in the table can be customized so it displays only what you want to see. Click the gear icon to select columns.

Threats
You can filter flows by Threat. Threats can be grouped as All, Intrusion, Virus, Spyware, Anti-Spam, or Botnet. These selections are defined as:

  • Threat — Name of the threat
  • Add entry to filter — An Icon appears allowing you to add specific threats to your filtering
  • Sessions — Number of connections or flows
  • Total Packets — Number of packets
  • Total Bytes — Number of bytes sent by the initiator
  • Average Rate (KBPS) — Current average rate (calculated over the lifetime of connections)
  • Threats — Number of sessions/connections identified with intrusions, spyware, or a virus

The columns in the table can be customized so it displays only what you want to see. Click the gear icon to select columns.

VoIP

You can filter flows by VoIP. VoIP can be grouped as Media Type or Caller ID. These selections are defined as:

  • VoIP — Name of the VoIP
  • Sessions — Number of connections or flows.
  • Total Packets — Number of packets.
  • Total Bytes — Number of bytes sent by the initiator.
  • Average Rate (KBPS) — Current average rate (calculated over the lifetime of connections).
  • Out of Sequence/Lost Pkts — Number of out-of-sequence or lost packets.
  • Average Jitter (msec) — The average jitter or time delay between when a signal is transmitted and when it is received. It is measured in milliseconds.
  • Maximum Jitter (msec) — The maximum amount of jitter between when a signal is transmitted and when it is received, measured in milliseconds.
  • Threats — Number of sessions/connections identified with intrusions, spyware, or a virus.

The columns in the table can be customized so it displays only what you want to see. Click the gear icon to select columns.

VPN

You can filter flows by VPN. VPN can be grouped by Remote IP Address, Local IP Address, or Name. These selections are defined as:

  • VPN — Name of the VPN
  • Sessions — Number of connections/flows
  • Total Packets — Number of packets
  • Total Bytes — Number of bytes sent by the initiator
  • Average Rate (KBPS) — Current average rate (calculated over the lifetime of connections)
  • Threats — Number of sessions/connections identified with intrusions/spyware/virus.

The columns in the table can be customized so it displays only what you want to see. Click the gear icon to select columns.

Devices
You can filter flows by Device IP address. Devices can be grouped by IP Address, Interface, Name, or Vendor. These selections are defined as:

  • Device — Name of the device
  • Sessions — Number of connections/flows
  • Total Packets — Number of packets
  • Total Bytes — Number of bytes sent by the initiator
  • Average Rate (KBPS) — Current average rate (calculated over the lifetime of connections)
  • Threats — Number of sessions/connections identified with intrusions/spyware/virus.

The columns in the table can be customized so it displays only what you want to see. Click the gear icon to select columns.

Contents
You can filter flows by Contents. Content can be grouped by File Type or Email Address. These selections are defined as:

  • Content — Name of the content
  • Sessions — Number of connections/flows
  • Total Packets — Number of packets
  • Total Bytes — Number of bytes sent by the initiator
  • Average Rate (KBPS) — Current average rate (calculated over the lifetime of connections)
  • Threats — Number of sessions/connections identified with intrusions/spyware/virus.

The columns in the table can be customized so it displays only what you want to see. Click the gear icon to select columns.

Policies

You can filter flows by Policies. Security Policies can be grouped by Access Rule, NAT Rule, Initiator Route Policy, or Responder Route Policy. These selections are defined as:

  • Policies — Name of the security policy to be monitored
  • Sessions — Number of connections or flows
  • Total Packets — Number of packets
  • Total Bytes — Number of bytes sent by the initiator
  • Average Rate (KBPS) — Current average rate (calculated over the lifetime of connections)
  • Threats — Number of sessions/connections identified with intrusions, spyware, or a virus

The columns in the table can be customized so it displays only what you want to see. Click the gear icon to select columns.

AppFlow Sessions

NOTE: AppFlow Sessions is a feature of SonicOS running Policy Mode. It is not available in Classic Mode.

The MONITOR | AppFlow > AppFlow Sessions page displays the following reports:

  • All
  • Threats
  • Web Access

The MONITOR | AppFlow > AppFlow Sessions page enables you to monitor the status of top-level aggregate reports of what is going on in your network and, at a quick glance, answer such questions as the following:

  • What are the top-most used applications running in my network?
  • Which viruses, intrusions, and spyware have threatened my network?
  • What website categories are my users visiting?

To enable and configure the reports, follow the procedures described in Managing Flow Reporting Statistics in the SonicOS Logs documentation.

The top of the page displays the following settings and information:

  • Slider – Use the slider to filter flow results as of the Last 60 secs, 2 minutes, 10 minutes, 15 minutes, 30 minutes, 60 minutes, 3 hours, 6 hours, 12 hours, 24 hours, 7 days, 15 days, 30 days, or All Flows
  • Limit – Limits results by filtering flows based on the number of entries
  • Check mark – The green check mark icon at the top of the MONITOR | AppFlow > AppFlow Sessions page displays a popup showing the Appflow Monitor Status for Policy Mode. Links are provided to connect you to additional data and procedures.

  • Refresh – Click to refresh the report data.

All

Choose the All tab to see all the AppFlow sessions. Application entries can be displayed as either limited or unlimited. Column Grid Settings can be added or removed, or expanded and rearranged. Click Grid Settings, and use the arrows next to the column name to expand column options. A checkbox next to a name adds the selection to the grid.

Threats

Select the Threats tab to show the monitoring status of AppFlow sessions that contain threats. Entries can be displayed as either limited or unlimited. Column Grid Settings can be added or removed, or expanded and rearranged. Click Grid Settings, and use the arrows next to the column name to expand column options. A checkbox next to a name adds the selection to the grid.

Web Access

Select the Web Access tab to monitor the status of AppFlow sessions that have Web Access. Application entries can be displayed as either limited or unlimited. Column Grid Settings can be added or removed, or expanded and rearranged. Click Grid Settings, and use the arrows next to the column name to expand column options. A checkbox next to a name adds the selection to the grid.

CTA Report

Use the Capture Threat Assessment (CTA) Report to generate a SonicFlow Report (SFR) that you can download and post to the Capture Threat Assessment service.

Generate & Download CTA Report

To generate and post the SonicFlow Report (SFR):

  1. Navigate to the Capture Threat Assessment screen on the MONITOR | AppFlow > CTA Report page.
  2. On the Generate & Download CTA Report tab, click Generate Report.
  3. After the report is generated, you have the option to download the report or generate a new one.
  4. Click Download Report to download the report.

Advanced Options

The values on the Advanced Options tab are not saved to the firewall. Customized data is lost after you log out or clear your browser cache.

To configure Advanced CTA Report options:

  1. Navigate to the MONITOR | AppFlow > CTA Report page.
  2. Click the Advanced Options tab.
  3. Customize data for your CTA Reports using Advanced Options, Report Types, and Desired Sections to appear, or include a customized Report logo.
  4. After completing customized data entries, return to Generate & Download CTA Report and click Generate Report. The customized Report appears in the Completed Reports tab.

Completed Reports

Generated reports appear in the table and are available for download, viewing, and deleting.

SonicWall Support

Technical support is available to customers who have purchased SonicWall products with a valid maintenance contract. The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. To access the Support Portal, go to https://www.sonicwall.com/support. The Support Portal enables you to:

  • View knowledge base articles and technical documentation
  • View and participate in the Community forum discussions at https://community.sonicwall.com/technology-and-support.
  • View video tutorials
  • Access https://mysonicwall.com
  • Learn about SonicWall Professional Services
  • Review SonicWall Support services and warranty information
  • Register for training and certification
  • Request technical support or customer service

To contact SonicWall Support, visit https://www.sonicwall.com/support/contact-support.

About This Document

  • SonicOS Monitor Appflow Administration Guide
  • Updated – December 2023
  • Software Version – 7.1
  • 232-006094-00 Rev A

Copyright © 2023 SonicWall Inc. All rights reserved.
The information in this document is provided in connection with SonicWall and/or its affiliates’ products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of products. EXCEPT AS OUTLINED IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, SONICWALL AND/OR ITS AFFILIATES ASSUME NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL SONICWALL AND/OR ITS AFFILIATES BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF SONICWALL AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SonicWall and/or its affiliates make no representations or warranties concerning the accuracy or completeness of the contents of this document and reserve the right to make changes to specifications and product descriptions at any time without notice. SonicWall and/or its affiliates do not make any commitment to update the information contained in this document.
For more information, visit https://www.sonicwall.com/legal.

End User Product Agreement

To view the SonicWall End User Product Agreement, go to: https://www.sonicwall.com/legal/end-user-product-agreements/.

Open Source Code

SonicWall Inc. is able to provide a machine-readable copy of open source code with restrictive licenses such as GPL, LGPL, and AGPL when applicable per license requirements. To obtain a complete machine-readable copy, send your written requests, along with a certified check or money order in the amount of USD 25.00 payable to “SonicWall Inc.”, to:

  • General Public License Source Code Request
  • Attn: Jennifer Anderson
  • 1033 McCarthy Blvd
  • Milpitas, CA 95035
