
TechNote

SonicWALL Application Risk Management Report (SWARM)

Network Security Implementation Guide

Contents

Contents (p. 1)
Overview (p. 1)
Deploying a SonicWALL Appliance in Layer 2 Bridge Mode (p. 2)
  Layer 2 Bridge Mode Configuration Overview (p. 2)
  Configuring Initial Settings (p. 3)
  Configuring Layer 2 Bridge Mode (p. 4)
Deploying a SonicWALL Appliance in Wire-Mode (p. 5)
  Wire-Mode Overview (p. 5)
  Configuring Tap-Mode (p. 8)
Advanced Wire-Mode Deployments (p. 9)
  Network Insertion: Augmenting Existing Firewalls (p. 9)
  Configuring Wire-Mode when Augmenting Existing Firewalls (p. 11)
Configuring Application Intelligence (p. 13)
Creating the SWARM Report (p. 17)
Configuring Alerts (Optional) (p. 19)
Enabling NetFlow Reporting (Optional) (p. 20)
Configuring Single Sign On (Optional) (p. 21)

Overview
On SonicWALL's next generation firewalls, it is possible to detect, classify, and enforce policy for over 3,000
unique applications, while simultaneously preventing thousands of intrusions, attacks, exploits, and malware,
thanks to the patented deep-packet-inspection (DPI) engine running inside your SonicWALL. Application
Intelligence (AI) provides the tools that allow network administrators to regain control over their network
usage and, more importantly, employee productivity. Reclaiming bandwidth, recovering time wasted at work, and
improving mission-critical applications are all within your grasp. AI can help you save money in more ways than one.

Have you ever been put in a situation where you needed to know what a particular user is doing on the network?
For example, should you have challenges with VOIP call quality, how do you quickly identify the bandwidth being
used for VOIP, and all the other applications on the network? With real-time monitoring you can quickly identify
traffic from given users, devices, applications, URLs, bandwidth consumption, intrusions, and more, enabling you
to intelligently define policy to control the network. This all becomes possible with the next generation firewall
from SonicWALL; quickly identify offenders or problem spots, control applications, block malware, and report on
all network activity.

Deploying a SonicWALL for Application Risk Management Reporting


TechNote
This TechNote provides step-by-step instructions to deploy a SonicWALL firewall in a customer's network for
the purpose of collecting Application Intelligence data. Once data has been collected over a designated period of
time (a few days to a week), an automated SonicWALL Application Risk Management (SWARM) Report can be produced.

There are many ways to insert a SonicWALL into a network as a bump on the wire:

1. Layer 2 bridge mode
2. Wire-Mode (NSA 3500 and higher)
3. One arm sniffer mode

We recommend that you deploy in either Layer 2 Bridge mode or the newly created Wire-Mode. Deploying in this
configuration allows for minimal network interruption and doesn't require any drastic changes to an existing
network. It also makes it easy to migrate to full NAT/router mode when ready.

The Layer 2 Bridge mode/Wire-Mode configuration is shown below:

Note: If one-port sniffer mode is desired, use the Wire-Mode Tap mode unless you have a SonicWALL that
does not support Wire-Mode. In that case, refer to the following TechNote:
http://www.sonicwall.com/downloads/Integrating_SonicWALL_and_HP.pdf

Deploying a SonicWALL Appliance in Layer 2 Bridge Mode


This section contains configuration procedures for the initial setup of your SonicWALL Security Appliance and
Layer 2 Bridge Mode.

Layer 2 Bridge Mode Configuration Overview


Upon initial unpacking and setup of your SonicWALL, proceed directly to the management interface and log in
using the admin account.

Note: In this case, SonicWALL recommends that you do not use the Getting Started Wizard.

You will need to perform the following tasks:

1. Configure X0 as the LAN interface and X1 as the WAN interface.
2. Define the X1 interface with a free IP address that is on the same internal subnet you are inserting the
SonicWALL into. For example, if the LAN subnet was 192.168.169.0/24 you could define the X1 interface as
192.168.169.1/24. The IP address assigned to X1 will be used for managing the SonicWALL. After
everything is configured, the SonicWALL should sit in between the upstream firewall/router and the LAN switch.
The X1 WAN interface will connect to the existing Internet firewall or router and X0 to the LAN switch.

3. Activate all the security services, Gateway Anti-Virus, Anti-Spyware, IPS, and Application Control as
described below in the Configuring Application Intelligence section. The X0 interface will then be bridged to
the X1 interface forming the Layer 2 Bridge to allow all Internet traffic to pass through the SonicWALL for
inspection.

Configuring Initial Settings


The initial configuration of the SonicWALL is done out of band: the firewall is attached to the network for
configuration and only later placed in line (Layer 2 Bridge mode). Network interruption time is minimal with this
approach.

In preparation for Layer 2 Bridge Mode configuration, perform the following steps:
a. To allow for management of the SonicWALL, connect a laptop to the X0 LAN interface with a default IP of
192.168.168.168 and assign your laptop an IP of 192.168.168.169.
b. Open a browser and navigate to 192.168.168.168. Enter the default admin credentials (admin/password).
Bypass the Getting Started Wizard and proceed directly to management.
c. Navigate to Network > Interfaces and configure X1 with an appropriate IP address for the local network.
Then, attach the X1 interface to a spare LAN switch port. In this example, we have an existing LAN subnet of
192.168.169.0/24.
d. Attach the X1 interface to a free switch port as depicted in the diagram below.


Configuring Layer 2 Bridge Mode


After initial configuration, the SonicWALL is ready for the final configuration of Layer 2 Bridge mode.

1. On the Network > Interfaces page, click the Configure icon in the right column of the X0 (LAN) interface.
2. If not completed earlier, configure management (HTTP, HTTPS, Ping, SNMP, SSH, User Logins, HTTP
Redirects).
Note: If you are performing Application Intelligence testing with an NSA model other than an E7500 or E8500,
there is a slight risk in installing into an existing network in Layer 2 Bridge Mode. If the SonicWALL appliance
has a hard crash or power failure, all Internet traffic will effectively be blocked. The NSA E7500 and E8500
models have fail-open interfaces which allow network traffic to flow even in the event of a failure. For more
details on the setup, refer to:
http://www.sonicwall.com/downloads/SonicOS_5.5_L2_Bridge_Bypass_Feature_Module.pdf
3. In the IP Assignment drop-down list, select Layer 2 Bridged Mode.
4. In the Bridged to drop-down list, select the X1 interface.

Note: After this step is completed, you may lose management access to the firewall because the X0 interface is
now on a different subnet. To verify that the configuration is correct, change the IP of the laptop to a spare
address on the network (e.g. 192.168.169.15) and browse to the IP address previously configured for the X1
interface.
The SonicWALL is now ready to be inserted into the network.
5. Connect the X1 interface to the LAN interface of the existing router/firewall.
6. Connect the X0 interface to the existing LAN switch.
7. Connect your laptop to a spare switch port and log in to the SonicWALL.
Traffic now flows through the SonicWALL and the Real-Time monitors should be displaying
information.
8. Activate all the security services, Gateway Anti-Virus, Anti-Spyware, IPS, and Application Control as
described below in the Configuring Application Intelligence section.

Deploying a SonicWALL Appliance in Wire-Mode


This section details the deployment and configuration of the SonicWALL security appliance in Wire-Mode.

Wire-Mode Overview
With the NSA 3500 and higher models, SonicOS 5.8.1+ introduces Wire-Mode, which provides four new methods
of non-disruptive, incremental insertion into networks.
Note: To enable remote management and dynamic security services and application intelligence updates, a WAN
interface (separate from Wire-Mode interfaces) must be configured for Internet connectivity. This is easily done
given that SonicOS supports interfaces in mixed-modes of most any combination. Consider the network interface
settings shown below:

The table below describes the four Wire-Mode settings:

Bypass Mode
  Bypass Mode allows for the quick and relatively non-interruptive introduction of the SonicWALL into a
  network. Upon selecting a point of insertion into a network (e.g. between a core switch and a perimeter
  firewall, in front of a VM server farm, at a transition point between data classification domains) the
  SonicWALL is inserted into the physical data path, requiring a very short maintenance window. While
  Bypass Mode does not offer any inspection or firewalling, this mode allows the administrator to physically
  introduce the SonicWALL into the network with a minimum of downtime and risk, and to obtain a level of
  comfort with the newly inserted component of the networking and security infrastructure. The administrator
  can then transition from Bypass Mode to Inspect or Secure Mode instantaneously through a simple
  user-interface driven reconfiguration.

Inspect Mode
  Inspect Mode extends Bypass Mode without functionally altering the low-risk, zero-latency packet path.
  Packets continue to pass through the SonicWALL, but they are also mirrored to the multi-core RF-DPI engine
  for the purposes of passive inspection, classification, and flow reporting. This reveals the SonicWALL's
  Application Intelligence and threat detection capabilities without any actual intermediated processing.

Secure Mode
  Secure Mode is the progression of Inspect Mode, actively interposing the SonicWALL's multi-core processors
  into the packet processing path. This unleashes the inspection and policy engine's full set of capabilities,
  including Application Intelligence and Control, Intrusion Prevention Services, Gateway and Cloud-based
  Anti-Virus, Anti-Spyware, and Content Filtering. Secure Mode affords the same level of visibility and
  enforcement as conventional NAT or L2 Bridge mode deployments, but without any L3/L4 transformations, and
  with no alterations of ARP or routing behavior. Secure Mode thus provides an incrementally attainable NGFW
  deployment requiring no logical and only minimal physical changes to existing network designs.

Tap Mode
  Tap Mode is designed for use in environments employing network taps, smart taps, port mirrors, or SPAN
  ports to deliver packets to external devices for inspection or collection. Tap Mode provides the same
  visibility as Inspect Mode, but differs from the latter in that it ingests a mirrored packet stream via a
  single port on the SonicWALL, eliminating the need for physically intermediated insertion. Like all other
  forms of Wire-Mode, Tap Mode can operate on multiple concurrent port instances, supporting discrete streams
  from multiple taps.

To summarize the key functional differences between modes of interface configuration:

                                     Bypass  Inspect  Secure  Tap    L2 Bridge, Transparent,
Function or service                  Mode    Mode     Mode    Mode   NAT, Route Modes
Active/Active Clustering (a)         No      No       No      No     Yes
Application Control                  No      No       Yes     No     Yes
Application Visibility               No      Yes      Yes     Yes    Yes
ARP/Routing/NAT (a)                  No      No       No      No     Yes
Comprehensive Anti-Spam Service (a)  No      No       No      No     Yes
Content Filtering                    No      No       Yes     No     Yes
DHCP Server (a,b)                    No      No       No      No     Yes
DPI Detection                        No      Yes      Yes     Yes    Yes
DPI Prevention                       No      No       Yes     No     Yes
DPI-SSL (a)                          No      No       No      No     Yes
High-Availability (a,c)              No      No       No      No     Yes
Link-State Propagation (d)           Yes     Yes      Yes     No     No
SPI                                  No      Yes      Yes     Yes    Yes
TCP Handshake Enforcement (e)        No      No       No      No     Yes
Virtual Groups (a)                   No      No       No      No     Yes

a. These functions or services are unavailable on interfaces configured in Wire-Mode, but remain available on a
system-wide level for any interfaces configured in other compatible modes of operation.
b. Not available in L2 Bridge Mode.
c. Not available on the E10100. Active/Passive HA can be achieved using Active/Active Clustering in singleton mode.
d. Link-State Propagation is a feature whereby interfaces in a Wire-Mode pair mirror the link-state transitions
of their partners. This is essential to proper operation in redundant path networks in particular, and is described
in the Augmenting Existing Firewalls network insertion scenario below.
e. Disabled by design in Wire-Mode (and possible to disable in L2 Bridge Mode) so that failover events occurring
elsewhere on the network are supported when multiple Wire-Mode paths, or multiple SonicWALL units, are in use
along redundant or asymmetric paths.


Configuring Tap-Mode

The quickest, easiest way to get an evaluation started is to place the SonicWALL unit into Tap Mode:

1. Rack and power the SonicWALL unit and physically connect one of the interfaces (e.g. X2) to a link from the
distribution tap.
2. Using the dedicated management interface (default IP 192.168.168.168), select an interface (e.g. X1) to
serve as the WAN interface for dynamic updates.
3. Connect this interface to a segment of the network with outbound Internet access (minimally, for the services
DNS, NTP, HTTP, and HTTPS), and address it accordingly.
4. Consult the reference documents [1] for steps on configuring Security Services, Application Intelligence, Flow
Reporting [2], and Visualizations.
5. On the SonicWALL Network > Interface page, select the X2 interface and configure as follows:
   Zone = LAN
   IP Assignment = Wire Mode
   Wire Mode Type = Tap Mode

6. Additional configuration will need to be done on the Layer 2 managed switch that the SonicWALL is
connected to. In particular, a gigabit Ethernet port needs to be placed into Sniffer/Promiscuous mode in order for
the SonicWALL NSA to capture all the data.

[1] Application Control Feature Module: http://www.sonicwall.com/us/support/230_17452.html
    NetFlow Reporting Feature Module: http://www.sonicwall.com/us/support/230_17455.html
    Visualization Dashboard Feature Module: http://www.sonicwall.com/us/support/230_17458.html
    Intrusion Prevention Service Primer: http://www.sonicwall.com/us/support/2134_4169.html
[2] Flow Reporting requires that the configured flow collector be reachable by IP from the SonicWALL. An
    interface, such as the dedicated management interface or some other available X0-X21 interface, must be
    configured and connected accordingly.


7. Activate all the security services, Gateway Anti-Virus, Anti-Spyware, IPS, and Application Control as
described below in the Configuring Application Intelligence section.

Advanced Wire-Mode Deployments

This section details the deployment and configuration of a SonicWALL Next Generation Firewall using Wire-Mode
for high availability.

Network Insertion: Augmenting Existing Firewalls


While Wire-Mode does not support the set of High Availability options available to the other interface operation
modes listed in the table above, Wire-Mode deployments need not introduce a single point of failure into the network.

Tap Mode, as described above, never introduces a point of failure, and Bypass, Inspect, and Secure mode
deployments can be as redundant as the topology into which they are being introduced. For example, consider
the following environment:

Diagram 3 Redundant Network / Data Center

Assume that the current firewalls in use are older models, incapable of providing essential next generation firewall
protection, but still providing other services and deemed not quite ready for retirement. Assume further that traffic
rates at this point on the network average around 1Gbps with occasional spikes up to 3Gbps. A reasonable point
of insertion for the appropriately sized SonicWALL E10400 would be between the core switches and the existing
firewalls:

Diagram 4 Wire-Mode E10400 Insertion

The redundant paths between the switches and the firewalls are fully preserved across the two Secure Mode
interface pairs through each SonicWALL E10400, and although the addition of another component technically
increases the system's calculated hazard rate, the system is still spared a single point of failure. In the event of a
failure of any of the elements in the diagram (e.g. a switch, a fiber path, an SFP+ transceiver, a firewall, etc.) the
traffic would proceed through the redundant counterpart.

The Link-State Propagation feature of Wire-Mode supports this kind of resiliency in redundant path networks.
Consider what would happen if there were a fiber cable failure on the primary link between the E10400's X1
interface and the upstream firewall. Without Link-State Propagation, the switch below, connected to the E10400's
X0, would not know of the path failure (since its link to the E10400 would still be in an up state) and it would not
fail over to its redundant path to the upstream firewall on the right (connected through the E10400's X2 and X3
Wire-Mode interfaces). With Link-State Propagation, when the X1 link state changes to down, its paired interface
X0 is switched to an administratively down state, allowing path failover to occur. When link state is restored on
X1, X0 is brought back up, and the path again becomes available.

Because Wire-Mode also disables TCP handshake enforcement, previously established connections are allowed
to continue unimpeded. So in the example above, when the path transitions from the X0:X1 Wire-Mode pair to the
X2:X3 pair, all of the connections (as supported by the underlying applications and protocols) will resume without
needing to be re-established. This would also be true for path failures from one E10400 to the other (such as in
the event of total switch failure). [3]

With the newly inserted application intelligence layer, the security administrator is finally able to see precisely the
sort of traffic that is passing through a coarse access rule such as "access-list SIEVE permit TCP any object-group
LOCALNETS eq http" on their existing firewalls, and to define real access controls.
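The failover behaviour described above, as an added model that is not SonicWALL code: it assumes a single E10400 whose X0:X1 pair is the switch's primary uplink and whose X2:X3 pair is its redundant one, and an assumed switch rule that keeps using the primary uplink while its link is up. It shows that without propagation the switch keeps sending into a black-holed path, and with propagation it fails over and later recovers.

```python
"""Model of Wire-Mode Link-State Propagation on a redundant path.

Added illustration, not SonicWALL code. A core switch has a primary uplink
through an E10400's X0:X1 Wire-Mode pair and a redundant uplink through its
X2:X3 pair (names from the TechNote); the switch's path-selection rule is an
assumption made for this model.
"""
from dataclasses import dataclass, field


@dataclass
class WireModeAppliance:
    """Two Wire-Mode pairs. Each interface has a physical link state and an
    administrative state that Link-State Propagation may force down."""
    pairs: dict = field(default_factory=lambda: {"X0": "X1", "X2": "X3"})
    link_state_propagation: bool = True
    physical_up: dict = field(init=False)
    admin_up: dict = field(init=False)

    def __post_init__(self):
        names = [n for pair in self.pairs.items() for n in pair]
        self.physical_up = {n: True for n in names}
        self.admin_up = {n: True for n in names}

    def partner(self, iface):
        """Return the other member of iface's Wire-Mode pair."""
        for a, b in self.pairs.items():
            if iface == a:
                return b
            if iface == b:
                return a
        raise KeyError(iface)

    def set_link(self, iface, up):
        """Physical link transition on iface (e.g. a fiber cut on X1)."""
        self.physical_up[iface] = up
        self._propagate()

    def _propagate(self):
        # With propagation, an interface stays administratively up only while
        # its partner's physical link is up. Without it, admin state never
        # changes, so the neighbor keeps seeing an up link on its side.
        for iface in self.physical_up:
            partner_up = self.physical_up[self.partner(iface)]
            self.admin_up[iface] = partner_up if self.link_state_propagation else True

    def port_up(self, iface):
        """Link state as seen by the neighbor cabled to iface."""
        return self.physical_up[iface] and self.admin_up[iface]


def switch_path(appliance, primary="X0", redundant="X2"):
    """Assumed switch behaviour: keep using the primary uplink while its link
    is up, otherwise fail over to the redundant uplink. Returns the Wire-Mode
    pair the switch is sending through, or None if both uplinks are down."""
    for iface in (primary, redundant):
        if appliance.port_up(iface):
            return f"{iface}:{appliance.partner(iface)}"
    return None


def path_delivers(appliance, path):
    """A Wire-Mode path carries traffic only if both members are physically up."""
    if path is None:
        return False
    a, b = path.split(":")
    return appliance.physical_up[a] and appliance.physical_up[b]


def fiber_cut_scenario(propagation):
    """Cut the X1 fiber, then restore it. Returns (path chosen during the
    failure, whether that path actually delivers traffic, path after restore)."""
    e10400 = WireModeAppliance(link_state_propagation=propagation)
    e10400.set_link("X1", False)
    during = switch_path(e10400)
    delivers = path_delivers(e10400, during)
    e10400.set_link("X1", True)
    return during, delivers, switch_path(e10400)


if __name__ == "__main__":
    for prop in (False, True):
        print(f"Link-State Propagation {'on' if prop else 'off'}:",
              fiber_cut_scenario(prop))
```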

Configuring Wire-Mode when Augmenting Existing Firewalls


To configure Wire-Mode in this case, perform the following steps:
1. Rack and power both E10400 units, and prepare 4 additional fiber cables for interconnection.
2. Using the dedicated management interface (default IP 192.168.168.168), select an interface (e.g. X6) to
serve as the WAN interface for dynamic updates.
3. Connect this interface to a segment of the network with outbound Internet access (minimally for the services
DNS, NTP, HTTP, and HTTPS), and address it accordingly.
4. Consult the reference documents [4] for steps on configuring Security Services, Application Intelligence and
Control, Flow Reporting [5], and Visualizations.
5. If possible, determine which of the paths between the two core switches and the two upstream firewalls are
active and which are idle. For this configuration, we assume that the paths between the core switches and the
firewalls situated above them in the diagram are active, and that the diagonally cross-linked paths are idle.
6. Beginning on one side of the network (e.g. the core switch on the left), disconnect the link between the core
switch and the diagonally cross-connected firewall.
7. Connect this link from the switch to the X2 interface on the left E10400.
8. Cable the X3 interface on the left E10400 to the diagonally situated upstream firewall.
9. On the left E10400 Network > Interface page, select the X2 interface and configure as follows:
   Zone = LAN
   IP Assignment = Wire Mode
   Wire Mode Type = Secure Mode
   Paired Interface = X3

[3] Stateful inspection continues on all connections in path failovers of this sort, but DPI scanning only occurs on
    newly established connections.
[4] Application Control Feature Module: http://www.sonicwall.com/us/support/230_17452.html
    NetFlow Reporting Feature Module: http://www.sonicwall.com/us/support/230_17455.html
    Visualization Dashboard Feature Module: http://www.sonicwall.com/us/support/230_17458.html
    Intrusion Prevention Service Primer: http://www.sonicwall.com/us/support/2134_4169.html
[5] Flow Reporting requires that the flow collector be reachable by IP from the E10400. An interface, such as the
    dedicated management interface or some other available X0-X21 interface, must be configured and connected
    accordingly.

10. Move to the other (e.g. right) side of the network, and disconnect the link between the core-switch and the
diagonally cross-connected firewall.
11. Connect this link from the switch to the X0 interface on the right E10400.
12. Cable the X1 interface on the right E10400 to the diagonally situated upstream firewall.
13. On the right E10400 Network > Interface page, select the X1 interface and set the Zone to Unassigned.
14. On the right E10400 Network > Interface page, select the X0 interface and configure as follows:
Zone = LAN
IP Assignment = Wire Mode
Wire Mode Type = Secure Mode
Paired Interface = X1
15. Staying on the right side of the network, disconnect the link between the core-switch and the firewall situated
above it.
16. Connect this link from the switch to the X2 interface on the right E10400.
17. Cable the X3 interface on the right E10400 to the upstream firewall.
18. Beginning on one side of the network (e.g. the core-switch on the left), disconnect the link between the core-
switch and the diagonally cross-connected firewall.
19. Return to the other (e.g. left) side of the network and disconnect the link between the core-switch and the
firewall situated above it.
20. Cable the X1 interface on the left E10400 to the upstream firewall.
21. On the right E10400 Network > Interface page, select the X1 interface and set the Zone to Unassigned.
22. On the right E10400 Network > Interface page, select the X0 interface and configure as follows:
Zone = LAN
IP Assignment = Wire Mode
Wire Mode Type = Secure Mode
Paired Interface = X1
23. Activate all the security services, Gateway Anti-Virus, Anti-Spyware, IPS, and Application Control as
described below in the Configuring Application Intelligence section.


Configuring Application Intelligence

1. Once Internet connectivity is established over the X0 interface, proceed with registering the appliance. If
security services have not been purchased, activate the 30-day trial of Gateway AV, IPS, App Control, CFS,
and Anti-Spyware.

Navigate to System > Diagnostics and run all the tests under Check Network Settings. If you have an
unsuccessful result, double-check cabling and IP settings. (Note: the upstream gateway device may not allow
ping, so failing that particular test is not by itself conclusive of an issue. The license servers for
MySonicWALL should all come back with positive results.)

2. When the appliance is successfully registered, go to the System > Licenses page and click Synchronize
under Manage Security Services Online. This contacts the SonicWALL licensing server and ensures that
the appliance is properly licensed.
3. To check licensing status, go to the System > Status page and view the license status of all the services.
4. Download the latest firmware (5.8.1 or newer) from www.mysonicwall.com. On the SonicWALL, navigate to
System > Settings, upload the new firmware, and boot the new firmware image.
5. When using a SonicWALL network security appliance in Layer 2 Bridge Mode in a network configuration
where another device is acting as the DHCP server, you must first disable the SonicWALL's internal DHCP
server, which is configured and running by default. On the Network > DHCP Server page, clear the Enable DHCP
Server check box, and then click the Apply button at the top of the screen.


6. On the Network > Interfaces page, click the Configure icon for X1 and X0. Enable the HTTP/HTTPS
management check boxes and optionally the others.
7. OPTIONAL (when you have an SNMP management solution): On the System > Administration page, make
sure the check box next to Enable SNMP is checked, and then click the Accept button at the top of the
screen. Then, click the Configure button. On the SNMP Settings page, enter all the relevant information for
your network security appliance: the GET and TRAP SNMP community names that the SNMP server expects
and the IP address of the SNMP server. Click OK to save and activate the changes.
8. On the Log > ViewPoint page, click the Add button and create an entry for the ViewPoint server. Click OK
to save and activate the change.
9. On the Network > Zones page, enable GAV, Anti-Spyware, IPS, and App Control on the WAN and LAN
zones.
10. Then, on the Security Services page for each service, enable and configure the settings that are most
appropriate for your environment. The recommended settings are shown below:

Gateway Anti-Virus settings

Intrusion Prevention settings

Anti-Spyware settings

Application Control Settings

11. On the Firewall > Access Rules page, create access rules that allow WAN > LAN for ANY traffic. By default all
traffic is allowed from LAN > WAN.
12. On the Log > Categories page, set the Logging Level to Informational and the Alert Level to Critical.
Click Accept to save and activate the change. Enable Log and Syslog for Application Control,
Application Firewall, and any other pertinent areas. If you wish to receive alerts for a particular activity,
enable the Alert check box.

13. Go to the Log > Name Resolution page and set the Name Resolution Method to DNS then NetBIOS.
Ensure the correct DNS servers are specified. Click Accept to save and activate the change.


Creating the SWARM Report

There are a variety of Application Intelligence reports that can be generated from a SonicWALL Next Generation
Firewall. The simplest and quickest is the SonicWALL Application and Risk Management (SWARM) report.

1. From the SonicWALL administrator interface, select Dashboard > App Flow Monitor and select the paper
icon:

2. The following popup window will appear. Select the blue Download button to download the database and
save the file to a local directory:

3. Log in to MySonicWALL (http://www.mysonicwall.com) and select the SW Tools section from the main menu:


4. This will expand the section and present a sub menu. Select App Reports:

5. This will open a dialog that allows you to upload the database you saved in Step #2 by selecting the
Upload button:

6. After the report is created, it will be available in OpenOffice or Word format for editing, or in PDF format for
distribution:


Configuring Alerts (Optional)


To receive logs and/or alerts via email, configure the Log > Automation page with the appropriate email address and
SMTP mail server settings. Only items that are selected in the Log and Alert fields on the Log > Categories page
will be sent via email.


Enabling NetFlow Reporting (Optional)

SonicOS 5.8 offers the ability to use NetFlow/IPFIX based reporting for NetFlow v5, v9, and IPFIX. The
recommendation is to use IPFIX, as it provides the richest reporting along with custom templates. Templates are
additional extensions to the IPFIX standard that allow the export of custom data to an external IPFIX collector (like
SonicWALL Scrutinizer).

In this release, SonicWALL templates include the following: Applications, Virus, Spyware, Intrusions, Users,
URLs, URL Ratings, Location Map (Countries), Services, Connections, VPNs, SPAM, VOIP, Logs, Interface
Stats, Core Utilization, and Memory Utilization.

Note: Even though the SonicWALL is capable of exporting this extra data via templates, the NetFlow/IPFIX collector
needs to support these templates as well if you wish to get reporting data from them. SonicWALL Scrutinizer
supports many of the custom templates the firewall exports.

Note: The App Flow Monitor depends on Flow Reporting being enabled for the internal collector.

To start collecting and exporting NetFlow data:

1. Install an external NetFlow collector such as SonicWALL Scrutinizer. If using Scrutinizer, a Windows Server
(2008/2003) is required. For more details on server capacity planning and installing Scrutinizer, refer to the
Scrutinizer release notes and documentation. An online capacity planning tool is available at the following
URL:
http://www.plixer.com/products/NetFlow-sflow/netflow-bandwidth-calculator.php
2. Under Network > Interfaces (WAN, LAN, etc.), ensure that flow-based reporting is enabled.
3. Navigate to Log > Flow Reporting.
4. Enable the following boxes:
   Enable Flow Reporting Type: Local
   Report to EXTERNAL collector
   Report Flows > All
5. For external flow reporting, use IPFIX with extensions, provided you are using Scrutinizer or a NetFlow
collector that recognizes SonicWALL templates. If you are using a collector that does not understand custom
templates, select IPFIX.
6. Enter the external collector's IP address. This will be the IP address of the server running Scrutinizer.
7. Ensure the external UDP collector Port is set to 2055. This is the default value.
Note: The Scrutinizer server must not block port 2055. You may need to disable Windows Firewall for this
service.
8. Enable the boxes for Sending Templates and Static Flows at regular intervals.
9. Enable the Realtime with bulk setting for flow-based reporting.
10. Under Event Settings, enable all the check boxes except Report Once.
11. Restart the SonicWALL.
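To show why the collector must understand the exporter's templates, as the note above says, here is a minimal IPFIX decoder added as an example (it is not SonicWALL or Scrutinizer code); the sample message, its enterprise number 99999 and its field layout are constructed placeholders, not the firewall's real template definitions.

```python
"""Minimal IPFIX (RFC 7011) decoder of the kind a flow collector runs.

Added example, not SonicWALL or Scrutinizer code. A data set is opaque until
the template it references has been received, which is why a collector must
keep the exporter's templates (including vendor-specific ones) to decode
them. The sample message below is constructed here; enterprise number 99999
and the field layout are placeholders.
"""
import struct

IPFIX_VERSION = 10       # NetFlow v9 uses version 9 and a different header
TEMPLATE_SET_ID = 2
IE_NAMES = {1: "octetDeltaCount", 8: "sourceIPv4Address",
            12: "destinationIPv4Address"}   # IANA element ids used below


def parse_message(data, templates):
    """Decode one IPFIX message. `templates` maps template id -> field list
    and is updated in place as template sets arrive, so it must persist across
    messages. Returns decoded records plus a count of sets that could not be
    decoded (unknown template or unsupported set type)."""
    version, length, _export_time, seq, _domain = struct.unpack("!HHIII", data[:16])
    if version != IPFIX_VERSION:
        raise ValueError(f"not an IPFIX message (version {version})")
    records, skipped, offset = [], 0, 16
    while offset + 4 <= length:
        set_id, set_len = struct.unpack("!HH", data[offset:offset + 4])
        body = data[offset + 4:offset + set_len]
        if set_id == TEMPLATE_SET_ID:
            _parse_template_set(body, templates)
        elif set_id >= 256 and set_id in templates:
            records.extend(_parse_data_set(body, templates[set_id]))
        else:
            skipped += 1
        offset += set_len
    return {"records": records, "skipped_sets": skipped, "sequence": seq}


def _parse_template_set(body, templates):
    off = 0
    while off + 4 <= len(body):
        tid, count = struct.unpack("!HH", body[off:off + 4])
        if tid < 256:            # zero padding at the end of the set
            break
        off += 4
        fields = []
        for _ in range(count):
            ie, flen = struct.unpack("!HH", body[off:off + 4])
            off += 4
            pen = None
            if ie & 0x8000:      # enterprise bit: a vendor-specific element
                (pen,) = struct.unpack("!I", body[off:off + 4])
                off += 4
                ie &= 0x7FFF
            fields.append((ie, flen, pen))
        templates[tid] = fields


def _parse_data_set(body, fields):
    # Assumes fixed-length fields only (no 0xFFFF variable-length encoding).
    rec_len = sum(flen for _, flen, _ in fields)
    records, off = [], 0
    while off + rec_len <= len(body):
        rec = {}
        for ie, flen, pen in fields:
            rec[_field_name(ie, pen)] = _decode(ie, pen, body[off:off + flen])
            off += flen
        records.append(rec)
    return records


def _field_name(ie, pen):
    return f"enterprise{pen}.ie{ie}" if pen is not None else IE_NAMES.get(ie, f"ie{ie}")


def _decode(ie, pen, raw):
    if pen is None and ie in (8, 12):
        return ".".join(str(b) for b in raw)
    if pen is None:
        return int.from_bytes(raw, "big")
    return raw   # vendor element: its meaning comes from the vendor's template docs


def build_sample(include_template=True):
    """Constructed exporter output: template 256 (src/dst IPv4, octet count and
    one vendor element carrying an application name) and one data record."""
    tmpl = struct.pack("!HH", 256, 4)
    tmpl += struct.pack("!HHHHHH", 8, 4, 12, 4, 1, 8)
    tmpl += struct.pack("!HHI", 0x8000 | 1, 8, 99999)   # placeholder PEN
    tset = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tmpl)) + tmpl
    rec = bytes([192, 168, 169, 20]) + bytes([203, 0, 113, 9])
    rec += struct.pack("!Q", 12345) + b"facebook"
    dset = struct.pack("!HH", 256, 4 + len(rec)) + rec
    body = (tset if include_template else b"") + dset
    header = struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), 1700000000, 1, 0)
    return header + body


if __name__ == "__main__":
    cache = {}
    print(parse_message(build_sample(True), cache))   # template learned, record decoded
    print(parse_message(build_sample(False), {}))     # cold collector: data set skipped
```

A collector that restarts loses its template cache and skips data sets until the exporter resends templates, which is what the "Sending Templates at regular intervals" setting above guards against.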


Configuring Single Sign On (Optional)


Generating user data in the real-time monitor and syslog files requires users to be authenticated to the SonicWALL;
this can be done in two different ways. With manual user level authentication (ULA), the first time users attempt to
pass traffic through the appliance, they are directed to a login screen to enter their credentials. Their credentials
can come from an LDAP server or the local user database on the SonicWALL. This method may work in small
environments, but most enterprise customers want seamless authentication and user tracking. In this case, the
SonicWALL single sign-on (SSO) agent along with LDAP integration is required. When using the SSO agent,
users are never prompted to log in to the SonicWALL, provided they are using Windows or Linux machines.

A basic outline of how to deploy SSO:

1. Configure the SonicWALL Users > Settings page to LDAP + Local Users.
2. On the LDAP screen, configure access to your LDAP server with proper credentials.
3. Import the user groups that you wish to use for policies, e.g., domain users, domain admins, etc.
4. Define the IP addresses of the SSO agent(s).
Note: In larger environments, or very busy networks, you may want to use multiple SSO agents to provide
additional scalability and reliability in user tracking. Up to 8 SSO agents are supported.
5. Test a user login to ensure proper communication with the LDAP server and that the appropriate group
membership is retrieved. Install and configure the SSO agents on Windows 2003/2008 server(s).

For more details on SSO and policy actions that can pertain to given users or groups in LDAP, refer to the
TechNote available in the Support section of www.sonicwall.com entitled "Leveraging LDAP Groups and Users
with SonicWALL network security appliances".

For instructions on how to deploy SSO agents, see the following TechNote:
http://www.sonicwall.com/downloads/SonicOS_Enhanced_5.6_Single_Sign_On_Feature_Module.pdf
