
NGFW: Volume flow reporting using SonicWALL Scrutinizer and visualiz...

http://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=9376&p=t

NGFW: Volume flow reporting using SonicWALL Scrutinizer and visualization for streaming multimedia.
Article Applies To:
Gen6: NSA E10800, NSA E10400, NSA E10200, NSA E10100
Gen5: NSA E8510, NSA E8500, NSA E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 240
Gen5 TZ Series: TZ 210, TZ 210 Wireless
Firmware Version: SonicOS 5.8 and above
Software Version: SonicWALL Scrutinizer 8.6.2.16204 and above
Services: Real-Time Monitor, App Flow Monitor, Flow Reporting

Feature/Application:
Leveraging flow reporting and visualization to determine streaming multimedia traffic and flow volume over time by filtering reports that show ambiguous services/protocols such as HTTP. Online multimedia often uses HTTP as the streaming protocol, which makes it hard to tell apart from other applications that use HTTP. Application signatures can identify many services and applications during session establishment, but where these then stream over a common protocol like HTTP, the application signatures cannot be used for volume-type reports. Visualization works well for a first, real-time identification, but flow reporting using IPFIX with extensions is the recommended follow-up method for historical reports. If the main focus is analyzing which services and applications the top bandwidth users/hosts use, and the application or service is already known, a pair report can identify the top responder IPs. If, on the other hand, the main objective is to identify the bandwidth used by multimedia-type services and applications globally and over an extended period, follow the procedure described below:

Procedure:
Pre-requisites:
- Licensed and configured visualization on the firewall running SonicOS 5.8 and above.
- Configured flow reporting to an external collector (in this case SonicWALL Scrutinizer) supporting IPFIX with SonicWALL's proprietary extensions.
- Multimedia-type traffic traversing the firewall.

1. Use both the Real-Time and App Flow dashboard monitors to identify the most bandwidth-intensive multimedia services and applications, their directionality, and the involved interfaces, ports and hosts.

1 of 4

8/31/2013 10:30 AM


2. Increase the App Flow Monitor (AFM) interval and group by category to further validate the results, keeping in mind that the bulk of the traffic may be classified under categories like Protocols and Services rather than the expected Multi-Media.

3. Check the AFM's URLs grouped by Domain Name or Rating to more easily find the content delivery networks (CDNs), which will most likely show very high total values and may be rated as Multimedia (48).


4. Leverage SonicWALL Scrutinizer to report on applications using the previously identified ambiguous port (e.g. 80) over a more extensive period of time.

5. Filter the report by the address(es) of the most used CDNs, further differentiating the streaming application(s)/service(s) from the common ambiguous protocol.


6. Identify streaming multimedia applications such as MPEG-4 or Windows Media Video (ASF) next to the ambiguous protocol like HTTP to finalize the report filtering.

7. Change the report type to gain further insight into the traffic patterns over time and the culprit sources.

8. Save/export the report and use the information to take appropriate action.

Tip: the upcoming Dashboard's App Flow Report can, when available, be used most easily to determine the exact protocol or application used by the top bandwidth users/hosts.
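As an added illustration, not part of this SonicWALL article or of Scrutinizer, the Python script below runs steps 4 to 7 over a handful of constructed flow records: total volume on the ambiguous port per application, then narrowing to CDN responders and streaming applications per hour, and finally the top internal sources. The record layout, the application names and the CDN range are assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records in the shape a collector would hold after IPFIX export:
# (hour, src, dst, dst_port, application, bytes). The application name is assumed
# to come from the SonicWALL IPFIX extension field; values here are made up.
FLOWS = [
    (9,  "10.1.1.20", "203.0.113.10", 80,  "HTTP",                      5_000_000),
    (9,  "10.1.1.21", "203.0.113.11", 80,  "MPEG-4",                  120_000_000),
    (10, "10.1.1.22", "198.51.100.5", 80,  "HTTP",                      8_000_000),
    (10, "10.1.1.20", "203.0.113.12", 80,  "Windows Media Video (ASF)", 90_000_000),
    (10, "10.1.1.23", "192.0.2.7",    443, "HTTPS",                    30_000_000),
    (11, "10.1.1.21", "203.0.113.10", 80,  "MPEG-4",                  150_000_000),
]

# Constructed CDN range, as found by grouping AFM URLs by Domain Name/Rating (step 3).
CDN_NETS = [ip_network("203.0.113.0/24")]
STREAMING_APPS = {"MPEG-4", "Windows Media Video (ASF)"}


def bytes_by_app_on_port(flows, port):
    """Step 4: volume per application on the ambiguous port (everything looks like HTTP)."""
    totals = defaultdict(int)
    for _hour, _src, _dst, dport, app, nbytes in flows:
        if dport == port:
            totals[app] += nbytes
    return dict(totals)


def is_cdn(addr):
    ip = ip_address(addr)
    return any(ip in net for net in CDN_NETS)


def cdn_volume_by_hour(flows, port, apps=None):
    """Steps 5-6: keep only flows to CDN responders on the port, optionally only
    the identified streaming applications, and bucket the bytes per hour."""
    buckets = defaultdict(int)
    for hour, _src, dst, dport, app, nbytes in flows:
        if dport != port or not is_cdn(dst) or (apps and app not in apps):
            continue
        buckets[hour] += nbytes
    return dict(sorted(buckets.items()))


def top_sources(flows, port, apps, n=5):
    """Step 7: the internal hosts ('culprit sources') generating the streaming volume."""
    per_src = defaultdict(int)
    for _hour, src, dst, dport, app, nbytes in flows:
        if dport == port and is_cdn(dst) and app in apps:
            per_src[src] += nbytes
    return sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)[:n]
```

Running `cdn_volume_by_hour(FLOWS, 80)` against `cdn_volume_by_hour(FLOWS, 80, STREAMING_APPS)` shows how much of the port-80 CDN volume is plain HTTP versus actual streaming.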

Related Articles
UTM: Flow reporting and visualization FAQ (5.8 onwards)
