SonicWall® Analytics Administration

Contents

About Analytics  4
  About Analytics  4
  Using On-Premises Analytics  4
  Using Analytics with CSC-MA  5
  Navigation  5
    Device Manager  6
    Command Menu  6
    Work Space  6
  Notification Center  7
  Accessing ANALYTICS  8
  Related Documents  9
Overview  10
  Status  10
    Acquisition History  10
    Firewall  11
    Flow Management  11
    Flow Details  12
    Firmware Details  12
    Synchronize with MySonicWall.com  12
    End User License Agreement  13
  Device List  13
    Devices  13
    Map Locations  14
  Network Topology  15
Using Analytics  18
  Navigating IPFIX-Based Analytics  18
  Groups  19
    Using the Groups Tabs  19
    Using Other Filtering and Sorting Options  20
    Using the Data Management Icons  20
    Using the Groups Summaries  21
    Using the Table  21
  Graphs  22
    Using the Graphs Tabs  22
    Using Graphs Filtering and Sorting Options  23
    Using the Graph Management Icons  24
    Using the Graphs Summary  25
    Using the Graphs  25
  Session Logs  27
    Using Filtering and Sorting Options for Session Logs  28
    Using the Session Logs Display Options  28
    Using the Session Log Summary  29
ANALYTICS Administration Contents 2
    Using the Session Logs  29
SonicWall Support  31
  About This Document  32

1 About Analytics

SonicWall® Analytics extends security event analysis and reporting by providing real-time visualization, monitoring and alerts based on correlated security data.

NOTE: The Syslog-based implementation of On-Premises Analytics does not include an ANALYTICS view. Key Syslog-based information is provided in the REPORTS view. For more information, refer to Analytics REPORTS Administration for Syslog Solution.

Topics:
• About Analytics
• Navigation
• Notification Center
• Accessing ANALYTICS
• Related Documents

About Analytics

With On-Premises Analytics, you can perform flexible drill-down and analysis and gain insight into your network, user access, connectivity, application use, threat profiles and other firewall-related data.
It provides the following key features:
• Data collection that includes normalizing, correlating, and contextualizing the data to the environment
• Streaming analytics in real time
• Analytics including activity trends and connections across the entire network
• Real-time dynamic visualization of the security data from a single point
• Real-time detection and remediation

SonicWall On-Premises Analytics is designed for customers requiring long-term storage of firewall logs and supports all SonicWall firewalls. It also supports integration with Capture Security Center-Management, Reporting, and Analytics (CSC-MA). For firewalls not under management, you can do reporting and analysis using On-Premises Analytics. It can be deployed as a virtual machine using an OVA on VMware ESXi. Refer to the On-Premises Analytics ESXi Deployment Guide, which can be found at the Technical Documentation portal.

Using On-Premises Analytics

SonicWall Analytics can be used as a standalone On-Premises solution for collecting and storing flow and log data from firewalls and using that data for analytics and reporting.

NOTE: In this kind of deployment, you do not have firewall management capabilities.

Using Analytics with CSC-MA

SonicWall Analytics can be used in conjunction with CSC. This allows users to manage firewalls from CSC and also view reporting and analytics data in CSC from On-Premises Analytics while storing the data locally. When you click on a firewall whose data is stored in Analytics, CSC-MA fetches the data from On-Premises Analytics and shows it in CSC. The data exchanged between CSC-MA and On-Premises Analytics is encrypted and compressed so that no data integrity issues are experienced.

Navigation

The interface for Analytics varies because of the different configurations and types of reporting that can be selected. The images provided do not match every implementation, but should be viewed as an example that you can use as a guide while moving through the interface.
Major differences are noted when needed to avoid confusion.

When you first open the HOME view, the interface shows three work areas:
• Device Manager
• Work space
• Command menu

Topics:
• Device Manager
• Command Menu
• Work Space

Device Manager

In the DEVICE MANAGER, you can group the devices in your security infrastructure using the pre-defined views. Under each view you see a summary of all of the devices that are being managed in your security infrastructure. The appliances are listed in alphabetical order. You can change the views, and additional views include:
• GlobalView
• FirmwareView
• ModelView

In FirmwareView and ModelView, the devices are grouped by firmware version and model number, respectively. Refer to Device Manager for more information.

Command Menu

The command menu is located directly under the SonicWall logo. You can manage your devices using these commands. The commands are grouped under similar functions. Click on a command to expand it and see its options. For example, Status, Dashboard, and Live Monitor are grouped under Overview for IPFIX-based reporting. If you select a different view from the top of the work area, different menu items are shown.

Work Space

The work space is where all the data is displayed. This is where you monitor status, see reports, set schedules, drill down for data and so forth. Similar tasks are grouped under the views identified by the icons across the top navigation of the work space. The options may vary according to your configuration. The following figures show two sample implementations, along with a description of the views.

Figure: Top Navigation for Syslog-Based, On-Premises Analytics
Figure: Top Navigation for Analytics in CSC-MA

Icon: Description
HOME: The default view when you log in with most implementations. Navigate here to view general data such as status, the Dashboard, and summary reports. NOTE: The Syslog-based, On-Premises Analytics is missing the HOME view.
MANAGE: When Analytics is licensed with a firewall management system, this view takes you to the commands for managing your firewalls.
REPORTS: Various reports, including live reports when available, are shown and scheduled in this view.
ANALYTICS: Available for IPFIX-based Analytics. Navigate here to see details and perform a deep dive on the information.
NOTIFICATIONS: Shows the status of your network system, allows you to set rules and configure settings, and shows the history of the rules. NOTE: This view is available only with IPFIX-based Analytics.
CONSOLE: Provides access to the CONSOLE (also labeled the Application Configuration Panel on the interface) where you can view logs, manage your appliance and perform other tasks.

At the upper right corner of the work space, additional icons provide information and facilitate your work.

Icon: Description
Appliance text box: Indicates the type of device being monitored.
System Status icons: Provide system status. Click the individual icons for more detail.
  • CPU/Processor
  • Memory/RAM
  • Storage/Disk
  • Estimated Capacity (shown for On-Premises Analytics implementations)
Alerts and Notifications icon: Opens the Alerts and Notifications Center. (Refer to Notification Center for more information.) NOTE: This is only available with IPFIX-based Analytics operating in a cloud environment.
Online Help: Accesses the online help and the Analytics API.
User ID: Indicates the user and the version of the product, and allows you to log out of the application.

Notification Center

NOTE: The Notification Center is only available with IPFIX-based Analytics operating in a cloud environment.

The Notification Center provides an overview of the status and activities being monitored and recorded by Analytics. It displays all alerts, network usage, threats, web activities, and geo (geographic) locations. Each option shows how many unread alerts appear in that particular category.
Tile: Description
ALL: Shows all alerts for all the categories.
NETWORK USAGE: Shows the alerts generated specifically by network usage.
THREATS: Shows the alerts generated by threats such as botnet, virus, intrusion, spyware, and so forth.
WEB ACTIVITIES: Shows alerts generated by websites and web categories.

In the search bar, you can search by firewall name, alert name, message or details. To mark a single alert as read, click on the alert to acknowledge it. Click the white checkmark to mark all alerts in that view as having been read. To delete a single alert, click on the X on that alert. Click the trash icon at the top right to delete all the alerts in the view.

Accessing ANALYTICS

You would typically access On-Premises Analytics through the CSC portal.

To access On-Premises Analytics:
1. Log in to your Capture Security Center (CSC) portal with your MySonicWall username and password.
2. If you access Analytics through CSC-MA:
   a. Log in with your MySonicWall credentials.
   b. Choose a tenant or group.
   c. Select the ANALYTICS tile.
   d. Go to ANALYTICS in the top navigation menu.

Figure: Analytics 2.5 Flow View, Unit Level
Figure: Analytics 2.5 Flow View, Global Level

IMPORTANT: Zero Touch is not supported with CSC-MA when implemented with on-premises Analytics.

NOTE: The sub-commands available in the Overview command vary according to the type of view you selected in the Device Manager. For example, when using the global view of flow Analytics, you can select the Devices option. When using the unit view for a specific firewall, you can select the Status or Network Topology options instead.
Related Documents

The following documents provide additional information about Analytics or related firewall management applications:
• Analytics HOME Administration
• Analytics REPORTS Administration
• Analytics NOTIFICATIONS Administration
• Analytics CONSOLE Administration Guide

2 Overview

• Status
• Device List
• Network Topology

Status

The system goes through a series of steps when acquiring a firewall, and these steps can be monitored on the Overview > Status page, whether you use Zero Touch Deployment or manually bring the firewall under management. The unit must first be plugged in for power and wired to both LAN and WAN for the device to be detected.

The Status page shows different things depending upon whether you have firewall management with Analytics or on-premises Analytics, and whether you use the Syslog-based option or the IPFIX-based option. The interface shows which options are applicable to your implementation.

NOTE: You need to license Analytics to get access to these options. If you licensed Reporting, you only have access to the HOME and REPORTS views. Contact your sales representative if you have questions about your product licensing.

The information on the Status page is broken into the following sections:
• Acquisition History
• Firewall
• Flow Management
• Flow Details
• Firmware Details
• Synchronize with MySonicWall.com
• End User License Agreement

Acquisition History

The steps taken while a unit is being acquired are tracked in the Acquisition History section of the Status page. As each stage is completed, success is indicated by a green check mark inside a small green box, along with a message indicating status. If you want more information about a stage, you can expand it by clicking on the right arrow. More messages and status are then displayed.
If an error occurs, or if a process seems to be taking too long, you can use the information from the expanded options to determine where to begin your troubleshooting. When the acquisition completes successfully, green check marks are shown for every stage.

NOTE: Acquisition History is not shown for on-premises Analytics.

Firewall

The Firewall section of the Status page shows the data for the selected firewall. A green up arrow indicates that IPFIX packets are being received from the firewall. If the acquisition has not completed successfully, the status shows a red down arrow, indicating that the firewall is not online or that there is some kind of error. You can use the messages from the page to help diagnose what the issue might be.

Flow Management

The Flow Management section of the Status page, for Analytics 2.5 flow-based reporting at the unit level, shows statistics about the flow agent you set up on this device. The green arrow symbol means that the VPN tunnel was successfully established.

Flow Details

The Flow Details section of the Status page, for Analytics 2.5 flow-based and syslog-based reporting at the global level, shows statistics about data storage, disk size per the licenses issued, and available (mounted) disk sizes.

Firmware Details

The Firmware Details section is visible in the global view. It shows how many firewalls are licensed for Reporting and Analytics.

Synchronize with MySonicWall.com

SonicWall appliances check their licenses/subscriptions with MySonicWall once every 24 hours. You can manually synchronize with MySonicWall by clicking the Synchronize with MySonicWall.com button if you want to synchronize immediately.
End User License Agreement

The End User License Agreement button at the bottom of the Status page provides the SonicWall End User General Product Agreement, the SonicWall Service Terms for Capture Security Center (Hosted Offering), and the End User License Agreement for SonicWall NSv. Click the button to learn more about end user product agreements and legal resources.

Device List

On an implementation that integrates CSC-MA with Analytics, you have the Device List option when the GroupView or GlobalView is selected in the DEVICE MANAGER. You have the following options for viewing your devices:

Devices

The following images show the Device List for the group or global view you selected when in CSC-MA. The firewalls or virtual units that make up that view are listed in the table on the default view, which is the Devices tab. A summary showing the status of the devices in the group is shown at the top of the table. You can also search for a specific device to display, refresh the display, or customize the table by using the search field and icons above the table.

Map Locations

By selecting the Map Locations tab, you can see how the devices are distributed over a world map.

Network Topology

The Network Topology page provides a visual representation of your network. The following shows a small network configuration. Larger, more complex configurations can also be easily represented.

By clicking on a node in the configuration, you get the details for that node. Depending on the node type, the details might include IP address, MAC address and status. Other node types may include the name and links to options in other views, like the Dashboard, for example. Click away from the pop-up window to hide the details.

Some nodes have a red number associated with them.
That number indicates the number of devices attached to that node, including itself. Double-click on the node to view a device list.

The icons at the top right corner of the Network Topology page provide the following options:

Option: Description
Export/Download Options: Click to generate a PDF file of the network topology and the details for each node.
Refresh: Click to refresh the data on the page.
Additional Options: Click to see a list of additional options. These include Page Tips, Go To Schedules, and Go to Archives.
  • Page Tips provides information on how to use this page.
  • Go To Schedules is a link to Reports | Scheduled Reports > Schedules.
  • Go to Archives is a link to Reports | Scheduled Reports > Archive.

The icons to the left of the network graphic can be used to manipulate the view of the data.

Option: Description
Reset: Click to center the topology graph when you are done moving things around.
Selection Mode: Choose Select mode or Drag mode. You can select or drag any of the nodes in the topology diagram.
Zoom: Use the sliding node to zoom in or out of the topology diagram. You can also use the mouse wheel. Each click of the wheel represents a 10% change in zoom factor.

For some nodes displayed on the topology map, you can drill down to get more information. Once the node is highlighted, right-click to see a list of options associated with that particular kind of node. As shown in the following examples, you can choose to drill down on all traffic, web activities, blocked issues or threats for an end user system. For a firewall, you see a different set of options, which are links to different reports available on the other views.

3 Using Analytics

This section describes the kinds of data displayed when using IPFIX-based Analytics.
It discusses how the data is structured and presented, but the most effective way to learn how to use Analytics is to click on the options and see what they show you for your network infrastructure. The following information is a reference to get you started.

Topics:
• Navigating IPFIX-Based Analytics
• Groups
• Graphs
• Session Logs

Navigating IPFIX-Based Analytics

Analytics has the most value when you are trying to get specific detail on a situation or to diagnose an issue. Typically, you see something unusual in your environment which triggers the need to investigate. For example, you may be monitoring your network through the Dashboard and see something that is behaving differently than you expect. In your first attempt at a drill-down, you may be taken to the REPORTS view of the tool to see the details behind the deviation. For example, you might notice on the Attacks page that the number of attempts is higher than usual. Going to the Intrusions reports, you can see more information about the intrusions detected, blocked, and other relevant data. Continuing the example, click on the number of connections for a particular intrusion to see the Session Logs for Threats. (Intrusions are one kind of threat.) Drilling down on other types of information may take you to other Analytics options.

The Analytics view is divided into the following menu options for flow-based reports:
• Overview provides Status information and the Network Topology map of your network infrastructure. If using a global or group view, the Device List may also appear as an option. Each of these options is described in more detail in Overview.
• All Traffic provides the Groups, Graphs, and Session Logs for all the traffic moving through your network infrastructure.
• Web Activities, Blocked, and Threats each provide the Groups, Graphs, and Session Logs for the traffic using web connections. Web Activities, Blocked, and Threats are subsets of All Traffic.
Since every environment is different, with different configurations, different filters and so forth, each administrator may use Analytics somewhat differently. You can get to specific information in different ways, depending on what drill-down methods you use. For each of the traffic options (All Traffic, Web Activities, Blocked and Threats), the same three views of the data are presented. Regardless of the traffic type, navigation within each of these views is similar and is described in the following sections:
• Groups
• Graphs
• Session Logs

Groups

The Groups option under each type of traffic provides detailed data in table form. You can sort, filter, and take action on this data in a number of ways.

Using the Groups Tabs

On all of the Groups options, you can use the tabs across the top to narrow the traffic to specific categories.

Tab: Description
Applications: Sorts all traffic by the applications using the network. When the icon for an application is available, it is also displayed.
Web Activities: Categorizes the traffic by web category. When available, you can see details by clicking on the category.
Users: Provides data as it relates to the users connected to the system. You can track user-level transactions and activities by filtering on several different options.
Sources: Lists the IP addresses of the sources of the traffic.
Destinations: Lists the IP addresses of the destinations of the traffic.
Threats: Sorts all the threats by type: intrusion, virus, or spyware. Click on the INTRUSION name to see more details when available.
Devices: Select the Group by option from the drop-down list to show the device name, interface, or IP address of the devices the traffic is being routed through. Click on the link to see more details when available.
BWM: Select the Group by option from the drop-down list to categorize the bandwidth priority queues. Choose Inbound, Outbound or All.
Blocked: Shows the threats that have been blocked.
Using Other Filtering and Sorting Options

Many of the options under the tabs are used to further filter or sort the data in the table.

Option: Description
Filter: You have two ways to filter the data in the table. You can click the Filter icon at the top of the table to select filter options from the drop-down list. Alternatively, you can click the Filter icon embedded in the table that appears when you highlight an item. That item is then added to the filter. You can add multiple items to create more layers of filtering. When the filter is built, click the Refresh button to apply it. Click the Save icon in the gray bar to save the filter for later use, or click the Clear all Filters icon to remove them all. You may need to refresh the data when filters are cleared.
Search: Click on the Search icon and enter the search string in the field provided. When you press Enter, the table data is filtered on the search string. NOTE: The characters in the search string are case sensitive.
Interval slider: Slide the node left and right to set a pre-defined interval for the table. The intervals range from 60 seconds to 90 days. Select Custom to set a user-defined report interval. A calendar pops up where you can select a date and time range or choose a specific day to display.
Group by: Click on the Group by drop-down menu to apply more filtering to the table. Different options are available for different tabs.

Using the Data Management Icons

Several icons appear in the upper right corner above the data table. These icons can be used to manage the appearance of the table, manage the data in the table, or go to other options.

Icon: Description
Export/Download options: Click the Export/Download options icon to generate reports from the displayed data:
  • Generate Flow Report PDF
  • Download Capture Threat Assessment
  • Export Grid Data as CSV
Refresh: Click Refresh to refresh the data in the table.
Show/Hide: Click the Show/Hide icon to customize the columns displayed in the table. In the drop-down list, check the box to select the data you want displayed. Uncheck the box if you want to remove the data from the table. NOTE: Some columns are fixed and cannot be removed from the table. Others are selectable.
Options: Click the Options icon for the following:
  • Page Tips
  • Go to Schedules (REPORTS | Scheduled Reports > Schedules)
  • Go to Archives (REPORTS | Scheduled Reports > Archive)

Using the Groups Summaries

The Groups option provides two summaries at the bottom of the table: the Table Summary and the Flows Summary.

The Table Summary tells you how many items appear in the table and how many sessions are tied to those items. It also tells you the total size of all the packets, the total number of bytes, and the total number of threats.

The Flows Summary is active when you open the page or when you refresh the data on the page. It shows you the progress of the flows being scanned and provides other details, like how many groups are made and how many flows are being scanned.

NOTE: It may take some time to process all the flows or sessions. While the operation is in progress, a Stop button appears in the bar so you can terminate the operation if you want.

Using the Table

You can drill down for more details and take other actions directly from the Groups table.
• Click on the headings in the table to sort the data in ascending or descending order.
• Click on the blue text in the table. These are active links and can show additional details about those items.
• Add a filter directly from the table by clicking on the Filter icon that appears in the row that you highlight.
• Click on the Drill Down icon (the magnifying glass in the table) to see direct links to other types of reports.

Graphs

The Graphs option under each type of traffic provides a graphical representation of the traffic.
You can sort, filter, view, and take action on this data in a number of different ways. The following is the default graph when you first select this option. The layout style is a Lens chart.

Using the Graphs Tabs

On any of the Graphs options, you can use the tabs across the top to narrow the traffic to specific categories.

Tab: Description
Applications: Sorts the traffic graph by the applications using the network.
Destinations: Shows the IP addresses for the destinations of the traffic and how they are all linked.
Web Activities: Shows which devices are accessing which web services. When available, you can see details by clicking on the category.
Threats: Shows which systems are trying to access items that are categorized as threats.
Blocked: Shows the threats that have been blocked and which IP addresses were trying to access them.

Using Graphs Filtering and Sorting Options

Many of the options under the tabs can be used to further filter or sort the data in the graph.

Option: Description
Filter: Click the Filter icon to see the drop-down menu of filtering options:
  1. Select the option and type in the definition. NOTE: The names are case sensitive.
  2. Click the Refresh button to apply the new filter.
  3. Click Filter again to add another layer of filtering, if desired. The filters are shown in the gray bar above the table.
  4. Click the Save icon in the gray bar to save the filter for later use, or click the Clear all Filters icon to remove them all. You may need to refresh the data when filters are cleared.
Search: Click on the Search icon and enter the search string in the field provided. When you press Enter, the table data is filtered on the search string. NOTE: The characters in the search string are case sensitive.
Interval slider: Slide the orange node left and right to set a pre-defined interval for the graph. The intervals range from 60 seconds to 90 days. Select Custom to set a user-defined report interval.
A calendar pops up where you can select a date and time range or choose a specific day.
Link type: Click on the arrowhead to see and select the different kinds of connections that can be displayed on the graph. The default is # of Connections, but other options include Amount of Data Transferred, # of packets Exchanged, and # of Threats.
NOTE: The definition for the link type is also shown on the drop-down list. For example, when Amount of Data Transferred is selected, the lines represent data transfers greater than or equal to 10 bytes.
Group by: Click on the Group by drop-down menu to apply more filtering to the graph. Different options are available for different tabs.

Using the Graph Management Icons
Several icons appear in the upper right corner above the data table. These icons can be used to manage the appearance of the graph, manage the data in the graph, or go to other options.
Halo: Click the Halo icon to enable/disable the halo effect on the nodes in the graph. Different halo levels can be defined by clicking the Configure Graph icon.
Configure Graph: Click the Configure Graph icon to configure settings for the graph: define the Ping Settings, Halo Settings, and Link Settings for your graph and click OK.
NOTE: The Halo effect is only shown for a few seconds. To see it again, refresh the page.
Export/Download: Click the Export/Download options icon to generate reports from the displayed graph:
• Generate Flow Report PDF
• Download Capture Threat Assessment
• Export as Image
• Export as PDF
Refresh: Click Refresh to refresh the data in the graph.
Options: Click the Options icon for the following:
• Page Tips
• Go to Schedules (REPORTS | Scheduled Reports > Schedules)
• Go to Archives (REPORTS | Scheduled Reports > Archive)

Using the Graphs Summary
The Graphs option provides summaries at the bottom of the window. The Flows Summary is active when you open the page or when you refresh the data on the page.
It shows you the progress of the flows being scanned and provides other details, such as how many items are grouped and how many flows are being scanned.
NOTE: It may take a long time to process all the flows or sessions. While the operation is in progress, a Stop button appears in the bar to allow you to terminate the operation.

Using the Graphs
Within the main Graphs pane, you have several tools for drill down or other actions:
• Graph tools, on the left
• Circular menu, which can be placed where you want

Graph Tools
Use the graph tools to drill down for more detail or take other actions directly on the graphical data.
Filter: The Filter function within the graph works a little differently than the filter in the header of the graph.
1 Select a node or node type in the graph.
2 Click on the Filter icon and a filter is added.
3 Click on Refresh and the graph is updated based on the new filter.
4 Click the x by the filter to clear it, and click Refresh to update the data in the graph.
Reset: The Reset icon centers the graph and resets it to its default size.
Drag/Select: When you click on the Drag/Select option, it expands to show your choices. The leftmost icon, Drag mode, is the active option, which is also indicated in orange when expanded. When in Drag mode, you can select a node or connection and reposition it within the graph. You can also drag the entire graph by clicking and holding on some white space within the chart and then dragging the chart where you want it. When in Select mode, the rightmost icon, you can also select a node or connection and reposition it within the graph. With Select mode, you can also draw a square around a node or group of nodes to take action on them.
Chart Layout: When you click on the Chart Layout option, it expands to show several views for the chart. The options include Tweak, Structural, Standard, Hierarchical, Radial, or Lens. The Lens chart is the default.
The icon highlighted in orange is the current active view.
Zoom: The zoom function allows you to zoom in or zoom out, as needed. Grab the node and slide it up or down the scale. You can also zoom in and out using the wheel on your mouse.
You can drill down for more details on the nodes and connections in the chart.
• The physical size of the node within the chart can be an indicator of its rank or number of connections. For example, a larger computer node has several connections while a smaller one only shows one or two.
• The thickness of the connecting lines indicates which connections are busier. A thicker line indicates more sessions, bytes, and packets than the thinner lines.
• You can click on any node or connection and get more details about it from the window that pops up.
• Once a node or connection is selected, you can right-click with your mouse to see additional options. The following figure shows some of the options.

Circular Menu
The Graphs view has a circular menu that you can use to perform additional filtering on the data being displayed. If the menu isn't visible, you may need to expand the window to its fullest and close the DEVICE MANAGER pane.
The circular menu initially appears as a single icon on the Graphs view. It appears in all the traffic categories (All Traffic, Web Activities, Blocked and Threats), and defaults to Source IPs as shown below.
When you click on the Source IPs icon, it spins out in a circular fashion to show the other menu options. You can click on the blue X in the center to close the circular menu. Choose one of the other options and the graph adjusts to show the new view requested. For example, when you select Interfaces, the graph changes to show the interfaces being used for these connections.
The circular menu and the tabs can be used in conjunction to get different combinations of data displayed in the graph.
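The link types and node sizing described above for the Graphs view, and the case-sensitive filter, search and time-interval controls of the Session Logs view that follows, re-created offline over a flow table of the kind the Export Grid Data as CSV option produces. This is an added example, not SonicWall code: the column names (time, src_ip, dst_ip, application, interface, bytes, packets, threats), the five sample rows, the exact-match semantics of column filters and the substring semantics of the search are all assumptions made for the example; map the columns onto the headers of your own export before use.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. The header and rows are assumptions for this
# example, not actual SonicWall output; rename columns to match your CSV.
SAMPLE_CSV = """time,src_ip,dst_ip,application,interface,bytes,packets,threats
2019-11-04T10:00:05,10.1.1.5,93.184.216.34,SSL,X1,5400,12,0
2019-11-04T10:00:40,10.1.1.5,93.184.216.34,SSL,X1,220,3,0
2019-11-04T10:01:10,10.1.1.7,93.184.216.34,HTTP,X1,8,1,0
2019-11-04T10:01:50,10.1.1.7,198.51.100.9,SMTP,X2,910,7,1
2019-11-04T10:03:15,10.1.1.9,198.51.100.9,smtp,X2,1500,9,0
"""

EPOCH = datetime(1970, 1, 1)

# Link types from the Graphs drop-down. Each returns the weight one flow
# adds to its link; the 10-byte floor is the definition quoted in the guide.
LINK_TYPES = {
    "# of Connections": lambda f: 1,
    "Amount of Data Transferred": lambda f: f["bytes"] if f["bytes"] >= 10 else 0,
    "# of packets Exchanged": lambda f: f["packets"],
    "# of Threats": lambda f: f["threats"],
}


def load_flows(text):
    """Parse the exported CSV into dicts with a typed time and counters."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.fromisoformat(row["time"])
        for key in ("bytes", "packets", "threats"):
            row[key] = int(row[key])
        flows.append(row)
    return flows


def build_graph(flows, link_type="# of Connections", group_by="dst_ip"):
    """Return (node_weight, link_weight) for a source -> group_by graph.

    node_weight counts the connections touching a node (what drives node
    size in the chart); link_weight sums the selected metric per link.
    Links that weigh 0 are dropped, which is how a transfer under 10 bytes
    disappears when Amount of Data Transferred is selected.
    """
    weigh = LINK_TYPES[link_type]
    nodes, links = defaultdict(int), defaultdict(int)
    for f in flows:
        src, dst = f["src_ip"], f[group_by]
        nodes[src] += 1
        nodes[dst] += 1
        links[(src, dst)] += weigh(f)
    return dict(nodes), {k: v for k, v in links.items() if v > 0}


def apply_filters(flows, filters=(), search=None):
    """Layered column filters AND together and the free-text search matches
    any column; both compare case-sensitively, as the guide notes. Exact
    match for filters and substring match for search are assumptions."""
    kept = []
    for f in flows:
        if not all(str(f[col]) == val for col, val in filters):
            continue
        if search is not None and not any(search in str(v) for v in f.values()):
            continue
        kept.append(f)
    return kept


def connections_per_interval(flows, interval=timedelta(seconds=60)):
    """Count connections per bucket, the data behind the Session Logs bar
    chart; interval can be any of the slider values (60 s to 90 days)."""
    buckets = defaultdict(int)
    for f in flows:
        start = EPOCH + ((f["time"] - EPOCH) // interval) * interval
        buckets[start] += 1
    return dict(sorted(buckets.items()))


if __name__ == "__main__":
    flows = load_flows(SAMPLE_CSV)
    nodes, links = build_graph(flows, "Amount of Data Transferred")
    print("nodes:", nodes)
    print("links >= 10 bytes:", links)
    print("SSL only:", len(apply_filters(flows, [("application", "SSL")])))
    print("per minute:", connections_per_interval(flows))
```

With the sample rows, the 8-byte HTTP flow keeps its link under # of Connections but vanishes under Amount of Data Transferred, and a filter on application "SSL" returns two rows while "ssl" returns none, which is the case-sensitivity caveat the guide repeats for both the filter and the search.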
Session Logs
The Session Logs option under each type of traffic shows the number of connections in bar chart form. It also provides the detailed log entries in table form. You can filter, search, and take action on this data in a number of different ways. The following figure is a partial screen image of the data displayed in Session Logs.

Using Filtering and Sorting Options for Session Logs
Many of the options at the top of the table are used to further filter or sort the data in the table.
Filter: Click the Filter icon to see the drop-down menu of filtering options:
1 Select the option and type in the definition.
NOTE: The names are case sensitive for this filter function.
2 Click the Refresh button to apply the new filter.
3 Click Filter again to add another layer of filtering, if desired. The filters are shown in a gray bar above the table.
4 Click the Save icon in the gray bar to save the filter for later use, or click the Clear all Filters icon to remove them all. You may need to refresh the data when filters are cleared.
Search: Click on the Search icon and enter the search string in the field provided. When you press Enter, the table data is filtered on the search string.
NOTE: The characters in the search string are case sensitive.
Interval: Slide the node left and right to set a pre-defined interval for the table. The intervals range from 60 seconds to 90 days. Select Custom to set a user-defined report interval. A calendar pops up where you can select a date and time range or choose a specific day.

Using the Session Logs Display Options
Several icons appear in the upper right corner above the data table. These icons can be used to manage the appearance of the table, manage the data in the table, or go to other options.
Rows per page: Set the number of rows shown on each page in the grid. Click the drop-down menu and select the option. The options range from 10 to 8000 (Max).
Chart and Grid Multi View: Click this icon to enable the Chart and Grid Multi View. The view shows the bar chart for connections and the log entries in the table. This icon is highlighted in black when enabled.
Grid Only View: Click this icon to enable the Grid Only View. The view only shows the log entries in the table. This icon is highlighted in black when enabled.
Export/Download: Click the Export/Download options icon to generate reports from the displayed data:
• Generate Flow Report PDF
• Download Capture Threat Assessment
• Export Grid Data as CSV
Refresh: Click Refresh to refresh the data in the table.
Show/Hide: Click the Show/Hide icon to customize the data displayed in the table. In the drop-down list, select the data you want displayed (check the box); uncheck it if you want to hide it.
Options: Click the Options icon for the following:
• Page Tips
• Go to Schedules (REPORTS | Scheduled Reports > Schedules)
• Go to Archives (REPORTS | Scheduled Reports > Archive)

Using the Session Log Summary
The Session Logs option provides a summary at the bottom of the window. The Session Logs Summary is active when you open the page or when you refresh the data on the page. It shows you the progress of the flows being scanned and provides other details, such as how many entries were found and how many flows are being scanned.

Using the Session Logs
You can drill down for more details and take other actions directly from the Session Logs table.
• Mouse over the bars in the chart to see the number of connections for that time period.
• Click on the blue text in the table. These are active links and can show additional details about those items. The following is an example from an SSL application. Click on the Sig ID link for the virus advisory for this object.
• Filters can be added directly from the table by clicking on the Filter icon that appears in the specific row and column that you highlighted.
Multiple filters can be selected and appear in the gray header area. Click Save to save the filter you defined, or click the Clear icon to clear all filters. Click the x by a specific filter to remove it. Be sure to Refresh whenever you add or delete filters.
• You can expand an item to get more detailed information. Simply click on the arrowhead next to the line item number. Click on it again to hide the data.

4 SonicWall Support
Technical support is available to customers who have purchased SonicWall products with a valid maintenance contract and to customers who have trial versions.
The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. To access the Support Portal, go to https://www.sonicwall.com/support.
The Support Portal enables you to:
• View knowledge base articles and technical documentation
• View video tutorials
• Access MySonicWall
• Learn about SonicWall professional services
• Review SonicWall Support services and warranty information
• Register for training and certification
• Request technical support or customer service
To contact SonicWall Support, visit https://www.sonicwall.com/support/contact-support.

About This Document
Legend
WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.
CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.
IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.

SonicWall® Firewall Management ANALYTICS Administration Guide
Updated - November 2019
232-005149-00 Rev A
Copyright © 2019 SonicWall Inc. All rights reserved.
SonicWall is a trademark or registered trademark of SonicWall Inc. and/or its affiliates in the U.S.A. and/or other countries.
All other trademarks and registered trademarks are property of their respective owners.
The information in this document is provided in connection with SonicWall Inc. and/or its affiliates' products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of SonicWall products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, SONICWALL AND/OR ITS AFFILIATES ASSUME NO LIABILITY WHATSOEVER AND DISCLAIM ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL SONICWALL AND/OR ITS AFFILIATES BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF SONICWALL AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SonicWall and/or its affiliates make no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserve the right to make changes to specifications and product descriptions at any time without notice. SonicWall Inc. and/or its affiliates do not make any commitment to update the information contained in this document.
For more information, visit https://www.sonicwall.com/legal.

End User Product Agreement
To view the SonicWall End User Product Agreement, go to: https://www.sonicwall.com/en-us/legal/license-agreements.

Open Source Code
SonicWall is able to provide a machine-readable copy of open source code with restrictive licenses such as GPL, LGPL, AGPL when applicable per license requirements.
To obtain a complete machine-readable copy, send your written requests, along with a certified check or money order in the amount of USD 25.00 payable to "SonicWall Inc.", to:
General Public License Source Code Request
SonicWall Inc. Attn: Jennifer Anderson
1033 McCarthy Blvd
Milpitas, CA 95035