Inaccurate traffic with Sonicwall Interfaces

Scrutinizer is an enterprise/business class NetFlow and sFlow analysis tool. Scrutinizer provides historical trends of the company's critical network interfaces as well as the details on:

Who: The end system causing the traffic
What: The application/protocol that is being used
When: The time frame it has been occurring for
Where: The network connection that is affected

manny
Posts: 2
Joined: Tue Jan 14, 2014 5:02 pm

Inaccurate traffic with Sonicwall Interfaces

Post by manny » Tue Jan 14, 2014 5:23 pm

I saw a topic about inaccurate traffic on a >1G, and it seems to be something similar; however, I wanted to create a new one because it is a little different.

I'm receiving inaccurate traffic on the same Sonicwall's interface, in this case X1.

From the Sonicwall's Dashboard I'm getting over 6 Mbps.

From InterMapper I'm getting the same over 6 Mbps traffic.

But from Scrutinizer I'm getting less than 2 Mbps!!


This behavior is present in two Sonicwall devices reporting with IPFIX to Scrutinizer.


Any suggestions?

JakeB
Posts: 83
Joined: Thu Jan 10, 2013 2:15 pm

Re: Inaccurate traffic with Sonicwall Interfaces

Post by JakeB » Thu Jan 16, 2014 8:06 am

Hello Manny -

What SonicOS version are you running? And would it be possible for you to post the NetFlow configuration from the SonicWALL device?

-Jake

manny
Posts: 2
Joined: Tue Jan 14, 2014 5:02 pm

Re: Inaccurate traffic with Sonicwall Interfaces

Post by manny » Tue Nov 25, 2014 12:19 pm

Hello Jake,

This is my Sonicwall Info:


General Device Info

Model: NSA E5500
Firmware Version: SonicOS Enhanced 5.9.0.6-3o--HF147057-d_1o


AppFlow>Flow Reporting>External Collector settings

Send Flows and Real-Time Data To External Collector [*] - CHECK
External Flow Reporting Format - IPFIX with extensions
External Collector's IP address - x.x.x.x
Source IP To Use For Collector On A VPN tunnel - 0.0.0.0 (Sonicwall appliance and Scrutinizer are over the same LAN)
External Collector's UDP Port Number - 2055
Send IPFIX/Netflow Templates At Regular Interval - CHECK
Send Static AppFlow At Regular Interval - CHECK
Send Static AppFlow For Following Tables: Applications, Viruses, Spyware, Intrusions, Location Map, Services, Rating Map, Table Map, Column Map
Send Dynamic AppFlow For Following Tables: Connections, Users, URLs, URL ratings, VPNs, Devices, SPAMs, Locations, VOIPs
Include Following Additional Reports via IPFIX: Top 10 Apps, Interface Stats, Core utilization, Memory utilization
Report On Connection OPEN - CHECK
Report On Connection CLOSE - CHECK
Report Connection On Active Timeout - CHECK - Number Of Seconds: 60
Report Connection On Kilo BYTES Exchanged - NOT CHECK
Report Connections On Following Updates: threat detection, application detection, user detection, VPN tunnel detection


Thanks for your help

JakeB
Posts: 83
Joined: Thu Jan 10, 2013 2:15 pm

Re: Inaccurate traffic with Sonicwall Interfaces

Post by JakeB » Mon Dec 22, 2014 8:39 am

Hello -

Do you have any encrypted traffic going over that interface? By default Scrutinizer will exclude this traffic, which could account for the understating. To remove exclusions you can do the following:

1) Navigate to the Admin -> Definitions -> Manage Exporters tab
2) There should be a Blue + sign to the left of your exporters, if you click this and look at ALL devices/ALL Interfaces you should be able to select different protocol exclusions to remove.

Let me know if you have any questions or if you need any help.

Regards,
Jake
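
An added example (not part of the thread, and not Scrutinizer's code) of how a protocol exclusion can produce the gap described above: it derives per-protocol Mbps from flow records and reconciles the total against an interface-counter rate. The record layout, the function names, the sample flows and the choice of ESP (IP protocol 50, the protocol named later in this thread) as the excluded protocol are assumptions.

```python
from collections import defaultdict

# Constructed sample flow records: (ip_protocol, octets, start_s, end_s).
# IANA protocol numbers: 6 = TCP, 17 = UDP, 50 = ESP.
SAMPLE_FLOWS = [
    (6, 9_000_000, 0, 60),
    (17, 4_500_000, 0, 60),
    (50, 31_500_000, 0, 60),
    (50, 6_000_000, 30, 90),   # only half of this flow falls in the window
]


def rate_by_protocol(flows, win_start, win_end):
    """Return {protocol: Mbps} for the window, prorating octets by time overlap."""
    octets = defaultdict(float)
    for proto, nbytes, start, end in flows:
        if end <= start:
            # Zero-duration record: count it whole if it starts inside the window.
            frac = 1.0 if win_start <= start < win_end else 0.0
        else:
            overlap = min(end, win_end) - max(start, win_start)
            frac = max(0, overlap) / (end - start)
        if frac:
            octets[proto] += nbytes * frac
    secs = win_end - win_start
    return {p: b * 8 / secs / 1e6 for p, b in octets.items()}


def reconcile(flows, win_start, win_end, excluded, counter_mbps):
    """Split the counter rate into reported, hidden-by-exclusion and unexplained Mbps."""
    rates = rate_by_protocol(flows, win_start, win_end)
    reported = sum(r for p, r in rates.items() if p not in excluded)
    hidden = {p: r for p, r in rates.items() if p in excluded}
    unexplained = counter_mbps - reported - sum(hidden.values())
    return reported, hidden, unexplained


if __name__ == "__main__":
    # 6.4 Mbps stands in for the rate read from the interface counters.
    reported, hidden, unexplained = reconcile(SAMPLE_FLOWS, 0, 60, {50}, 6.4)
    print(f"flow report: {reported:.1f} Mbps, excluded: {hidden}, "
          f"unexplained: {unexplained:.1f} Mbps")
```

If the unexplained figure stays well above zero after the excluded protocols are added back, the exclusion is not the whole cause and the export settings are the next thing to check.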

emcconnell
Posts: 1
Joined: Thu Feb 16, 2017 3:19 pm

Re: Inaccurate traffic with Sonicwall Interfaces

Post by emcconnell » Thu Feb 16, 2017 3:36 pm

Having removed the exclusions settings for ESP from the any-any manage exporters protocol exclusions, when should ESP traffic start to get measured on the interface that I'm interested in seeing that traffic?

Is a collector service restart needed?

Thanks,

Ed

anna_mcelhany
Posts: 1
Joined: Tue May 03, 2016 3:18 pm

Re: Inaccurate traffic with Sonicwall Interfaces

Post by anna_mcelhany » Mon Mar 13, 2017 8:35 am

Hi Ed,

The collector restart is not needed.

-Anna
