Any tips on setting up Dell Sonicwall Analytics?

jackal713
Path Finder

Hello Splunkers,
I'm having trouble getting apps/searches that rely on firewall data to display anything. The dashboard panels show "no results". I think I have all of the pre-reqs: the Sonicwall app (configured per the app's instructions) monitoring IPFIX flows from the firewall, the firewall set to send flow data to Splunk, CIM installed, and the Network_Traffic dataset accelerated. I have verified that flow data is being indexed in the "sonicwall" index. However, the IPFIX flow statistics dashboard shows "no results", but if I go to the firewall activity dashboard, it does list the firewall. Also, when I use the Splunk Security Essentials app's "Data Sources Check" feature, it indicates that Splunk is not getting/finding firewall data.

Any tips or suggestions would be greatly appreciated.
Thanks,


jackal713
Path Finder

I received a response from SonicWall but it is a disappointing one.

App Visualization license is REQUIRED to send IPFIX data to an external collector.

We purchased this device based on the features. Had we known you need to pay extra to actually use those features we would have bought something else. We will be replacing this Sonicwall with a Cisco device.

Below is the actual response from Sonicwall:
S:
-customer mentioned that app flow data is going to the external collector on just one tid of 555

A:
-checked through the device
-app visualisation was not licensed
-informed customer that he needs to have the app visualisation license for the app flow data to be pushed across or activated

P:
-keeping case on pending closure


jackal713
Path Finder

I have emailed Dell on this but no response yet.

I found another post which matches what I am experiencing. Read it here. https://answers.splunk.com/answers/512018/why-does-searching-indexsonicwall-only-returning-t.html

The gist of it is that Sonicwall seems to be only sending IPFIX template IDs of 555 (tid=555). So it would seem that this is an issue with the device itself. Syslogging seems to work fine, but if we don't get this resolved before our next purchase window we will probably replace this SonicWall with a Cisco ASA device. If I get a response from Dell I will add it as an answer.

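Both the original question (flow data is indexed but nothing decodes into the dashboards) and the later finding (the firewall appears to emit only template ID 555) come down to the same check: look at the raw IPFIX datagrams and inventory which template IDs the exporter defines and which data sets reference them, independently of the Splunk app. The script below is an added example, not code from this thread, from SonicWall, or from the Splunk SonicWall app. It decodes only the RFC 7011 message, set and template layers (it does not interpret field values), and the sample datagram it parses is constructed here for illustration: one template record with ID 555 plus a data set for 555 and an orphan data set for 556 whose template is not in the message. The 555 template's field list is an assumption for the demo, not what a SonicWall actually sends.

```python
"""Inventory the IPFIX sets and template IDs in one exporter datagram.

Added example; not from the thread, the SonicWall firmware or the Splunk
SonicWall app. Decodes the RFC 7011 message/set/template layers only.
"""
import struct
from collections import Counter

IPFIX_VERSION = 10          # NetFlow v9 exporters put 9 here; that is not IPFIX
SET_TEMPLATE = 2
SET_OPTIONS_TEMPLATE = 3
FIRST_DATA_SET_ID = 256     # RFC 7011: data set IDs are 256 and above


def looks_like_ipfix(payload: bytes) -> bool:
    """Cheap pre-check: 16-byte header present and version field == 10."""
    return len(payload) >= 16 and struct.unpack("!H", payload[:2])[0] == IPFIX_VERSION


def parse_ipfix_message(payload: bytes) -> dict:
    """Walk every set in one IPFIX message.

    Returns templates / options templates as {tid: [(ie_id, length, enterprise)]}
    and data_sets as Counter {tid: total body bytes}. Raises ValueError on
    anything that is not a well-formed IPFIX message (wrong version, bad lengths).
    """
    if not looks_like_ipfix(payload):
        raise ValueError("not an IPFIX message (need 16-byte header, version 10)")
    _ver, msg_len, _export_time, seq, domain = struct.unpack("!HHIII", payload[:16])
    if msg_len > len(payload):
        raise ValueError("length field exceeds payload; truncated datagram")

    templates, options, data_sets = {}, {}, Counter()
    offset = 16
    while offset + 4 <= msg_len:
        set_id, set_len = struct.unpack("!HH", payload[offset:offset + 4])
        if set_len < 4 or offset + set_len > msg_len:
            raise ValueError(f"bad set length {set_len} at offset {offset}")
        body = payload[offset + 4:offset + set_len]
        if set_id in (SET_TEMPLATE, SET_OPTIONS_TEMPLATE):
            _parse_template_set(body, set_id == SET_OPTIONS_TEMPLATE, templates, options)
        elif set_id >= FIRST_DATA_SET_ID:
            data_sets[set_id] += len(body)   # data records, decodable only with the template
        # set IDs 0, 1 and 4..255 are reserved: skipped
        offset += set_len
    return {"domain": domain, "sequence": seq, "templates": templates,
            "options": options, "data_sets": data_sets}


def _parse_template_set(body: bytes, is_options: bool, templates: dict, options: dict) -> None:
    """Decode the template records inside a (options) template set."""
    pos = 0
    while pos + 4 <= len(body):
        tid, field_count = struct.unpack("!HH", body[pos:pos + 4])
        if tid == 0:                      # zero template ID == trailing padding
            break
        pos += 4
        if is_options:
            pos += 2                      # scope field count, not needed here
        fields = []
        for _ in range(field_count):
            ie, length = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            enterprise = None
            if ie & 0x8000:               # enterprise bit: 4-byte PEN follows
                (enterprise,) = struct.unpack("!I", body[pos:pos + 4])
                pos += 4
            fields.append((ie & 0x7FFF, length, enterprise))   # length 0xFFFF = variable
        (options if is_options else templates)[tid] = fields


def summarize(payload: bytes) -> dict:
    """The question the thread asks: which template IDs are defined, which are used."""
    msg = parse_ipfix_message(payload)
    defined = set(msg["templates"]) | set(msg["options"])
    used = set(msg["data_sets"])
    # A data set whose template is missing here may have had its template sent in an
    # earlier datagram; only if it never appears across many datagrams is it a problem.
    return {"template_ids": sorted(defined),
            "data_set_ids": sorted(used),
            "undefined_in_message": sorted(used - defined)}


def _build_sample() -> bytes:
    """Constructed datagram: template 555, a data set for 555, an orphan set 556."""
    ies = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1)]   # IANA src/dst IPv4, ports, proto (assumed)
    tmpl_rec = struct.pack("!HH", 555, len(ies)) + b"".join(struct.pack("!HH", *f) for f in ies)
    tmpl_set = struct.pack("!HH", SET_TEMPLATE, 4 + len(tmpl_rec)) + tmpl_rec
    record = bytes([10, 0, 0, 5, 192, 0, 2, 10]) + struct.pack("!HHB", 51234, 443, 6)
    data_set = struct.pack("!HH", 555, 4 + len(record) + 3) + record + b"\x00" * 3   # padded
    orphan = struct.pack("!HH", 556, 12) + bytes(8)
    body = tmpl_set + data_set + orphan
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), 1700000000, 1, 0) + body


SAMPLE_MESSAGE = _build_sample()

if __name__ == "__main__":
    import sys
    # Pass a file holding one raw UDP payload captured from the firewall, else use the sample.
    payload = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MESSAGE
    print(summarize(payload))
```

To apply it to a real firewall, capture a few datagrams on the collector host on whatever UDP port the Splunk app listens on, write one datagram's UDP payload to a file, and run the script on it; repeat across several datagrams, since exporters typically send template sets only periodically. If every data set references a single template ID, as the thread reports for 555, the exporter side is confirmed as the limiting factor. Whether a given template ID populates the app's dashboards depends on the app's own field mapping, which this thread does not show, so the script only tells you what arrives, not how Splunk labels it.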