Any tips on setting up Dell Sonicwall Analytics?

jackal713
Path Finder

Hello Splunkers,
I'm having trouble getting apps/searches that rely on firewall data to display anything. The dashboard panels show "no results". I think I have all of the pre-reqs: Sonicwall app (configured per the app's instructions) monitoring IPFIX flows from the firewall, firewall set to send flow data to Splunk, CIM installed, Network_Traffic dataset accelerated. I have verified that flow data is being indexed in the "sonicwall" index. However, the IPFIX flow statistics dashboard shows "no results", but if I go to the firewall activity dashboard, it does list the firewall. Also, when I use the Splunk Security Essentials app's "Data Sources Check" feature, it indicates that Splunk is not getting/finding firewall data.

Any tips or suggestions would be greatly appreciated.
Thanks,

0 Karma
1 Solution

jackal713
Path Finder

I received a response from SonicWall but it is a disappointing one.

App Visualization license is REQUIRED to send IPFIX data to an external collector.

We purchased this device based on the features. Had we known you need to pay extra to actually use those features we would have bought something else. We will be replacing this Sonicwall with a Cisco device.

Below is the actual response from Sonicwall:
S:
-customer mentioned that app flow data is going to the external collector on just one tid of 555

A:
-checked through the device
-app visualisation was not licensed
-informed customer that he needs to have the app visualisation license for the app flow data to be pushed across or activated

P:
-keeping case on pending closure

0 Karma

jackal713
Path Finder

I have emailed Dell on this but no response yet.

I found another post which matches what I am experiencing. Read it here. https://answers.splunk.com/answers/512018/why-does-searching-indexsonicwall-only-returning-t.html

The gist of it is that the SonicWall seems to be sending only IPFIX template ID 555 (tid=555), so it would seem that this is an issue with the device itself. Syslogging seems to work fine, but if we don't get this resolved before our next purchase window we will probably replace this SonicWall with a Cisco ASA device. If I get a response from Dell I will add it as an answer.

0 Karma
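The posts above hinge on which IPFIX template IDs the firewall actually emits (only tid=555 before the App Visualization license is applied, according to the vendor reply). Before opening a vendor case, it is worth confirming that on the wire rather than through the app's parsed fields. The following is an added example, not code from the thread or from the Splunk SonicWall app: it parses raw IPFIX export packets (RFC 7011 message header, then set headers; set ID 2 is a template set, 3 an options template set, and any set ID of 256 or higher is a data set whose ID is the template ID describing its records) and counts the data-set template IDs seen. The sample packets are constructed here to mirror the thread's symptom; the UDP collector port is a parameter you supply, and the helper assumes you can bind the port on the collector host (stop the app's input first, or run it against a mirrored copy of the traffic).

```python
import struct
from collections import Counter

IPFIX_VERSION = 10          # IPFIX message header version field (RFC 7011)
IPFIX_HEADER_LEN = 16       # version, length, export time, sequence, observation domain
MIN_DATA_SET_ID = 256       # set IDs below 256 are template/options/reserved sets


def ipfix_set_ids(packet: bytes) -> Counter:
    """Return a Counter of set IDs found in one IPFIX export packet.

    Raises ValueError for anything that is not a well-formed IPFIX message,
    so a stray NetFlow v9 (version 9) or syslog datagram is flagged, not counted.
    """
    if len(packet) < IPFIX_HEADER_LEN:
        raise ValueError("packet shorter than the 16-byte IPFIX header")
    version, length, _export_time, _seq, _domain = struct.unpack("!HHIII", packet[:IPFIX_HEADER_LEN])
    if version != IPFIX_VERSION:
        raise ValueError(f"not IPFIX (version field {version}, expected {IPFIX_VERSION})")
    if length < IPFIX_HEADER_LEN or length > len(packet):
        raise ValueError("IPFIX length field inconsistent with packet size")
    counts: Counter = Counter()
    offset = IPFIX_HEADER_LEN
    while offset + 4 <= length:
        set_id, set_len = struct.unpack("!HH", packet[offset:offset + 4])
        if set_len < 4 or offset + set_len > length:
            raise ValueError(f"malformed set header at offset {offset}")
        counts[set_id] += 1
        offset += set_len
    return counts


def data_template_ids(packets) -> Counter:
    """Aggregate data-set template IDs (>= 256) across many packets.

    If this returns only {555: n}, the exporter is sending a single record type,
    which is exactly the situation described in the thread.
    """
    total: Counter = Counter()
    for pkt in packets:
        for set_id, n in ipfix_set_ids(pkt).items():
            if set_id >= MIN_DATA_SET_ID:
                total[set_id] += n
    return total


def build_packet(sets, export_time=0, seq=0, domain=1) -> bytes:
    """Build a minimal IPFIX message from (set_id, payload) pairs. Constructed test data only."""
    body = b"".join(struct.pack("!HH", set_id, 4 + len(payload)) + payload for set_id, payload in sets)
    header = struct.pack("!HHIII", IPFIX_VERSION, IPFIX_HEADER_LEN + len(body), export_time, seq, domain)
    return header + body


def collect_from_udp(port: int, max_packets: int, timeout: float = 30.0) -> Counter:
    """Count data-set template IDs from live IPFIX traffic on a UDP port.

    Assumes you are on the collector host and the port is free to bind.
    Not executed by default; call it by hand, e.g. collect_from_udp(2055, 200).
    """
    import socket
    packets = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind(("0.0.0.0", port))
        try:
            while len(packets) < max_packets:
                data, _peer = sock.recvfrom(65535)
                packets.append(data)
        except socket.timeout:
            pass
    return data_template_ids(packets)


# Constructed sample: one template set announcing template 555 (toy record with
# zero fields), followed by data sets that only ever reference template 555.
SAMPLE_PACKETS = [
    build_packet([(2, struct.pack("!HH", 555, 0))]),
    build_packet([(555, b"\x00" * 20)], seq=1),
    build_packet([(555, b"\x00" * 20), (555, b"\x00" * 20)], seq=2),
]

if __name__ == "__main__":
    print("template IDs seen in sample:", dict(data_template_ids(SAMPLE_PACKETS)))
```

Run it against a few hundred live packets and compare the result with what the app's dashboards expect; a healthy exporter announces several templates and you should see more than one data-set ID. A result of only one ID, or a ValueError on every packet, tells you whether the problem is the exporter's template set or a mismatch in what is actually arriving on that port.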