Any tips on setting up Dell Sonicwall Analytics?

jackal713
Path Finder

Hello Splunkers,
I'm having trouble getting apps/searches that rely on firewall data to display anything. The dashboard panels show "no results". I think I have all of the pre-reqs: Sonicwall app (configured per the app's instructions) monitoring IPFIX flows from the firewall; firewall set to send flow data to Splunk; CIM installed; Network_Traffic dataset accelerated. I have verified that flow data is being indexed in the "sonicwall" index. However, the IPFIX flow statistics dashboard shows "no results", but if I go to the firewall activity dashboard, it does list the firewall. Also, when I use the Splunk Security Essentials app's "Data Sources Check" feature, it indicates that Splunk is not getting/finding firewall data.

Any tips or suggestions would be greatly appreciated.
Thanks,

1 Solution

jackal713
Path Finder

I received a response from SonicWall but it is a disappointing one.

App Visualization license is REQUIRED to send IPFIX data to an external collector.

We purchased this device based on the features. Had we known you need to pay extra to actually use those features we would have bought something else. We will be replacing this Sonicwall with a Cisco device.

Below is the actual response from Sonicwall:
S:
-customer mentioned that app flow data is going to the external collector on just one tid of 555

A:
-checked through the device
-app visualisation was not licensed
-informed customer that he needs to have the app visualisation license for the app flow data to be pushed across or activated

P:
-keeping case on pending closure


jackal713
Path Finder

I have emailed Dell on this but no response yet.

I found another post which matches what I am experiencing. Read it here. https://answers.splunk.com/answers/512018/why-does-searching-indexsonicwall-only-returning-t.html

The gist of it is that Sonicwall seems to be only sending IPFIX template ids of 555 (tid=555). So it would seem that this is an issue with the device itself. Syslogging seems to work fine, but if we don't get this resolved before our next purchase window we will probably replace this SonicWall with a Cisco ASA device. If I get a response from Dell I will add it as an answer.

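The thread above turns on which IPFIX template IDs the firewall actually emits, and whether the collector ever receives a template definition for them. As an added example (not code from this thread, the Splunk Sonicwall app, or SonicWall), the script below walks IPFIX datagrams using the RFC 7011 message and set layout and inventories a capture: which templates were defined, which template IDs the data sets reference, and which of those reference a template the collector never saw (data a Splunk app cannot decode). The function names are this example's own, the sample datagram is constructed inside the script, and the field list assigned to template 555 is invented for illustration rather than SonicWall's real template.

```python
"""Inventory the IPFIX templates an exporter really sends (RFC 7011 layout).

Added example for this thread; not code from the Splunk Sonicwall app or from
SonicWall. The sample datagram built below is constructed by hand, and the
field list it gives template 555 is invented for illustration.
"""
import struct
from collections import Counter

IPFIX_VERSION = 10        # value of the 2-byte version field in the message header
TEMPLATE_SET_ID = 2       # set ID 2 carries templates, 3 carries options templates
OPTIONS_TEMPLATE_SET_ID = 3
VARLEN = 65535            # field length meaning "variable length" (not decoded here)


def walk_sets(msg: bytes):
    """Validate the 16-byte message header, then yield (set_id, set_body) pairs."""
    if len(msg) < 16:
        raise ValueError("short IPFIX header")
    version, length, _export_time, _seq, _domain = struct.unpack("!HHIII", msg[:16])
    if version != IPFIX_VERSION:
        raise ValueError(f"not IPFIX: version {version}")
    if length > len(msg):
        raise ValueError("message length exceeds datagram")
    off = 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        yield set_id, msg[off + 4:off + set_len]
        off += set_len


def parse_template_set(body: bytes):
    """Template set -> {template_id: [(ie_id, field_len, enterprise_or_None), ...]}."""
    templates, off = {}, 0
    while off + 4 <= len(body):
        tid, count = struct.unpack("!HH", body[off:off + 4])
        off += 4
        if tid == 0 and count == 0:   # zero padding at the end of the set
            break
        fields = []
        for _ in range(count):
            ie, flen = struct.unpack("!HH", body[off:off + 4])
            off += 4
            ent = None
            if ie & 0x8000:           # enterprise-specific IE: a 4-byte PEN follows
                ent = struct.unpack("!I", body[off:off + 4])[0]
                off += 4
                ie &= 0x7FFF
            fields.append((ie, flen, ent))
        templates[tid] = fields
    return templates


def inventory(messages):
    """Across a capture: templates defined, data sets per template ID, and the
    template IDs used by data sets for which no template was ever received."""
    templates, usage = {}, Counter()
    for msg in messages:
        for set_id, body in walk_sets(msg):
            if set_id == TEMPLATE_SET_ID:
                templates.update(parse_template_set(body))
            elif set_id >= 256:       # 256 and above: data set using that template ID
                usage[set_id] += 1
    undecodable = sorted(t for t in usage if t not in templates)
    return templates, usage, undecodable


def decode_records(msg: bytes, templates):
    """Split each data set into records using its (fixed-length) template."""
    records = []
    for set_id, body in walk_sets(msg):
        tmpl = templates.get(set_id)
        if set_id < 256 or tmpl is None or any(f[1] == VARLEN for f in tmpl):
            continue
        rec_len = sum(f[1] for f in tmpl)
        off = 0
        while off + rec_len <= len(body):
            rec, pos = {}, off
            for ie, flen, _ent in tmpl:
                rec[ie] = body[pos:pos + flen]
                pos += flen
            records.append(rec)
            off += rec_len
    return records


def build_sample_message(include_template: bool = True) -> bytes:
    """Constructed sample datagram: a template set defining template 555 (five
    IANA IEs: srcIPv4, dstIPv4, srcPort, dstPort, protocol) and one data set of
    two records using it. With include_template=False only the data set is sent,
    mimicking an exporter whose template never reached the collector."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1)]
    tmpl_rec = struct.pack("!HH", 555, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    tmpl_set = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tmpl_rec)) + tmpl_rec
    flows = [((10, 0, 0, 5), (93, 184, 216, 34), 51234, 443, 6),
             ((10, 0, 0, 9), (8, 8, 8, 8), 40000, 53, 17)]
    recs = b"".join(bytes(s) + bytes(d) + struct.pack("!HHB", sp, dp, pr) for s, d, sp, dp, pr in flows)
    data_set = struct.pack("!HH", 555, 4 + len(recs)) + recs
    body = (tmpl_set if include_template else b"") + data_set
    header = struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), 1700000000, 1, 0)
    return header + body


if __name__ == "__main__":
    msg = build_sample_message()
    templates, usage, undecodable = inventory([msg])
    print("templates defined:", sorted(templates))
    print("data sets by template id:", dict(usage))
    print("template ids with no template received:", undecodable)
    for rec in decode_records(msg, templates):
        print({ie: val.hex() for ie, val in rec.items()})
```

To run this against a real exporter, bind a UDP socket on whatever collector port you configured on the firewall, collect the datagram payloads for a minute or two, and pass the list to `inventory()`. If the third value comes back non-empty, the device is sending data sets for a template ID it never (or only rarely) defines, which is exactly the situation where an index fills with events while every dashboard built on decoded flow fields stays empty.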