SonicWall ® Management Services System Diagnostics Administration

Management Services System Diagnostics · 2021. 8. 11. · Management Services System Diagnostics Administration Viewing Firewall Diagnostic Information 5 interface within the Reply



Contents

Viewing Firewall Diagnostic Information
  Configuring Network Monitor
Viewing Network Diagnostic Settings
  Refresh / Delete Display
  Diagnostic Data
  Diagnostic Data Request
  Single Sign-On Test Authentication Agent Settings
  Tech Support Report
Viewing Connections Monitor
Viewing CPU Monitor
Viewing Process Monitor
Using Packet Monitor
  Benefits of Packet Monitor
  How Does Packet Monitor Work?
  Configuring Packet Monitor
    Configuring General Settings
    Configuring the Monitor Filter
    Configuring Display Filter Settings
    Configuring Logging Settings
    Configuring Advanced Monitor Filter Settings
    Configuring Mirror Settings
  Supported Packet Types
    Using Packet Monitor and Packet Mirror
SonicWall Support
  About This Document


1

Viewing Firewall Diagnostic Information

SonicWall appliances store information about all devices with which they have communicated. When you generate diagnostic information, only one report can be generated at a time and the information is only maintained during the current session. For example, if you run a firewall log report and then log off or generate another report, the firewall log report data is lost until you run the report again.

Configuring Network Monitor

This section describes how to configure the Network Monitor feature, which provides a flexible mechanism for monitoring network path viability. The results and status of this monitoring are displayed on the Network Monitor page, and are also provided to affected client components and logged in the system log.

Each custom NM policy defines a destination Address Object to be probed. This Address Object might be a Host, Group, Range, or FQDN. When the destination Address Object is a Group, Range or FQDN with multiple resolved addresses, Network Monitor probes each probe target and derives the NM Policy state based on the results.

Management Service monitors any remote host status in the local or remote network. Management Service now checks the availability of the traffic between the appliance and the target host in real time, thus ensuring the target host can receive network traffic. Management Service also displays the status of the monitored host on the System | Diagnostics > Network Monitor page.

As shown above, the NM tool summarizes data for each monitored network path. Additional columns of data are not shown above.


To add a network monitor policy:

1 Navigate to the System > Diagnostics > Network Monitor page and click Add. The Add Network Monitor Policy dialog displays.

2 Enter the following information to define the network monitor policy:

• Name - Enter a description of the Network Monitor policy.

• Probe Target - Select the Address Object or Address Group to be the target of the policy. Address Objects might be Host, Group, Range, or FQDN objects. Objects within a Group object might be Host, Range, or FQDN Address Objects. You can dynamically create a new address object by selecting Create New Address Object.

• Next Hop Gateway - Manually specifies the next hop that is used from the outbound interface to reach the probe target. This option is only set when the Probe Type is an Explicit Route policy. For non-Explicit Route policies, the probe uses the appliance’s route table to determine the egress interface to reach the probe target. If a Next Hop Gateway is not specified and an explicit route probe type is selected, the probe assumes that the targets are directly connected to the Outbound Interface's network.

• Local IP Address - This can be selected from the drop-down menu when an explicit-route Probe Type is selected and an Outbound Interface such as tnlGrp, tnlNew or Drop_Tunnellf is selected.

• Outbound Interface - Manually specifies which interface is used to send the probe. This option must be configured for Explicit Route policies. For non-Explicit Route policies, the probe uses the appliance’s route table to determine the egress interface to reach the probe target.

• Probe Type - Select the appropriate type of probe for the network monitor policy:

• Ping (ICMP) - This probe uses the route table to find the egress interface and next-hop for the defined probe targets. A Ping echo-request is sent out the egress interface with the source IP address of the egress interface. An echo response must return on the same interface within the specified Reply timeout time limit for the ping to be counted as successful.

• TCP - This probe uses the route table to find the egress interface and next-hop for the defined probe targets. A TCP SYN packet is sent to the probe target with the source IP address of the egress interface. A successful response is counted independently for each probe target when the target responds with either a SYN/ACK or RST through the same interface within the Reply time out time window. When a SYN/ACK is received, a RST is sent to close the connection. If a RST is received, no response is returned.

• Ping (ICMP) - Explicit Route - This probe bypasses the route table and uses the source IP address of the interface specified in the Outbound Interface pull-down menu to send a Ping to the targets. If a Next Hop Gateway is not specified, the probe assumes that the targets are directly connected to the Outbound Interface's network.

• TCP - Explicit Route - This probe bypasses the route table and uses the source IP address of the interface specified in the Outbound Interface pull-down menu to send a TCP SYN packet to the targets. If a Next Hop Gateway is not specified, the probe assumes that the targets are directly connected to the Outbound Interface's network. When a SYN/ACK is received, a RST is sent to close the connection. If a RST is received, no response is returned.

• Port - Specifies the destination port of target hosts for TCP probes. A port is not specified for Ping probes.

3 Optionally, you can adjust the following thresholds for the probes:

• Probe hosts every - The number of seconds between each probe. This number cannot be less than the Reply time out field.

• Reply time out - The number of seconds the Network Monitor waits for a response for each individual probe before a missed-probe is counted for the specific probe target. The Reply time out cannot exceed the Probe hosts every field.

• Probe state is set to DOWN after - The number of consecutive missed probes that triggers a host state transition to DOWN.

• Probe state is set to UP after - The number of consecutive successful probes that triggers a host state transition to UP.

• All Hosts Must Respond - Selecting this check box specifies that all of the probe target Host States must be UP before the Policy State can transition to UP. If not checked, the Policy State is set to UP when any of the Host States are UP.

• RST Response Counts As Miss - Selecting this check box specifies that an RST response counts as a missed response.

4 Optionally, you can enter a descriptive comment about the policy in the Comment field.

5 Click Update to submit the Network Monitor policy.
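The thresholds in step 3 interact in ways that are easier to see in code. The following is an added example, not SonicWall code: a small Python model of how the TCP probe outcomes, the consecutive-probe thresholds, All Hosts Must Respond and RST Response Counts As Miss combine into a policy state. The initial UNKNOWN host state, the DOWN label for a policy that does not qualify as UP, and the sample targets are assumptions.

```python
from dataclasses import dataclass

# TCP probe outcomes as the page describes them.
SYN_ACK, RST, TIMEOUT = "SYN/ACK", "RST", "TIMEOUT"


@dataclass
class Policy:
    probe_interval: int                   # "Probe hosts every" (seconds)
    reply_timeout: int                    # "Reply time out" (seconds)
    down_after: int                       # consecutive misses before DOWN
    up_after: int                         # consecutive successes before UP
    all_hosts_must_respond: bool = False  # "All Hosts Must Respond"
    rst_counts_as_miss: bool = False      # "RST Response Counts As Miss"

    def __post_init__(self):
        # The page's constraint: the timeout cannot exceed the probe interval.
        if self.reply_timeout > self.probe_interval:
            raise ValueError("Reply time out cannot exceed Probe hosts every")
        if self.down_after < 1 or self.up_after < 1:
            raise ValueError("thresholds must be at least 1")


@dataclass
class Host:
    state: str = "UNKNOWN"  # assumption: no state until a threshold is reached
    hits: int = 0
    misses: int = 0


def probe_succeeded(policy, outcome):
    if outcome == SYN_ACK:
        return True
    if outcome == RST:
        return not policy.rst_counts_as_miss
    return False  # no reply inside the Reply time out window


def record(policy, host, outcome):
    """Update one probe target's consecutive counters and host state."""
    if probe_succeeded(policy, outcome):
        host.hits, host.misses = host.hits + 1, 0
        if host.hits >= policy.up_after:
            host.state = "UP"
    else:
        host.hits, host.misses = 0, host.misses + 1
        if host.misses >= policy.down_after:
            host.state = "DOWN"
    return host.state


def policy_state(policy, hosts):
    """Derive the policy state from the host states."""
    combine = all if policy.all_hosts_must_respond else any
    # Assumption: a policy that does not qualify as UP is reported as DOWN.
    return "UP" if combine(h.state == "UP" for h in hosts) else "DOWN"


def simulate(policy, outcomes_by_target):
    """Return [(seconds, policy state)] for each probe round."""
    hosts = {target: Host() for target in outcomes_by_target}
    rounds = min(len(o) for o in outcomes_by_target.values())
    timeline = []
    for i in range(rounds):
        for target, outcomes in outcomes_by_target.items():
            record(policy, hosts[target], outcomes[i])
        timeline.append((i * policy.probe_interval,
                         policy_state(policy, hosts.values())))
    return timeline


# Constructed sample: one target answers SYN/ACK and then starts sending RST
# (the service stopped listening); the other never replies.
SAMPLE = {
    "192.0.2.10": [SYN_ACK, SYN_ACK, SYN_ACK, RST, RST, RST],
    "192.0.2.11": [TIMEOUT] * 6,
}

if __name__ == "__main__":
    for strict in (False, True):
        p = Policy(5, 1, down_after=3, up_after=2, rst_counts_as_miss=strict)
        print("RST counts as miss:", strict, simulate(p, SAMPLE))
```

With the default setting the policy stays UP after the service stops listening, because an RST still counts as a reply; with RST Response Counts As Miss selected it goes DOWN after three consecutive RSTs.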


2

Viewing Network Diagnostic Settings

To view network settings:

1 Select the global icon, a group, or a SonicWall appliance.

2 To navigate to diagnostic settings, select Manage | System | Diagnostics > Network.

3 Once Manage is selected, scroll down the center panel and select.

The Network diagnostics settings page displays.

The Networks panel is divided into five sections:

• Refresh / Delete Display

• Diagnostic Data

• Diagnostic Data Request

• Single Sign-On Test Authentication Agent Settings

• Tech Support Report


4 The Diagnostic settings appear.


Refresh / Delete Display

1 Select the global icon, a group, or a SonicWall appliance.

2 Navigate to Manage | System | Diagnostics > Network.

3 To refresh the diagnostic data, click on the Refresh button under Refresh/Delete Display.

4 To delete the diagnostic data, click on the Delete button under Refresh/Delete Display.

Diagnostic Data

1 Select the global icon, a group, or a SonicWall appliance.

2 Navigate to Manage | System | Diagnostics > Network.

3 The Diagnostic Data Request section presents the data requests and is capable of displaying IPv4 and IPv6 data.

Diagnostic Data Request

1 Select the global icon, a group, or a SonicWall appliance.

2 Navigate to Manage | System | Diagnostics > Network.

3 Request Log file display from units — Select this option to view the log file for the selected SonicWall appliance(s), and then click on Request New Data.

The log files from the selected appliance will appear in Diagnostic Data section:

4 To test access to a RADIUS (Remote Authentication Dial-In User Service) server, click Client Test and then the Radius radio button. Then enter the username and password of a valid user in the User and Password fields. Then select Password Authentication, CHAP (Challenge Handshake Authentication Protocol) or a Microsoft version of CHAP. Finally click on the Request New Data button.

To test access to an LDAP (Lightweight Directory Access Protocol) server, click Client Test and the LDAP radio button. Then select Password Authentication or CHAP, then click on the Request New Data button. For details on configuring LDAP, refer to Configuring LDAP or AD Authentication in SonicWall Management CONSOLE Administration.

5 To complete a DNS lookup from the SonicWall appliance(s), click on DNS Lookup and then enter a host name or IP address in the Host field and click Request New Data.

6 To find a network path from the SonicWall appliance(s), select Find Network Path and then enter an IP address in the Host field and click on Request New Data.

7 To ping a host from the SonicWall appliance(s), select Ping, and then enter a hostname or IP address in the Host field. This can be an IPv4 or IPv6 address. Click the Interface drop-down list, then select Any or one of the listed interfaces. If you want to select an IPv6 address, click Prefer IPv6 networking.

The Diagnostic Data section will display a summary of a successful or unsuccessful ping.

NOTE: Log file contents may take 30 to 45 seconds to display.

NOTE: CHAP authentication will only work with a RADIUS server that supports it, and in some cases will require the server to store passwords reversibly. Refer to Configuring RADIUS Authentication in SonicWall Management CONSOLE Administration.


8 To complete a Traceroute from the SonicWall appliance(s), select TraceRoute Lookup and then enter a hostname or IP address in the Host field and then click Request New Data.

The response appears in the Diagnostic Data section.

9 To view dynamic routing information, select Fetch Default Route Policies (SonicOS 2.5 Enhanced or later). Then click on Request New Data. The policies will appear in the Diagnostic Data area.

10 To complete a reverse name resolution, click on the radio button for Reverse Name Resolution and enter an IP address in the Reverse Lookup the IP Address field, then click on Request New Data.

Results from the reverse name lookup will appear in the Diagnostic Data section.

11 To complete a real-time black list lookup, click Real-time Black List Lookup, enter an IP address in the IP Address field, an FQDN for the RBL in the RBL Domain field, and DNS server information in the DNS Server field. Finally click on Request New Data.

12 For Path MTU Discovery (Maximum Transmission Unit), click on the radio button and then Request New Data.

13 Check Geo Location and Botnet Server Lookup provides summaries on the blocking of connections to or from a geographic location based on IP address, and to or from Botnet command and control servers. Additional functionality for this feature is available on the Security Services > Geo-IP and Security Services > Botnet Filter page.

14 Enabling MX Lookup and Banner Check allows you to look up a domain or IP address. Your configured DNS servers are displayed in the Log Resolution DNS Server 1/2/3 fields, but are not editable. After you type a domain name, such as google.com, into the Lookup Name or IP field and click Go, the output is displayed under Result. The results include the domain name or IP address that you entered, the DNS server from your list that was used, the resolved email server domain name and/or IP address, and the banner received from the domain server or a message that the connection was refused. The contents of the banner depend on the server you are looking up.

Single Sign-On Test Authentication Agent Settings

1 Select the global icon, a group, or a SonicWall appliance.

2 To navigate to diagnostic settings, select Manage | System | Diagnostics > Network.

3 In the section, Single Sign-On: Test Authentication Agent Settings, select an agent defined in the Users | Settings panel and click on Check Agent Connectivity. To test user SSO access, enter the Workstation IP Address and click on Check user. For details on configuring Single Sign-On, navigate to Manage | User > Settings.

Tech Support Report

1 Select the global icon, a group, or a SonicWall appliance.

2 To navigate to diagnostic settings, select Manage | System | Diagnostics > Network.

3 To generate a Tech Support Report, select any of the following report options, and then click on: Fetch Report, E-mail Tech Support Report, or Send by FTP.

• Sensitive Keys—Saves shared secrets, encryption, and authentication keys to the report.

• ARP Cache—Saves a table relating IP addresses to the corresponding MAC or physical addresses.

NOTE: In the above dialog, “Any” will allow the system to choose among all interfaces including those not on this list. Otherwise this is WAN-specific.


• DHCP Bindings—Saves entries from the SonicWall security appliance DHCP server.

• IKE Info—Saves current information about active IKE configurations.

• Wireless Diagnostics—A SonicPoint can collect critical runtime data and save it into persistent storage in the global SonicPoint Peer List (see Access Points > SonicPoints). If the SonicPoint experiences a failure, the diagnostic enhancement feature allows the firewall managing appliance to retrieve the log data when the SonicPoint reboots. Then, this log data is incorporated into the Tech Support Report (TSR).

• List of current users—lists all currently logged in active local and remote users. Selected by default.

• Inactive users—lists the users with inactive sessions. Selected by default.

• IPv6 NDP—This option is not selected by default.

• IPv6 DHCP—This option is not selected by default.

• Debug information in report—specifies whether the downloaded TSR is to contain debug information. Selected by default.

The TSR is organized in an easy-to-read format. You control whether to include debug information as a category, enclosed by the #Debug Information_START and #Debug Information_END tags, at the end of the report. Debug information contains miscellaneous information that is not used by the average support engineer, but can be useful in certain circumstances.

• Geo-IP/Botnet Cache—saves the currently cached Geo-IP and Botnet information. This option is not selected by default.

• IP Stack Info—This option is not selected by default.

• DNS Proxy Cache—This option is not selected by default. It enables the reporting of DNS proxy data stored on the appliance.

4 Click Fetch Report. A report is generated with the options you selected.

5 Click Email Tech Support Report. A report is generated with the options you selected and sent to Tech Support.

6 To send the TSR, select Send by FTP. This feature allows you to send configuration settings (prefs) and a tech support report (TSR) to a specified FTP server. You can configure a schedule for periodic backup of this information to the FTP server. An additional page opens.

• Select Send Settings by FTP to send prefs.

• Enter the required information for the FTP server.

• Click Set Schedule to define a start schedule.

7 Click Apply.

8 Configure the following report options:

• Vendor Name Resolution—This option is not selected by default. This allows resolution of naming of non-SonicWall appliances.

• Automatic secure crash analysis reporting —This option is selected by default. It provides messages and reporting associated with appliance-level software crashes.

• Enable periodic secure backup of diagnostic report to support

• Time interval — Defaults to 1440 minutes (24 hours)

• Include raw flow table data entries when sending diagnostics report —This option is selected by default.

NOTE: For reporting maximum user information, select both List of current users and Detail of users check-boxes.


3

Viewing Connections Monitor

The Connections Monitor displays real-time, configurable views of all connections to, and through, a SonicWall security appliance.

To view connections monitor data:

1 Select the global icon, a group, or a SonicWall appliance.

2 Navigate to the System > Diagnostics > Connections Monitor page.

3 Select the filter values to sort by.

You can filter the results to display only connections matching certain criteria. You can filter by Source IP, Destination IP, Destination Port, Protocol, Flow Type, Source Interface, and Destination Interface. Enter your filter criteria in the Active Connections Monitor Settings table.

The fields you enter values into are combined into a search string with a logical AND. For example, if you enter values for Source IP and Destination IP, the search string looks for connections matching:

Source IP AND Destination IP

Check the Group Filters box next to any two or more criteria to combine them with a logical OR. For example, if you enter values for Source IP, Destination IP, and Protocol, and check Group Filter next to Source IP and Destination IP, the search string looks for connections matching:

(Source IP OR Destination IP) AND Protocol


4 Click Fetch Active Connections Monitor to apply the filter immediately to the Active Connections Monitor table. The scheduler displays.

5 Expand Schedule by clicking the plus icon.

6 Select Immediate or specify a future date and time.

7 Click Accept. The updated Connections Monitor page displays (see following page).

The following data was generated by specifying the source IP address (10.202.3.82) and ANDing it with all the other filter settings left empty or set to all. So all connections sourced by this address are listed.
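The AND and Group Filters rules from step 3 can be checked offline against exported connection records. The following is an added example, not SonicWall code: it builds the search string and applies it to constructed connection records. The record layout, exact-match comparison and the sample connections are assumptions; 10.202.3.82 is the source address used above.

```python
# Filter fields in the order the page lists them.
FIELDS = ["Source IP", "Destination IP", "Destination Port", "Protocol",
          "Flow Type", "Source Interface", "Destination Interface"]


def split_criteria(filters, grouped):
    """Return (or_fields, and_fields) for the fields that have a value."""
    unknown = set(filters) - set(FIELDS)
    if unknown:
        raise ValueError(f"unknown filter field(s): {sorted(unknown)}")
    active = [f for f in FIELDS if filters.get(f) not in (None, "")]
    or_fields = [f for f in active if f in grouped]
    if len(or_fields) < 2:      # grouping needs two or more criteria
        or_fields = []
    and_fields = [f for f in active if f not in or_fields]
    return or_fields, and_fields


def search_string(filters, grouped=()):
    """Render the combined filter the way the page writes it."""
    or_fields, and_fields = split_criteria(filters, grouped)
    terms = []
    if or_fields:
        terms.append("(" + " OR ".join(or_fields) + ")")
    return " AND ".join(terms + and_fields)


def matches(conn, filters, grouped=()):
    """True when a connection record satisfies the combined filter."""
    or_fields, and_fields = split_criteria(filters, grouped)

    def hit(field):
        # Assumption: a criterion matches on exact string equality.
        return str(conn.get(field)) == str(filters[field])

    if or_fields and not any(hit(f) for f in or_fields):
        return False
    return all(hit(f) for f in and_fields)


def filter_connections(conns, filters, grouped=()):
    return [c for c in conns if matches(c, filters, grouped)]


# Constructed connection records (documentation addresses except the page's
# own 10.202.3.82).
CONNECTIONS = [
    {"Source IP": "10.202.3.82", "Destination IP": "192.0.2.10",
     "Destination Port": 443, "Protocol": "TCP"},
    {"Source IP": "192.0.2.50", "Destination IP": "10.202.3.82",
     "Destination Port": 22, "Protocol": "TCP"},
    {"Source IP": "10.202.3.82", "Destination IP": "192.0.2.53",
     "Destination Port": 53, "Protocol": "UDP"},
    {"Source IP": "192.0.2.50", "Destination IP": "192.0.2.10",
     "Destination Port": 443, "Protocol": "TCP"},
]

# All TCP connections to or from one host: same address in both IP fields,
# with Group Filter checked on both.
HOST_FILTER = {"Source IP": "10.202.3.82", "Destination IP": "10.202.3.82",
               "Protocol": "TCP"}
HOST_GROUP = {"Source IP", "Destination IP"}

if __name__ == "__main__":
    print(search_string(HOST_FILTER, HOST_GROUP))
    for conn in filter_connections(CONNECTIONS, HOST_FILTER, HOST_GROUP):
        print(conn)
```

Without the group, the same three values are ANDed and match nothing, since no connection has 10.202.3.82 as both source and destination.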


4

Viewing CPU Monitor

For managed SonicWall firewall appliances running SonicOS, the CPU Monitor displays real-time CPU utilization in second, minute, hour, and day intervals.

To view CPU utilization data:

1 Select the global icon, a group, or a SonicWall appliance.

2 Navigate to System | Diagnostics > CPU Monitor.

3 To refresh the CPU diagnostic display, click Refresh Diagnostic Data display.

4 To delete the CPU diagnostic display, click Delete Diagnostic Data display.

5 To modify the time period for the CPU data, select one of the following periods from the Chart for pull-down menu:

• CPU History for the last 60 seconds—Displays CPU history for the last minute.

• CPU History for the last 24 hours—Displays CPU history for the last day.

• CPU History for the last 30 days—Displays CPU history for the last 30 days.


6 Click Fetch CPU Information to display CPU information from the SonicWall appliance. The scheduler displays.

7 Click on At to schedule the report.

8 Select Immediate or specify a future date and time.

9 Click Accept.


5

Viewing Process Monitor

For managed SonicWall firewall appliances running SonicOS, the Process Monitor displays individual system processes, their CPU utilization, and their system time.

To view diagnostic data:

1 Select the global icon, a group, or a SonicWall appliance.

2 Navigate to System | Diagnostics > Process Monitor. The Process Monitor page displays.

3 To refresh the process diagnostic display, click Refresh Diagnostic Data display.

4 To delete the process diagnostic display, click Delete Diagnostic Data display.

5 Click Fetch Process Information to display Process Monitor information. The scheduler displays.


6 Expand Schedule by clicking on At.

7 Select Immediate or specify a future date and time.

8 Click Accept.

Process data will display as shown below.


6

Using Packet Monitor

The Packet Monitor is a mechanism that allows you to monitor individual data packets that traverse your SonicWall firewall appliance. Packets can be either monitored or mirrored. The monitored packets contain both data and addressing information. Addressing information from the packet header includes the following:

• Interface identification

• MAC addresses

• Ethernet type

• Internet Protocol (IP) type

• Source and destination IP addresses

• Port numbers

• L2TP payload details

• PPP negotiations details

You can configure the packet monitor feature in the enhanced management interface. The management interface provides a way to configure the monitor criteria, display settings, mirror settings, and file export settings, and displays the captured packets.

Current configurations are displayed on this page; hover over the information symbols to view the details.

Benefits of Packet Monitor

The GMS packet monitor feature provides the functionality and flexibility that you need to examine network traffic without the use of external utilities, such as Wireshark (formerly known as Ethereal). Packet monitor includes the following features:

• Control mechanism with improved granularity for custom filtering (Monitor Filter)

• Display filter settings independent from monitor filter settings

• Packet status indicates if the packet was dropped, forwarded, generated, or consumed by the firewall


• Three output displays in the management interface:

• List of packets

• Decoded output of selected packet

• Hexadecimal dump of selected packet

• Export capabilities include text or HTML format with hex dump of packets, plus CAP file formats, pcap and pcapNG

• Automatic export to FTP server when the buffer is full

• Bidirectional packet monitor based on IP address and port

• Configurable wrap-around of packet monitor buffer when full

How Does Packet Monitor Work?

As an administrator, you can configure the general settings, monitor filter, display filter, advanced filter settings, and FTP settings of the packet monitor tool. As network packets enter the packet monitor subsystem, the monitor filter settings are applied and the resulting packets are written to the capture buffer. The display filter settings are applied as you view the buffer contents in the management interface. You can log the capture buffer to view in the management interface, or you can configure automatic transfer to the FTP server when the buffer is full.

Default settings are provided so that you can start using packet monitor without configuring it first. The basic functionality is listed in Packets: Basic Functionality.

Refer to Configuring Packet Monitor for a high-level view of the packet monitor subsystem that shows the different filters and how they are applied.

Packet monitor subsystem showing filters

Packets: Basic Functionality

Start: Click Start Capture to begin capturing all packets except those used for communication between the firewall and the management interface on your console system.

Stop: Click Stop Capture to stop the packet capture.


Configuring Packet Monitor

You can access the packet monitor tool on the System | Diagnostics > Packet Monitor page of the management interface. There are six main areas of configuration for packet monitor, one of which is specifically for packet mirror. The following sections describe the configuration options, and provide procedures for accessing and configuring the filter settings, log settings, and mirror settings:

• Configuring General Settings

• Configuring the Monitor Filter

• Configuring Display Filter Settings

• Configuring Logging Settings

• Configuring Advanced Monitor Filter Settings

• Configuring Mirror Settings

• Using Packet Monitor and Packet Mirror

Configuring General Settings

This section describes how to configure packet monitor general settings, including the number of bytes to capture per packet and the buffer wrap option. You can specify the number of bytes using either decimal or hexadecimal, with a minimum value of 64. The buffer wrap option enables the packet capture to continue even when the buffer becomes full, by overwriting the buffer from the beginning.

To configure the general settings:

1 Navigate to the System | Diagnostics > Packet Monitor page.

2 Click Configure.

3 In the Packet Monitor Configuration window, click the Settings view.

4 Under General Settings in the Number of Bytes To Capture (per packet) box, type the number of bytes to capture from each packet. The minimum value is 64 and the maximum value is 65535.

5 To continue capturing packets after the buffer fills up, select Wrap Capture Buffer Once Full. Selecting this option will cause packet capture to start writing captured packets at the beginning of the buffer again after the buffer fills. This option has no effect if FTP server logging is enabled on the Logging tab, because the buffer is automatically wrapped when FTP is enabled.

6 Under Exclude Filter, select Exclude encrypted Management Service traffic to prevent capturing or mirroring of encrypted management or syslog traffic to or from SonicWall Management Service. This setting only affects encrypted traffic within a configured primary or secondary Management Service tunnel. Management Service management traffic is not excluded if it is sent through a separate tunnel.

7 Use the Exclude Management Traffic settings to prevent capturing or mirroring of management traffic to the appliance. Select the check box for each type of traffic (HTTP/HTTPS, SNMP, or SSH) to exclude. If management traffic is sent through a tunnel, the packets are not excluded.

8 Use the Exclude Syslog Traffic to settings to prevent capturing or mirroring of syslog traffic to the logging servers. Select the check box for each type of server (Syslog Servers or Management Service Server) to exclude. If syslog traffic is sent through a tunnel, the packets are not excluded.

9 Use the Exclude Internal Traffic for settings to prevent capturing or mirroring of internal traffic between the SonicWall appliance and its High Availability partner or a connected SonicPoint. Select the check box for each type of traffic (HA, SonicPoint, BCP, Inter-Blade, or Back-Plane) to exclude.

10 To save your settings and exit the configuration window, click OK.

Configuring the Monitor Filter

All filters set on this page are applied to both packet capture and packet mirroring.

To configure Monitor Filter settings:

1 Navigate to the System | Diagnostics > Packet Monitor page.

2 Click Configure.

3 In the Packet Monitor Configuration window, click the Monitor Filter view.

4 Choose to Enable filter based on the firewall/app rule if you are using firewall rules to capture specific traffic.

NOTE: Before the Enable filter based on the firewall rule option is selected, be certain you have selected one or more access rules on which to monitor packet traffic. This configuration is done from the Firewall > Access Rules page.


5 Specify how Packet Monitor will filter packets using these options:

• Interface Name(s) - You can specify up to ten interfaces separated by commas. Refer to the Network > Interfaces screen in the management interface for the available interface names. You can use a negative value to configure all interfaces except the one(s) specified; for example: !X0, or !LAN.

• Ether Type(s) - You can specify up to ten Ethernet types separated by commas. Currently, the following Ethernet types are supported: ARP, IP, PPPoE-SES, and PPPoE-DIS. The latter two can be specified by PPPoE alone. This option is not case-sensitive. For example, to capture all supported types, you could enter: ARP, IP, PPPOE. You can use one or more negative values to capture all Ethernet types except those specified; for example: !ARP, !PPPoE. You can also use hexadecimal values to represent the Ethernet types, or mix hex values with the standard representations; for example: ARP, 0x800, IP. Normally you would only use hex values for Ethernet types that are not supported by acronym in SonicOS Enhanced. See Supported Packet Types.

• IP Type(s) - You can specify up to ten IP types separated by commas. The following IP types are supported: TCP, UDP, ICMP, GRE, IGMP, AH, ESP. This option is not case-sensitive. You can use one or more negative values to capture all IP types except those specified; for example: !TCP, !UDP. You can also use hexadecimal values to represent the IP types, or mix hex values with the standard representations; for example: TCP, 0x1, 0x6. See Supported Packet Types.

• Source IP Address(es) - You can specify up to ten IP addresses separated by commas; for example: 10.1.1.1, 192.2.2.2. You can use one or more negative values to capture packets from all but the specified addresses; for example: !10.3.3.3, !10.4.4.4.

• Source Port(s) - You can specify up to ten TCP or UDP port numbers separated by commas; for example: 20, 21, 22, 25. You can use one or more negative values to capture packets from all but the specified ports; for example: !80, !8080.

• Destination IP Address(es) - You can specify up to ten IP addresses separated by commas; for example: 10.1.1.1, 192.2.2.2. You can use one or more negative values to capture packets destined for all but the specified addresses; for example: !10.3.3.3, !10.4.4.4.

• Destination Port(s) - You can specify up to ten TCP or UDP port numbers separated by commas; for example: 20, 21, 22, 25. You can use one or more negative values to capture packets destined for all but the specified ports; for example: !80, !8080.

• Enable Bidirectional Address and Port Matching - When this option is selected, IP addresses and ports specified in the Source or Destination fields on this page are matched against both the source and destination fields in each packet.

• Forwarded packets only - Select this option to monitor any packets that are forwarded by the firewall.

• Consumed packets only - Select this option to monitor all packets that are consumed by internal sources within the firewall.

• Dropped packets only - Select this option to monitor all packets that are dropped at the perimeter.

6 To save your settings and exit the configuration window, click OK.

NOTE: If a field is left blank, no filtering is done on that field. Packets are captured or mirrored without regard to the value contained in that field of their headers.
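The field syntax described in step 5 (comma-separated values, up to ten per field, ! negation, hex type values, blank fields, bidirectional matching), modeled as an added Python example; it is not SonicWall code. How the firewall combines positive and negated entries in one field and how it applies bidirectional matching are assumptions here, as are all function names and the sample packets.

```python
import ipaddress
from dataclasses import dataclass

MAX_ENTRIES = 10  # the page allows "up to ten" values per field
# IANA-assigned numbers for the acronyms the page lists as supported.
ETHER_TYPES = {"ARP": {0x0806}, "IP": {0x0800}, "PPPOE-DIS": {0x8863},
               "PPPOE-SES": {0x8864}, "PPPOE": {0x8863, 0x8864}}
IP_TYPES = {"TCP": {6}, "UDP": {17}, "ICMP": {1}, "GRE": {47},
            "IGMP": {2}, "AH": {51}, "ESP": {50}}

@dataclass(frozen=True)
class FieldFilter:
    include: frozenset
    exclude: frozenset

    def matches(self, value):
        # Assumption: a negated entry always wins; a blank field accepts all.
        if value in self.exclude:
            return False
        return not self.include or value in self.include

def type_converter(table):
    """Accept a case-insensitive acronym or a hex value such as 0x800."""
    def convert(token):
        key = token.upper()
        if key in table:
            return table[key]
        if key.startswith("0X"):
            return {int(key, 16)}
        raise ValueError(f"unsupported type: {token!r}")
    return convert

def port(token):
    number = int(token)
    if not 0 <= number <= 65535:
        raise ValueError(f"port out of range: {token!r}")
    return {number}

def address(token):
    return {ipaddress.ip_address(token)}

def parse_field(text, convert):
    """Parse one comma-separated filter field into include/exclude sets."""
    tokens = [t.strip() for t in text.split(",") if t.strip()]
    if len(tokens) > MAX_ENTRIES:
        raise ValueError(f"more than {MAX_ENTRIES} entries: {text!r}")
    include, exclude = set(), set()
    for token in tokens:
        negated = token.startswith("!")
        values = convert(token[1:].strip() if negated else token)
        (exclude if negated else include).update(values)
    return FieldFilter(frozenset(include), frozenset(exclude))

def build_filter(ether="", ip_type="", src_ip="", src_port="",
                 dst_ip="", dst_port="", bidirectional=False):
    return {"ether": parse_field(ether, type_converter(ETHER_TYPES)),
            "proto": parse_field(ip_type, type_converter(IP_TYPES)),
            "src": parse_field(src_ip, address),
            "sport": parse_field(src_port, port),
            "dst": parse_field(dst_ip, address),
            "dport": parse_field(dst_port, port),
            "bidirectional": bidirectional}

def packet_matches(flt, packet):
    _, ether, proto, src, sport, dst, dport = packet
    if not (flt["ether"].matches(ether) and flt["proto"].matches(proto)):
        return False
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    def endpoints(a_ip, a_port, b_ip, b_port):
        return (flt["src"].matches(a_ip) and flt["sport"].matches(a_port)
                and flt["dst"].matches(b_ip) and flt["dport"].matches(b_port))
    if endpoints(src, sport, dst, dport):
        return True
    # Assumption: bidirectional matching retries with the endpoints swapped.
    return flt["bidirectional"] and endpoints(dst, dport, src, sport)

def capture(flt, packets):
    return [packet[0] for packet in packets if packet_matches(flt, packet)]

# Constructed sample traffic: (id, ether type, IP type, src, sport, dst, dport)
PACKETS = [
    (1, 0x0800, 6, "10.1.1.1", 51000, "192.2.2.2", 22),      # TCP to SSH
    (2, 0x0800, 6, "10.1.1.1", 51001, "192.2.2.2", 80),      # TCP to HTTP
    (3, 0x0800, 6, "192.2.2.2", 22, "10.1.1.1", 51000),      # SSH reply
    (4, 0x0800, 17, "10.1.1.1", 5353, "192.2.2.2", 53),      # UDP
    (5, 0x0806, None, "10.1.1.1", None, "192.2.2.2", None),  # ARP
    (6, 0x0800, 1, "10.1.1.1", None, "192.2.2.2", None),     # ICMP
]
```

With IP Type(s) set to TCP, 0x1, Source IP Address(es) set to 10.1.1.1 and Destination Port(s) set to !80, !8080, the model keeps packets 1 and 6; enabling bidirectional matching also keeps the reply in packet 3, which is the difference to check when a capture appears to show only one side of a conversation.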


Configuring Display Filter Settings

This section describes how to configure packet monitor display filter settings. The values that you provide here are compared to corresponding fields in the captured packets, and only those packets that match are displayed. These settings apply only to the display of captured packets on the management interface, and do not affect packet mirroring.

If a field is left blank, no filtering is done on that field. Packets are displayed without regard to the value contained in that field of their headers.

To configure Packet Monitor display filter settings:

1 Navigate to the System | Diagnostics > Packet Monitor page.

2 Click Configure.

3 In the Packet Monitor Configuration window, click the Display Filter view.

4 In the Interface Name(s) box, type the SonicWall appliance interfaces for which to display packets, or use the negative format (!X0) to display packets captured from all interfaces except those specified. You can specify up to ten interfaces separated by commas. Refer to the Network > Interfaces screen in the management interface for the available interface names.

5 In the Ether Type(s) box, enter the Ethernet types for which you want to display packets, or use the negative format (!ARP) to display packets of all Ethernet types except those specified. You can specify up to ten Ethernet types separated by commas. Currently, the following Ethernet types are supported: ARP, IP, PPPoE-SES, and PPPoE-DIS. The latter two can be specified by PPPoE alone. You can also use hexadecimal values to represent the Ethernet types, or mix hex values with the standard representations; for example: ARP, 0x800, IP. Normally you would only use hex values for Ethernet types that are not supported by acronym in SonicOS Enhanced. See Supported Packet Types.

6 In the IP Type(s) box, enter the IP packet types for which you want to display packets, or use the negative format (!UDP) to display packets of all IP types except those specified. You can specify up to ten IP types separated by commas. The following IP types are supported: TCP, UDP, ICMP, GRE, IGMP, AH, ESP. You can also use hexadecimal values to represent the IP types, or mix hex values with the standard representations; for example: TCP, 0x1, 0x6. See Supported Packet Types. To display all IP types, leave blank.

7 In the Source IP Address(es) box, type the IP addresses from which you want to display packets, or use the negative format (!10.1.2.3) to display packets captured from all source addresses except those specified.


8 In the Source Port(s) box, type the port numbers from which you want to display packets, or use the negative format (!25) to display packets captured from all source ports except those specified.

9 In the Destination IP Address(es) box, type the IP addresses for which you want to display packets, or use the negative format (!10.1.2.3) to display packets with all destination addresses except those specified.

10 In the Destination Port(s) box, type the port numbers for which you want to display packets, or use the negative format (!80) to display packets with all destination ports except those specified.

11 To match the values in the source and destination fields against either the source or destination information in each captured packet, select Enable Bidirectional Address and Port Matching.

12 To display captured packets that the SonicWall appliance forwarded, select Forwarded.

13 To display captured packets that the SonicWall appliance generated, select Generated.

14 To display captured packets that the SonicWall appliance consumed, select Consumed.

15 To display captured packets that the SonicWall appliance dropped, select Dropped.

16 To save your settings and exit the configuration window, click OK.

Configuring Logging Settings

This section describes how to configure Packet Monitor logging settings. These settings provide a way to configure automatic logging of the capture buffer to an external FTP server. When the buffer fills up, the packets are transferred to the FTP server. The capture continues without interruption.

If you configure automatic FTP logging, this supersedes the setting for wrapping the buffer when full. With automatic FTP logging, the capture buffer is effectively wrapped when full, but you also retain all the data rather than overwriting it each time the buffer wraps.

To configure logging settings:

1 Navigate to the System | Diagnostics > Packet Monitor page.

2 Click Configure.

3 In the Packet Monitor Configuration window, click the Logging view.


4 In the FTP Server IP Address box, type the IP address of the FTP server.

5 In the Login ID box, type the login name that the SonicWall appliance should use to connect to the FTP server.

6 In the Password box, type the password that the SonicWall appliance should use to connect to the FTP server.

7 In the Directory Path box, type the directory location for the transferred files. The files are written to this location relative to the default FTP root directory. For libcap format, files are named “packet-log--<>.cap”, where the <> contains a run number and date including hour, month, day, and year. For example, packet-log--3-22-08292006.cap. For HTML format, file names are in the form “packet-log_h-<>.html”. For example, an HTML file name is: packet-log_h-3-22-08292006.html.

8 To enable automatic transfer of the capture file to the FTP server when the buffer is full, select Log To FTP Server Automatically. Files are transferred in both libcap and HTML format.

9 To enable transfer of the file in HTML format as well as libcap format, select Log HTML File Along With .cap File (FTP).

10 To test the connection to the FTP server and transfer the capture buffer contents to it, click Log Now. In this case the file name contains an ‘F’. For example, packet-log-F-3-22-08292006.cap or packet-log_h-F-3-22-08292006.html.

11 To save your settings and exit the configuration window, click OK.

NOTE: Make sure that the FTP server IP address is reachable by the SonicWall appliance. An IP address that is reachable only through a VPN tunnel is not supported.

Configuring Advanced Monitor Filter Settings

This section describes how to configure monitoring for packets generated by the SonicWall appliance and for intermediate traffic.

1 Navigate to the System | Diagnostics > Packet Monitor page.

2 Click Configure.

3 In the Packet Monitor Configuration window, click the Advanced Monitor Filter view.

4 To monitor packets generated by the SonicWall appliance, select Monitor Firewall Generated Packets. Even when other monitor filters do not match, this option ensures that packets generated by the SonicWall appliance are captured. This includes packets generated by HTTP(S), L2TP, DHCP servers, PPP, PPPOE, and routing protocols. Captured packets are marked with ‘s’ in the incoming interface area when they are from the system stack. Otherwise, the incoming interface is not specified.

5 To monitor intermediate packets generated by the SonicWall appliance, select Monitor Intermediate Packets. Selecting this check box enables, but does not select, the subsequent check boxes for monitoring specific types of intermediate traffic. Select the check box for any of the following options to monitor that type of intermediate traffic:

• Monitor intermediate multicast traffic – Capture or mirror replicated multicast traffic.

• Monitor intermediate IP helper traffic – Capture or mirror replicated IP Helper packets.

• Monitor intermediate reassembled traffic – Capture or mirror reassembled IP packets.

• Monitor intermediate fragmented traffic – Capture or mirror packets fragmented by the firewall.

• Monitor intermediate remote mirrored traffic – Capture or mirror remote mirrored packets after de-encapsulation.

• Monitor intermediate IPsec traffic – Capture or mirror IPSec packets after encryption and decryption.

• Monitor intermediate SSL decrypted traffic – Capture or mirror decrypted SSL packets. Certain IP and TCP header fields might not be accurate in the monitored packets, including IP and TCP checksums and TCP port numbers (remapped to port 80). DPI-SSL must be enabled to decrypt the packets.

• Monitor intermediate decrypted LDAP over TLS packets – Capture or mirror decrypted LDAPS packets. The packets are marked with “(ldp)” in the ingress/egress interface fields and have dummy Ethernet, IP, and TCP headers with some inaccurate fields. The LDAP server is set to 389. Passwords in captured LDAP bind requests are obfuscated.

• Monitor intermediate decrypted Single Sign On agent messages – Capture or mirror decrypted messages to or from the SSO Agent. The packets are marked with “(sso)” in the ingress/egress interface fields and have dummy Ethernet, IP, and TCP headers with some inaccurate fields.

6 To save your settings and exit the configuration window, click OK.

NOTE: Monitor filters are still applied to all selected intermediate traffic types.

Configuring Mirror Settings

This section describes how to configure Packet Monitor mirror settings. Mirror settings provide a way to send packets to a different physical port of the same firewall or to send packets to, or receive them from, a remote SonicWall firewall.

To configure mirror settings:

1 Navigate to the System | Diagnostics > Packet Monitor page.

2 Click Configure.

3 In the Packet Monitor Configuration window, click the Mirror view.

4 Under Mirror Settings, type the desired maximum mirror rate into the Maximum mirror rate (in kilobits per second) field. If this rate is exceeded during mirroring, the excess packets will not be mirrored and will be counted as skipped packets. This rate applies to both local and remote mirroring. The default and minimum value is 100kbps, and the maximum is 1Gbps.

5 Select Mirror only IP packets to prevent mirroring of other Ether type packets, such as ARP or PPPoE. If selected, this option overrides any non-IP Ether types selected on the Monitor Filter tab.

6 Under Local Mirror Settings, select the destination interface for locally mirrored packets in the Mirror filtered packets to Interface (NSA platforms only) drop-down list.

7 Under Remote Mirror Settings (Sender), in the Mirror filtered packets to remote SonicWall firewall (IP Address) field, type the IP address of the remote SonicWall to which mirrored packets are sent.

NOTE: The remote SonicWall must be configured to receive the mirrored packets.

8 In the Encrypt remote mirrored packets via IPSec (preshared key-IKE) field, type the pre-shared key to be used to encrypt traffic when sending mirrored packets to the remote SonicWall. Configuring this field enables an IPSec transport mode tunnel between this appliance and the remote SonicWall. This pre-shared key is used by IKE to negotiate the IPSec keys.

NOTE: The Encrypt remote mirrored packets through IPSec (preshared key-IKE) option is inactive in SonicOS Enhanced 5.6.

9 Under Remote Mirror Settings (Receiver), in the Receive mirrored packets from remote SonicWall firewall (IP Address) field, type the IP address of the remote SonicWall from which mirrored packets are received.

NOTE: The remote SonicWall must be configured to send the mirrored packets.

10 In the Decrypt remote mirrored packets via IPSec (preshared key-IKE) field, type the pre-shared key to be used to decrypt traffic when receiving mirrored packets from the remote SonicWall. Configuring this field enables an IPSec transport mode tunnel between this appliance and the remote SonicWall. This pre-shared key is used by IKE to negotiate the IPSec keys.

NOTE: The Decrypt remote mirrored packets through IPSec (preshared key-IKE) option is inactive in SonicOS 5.6.


11 To mirror received packets to another interface on the local SonicWall, select the interface from the Send received remote mirrored packets to Interface (NSA platforms only) drop-down list.

12 To save received packets in the local capture buffer, select Send received remote mirrored packets to capture buffer. This option is independent of sending received packets to another interface, and both can be enabled.

13 To save your settings and exit the configuration window, click OK.

Supported Packet Types

When specifying the Ethernet or IP packet types that you want to monitor or display, you can use either the standard acronym for the type, if supported, or the corresponding hexadecimal representation. To determine the hex value for a protocol, refer to the RFC for the number assigned to it by IANA. The protocol acronyms that GMS currently supports are shown in Supported Packet Types.

Supported Packet Types

Supported Types – Protocol Acronyms

• Supported Ethernet Types – ARP, IP, PPPoE-DIS, PPPoE-SES

NOTE: To specify both PPPoE-DIS and PPPoE-SES, you can simply use PPPoE.

• Supported IP Types – TCP, UDP, ICMP, IGMP, GRE, AH, ESP

Using Packet Monitor and Packet Mirror

In addition to Configure, the Packet Monitor page provides several buttons for general control of the packet monitor feature and display.

• Monitor All – Resets current monitor filter settings and advanced page settings so that traffic on all local interfaces is monitored. A confirmation dialog box displays when you click this button.

• Monitor Default – Resets current monitor filter settings and advanced page settings to factory default settings. A confirmation dialog box displays when you click this button.

• Clear – Clears the packet monitor queue and the displayed statistics for the capture buffer, mirroring, and FTP logging. A confirmation dialog box displays when you click this button.

The other buttons and displays on this page are described in the following sections:

• Starting and Stopping Packet Capture

• Starting and Stopping Packet Mirror

Starting and Stopping Packet Capture

You can start a packet capture that uses default settings without configuring specific criteria for packet capture, display, FTP export, and other settings. If you start a default packet capture, the SonicWall appliance captures all packets except those for internal communication, and stops when the buffer is full or when you click Stop Capture.

1 (optional) Click Clear to set the statistics back to zero.

2 Under Packet Monitor, click Start Capture.

3 To stop the packet capture, click Stop Capture.

Starting and Stopping Packet Mirror

You can start packet mirroring that uses your configured mirror settings by clicking Start Mirror. It is not necessary to first configure specific criteria for display, logging, FTP export, and other settings. Packet mirroring stops when you click Stop Mirror.

1 Under Packet Monitor, click Start Mirror to start mirroring packets according to your configured settings.

2 To stop mirroring packets, click Stop Mirror.


SonicWall Support

Technical support is available to customers who have purchased SonicWall products with a valid maintenance contract and to customers who have trial versions.

The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. To access the Support Portal, go to https://www.sonicwall.com/support.

The Support Portal enables you to:

• View knowledge base articles and technical documentation

• View video tutorials

• Access MySonicWall

• Learn about SonicWall professional services

• Review SonicWall Support services and warranty information

• Register for training and certification

• Request technical support or customer service

To contact SonicWall Support, visit https://www.sonicwall.com/support/contact-support.


About This Document

Management Services System Diagnostics Administration

Updated - November 2018

232-004552-00 Rev A

Copyright © 2018 SonicWall Inc. All rights reserved.

SonicWall is a trademark or registered trademark of SonicWall Inc. and/or its affiliates in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners.

The information in this document is provided in connection with SonicWall Inc. and/or its affiliates’ products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of SonicWall products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, SONICWALL AND/OR ITS AFFILIATES ASSUME NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL SONICWALL AND/OR ITS AFFILIATES BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF SONICWALL AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SonicWall and/or its affiliates make no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. SonicWall Inc. and/or its affiliates do not make any commitment to update the information contained in this document.

For more information, visit https://www.sonicwall.com/legal.

End User Product Agreement

To view the SonicWall End User Product Agreement, go to: https://www.sonicwall.com/en-us/legal/license-agreements. Select the language based on your geographic location to see the EUPA that applies to your region.

Open Source Code

SonicWall is able to provide a machine-readable copy of open source code with restrictive licenses such as GPL, LGPL, AGPL when applicable per license requirements. To obtain a complete machine-readable copy, send your written requests, along with certified check or money order in the amount of USD 25.00 payable to “SonicWall Inc.”, to:

General Public License Source Code Request
SonicWall Inc. Attn: Jennifer Anderson
1033 McCarthy Blvd
Milpitas, CA 95035

Legend

WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.
