System Requirements
New Features in Scrutinizer 11.5.2
How to Upgrade to the Licensed Version
Related Technical Documentation
Scrutinizer Product Overview
Dell SonicWALL Scrutinizer is a network traffic monitoring, analysis and reporting tool. Scrutinizer is a mature and
feature rich flow analytic platform.
Scrutinizer is used to monitor the overall health of the network, troubleshoot irregular network traffic patterns and
optimize network performance. The Scrutinizer application is run on a Windows server and accessible through a
web-based Graphical User Interface (GUI). IT administrators use Dell SonicWALL Scrutinizer to collect, monitor,
and analyze data on user and application usage across the network. Scrutinizer provides administrators with great
insight into how the network is being used through the use of highly customized granular reporting. Administrators
can be alerted based upon a set threshold or on a pre-determined schedule.
Scrutinizer supports a wide variety of flow protocols allowing compatibility with virtually every collector available in
the market today. In addition to Dell SonicWALL’s pioneering IPFIX implementation in SonicOS 5.8+, Scrutinizer
also supports Cisco’s Flexible NetFlow. Customers utilizing Scrutinizer receive even greater value for their
investment as the software can be utilized to monitor an ever increasing number of switches and routers, due to
support for numerous additional industry standards such as NetFlow v5, NetFlow v9, sFlow and J-Flow. Additional
supported hardware vendors include Enterasys, Foundry, Juniper, Riverbed, VMware, Citrix, ADTRAN, Nortel and
many others.
Supporting a broad range of network devices, flow protocols, and application types, Scrutinizer is flexible enough to
be utilized on virtually any network. Administrators are able to leverage reports to reach a level of visibility
previously not possible. The network mapping feature allows administrators visibility into almost every link on the
network, greatly enhancing troubleshooting efforts. Scrutinizer’s powerful analytics engine provides users with
in-depth traffic analysis which was previously only available through packet-based instrumentation. Advanced
analysis algorithms and premier industry usage of IPFIX and NBAR-based technologies are at the core of
Scrutinizer’s impressive set of application level reporting and alerting capabilities.
Scrutinizer is a free tool for download by any IT professional. Three of the main limitations of the free product are
that it:
• Only stores a maximum of 24 hours of data
• Does not include most Dell SonicWALL specific reports
• Can only support up to five devices
For the first 30 days after installation, the free Scrutinizer product includes the Flow Analytics Module. To make use
of the features available in the Flow Analytics Module beyond the first 30 days, you have to purchase and activate a
Flow Analytics Module license.
There are three optional add-on modules for Scrutinizer which are sold separately: the Flow Analytics Module, the
Multi-Tenancy Module, and the Advanced Reporting Module.
P/N 232-002504-00 Rev A
Dell SonicWALL Scrutinizer 11.5.2 Release Notes
Release Notes
Scrutinizer Base Product
The base Scrutinizer product includes many great features such as:
Administration
• Customizable Dashboards
• Group Based User Permissions
• Unique Dashboards per login
With Scrutinizer’s suite of built-in administrative tools, customizing specific user logins and dashboards is a breeze.
Administrators can create specific permissions based upon a particular user identity or create group based user
permissions for entire departments. The Dashboard can be customized on a per-user basis to provide the
information that is most relevant to each user.
Alerting
• Support for on-demand email reporting
• Ability to batch schedule and email reports to administrators
Scrutinizer was built with ease of use in mind. With Scrutinizer’s alerting features administrators have “set it and
forget it” flexibility when it comes to reporting. Reports can be run based upon a specific schedule or triggered when
event thresholds are exceeded. Once configured, reports can be automatically batched and emailed to
administrators in several formats.
Flexible Reporting
• In the Free version, data can be archived for up to 24 hours. Data can be saved longer if a commercial
version is purchased.
• Extensive Flexible NetFlow template support
• Granularly defined reports down to the second which can include / exclude data filters
• Create and save templates to easily reuse for future reporting
• Create application group reports based upon specific ports or subnets
• Display data by number of bits, bytes, packets or as a percentage of total traffic
• Per interface, host, protocol, application, or conversation reporting
• Trend data in, out, or bi-directionally
Granular, flexible reporting is the heart of the Scrutinizer product. Administrators have endless possibilities for
generating reports based upon general or very specific criteria. Want to know which users are consuming the most
bandwidth? Would you like that done per bit, byte or packet? What about which protocols are being most heavily
utilized on a particular subnet?
Security
• Easily configure DNS caching time limits
• See all traffic ‘Host to Host’ or ‘Subnet to Subnet’
• Easily filter and display traffic based upon TCP flags
• Track flow sequence numbers to trend traffic patterns
• Quickly identify MITM servers on the network (DNS, DHCP, SMB, etc.)
With all of these great features it’s no wonder Scrutinizer is invaluable when it comes to security. Administrators can
toggle between various reports to easily identify traffic flowing from host to host or subnet to subnet. Tracking flow
sequence numbers and trending traffic patterns has never been easier. Further, Scrutinizer can quickly identify
rogue servers placed on the network attempting a Man-in-the-Middle attack against such services as DNS, DHCP,
SMB, and more.
Supported Protocols & Other Technical Specifications
• Granularly define reports down to specific interfaces across multiple routers, switches, or firewalls
• Easily integrate 3rd party application and URLs into dashboards
• Integrates with LDAP servers
• Support for SNMPv1, SNMPv2c, and SNMPv3
• Support for all industry standard flow analytics (IPFIX, NetFlow v5, NetFlow v9, FnF, sFlow, J-Flow)
• Configurable to over 1000 interfaces and several hundred exporters
• Create filters based upon next routing hop
• Filter on any exported field such as VLAN id, L2 Address, L3 Address, and latency
• Immediate cost savings by not requiring the purchase of an expensive Microsoft Database server
• Capable of handling up to 20,000 (40,000 with the Virtual Appliance) flows per second on an unlimited
number of UDP ports
From a technological stand-point, Scrutinizer leaves similarly priced flow analyzer products in the dust. Scrutinizer’s
robust and superior features such as LDAP integration and support for every industry standard flow protocol in the
market today provide enormous value. When configured appropriately the Scrutinizer engine can receive up to
20,000 (40,000 with the Virtual Appliance) flows per second on over 1,000 different interfaces. Customizable
dashboard ‘mashups’ allow for 3rd party applications and URLs to be imported directly into Scrutinizer, making it the
only application needed to know exactly what’s on the network.
Troubleshooting
• Easily identify link failures
• Easily identify specific link traffic statistics
• Easily identify QoS across the network by analyzing jitter & latency
• Easily find out where the ‘slowness’ on the network is occurring
• Plan for network growth
Administrators can use Scrutinizer to monitor the volume of traffic on their network and analyze how it fluctuates
over time. In fact, Scrutinizer’s ‘network volume gadget’ feature can be utilized to see the number of unique hosts
and well known applications being accessed. This report shows trending information on the number of hosts
accessing the network, providing the IT administrator with insight into increases over time. Additionally, reports can
be limited by time range (such as 9am to 5pm) to monitor network traffic volume during peak business hours.
Scrutinizer can also be used to identify bottlenecks on the network. For example, when streaming video or VoIP is
deployed on the network, automatic alerts could be configured in Scrutinizer to email the IT administrator notifying
him of packet-loss, delays in packet arrival, or packets arriving out of order. This provides an IT admin the ability to
proactively know of call quality degradation even before users complain of an issue.
Visibility
• Trend analysis reports on archived data
• Easily see the top 5 interfaces across all routers, switches & firewalls
• Integrated Google Maps viewing allows for visual representations of distributed network
• Flexible viewing options allow data to be seen from different angles (pie, bar, matrix, line)
Various viewing options within Scrutinizer, such as the matrix view, provide an innovative tool for better visualization
of traffic flows. Based on criteria established when the report is generated, administrators can toggle to different
views to see a graphical map of where traffic is flowing. The ‘Matrix’ enables administrators to easily visualize which
systems a particular host has been accessing.
Flow Analytics Module
The Flow Analytics Module brings traffic flow diagnostics to the next level by adding historical reporting for an
unrestricted period of time, advanced alarming with the ability to set thresholds, role-based administration, and
in-depth traffic analysis algorithms to the Scrutinizer software. It can easily identify top applications, conversations,
flows, protocols, domains, countries, and subnets on the network, as well as watch for and alert on suspicious or
potentially hazardous network behavior patterns thereby providing administrators with greater network security
awareness.
In addition to the base-level features Scrutinizer with the add-on Flow Analytics module provides several additional
advanced features, such as:
• Flexible Reporting
  o Dell SonicWALL specific templates for reporting
  o Special traffic analysis reports such as Flow Volume & NBAR Support
  o MPLS reporting by subnet
  o Microsoft Exchange log trend analysis
  o Puts information at administrators’ fingertips
    - Easily identify the top applications being utilized on the network
    - Easily identify the top country of origin for traffic flowing across the network
    - Easily identify the top domains being accessed
    - Easily identify the top subnets being utilized on the network
With the addition of the Flow Analytics module Scrutinizer becomes an even more powerful reporting engine
offering even greater flexibility and granularity. In addition to all the reporting functions provided in the base edition,
Scrutinizer with Flow Analytics adds advanced reporting options such as flow volume, MPLS by subnet, Microsoft
Exchange log trending and NBAR support. Administrators have a wealth of information right at their fingertips.
IT administrators can create custom reports by applying filters to granularly define the specific information desired.
Once created, custom reports can be saved for later use. Custom Reports allow the user to configure detailed
reports by filtering on fields such as: IP Addresses, ranges and subnets; Port numbers and ranges; Defined
applications including ranges of protocols and groups of protocols; Multiple interfaces from different routers and
switches; Any exported field available via NetFlow or IPFIX; Dynamic QoS monitoring; Detailed security / forensic
information.
The Flow Analytics Module adds several additional flow based traffic analysis report types. Examples include but
are not limited to: Granular IPFIX based application visualization reports for Dell SonicWALL products; Flexible
NetFlow NBAR-based application reports (requires IOS v15 on Cisco routers); Conversations to/from host pairs and
applications used; Flow reports with ToS field; Host flow reports to show hosts sending or receiving the most flows;
Host volume reports to show the volume of unique hosts per second; Pair volume reports to show the volume of
unique to/from address pairs per second.
• ‘Set It & Forget It’ Alerting
  o Easily create alerts to notify administrators of unfinished flows or nefarious activities
  o Alerts can trigger email notifications, SNMP traps, syslog messages, and script execution (facilitating
    event remediation)
  o Alarms can be configured to alert administrators based upon specific interface utilization
  o Administrators can be alerted based on any pre-defined report
  o Reports can be scheduled, then emailed to administrators
  o Administrators can proactively monitor QoS of RTSP traffic
The Flow Analytics add-on to Scrutinizer provides administrators with greater automation control making routine
advanced reporting a snap. Alerts can be configured based upon everything from unfinished flows to specific
interface utilization. Further, administrators can configure QoS thresholds to proactively be alerted of RTSP latency
and jitter before end users even report a problem.
Using saved Scrutinizer reports, the Flow Analytics Module can monitor and send out syslogs when traffic patterns
violate specified thresholds. For example, the Flow Analytics Module can be used to monitor an application for a
certain ToS
The enhanced security functionality alone makes Scrutinizer with Flow Analytics an invaluable tool in an
administrator’s arsenal. Know exactly what is happening on the network: where traffic originated, where it is going
and what type of traffic it is. Is someone planning an attack by scanning the corporate network? Did one of the
servers get infected with malware and launch a DDoS attack? Scrutinizer can automatically detect these activities
and alert administrators immediately upon detection.
At the heart of Scrutinizer’s attack detection capabilities are a behavioral analysis engine and a periodically updated
known threats database. IT administrators can use Scrutinizer to identify and alert on threats such as DDoS
attacks, port scanning, and attacks from infected hosts behind the firewall. In turn this allows the administrator to
remediate threats by making configuration changes, disabling ports, and modifying ACLs on routers, switches
and firewalls. Scrutinizer uses configurable algorithms to analyze flow data from the entire network infrastructure,
or from a pre-configured sub-selection of devices and exporter tables, to automatically send syslog messages when
trouble arises. Using Scrutinizer, IT staff can identify: RST/ACK worms, zero-day worms, SYN Floods, DoS, DDoS
attacks, NULL, FIN, XMAS scans, port scanning, P2P file sharing, Excessive ICMP unreachable, Excessive
Multicast traffic, Prohibited traffic being tunneled through allowed protocols (DPI on TCP port 80), Known
compromised internet hosts, illegal IP addresses, Policy violations and internal misuse, Poorly configured or rogue
devices, Unauthorized application deployments
within a class A subnet.
The Flow Analytics Module can utilize the local DNS to resolve IP addresses in real-time. This allows Scrutinizer to
group traffic into domains without having to define ranges of IP addresses which could otherwise quickly become a
nightmare to manage. With this feature, Scrutinizer can be configured to monitor traffic to or from specific domains
and alert an administrator when preconfigured thresholds are met or exceeded.
The history of repeat offenders can be easily identified through the use of a Unique Index (UI) to manage traffic
counts. In addition, the Flow Analytics Module helps locate machines involved with DDoS attacks or infected with
viruses/worms.
The Flow Expert Window provides insight to immediate network problems as they occur to identify and resolve DoS
attacks, bottlenecks, network scans, improperly terminated connections and more. Traditionally, the functionality
provided by this "Expert Window" feature has only been found in packet analyzers.
• Supported protocols & other technical specifications
  o Support for L7 application awareness by using NBAR or IPFIX
  o Automatic DNS resolution
Advanced Troubleshooting
The Flow Analytics Module enables advanced troubleshooting techniques, such as:
• Begin capacity planning for growing networks
• Easily identify the volume of flows per host
• Easily identify the volume of traffic flowing between a pair of hosts
• Easily identify the volume of unique hosts per second traversing the network
• Peer into VoIP traffic when using IPFIX to see granular metrics such as codec & caller ID
Tired of looking at a list of meaningless IP addresses? Wouldn’t it be great if the flow-analyzer could perform
reverse DNS lookups on those addresses in real time? Want to know what specific Web 2.0 applications are being
accessed on the network? Scrutinizer with the Flow Analytics module can do all that. Administrators running
Flexible NetFlow with NBAR or IPFIX with extensions can easily identify applications such as YouTube, Facebook,
eBay and more instead of just seeing ’TCP port 80’ on the report.
IT administrators can use Scrutinizer to analyze Voice over IP (VoIP) traffic and determine: the amount of voice
traffic into and out of the network over time; what users are involved with the most VoIP traffic; the caller ID of
destination and source; QoS statistics such as Latency/Jitter and packet loss of each call; what audio codec is
being utilized; and whether the router is modifying DSCP values.
By using multiple servers to act as distributed flow data collectors, Scrutinizer can be deployed as a distributed
solution accessible through a single central web based interface allowing for easy scalability to support enterprise
level networks.
Dozens of distributed collectors can be deployed and, depending on the volume of flow data being received by each
collector, a single deployment of Scrutinizer can potentially support hundreds of firewalls, routers and switches.
Network topology maps come to life in Scrutinizer as links change in color and thickness with variations in network
utilization. Clicking on a link in a network topology map brings up useful traffic statistics such as top talkers and top
conversations within the last minute.
IT administrators can use Scrutinizer to plot network appliances such as firewalls, routers, and switches on a
Google map embedded in the Scrutinizer application. Using this geographic map as a starting point into all network
analysis provides traffic details collected and organized for easy visualization in Scrutinizer.
Multi-Tenancy Module
The Dell SonicWALL Multi-Tenancy Module (only available as an add-on for Dell SonicWALL Scrutinizer with the
Flow Analytics Module) adds several features that are especially useful for Managed Service Providers (MSPs) and
Internet Service Providers (ISPs).
As a service provider or IT organization, delivering information about the performance of the infrastructure and
services you are providing to the end-user is critical. With Scrutinizer MTM, you have the secure flexibility needed to
deliver a controlled, secure and segregated reporting experience per customer or user.
• Allows permissions to be configured per router / switch / interface, etc. per login account.
• Style Sheets are easily modified with several defaults to change the colors and fonts to match the Service
Provider’s marketing efforts. Most logos can be changed as well.
• Definable default landing page when customer logs in.
• Unique language support per login account.
• Allows integration of 3rd party applications and URLs into mashups.
Mashups for easy accessibility
Utilizing simple web technology, Scrutinizer allows anyone to easily assemble a URL into a mashup or third party
application to directly import and display important information regarding the activity of a specific host or application
on your network into the Scrutinizer dashboard.