System Requirements
Enhancements in SonicWALL Scrutinizer 9.0.1
Key Features in SonicWALL Scrutinizer 9.0
Scrutinizer Product Overview
Known Issues
How to Upgrade to the Licensed Version
Related Technical Documentation

System Requirements
Scrutinizer 9.0.1 is supported on systems with the following:
Minimum System Requirements (for trial installations)
• 4 GB RAM
• 50 GB IDE or SATA Hard Disk
• Dual Core 2GHz+ Processor
• Windows Vista / 2008 / 7 Operating System
Recommended System Requirements (for production environments)
• 8 GB RAM
• 1+ TB 15k SCSI in a RAID 0 or 10 configuration Hard Disk
• Quad Core 2GHz+ Processor
• Windows 2008 Server
Enhancements in SonicWALL Scrutinizer 9.0.1
Scrutinizer version 9.0.1 introduces the following new enhancements:
• Denika Threshold Policy
• NBAR Application Latency Reports
• Open Source Method Back Up
• Custom Template ID Added in the Available Reports List
• Chinese Localization
• Business Hours Reports
• Device IP Callouts
• Command Line Reset
P/N 232-000861-00 Rev A
SonicWALL Scrutinizer 9.0.1 Release Notes
Key Features in SonicWALL Scrutinizer 9.0
The following enhancements are new in the SonicWALL Scrutinizer 9.0 release:
•Enhanced Notifications and Facilitation of Automatic Remediation: In version 8.6 and earlier versions,
Scrutinizer only sent syslogs. Version 9 adds the ability to send notifications and escalate issues. If the first
person notified doesn’t clear the alarm within a given time period, a second person, third person, and so on can
be notified via email, pager, and other options listed below.
Notifications can be sent when alarms are triggered based upon specific SonicWALL firewall security related
events.
New notification options include:
1. Email notifications about network activity can be sent to administrators using mobile and other devices.
2. SNMP Traps can be triggered allowing for greater integration with existing notification options.
3. Syslog Messages allow for greater remediation when integrated with third party SIEM products such as
ArcSight.
4. Script execution allows for automatic remediation eliminating the need for manual intervention.
Scrutinizer now facilitates automatic remediation based on specific events: Previous versions of Scrutinizer, like
most other third party flow analytic applications, only provided messages to the user when alarms were
triggered. By adding SNMP Traps & Script Execution, Scrutinizer now has the potential to remediate events.
For example, SonicWALL IPS sees an attack occurring on the LAN, an alarm in Scrutinizer is triggered which in
turn sends an SNMP Trap to the Cisco switch to shut down the interface being used in the attack.
•Advanced SonicWALL VPN Reporting with granular drilldown capabilities including:
Reports are available for both site-to-site VPN connections and remote user IPSec VPN connections, i.e. Global
VPN Client connections
User Details include user name, authentication method, and domain for detailed reporting on specific users.
Reporting data can be cross referenced with the friendly VPN name, the remote system’s IP address and the
local system’s IP address.
New SonicWALL Scrutinizer VPN Report Type
•Enhanced SonicWALL VoIP Reporting including:
o SonicWALL VoIP conversations reports have been optimized.
o SonicWALL VoIP call filtering now allows for partial text matching.
Enhanced SonicWALL VoIP Conversation Report
SonicWALL VoIP Call Filter Now Supports Partial Text Matches
•Enhanced Cisco Reporting in support of recently introduced Cisco technologies:
Smart Logging and Telemetry (SLT) is a single mechanism of logging and telemetry of traffic that is associated
to a specific event on a switch (for example, an event triggered by an ACL-permitted or ACL-denied packet).
SLT is a threat detection technology and is intended to be used as follows. An admin will configure one or more
Access Control Lists (ACL) on the switch. If an end system violates an ACL, some of the packets will be
captured and sent off in a NetFlow datagram with the name of the ACL that was violated. Scrutinizer version 9
can collect and report on these NetFlow messages.
Cisco TrustSec (CTS) is an umbrella term for security improvements to Cisco network devices based on the
capability to strongly identify users, hosts and network devices within a network. Each CTS Group is a secure
network establishing a domain of trusted network devices. Every device in the Security Group Access (SGA)
domain is authenticated by its peer device. Communication on the links between devices in the SGA domain is
secured with a combination of encryption, message integrity checks, and data-path replay protection
mechanisms. NetFlow reporting allows administrators to monitor the traffic from, and between, the different
CTS groups.
Performance Routing (PfR) complements traditional routing technologies by using the intelligence of a Cisco
IOS infrastructure to improve application performance and availability. PfR enhances routing in order to select
the best path based on user defined policy. The PfR policy can minimize cost efficiently by distributing traffic
load and/or selecting the optimum performing path for applications. PfR NetFlow reports provide details on
active and passive traffic. Active traffic is where the router makes routine connections and exports the
performance results, e.g. out of policy, in NetFlow. Passive traffic can also be monitored and measured for
performance and metrics are exported in NetFlow.
MediaNet Performance Monitoring reports on top interfaces with the most jitter/latency.
All these features require the Cisco Advanced Reporting Module.
New Host Destination Report
•Advanced Citrix Reporting with granular drill down capabilities including:
o URLs providing reporting insight into web servers and databases being accessed
o Applications providing reporting insight into applications being accelerated via NetScaler
o Latency providing reporting insight into the health and delay as seen by NetScaler
Note: Citrix NetScaler makes applications and cloud-based services run five times better by offloading
application and database servers, accelerating application and service performance, and integrating security.
All these features require the new Citrix Advanced Reporting Module.
•Device Overview Dashboards provide details on the host status and outstanding alarms
o Gadgets can be imported including the real-time view of application usage screen in SonicOS
o Service Level Reports list availability and latency trends on all devices polled
•Scrutinizer Cross Check provides integration with third party monitoring and flow analytic tools such as
WhatsUp Gold, Orion, SNMPc, Uptime Devices and Nimsoft. This new module’s capabilities include:
o Cross Check creates central inventory of all network devices managed by other analytic tools displaying
several attributes including device name, IP address, and status.
o Flowalyzer Poller continually assesses the status of devices identified by Cross Check and provides
updates to Scrutinizer via IPFIX messages.
o Cross Check references the status of devices as known by Scrutinizer with other third party management
products to monitor if flow data is arriving properly and whether devices are being polled correctly
o Fault index measurements indicate device status across numerous management systems using
configurable severity levels. Syslog notifications can be sent out if predefined threshold levels are met.
o Clickable inventory provides users with direct links to integrated third party applications providing easy access
to devices that are managed via these other applications.
o Inventory groupings can be created allowing for easy monitoring of network segments regardless of
whether the appliances are managed by Scrutinizer or a third party application.
o Cross Check was created directly in response to large MSP and enterprise customer demands for third
party integration.
All these features require the Cross Check Module.
•Improved SonicWALL report searching capabilities--It is now possible to search on portions of a URL rather
than the exact URL
Scrutinizer Product Overview
SonicWALL Scrutinizer is a network traffic monitoring, analysis and reporting tool. Scrutinizer is a mature and
feature rich flow analytic platform.
Scrutinizer is used to monitor the overall health of the network, troubleshoot irregular network traffic patterns and
optimize network performance. The Scrutinizer application is run on a Windows server and is accessible through a
web-based Graphical User Interface (GUI). IT administrators use SonicWALL Scrutinizer to collect, monitor, and
analyze data on user and application usage across the network. Scrutinizer provides administrators with great
insight into how the network is being used through the use of highly customized granular reporting. Administrators
can be alerted based upon a set threshold or on a pre-determined schedule.
Scrutinizer supports a wide variety of flow protocols allowing compatibility with virtually every collector available in
the market today. In addition to SonicWALL’s pioneering IPFIX implementation in SonicOS 5.8+, Scrutinizer also
supports Cisco’s Flexible NetFlow. Customers utilizing Scrutinizer receive even greater value for their investment as
the software can be utilized to monitor an ever increasing number of switches and routers, due to support for
numerous additional industry standards such as NetFlow v5, NetFlow v9, sFlow and J-Flow. Additional supported
hardware vendors include Enterasys, Foundry, Juniper, Riverbed, VMware, Citrix, ADTRAN, Nortel and many
others.
Supporting a broad range of network devices, flow protocols, and application types, Scrutinizer is flexible enough to
be utilized on virtually any network. Administrators are able to leverage reports to reach a level of visibility
previously not possible. The network mapping feature allows administrators visibility into almost every link on the
network greatly enhancing troubleshooting efforts. Scrutinizer’s powerful analytics engine provides users with
in-depth traffic analysis which was previously only available through packet-based instrumentation. Advanced
analysis algorithms and premier industry usage of IPFIX and NBAR based technologies are at the core of
Scrutinizer’s impressive set of application level reporting and alerting capabilities.
Scrutinizer is a free tool for download by any IT professional. Three of the main limitations of the free product are
that it:
• only stores a maximum of 24 hours of data
• does not include most SonicWALL specific reports
• can only support up to five devices
For the first 30 days after installation, the free Scrutinizer product includes the Flow Analytics Module. To make use
of the features available in the Flow Analytics Module beyond the first 30 days, you have to purchase and activate a
Flow Analytics Module license.
There are five optional add-on modules for Scrutinizer which are sold separately: the Flow Analytics Module, the
Service Provider Module, the Cisco Advanced Reporting Module, the Citrix Advanced Reporting Module, and the
Cross Check Module.
Scrutinizer Base Product
The base Scrutinizer product includes many great features such as:
Administration
• Customizable Dashboards
• Group Based User Permissions
• Unique Dashboards per login
With Scrutinizer’s suite of built-in administrative tools, customizing specific user logins and dashboards is a breeze.
Administrators can create specific permissions based upon a particular user identity or create group based user
permissions for entire departments. The Dashboard can be customized on a per-user basis to provide the
information that is most relevant to each user upfront.
Alerting
• Support for on-demand email reporting
• Ability to batch schedule and email reports to administrators
Scrutinizer was built with ease of use in mind. With Scrutinizer’s alerting features administrators have ‘set it and
forget it’ flexibility when it comes to reporting. Reports can be run based upon a specific schedule or triggered when
event thresholds are exceeded. Once configured, reports can be automatically batched and emailed to
administrators in several formats.
Flexible Reporting
•In the Free version, data can be archived for up to 24 hours. Data can be saved longer if a commercial version
is purchased.
• Extensive Flexible NetFlow template support
• Granularly defined reports down to the second which can include / exclude data filters
• Create and save templates to easily reuse for future reporting
• Create application group reports based upon specific ports or subnets
• Display data by number of bits, bytes, packets or as a percentage of total traffic
• Per interface, host, protocol, application, or conversation reporting
• Trend data in, out, or bi-directionally
Granular, flexible reporting is the heart of the Scrutinizer product. Administrators have endless possibilities for
generating reports based upon general or very specific criteria. Want to know which users are consuming the most
bandwidth? Would you like that done per bit, byte or packet? What about which protocols are being most heavily
utilized on a particular subnet?
Security
• Easily configure DNS caching time limits
• See all traffic ‘Host to Host’ or ‘Subnet to Subnet’
• Easily filter and display traffic based upon TCP flags
• Quickly identify MITM servers on the network (DNS, DHCP, SMB, etc)
With all of these great features it’s no wonder Scrutinizer is invaluable when it comes to security. Administrators can
toggle between various reports to easily identify traffic flowing from host to host or subnet to subnet. Tracking flow
sequence numbers and trending traffic patterns has never been easier. Further, Scrutinizer can quickly identify
rogue servers placed on the network attempting a Man-in-the-Middle attack against such services as DNS, DHCP,
SMB, and more.
Supported Protocols & Other Technical Specifications
• Granularly define reports down to specific interfaces across multiple routers, switches, or firewalls
• Easily integrate 3rd party application and URLs into dashboards
• Integrates with LDAP servers
• Support for SNMPv1, SNMPv2c, and SNMPv3
• Support for all industry standard flow analytics (IPFIX, NetFlow v5, NetFlow v9, FnF, sFlow, J-Flow)
• Configurable to over 1000 interfaces and several hundred exporters
• Create filters based upon next routing hop
• Filter on any exported field such as VLAN id, L2 Address, L3 Address, and latency
• Immediate cost savings by not requiring the purchase of an expensive Microsoft Database server
• Capable of handling up to 20,000 flows per second on an unlimited number of UDP ports
From a technological stand-point Scrutinizer leaves similar priced flow analyzer products in the dust. Scrutinizer’s
robust and superior features such as LDAP integration and support for every industry standard flow protocol in the
market today provide enormous value. When configured appropriately the Scrutinizer engine can receive up to
20,000 flows per second on over 1,000 different interfaces. Customizable dashboard ‘mashups’ allow for 3rd party
applications and URLs to be imported directly into Scrutinizer making it the only application needed to know exactly
what’s on the network.
Troubleshooting
• Easily identify link failures
• Easily identify specific link traffic statistics
• Easily identify QoS across the network by analyzing jitter & latency
• Easily find out where the ‘slowness’ on the network is occurring
• Plan for network growth
Administrators can use Scrutinizer to monitor the volume of traffic on their network and analyze how it fluctuates
over time. In fact, Scrutinizer’s ‘network volume gadget’ feature can be utilized to see the number of unique hosts
and well known applications being accessed. This report shows trending information on the number of hosts
accessing the network providing the IT administrator with insight into increases over time. Additionally, reports can
be limited by time range (such as 9am to 5pm) to monitor network traffic volume during peak business hours.
Scrutinizer can also be used to identify bottlenecks on the network. For example, when streaming video or VoIP is
deployed on the network, automatic alerts could be configured in Scrutinizer to email the IT administrator notifying
him of packet-loss, delays in packets arrival, or packets arriving out of order. This provides an IT admin the ability to
proactively know of call quality degradation even before users complain of an issue.
Visibility
• Trend analysis reports on archived data
• Easily see the top 5 interfaces across all routers, switches & firewalls
• Integrated Google Maps viewing allows for visual representations of distributed network
• Flexible viewing options allow data to be seen from different angles (pie, bar, matrix, line)
Various viewing options within Scrutinizer, such as the matrix view, provide an innovative tool for better visualization
of traffic flows. Based on criteria established when the report is generated, administrators can toggle to different
views to see a graphical map of where traffic is flowing. The ‘Matrix’ enables administrators to easily visualize which
systems a particular host has been accessing.
Flow Analytics Module
The Flow Analytics Module brings traffic flow diagnostics to the next level by adding historical reporting for an
unrestricted period of time, advanced alarming with the ability to set thresholds, role-based administration, and
in-depth traffic analysis algorithms to the Scrutinizer software. It can easily identify top applications, conversations,
flows, protocols, domains, countries, and subnets on the network, as well as watch for and alert on suspicious or
potentially hazardous network behavior patterns thereby providing administrators with greater network security
awareness.
In addition to the base-level features, Scrutinizer with the add-on Flow Analytics module provides several additional
advanced features, such as:
•Flexible Reporting
o SonicWALL specific templates for reporting
o Special traffic analysis reports such as Flow Volume & NBAR Support
o MPLS reporting by subnet
o Microsoft Exchange log trend analysis
o Puts information at administrators’ fingertips
Easily identify the top applications being utilized on the network
Easily identify the top country of origin for traffic flowing across the network
Easily identify the top domains being accessed
Easily identify the top subnets being utilized on the network
With the addition of the Flow Analytics module Scrutinizer becomes an even more powerful reporting engine
offering even greater flexibility and granularity. In addition to all the reporting functions provided in the base edition,
Scrutinizer with Flow Analytics adds advanced reporting options such as flow volume, MPLS by subnet, Microsoft
Exchange log trending and NBAR support. Administrators have a wealth of information right at their fingertips.
IT administrators can create custom reports by applying filters to granularly define the specific information desired.
Once created, custom reports can be saved for later use. Custom Reports allow the user to configure detailed
reports by filtering on fields such as: IP Addresses, ranges and subnets; Port numbers and ranges; Defined
applications including ranges of protocols and groups of protocols; Multiple interfaces from different routers and
switches; Any exported field available via NetFlow or IPFIX; Dynamic QoS monitoring; Detailed security / forensic
information
The Flow Analytics Module adds several additional flow based traffic analysis report types. Examples include but
are not limited to: Granular IPFIX based application visualization reports for SonicWALL products; Flexible NetFlow
based application reports (requires IOS v15 on Cisco routers); Conversations to/from host pairs and NBAR
applications used; Flow reports with ToS field; Host flow reports to show hosts sending or receiving the most flows;
Host volume reports to show the volume of unique hosts per second; Pair volume reports to show the volume of
unique to/from address pairs per second
•‘Set It & Forget It’ Alerting
o Easily create alerts to notify administrators of unfinished flows or nefarious activities
o Alerts can trigger email notifications, SNMP traps, syslog messages, and script execution (facilitating event
remediation)
o Alarms can be configured to alert administrators based upon specific interface utilization
o Administrators can be alerted based on any pre-defined report
o Reports can be scheduled, then emailed to administrators
o Administrators can proactively monitor QoS of RTSP traffic
The Flow Analytics add-on to Scrutinizer provides administrators with greater automation control making routine
advanced reporting a snap. Alerts can be configured based upon everything from unfinished flows to specific
interface utilization. Further, administrators can configure QoS thresholds to proactively be alerted of RTSP latency
and jitter before end users even report a problem.
Using saved Scrutinizer reports, the Flow Analytics Module can monitor and send out syslogs when traffic patterns
violate specified thresholds. For example, the Flow Analytics Module can be used to monitor an application for a
certain ToS within a class A subnet.
•Enhanced Security Awareness
o Administrators can create a list of banned applications to be alerted upon traffic identification
o Detect malicious traffic such as DDoS attacks, worm traffic and more
o Detect numerous types of network scans such as SYN, XMAS & FIN
o Detect rogue IP addresses that lie outside of predefined subnets
The enhanced security functionality alone makes Scrutinizer with Flow Analytics an invaluable tool in an
administrator’s arsenal. Know exactly what is happening on the network: where traffic originated, where it is going
and what type of traffic it is. Is someone planning an attack by scanning the corporate network? Did one of the
servers get infected with malware and launch a DDoS attack? Scrutinizer can automatically detect these activities
and alert administrators immediately upon detection.
At the heart of Scrutinizer’s attack detection capabilities are a behavioral analysis engine and a periodically updated
known threats database. IT administrators can use Scrutinizer to identify and alert on threats such as DDoS
attacks, port scanning, and attacks from infected hosts behind the firewall. In turn this allows the administrator to
remediate threats by making configuration changes, such as disabling ports and modifying ACLs, on routers,
switches and firewalls. Scrutinizer uses configurable algorithms to analyze flow data from the entire network
infrastructure, or from a pre-configured sub selection of devices and exporter tables, to automatically send syslog
messages when trouble arises. Using Scrutinizer IT staff can identify: RST/ACK worms, zero-day worms, SYN
Floods, DoS, DDoS attacks, NULL, FIN, XMAS scans, port scanning, P2P file sharing, Excessive ICMP
unreachable, Excessive Multicast traffic, Prohibited traffic being tunneled through allowed protocols (DPI on TCP
port 80), Known compromised internet hosts, illegal IP addresses, Policy violations and internal misuse, Poorly
configured or rogue devices, Unauthorized application deployments
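As an added illustration (not part of the original release notes and not Scrutinizer's own algorithm), the sketch below shows how NULL, FIN, XMAS and SYN scans can be recognized from the cumulative TCP flags that NetFlow and IPFIX flow records carry. The record field names, the constructed sample flows and the threshold of 10 distinct targets are assumptions made for the example.

```python
from collections import defaultdict

# TCP flag bits as exported in the NetFlow v5 tcp_flags / IPFIX tcpControlBits field
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP, UDP = 6, 17


def probe_type(flags):
    """Map a flow's cumulative (OR-ed) TCP flags to a scan type, or None."""
    flags &= 0x3F                      # ignore the ECN bits (ECE/CWR)
    if flags == 0:
        return "NULL"                  # no flags at all
    if flags == FIN:
        return "FIN"                   # bare FIN without an established session
    if flags == FIN | PSH | URG:
        return "XMAS"                  # the classic "Christmas tree" pattern
    if flags & SYN and not flags & (ACK | FIN):
        return "SYN"                   # initiator never completed the handshake
    return None                        # looks like ordinary traffic


def find_scanners(flows, min_targets=10):
    """Return sorted (source, scan type, distinct targets) above the threshold.

    A single unanswered SYN is normal; what marks a scan is one source
    producing the same probe pattern against many (host, port) targets.
    min_targets is an assumed tuning value, not a product default.
    """
    targets = defaultdict(set)
    for flow in flows:
        if flow["proto"] != TCP:       # a zero flags field on UDP is not a NULL scan
            continue
        kind = probe_type(flow["tcp_flags"])
        if kind:
            targets[(flow["src"], kind)].add((flow["dst"], flow["dport"]))
    return sorted(
        (src, kind, len(seen))
        for (src, kind), seen in targets.items()
        if len(seen) >= min_targets
    )


def sample_flows():
    """Constructed flow records (documentation address ranges, not real data)."""
    def rec(src, dst, dport, flags, proto=TCP):
        return dict(src=src, dst=dst, dport=dport, proto=proto, tcp_flags=flags)

    flows = []
    # Ordinary client: complete sessions carry SYN, ACK, PSH and FIN together.
    for port in (80, 443, 8080):
        flows.append(rec("10.0.0.5", "192.0.2.10", port, SYN | ACK | PSH | FIN))
    # Same client, two unanswered connection attempts: below the threshold.
    for dst in ("192.0.2.20", "192.0.2.21"):
        flows.append(rec("10.0.0.5", dst, 445, SYN))
    # Same client, 12 DNS lookups over UDP with an empty flags field.
    for host in range(100, 112):
        flows.append(rec("10.0.0.5", f"192.0.2.{host}", 53, 0, proto=UDP))
    # Half-open SYN scan of 12 ports; open ports were answered, then reset.
    for port in range(20, 32):
        flags = SYN | RST if port in (22, 25) else SYN
        flows.append(rec("10.0.0.66", "192.0.2.10", port, flags))
    # XMAS sweep of port 80 across 15 hosts.
    for host in range(1, 16):
        flows.append(rec("10.0.0.77", f"192.0.2.{host}", 80, FIN | PSH | URG))
    return flows


if __name__ == "__main__":
    for src, kind, count in find_scanners(sample_flows()):
        print(f"{src}: possible {kind} scan, {count} distinct targets")
```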
The Flow Analytics Module can utilize the local DNS to resolve IP addresses in real-time. This allows Scrutinizer to
group traffic into domains without having to define ranges of IP addresses which could otherwise quickly become a
nightmare to manage. With this feature, Scrutinizer can be configured to monitor traffic to or from specific domains
and alert an administrator when preconfigured thresholds are met or exceeded.
The history of repeat offenders can be easily identified through the use of a Unique Index (UI) to manage traffic
counts. In addition, the Flow Analytics Module helps locate machines involved with DDoS attacks or infected with
viruses/worms.
The Flow Expert Window provides insight to immediate network problems as they occur to identify and resolve DoS
attacks, bottlenecks, network scans, improperly terminated connections and more. Traditionally, the functionality
provided by this "Expert Window" feature has only been found in packet analyzers.
•Supported protocols & other technical specifications
o Support for L7 application awareness by using NBAR or IPFIX
o Automatic DNS resolution
Tired of looking at a list of meaningless IP addresses? Wouldn’t it be great if the flow-analyzer could perform
reverse DNS lookups on those addresses in real time? Want to know what specific Web 2.0 applications are being
accessed on the network? Scrutinizer with the Flow Analytics module can do all that. Administrators running
Flexible NetFlow with NBAR or IPFIX with extensions can easily identify applications such as YouTube, Facebook,
eBay and more instead of just seeing ’TCP port 80’ on the report.
Advanced Troubleshooting
• Begin capacity planning for growing networks
• Easily identify the volume of flows per host
• Easily identify the volume of traffic flowing between a pair of hosts
• Easily identify the volume of unique hosts per second traversing the network
• Peer into VoIP traffic when using IPFIX to see granular metrics such as codec & caller ID
IT administrators can use Scrutinizer to analyze Voice over IP (VoIP) traffic and determine: the amount of voice
traffic into and out of the network over time; what users are involved with the most VoIP traffic; the caller ID of
destination and source; QoS statistics such as Latency/Jitter and packet loss of each call; what audio codec is
being utilized; and whether the router is modifying DSCP values.
By using multiple servers to act as distributed flow data collectors, Scrutinizer can be deployed as a distributed
solution accessible through a single central web based interface allowing for easy scalability to support enterprise
level networks.
Dozens of distributed collectors can be deployed and, depending on the volume of flow data being received by each
collector, a single deployment of Scrutinizer can potentially support hundreds of firewalls, routers and switches.
Network topology maps come to life in Scrutinizer as links change in color and thickness with variations in network
utilization. Clicking on a link in a network topology map brings up useful traffic statistics such as top talkers and top
conversations within the last minute.
IT administrators can use Scrutinizer to plot network appliances such as firewalls, routers, and switches on a
Google map embedded in the Scrutinizer application. Using this geographic map as a starting point into all network
analysis provides traffic details collected and organized for easy visualization in Scrutinizer.
Service Provider Module
The Scrutinizer Service Provider Module adds several additional features which are especially useful for Managed
Service Providers (MSPs) and Internet Service Providers (ISPs). The following are some important features
included in the Service Provider Module:
•Ability to easily modify style sheets, i.e. to change the logos, colors and fonts, to match the Service Provider’s
marketing and branding efforts. To further facilitate this, several default style sheets have been included with
the product.
• Ability to configure permissions per router, switch, or interface for each Scrutinizer login account.
• Ability to customize a default landing page for end customers that require access to Scrutinizer.
• Ability to integrate with third party applications, URLs, and mashups.
• Customizable billing solutions based on actual network usage for invoicing purposes. Ability to export reports to
.CSV format for easy importing to a database or MS Excel.
Third Party Product Integration
The Scrutinizer dashboard function includes a URL mashup feature to provide third party application vendors and
professional services organizations a comprehensive yet easy method to access information within the Scrutinizer
database.
Mashups, which combine information from several different applications into a single easily
accessible dashboard, are a new class of short-term or disposable applications which can be created quickly and
easily. Utilizing simple web technology, Scrutinizer allows anyone to easily assemble a URL into such a mashup or
third party application to directly import and display important information regarding the activity of a specific host or
application on your network.
Scrutinizer integrates with several third party and open source applications.
Enablement of Traffic and Usage Based Billing
Some customers request to be billed for their Internet connection not based on a theoretical maximum throughput of
their connection but rather on actual usage. To accommodate this customer demand, service providers have to be
able to determine actual bandwidth usage in order to bill each customer accurately and fairly.
The Scrutinizer Service Provider Module allows service providers to export flow data based on any flow (NetFlow,
IPFIX, sFlow, etcetera) field or combination of flow fields including rate per second, packets, total bits, IP
addresses, ToS (DSCP), or BGP autonomous system number. This data can then be used to invoice end
customers based on actual network usage rather than simply WAN connection speed.
The Service Provider Module routinely exports a custom CSV file with all the required details. For example, it
allows billing based on a flat rate versus a burst rate as well as total amount transferred per month. With the data
export, invoicing possibilities are myriad. Invoices can include, but are not limited to:
• A fixed amount for any usage within the base rate (X MB)
• A higher charge for usage between the base rate and “burst” max (X + Y MB)
More traditional billing is also possible, for example, where the end customer pays based on the 95th percentile
technique.
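The two invoice styles described above (base rate plus burst surcharge, and 95th percentile) worked through on a per-interval usage export, as an added example that is not SonicWALL or Scrutinizer code. The CSV column names, the 5-minute interval, the sample rows, and the prices are all constructed assumptions; the layout of a real export depends on the saved report it is based on.

```python
import csv
import io

INTERVAL_SECONDS = 300  # assumption: one exported row per 5-minute interval


def build_sample_export():
    """Constructed sample: 19 quiet intervals, one burst, two corrupt rows."""
    lines = ["interval,customer,total_bits"]
    lines += [f"{i},acme,600000000" for i in range(19)]  # 2 Mbit/s each
    lines.append("19,acme,3000000000")                   # one 10 Mbit/s burst
    lines.append("20,acme,-5")                           # negative counter
    lines.append("21,acme,n/a")                          # non-numeric value
    return "\n".join(lines)


def load_usage(csv_text):
    """Return ({customer: [bits per interval]}, number of rejected rows)."""
    usage, rejected = {}, 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            customer = row["customer"]
            bits = int(row["total_bits"])
            if not customer or bits < 0:
                raise ValueError("unusable row")
        except (KeyError, TypeError, ValueError):
            rejected += 1  # never invoice from a row that failed validation
            continue
        usage.setdefault(customer, []).append(bits)
    return usage, rejected


def total_megabytes(bits_per_interval):
    """Total volume transferred, in MB (10**6 bytes)."""
    return sum(bits_per_interval) / 8 / 1e6


def percentile_95_mbps(bits_per_interval):
    """Nearest-rank 95th percentile of the per-interval rate, in Mbit/s."""
    if not bits_per_interval:
        raise ValueError("no samples to bill")
    rates = sorted(b / INTERVAL_SECONDS / 1e6 for b in bits_per_interval)
    rank = (95 * len(rates) + 99) // 100  # ceil(0.95 * n) in integer math
    return rates[rank - 1]


def tiered_charge(total_mb, base_mb, burst_mb, base_fee, burst_price_per_mb):
    """Flat fee up to base_mb (X), per-MB surcharge up to base_mb + burst_mb (X + Y)."""
    # Usage beyond X + Y is not priced on the page; this model bills up to the cap.
    burst_used = min(max(total_mb - base_mb, 0.0), burst_mb)
    return base_fee + burst_used * burst_price_per_mb


if __name__ == "__main__":
    usage, rejected = load_usage(build_sample_export())
    acme = usage["acme"]
    print("rejected rows:", rejected)
    print("95th percentile Mbit/s:", percentile_95_mbps(acme))
    print("tiered charge:",
          tiered_charge(total_megabytes(acme), 1500.0, 500.0, 100.0, 0.25))
```

The single 10 Mbit/s burst falls in the discarded top 5% of samples, so the 95th percentile bill is based on 2 Mbit/s, while the volume-based invoice still charges for every byte of it.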
Using the intuitive configuration interface, any saved report in Scrutinizer can become the basis for an export. To
ensure the highest accuracy, data is gathered from the raw flow data tables. The Service Provider Module also
includes the following capabilities:
• Any NetFlow field or range within a field is saved as part of the filter within a report.
• Both inbound and outbound flow analytics are available.
• The entire contents of any report type can be emailed or exported in CSV format.
• Archives of all exports can be saved for future reference.
• Exports occur on a periodic basis.
• Rolling the data into larger intervals is possible.
• Exports are emailed or saved in a directory with a custom name, which includes a time stamp.
• Scheduled routines:
o Prepare the data for further processing
o Can write the data to another server
Customer Portal
IT administrators can choose to provide end users with secure login access to the flow data generated by their
network devices. End users can also use the customer portal to troubleshoot bandwidth usage and identify /
analyze odd traffic patterns. Additionally, automatic HTML reports can be scheduled for each end customer.
Furthermore, service providers can use the portal as a message board to communicate with their customers as well
as integrate other applications into the MyView interface.
Cisco Advanced Reporting Module
The Scrutinizer Cisco Advanced Reporting Module is a value added performance monitoring and reporting solution
for Cisco Smart Logging and Telemetry, Cisco TrustSec (CTS), Cisco Performance Routing (PfR), and Cisco
Medianet. Scrutinizer delivers detailed reports on all traffic related to voice and video. IT staff can troubleshoot QoS
issues related to choppy video or delayed voice streams by using Scrutinizer to analyze the appropriate flow.
Scrutinizer can be configured to analyze and alert on excessive amounts of one or a combination of the following
parameters:
• Round Trip Time (Latency)
• Jitter
• Packet Loss
• Bits, Bytes and Packets
• MAC Addresses, IP Addresses
• VLANs
• Domains
• Applications
• Interface
Citrix Advanced Reporting Module
The SonicWALL Scrutinizer Citrix Advanced Reporting Module adds the granular drill-down capabilities for:
• URLs providing reporting insight into web servers and databases being accessed
• Applications providing reporting insight into applications being accelerated via NetScaler
• Latency providing reporting insight into the health and delay as seen by NetScaler
Note: Citrix NetScaler makes applications and cloud-based services run five times better by offloading application
and database servers, accelerating application and service performance, and integrating security.
Cross Check Module
The SonicWALL Scrutinizer Cross Check Module provides integration with third party monitoring and flow analytic
tools such as WhatsUp Gold, Orion, SNMPc, Uptime Devices and Nimsoft. This module’s capabilities include:
• Cross Check creates central inventory of all network devices managed by other analytic tools displaying several
attributes including device name, IP address, and status.
• Flowalyzer Poller continually assesses the status of devices identified by Cross Check and provides updates to
Scrutinizer via IPFIX messages.
• Cross Check references the status of devices as known by Scrutinizer with other third party management
products to monitor if flow data is arriving properly and whether devices are being polled correctly.
• Fault index measurements indicate device status across numerous management systems using configurable
severity levels. Syslog notifications can be sent out if predefined threshold levels are met.
• Clickable inventory allows users with direct links to integrated third party applications providing easy access to
devices that are managed via these other applications.
• Inventory groupings can be created allowing for easy monitoring of network segments regardless of whether the
appliances are managed by Scrutinizer or a third party application.
• Cross Check was created directly in response to large MSP and enterprise customer demands for third party
integration.
All these features require the Cross Check Module.
Flowalyzer NetFlow & sFlow Tester
Separate from Scrutinizer and its add-on modules, SonicWALL also offers a free tool called Flowalyzer NetFlow &
sFlow Tester.
Flowalyzer is a free NetFlow and sFlow Tool Kit for testing and configuring hardware or software to send and
receive NetFlow / sFlow data.
Flowalyzer can help IT professionals troubleshoot hardware from vendors like Cisco and Enterasys, as well as
NetFlow collector software, ensuring that whichever flow technology they use is configured properly on both ends.
Flowalyzer NetFlow & sFlow Listener
• Determine which flow sending devices are sending the highest volume.
• Listen for NetFlow on multiple ports.
• Display packet count, version of NetFlow and UDP port flows are coming in on.
• Display the IP address and DNS name.
Flowalyzer NetFlow Generator
• Generate NetFlow data to determine if the destination collector is accepting flows.
• Send NetFlow v5, NetFlow v9, and IPFIX.
• Determine if the destination collector is dropping NetFlow data by comparing the flows sent to what is received
on the other end.
Flowalyzer NetFlow & sFlow Configurator
• Configure Cisco Routers or Enterasys switches for exporting NetFlow data
• Uses SNMP to make OID sets
• Supports SNMP v1, v2c, and v3
Flowalyzer NetFlow & sFlow Communicator
• Run a ping or traceroute to any host.
• Ping via ICMP, UDP or TCP protocols.
• Communication responses are readable in a clear response display.
Flowalyzer SNMP Trender
• Generate trend graphs for any SNMP-enabled device.
• Custom OID support allows any SNMP variable to be trended in real-time.
• Custom update period allows graphs to update as often as every second.
• Supports SNMP v1, v2c and v3.
• Save multiple sets of Read/Write SNMP credentials.
• No limit to the number of simultaneous graphs.
Known Issues
This section contains a list of known issues in the Scrutinizer 9.0.1 release.

Symptom: MFSN report for some sFlow devices will occur even though no flows are being lost. This can happen if multiple subagents exist on a single sFlow exporter.
Condition / Workaround: Fix coming in a future release.

Symptom: Flow Analytics can cause the server to page memory to disk and slow down the user interface. Generally, occurs on underpowered machines.
Condition / Workaround: Disable the following algorithms:
• Nefarious activity
• Top Countries
• Internet Threats Monitor
• DDOS Violations

Symptom: When initially evaluating SonicWALL Scrutinizer the interface is slow and many interfaces don’t immediately appear.
Condition / Workaround: If installing Scrutinizer on a machine that is already receiving flows from > 50 devices, Scrutinizer will need an extra 5 minutes to crunch the data and display all that it is receiving.

Symptom: The interface of SonicWALL Scrutinizer is very sluggish and / or the collector may fail and need to be restarted.
Condition / Workaround: The performance of Scrutinizer is dependent on processing power of the machine it is installed on.
NOTES:
• VMware is often not a good platform
• SAN storage can be slow
• Turn Anti-virus off or exclude the Scrutinizer directory

Symptom: Multiple CPUs mislabeled in Vitals Summary
Condition / Workaround: Fix coming in a future release.

Symptom: Loading a single report in Scrutinizer consumes roughly 90MB-95MB of memory.
Condition / Workaround: Solution being considered. Possibly addressed in future release. Currently functioning as designed.

Symptom: Issues displaying SonicWALL Scrutinizer in Internet Explorer v6
Condition / Workaround: Internet Explorer v6 is no longer supported. Please use Internet Explorer v7 or newer. The latest version of any browser is highly recommended.

Symptom: Bad formatting in report type when no data is available.
Condition / Workaround: Fix coming in a future release.

Symptom: Pie Charts error with "Graphing Error: No data for selected period" when results are zero.
Condition / Workaround: Fix coming in a future release.
Resolved Issues
This section contains a list of resolved issues in the 9.0.1 release.

Symptom: Logalot creates empty and extra tables that are not used.
Condition: Occurs when using the Logalot feature.

Symptom: “scrut_util” does not verify proper permission.
Condition: Occurs when running “scrut_util” from the command line interface.

Symptom: Logalot Report Manager button does not work in the Admin tab.
Condition: Occurs when navigating to the Admin tab and clicking the Logalot Report Manager button.

Symptom: Users cannot run Exceeded Crosscheck Fault Index as a report.
Condition: Occurs when trying to run Exceeded Crosscheck Fault Index as a report.

Symptom: Removing a report policy does not properly remove scheduled reports.
Condition: Occurs when removing a report policy. The scheduled reports should be removed when the report policy is deleted.

Symptom: SNMPv3 credentials cannot be set as the default credentials.
Condition: Occurs when configuring administrator’s credentials.

Symptom: An error displays in the command line interface.
Condition: Occurs when running “scrut_util update_plixerini_mysqlroot” in the command line interface.

Symptom: Confusion with the naming convention of Custom Reports.
Condition: Occurs when viewing or configuring Custom Reports. To avoid confusion, Custom Reports are now called Flow Reports.

Symptom: Threats Overview and FA, list alarms user shouldn't access.
Condition: Occurs when viewing the Alarms list in Threats Overview and FA.

Symptom: There are some usability issues with the top interface gadget.
Condition: Occurs when searching for addresses in the top interface gadget.

Symptom: The Reset Hits button does not reset all counts.
Condition: Occurs when navigating to the Policy Manager page and clicking the Reset Hits button.

Symptom: Column and sorting issues in the Bulletin Board.
Condition: Occurs when navigating to the Bulletin Board.

Symptom: Some upgrades would cause the installer to become unresponsive before a file copies.
Condition: Occurs when installing an upgrade for the Scrutinizer feature.

Symptom: Some issues excluding Violators in the Alarms > Advanced Filtering page.
Condition: Occurs when navigating to the Alarms tab, clicking the Advanced Filters button, and then excluding Violators.

Symptom: Some minor grammar and formatting issues are displayed in the Scrutinizer management interface.
Condition: Occurs when viewing the Scrutinizer management interface.

Symptom: Some users may have removed Listening Port 4739.
Condition: Occurs when removing Listening Port 4739. The FlowAlyzer needs this port to function properly.

Symptom: Users sometimes get 0 results after Flow View is deployed.
Condition: Occurs when launching Flow View for some alarms.

Symptom: The date selector may vanish.
Condition: Occurs after running a multiple Logalot graph report

Symptom: Logalot debug settings do not properly hide after the Debug menu is disabled.
Condition: Occurs when disabling the Debug menu.

Symptom: Users can use decimal places when ordering policies.
Condition: Occurs when ordering policies.

Symptom: The installer displays an error message informing the user that it cannot overwrite “scrut_util.exe.”
Condition: Occurs when using the Scrutinizer installer.

Symptom: The Scrutinizer system may restart prematurely during an upgrade.
Condition: Occurs when performing a Scrutinizer update. In 9.0.1, services will be disabled during upgrades to prevent a premature restart.

Symptom: The link to online help is broken in the Dashboard tab.
Condition: Occurs when clicking the Online Help in the Dashboard tab.

Symptom: The link to the Alarms tab is not accessible from the top network transport gadget.
Condition: Occurs when clicking the Alarms tab in the top network transport gadget.

Symptom: The Enter key does not perform a search, only the Search button works.
Condition: Occurs when navigating to the Alarms > Policy Manager page, entering search criteria in the Search text-field, and then pressing the Enter key.

Symptom: An error displays in the command line interface.
Condition: Occurs when running “scrut_util update_httpd_port” in the command line interface.

Symptom: The “statusAverage” server preference is no longer relevant.
Condition: The “statusAverage” server preference is removed in 9.0.1.

Symptom: Some buttons do not have mouse over descriptions.
Condition: Occurs when navigating through the Scrutinizer management interface and moving the mouse over buttons to view a description.

Symptom: Alarm reports for the Flowalyzer device display no results.
Condition: Occurs when configuring an alarm report on the Flowalyzer device.

Symptom: Source and Destination Country Filter does not work.
Condition: Occurs when there are no destination countries.

Symptom: Crosscheck and Service Level Reports are displayed incorrectly.
Condition: Occurs when SPM users are viewing the Crosscheck and Service Level reports.

Symptom: Email notifications are not sent out.
Condition: Occurs when Email notifications are sent out for Rate Based triggers.

Symptom: Launching dashboards can be slow.
Condition: Occurs when launching certain dashboards.

Symptom: Device syslogs are being sent down from Flowalyzer.
Condition: Occurs when Flowalyzer sends down device syslogs.

Symptom: No search results are listed for “Limited SPM Users.”
Condition: Occurs when using the Top Interface Gadget to search for “Limited SPM Users.”

Symptom: A Packets column is incorrectly displayed in Outbound.
Condition: Occurs when viewing the Top Interfaces report.

Symptom: Jitter reports are incorrectly showing available for some Medianet exporters.
Condition: Occurs when viewing the Jitter reports.

Symptom: An incorrect status is showing up in Tree menu.
Condition: Occurs when viewing the Tree menu.

Symptom: The Watcher is becoming unresponsive at 1 AM.
Condition: Occurs when using SNMP in conjunction with the Watcher.

Symptom: Flow Direction is exported with only ingress flows.
Condition: Occurs when exporting the Flow Directions feature.

Symptom: Violation reports are inaccurate.
Condition: Occurs when the FIN algorithm does not report violations with the correct accuracy.

Symptom: FA Top Hosts Gadget is not rendered properly with less than 10 hosts.
Condition: Occurs when using the FA Top Hosts Gadget with less than 10 hosts.

Symptom: An inadequate message appears in server preferences, related to listening ports issues.
Condition: Occurs when viewing the server preferences.

Symptom: The Alarm tab experiences delays.
Condition: Occurs when interrupting the column sorting process.

Symptom: Device Details report egress for “sFlow” interfaces.
Condition: Occurs when navigating to Device Details and viewing the Egress for “sFlow” interfaces.

Symptom: The Status tab constantly refreshes.
Condition: Occurs when navigating to the Status tab.

Symptom: Some of the Country definitions are missing.
Condition: Occurs when viewing the Policy Manager > Definitions page.

Symptom: The Top Conversations gadget does not resolve addresses via DNS.
Condition: Occurs when viewing the Top Conversations gadget.

Symptom: Outbound interface reports do not show outbound results on the last 5 min reports.
Condition: Occurs when reports are run for the outbound interfaces.

Symptom: The Crosscheck summary does not verify the subnet mask properly for custom networks
Condition: Occurs when viewing the Crosscheck summary.

Symptom: Some vitals may have gaps.
Condition: Occurs when running the Vital function.

Symptom: SonicWALL Spyware report filters do not work properly.
Condition: Occurs when running a SonicWALL Spyware report.

Symptom: The Top Countries gadget links do not work properly.
Condition: Occurs when using the Top Countries gadget.

Symptom: The Security > User Groups manageable gadgets are not in alphabetical order.
Condition: Occurs when viewing the Security > User Groups page.

Symptom: The NULL Scan Violations in Flow View may cause an error.
Condition: Occurs when using Null Scan Violations.

Symptom: The user may see a timeout message related to server preferences.
Condition: Occurs when saving from server preferences.

Symptom: Service Provider users might have unwanted access to Service Level reports.
Condition: Occurs when accessing the Service Level reports.

Symptom: Some FA Configuration graphs are missing historical trends.
Condition: Occurs when viewing the FA Configuration graphs.
How to Upgrade to the Licensed Version
Click the Scrutinizer link on the www.mysonicwall.com homepage to automatically register a Scrutinizer product with
its own serial number. The user is then directed to the Services Management page for the newly registered
Scrutinizer product. Upon registration, SonicWALL Scrutinizer will be available from the Downloads section in
mySonicWALL.
The free trial version of Scrutinizer can be installed immediately and does not require a license key; just double click
the executable and follow the installation process.
The new Scrutinizer product will be listed in the My Products section on mySonicWALL. Click on the Scrutinizer
product to bring up the Services Management page for that particular product.
Additional software modules and support licenses can be activated on the Services Management page either by
clicking on the Buy Now button or by entering the appropriate keys purchased from a SonicWALL reseller or
distributor.
Upon activation of any additional licenses, an email with instructions on how to download a license file will be sent
to the email address associated with the mySonicWALL account. The license file will be available in the My
Downloads section of the Download Center of MySonicWALL.
Once a license file is obtained, bring up the SonicWALL Scrutinizer web interface, i.e. the Scrutinizer application
itself, and click on the Admin tab. In the left navigation bar, click Settings > Licensing. Paste the license key into
the appropriate box. Click the Save button.
FAQ
What is NetFlow?
Cisco® NetFlow technology is an embedded feature within Cisco IOS routers and high end switches (e.g. 6500
series). NetFlow data records consist of information about source and destination addresses, along with the
protocols and ports used in the end-to-end conversation. Scrutinizer uses this information to generate graphs
and reports on traffic patterns and bandwidth utilization. More information can be found here.
What is sFlow?
Unlike NetFlow which aggregates multiple conversation streams into a single packet, sFlow is a packet sample
of traffic. Although it offers 100% of the packet, when used strictly for IP accounting, it is unreliable.
What are the different versions of NetFlow available?
Version 1 is the original format supported in the initial NetFlow releases, while version 5 is the standard and
most common NetFlow version deployed. Version 5 is an enhancement that adds Border Gateway Protocol
(BGP) autonomous system information and flow sequence numbers. Version 6 is similar to version 7. This
version is not used in the new IOS releases. Version 7 is an enhancement that exclusively supports NetFlow
with Cisco Catalyst 5000, 6500 and 7600 series switches. Version 8 is an enhancement that adds router-based
aggregation schemes. It was introduced to reduce resource usage, and includes a choice of eleven aggregation
schemes. Version 9 is an enhancement to support different technologies such as Multicast, Internet Protocol
Security (IPSec), and Multi Protocol Label Switching (MPLS). Versions 2, 3 and 4 either were not released.
Scrutinizer currently supports:
• NetFlow versions 1, 5, 6, 7 and 9
• sFlow version 2, 4 and 5
• Flexible NetFlow, IPFIX, JFlow and NetStream.
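The flow sequence numbers that version 5 adds are what make a sent-versus-received comparison possible on the collector side. The following added example (not SonicWALL, Flowalyzer, or Scrutinizer code) parses NetFlow v5 export datagrams, rejects malformed ones before touching their contents, and counts flows lost between datagrams from sequence gaps. The function names are illustrative, the sample datagrams are constructed, and the datagrams are assumed to come from one exporter in arrival order.

```python
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte packet header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record
MAX_V5_RECORDS = 30                                    # v5 limit per datagram


def parse_v5(datagram):
    """Validate one NetFlow v5 datagram; return (flow_sequence, [flow dicts])."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("shorter than a NetFlow v5 header")
    version, count, _, _, _, flow_sequence, _, _, _ = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field is {version})")
    if not 1 <= count <= MAX_V5_RECORDS:
        raise ValueError(f"implausible record count {count}")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("length does not match the record count in the header")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "packets": f[5], "octets": f[6],
            "src_port": f[9], "dst_port": f[10], "protocol": f[13],
            "src_as": f[15], "dst_as": f[16],   # BGP AS numbers added in v5
        })
    return flow_sequence, flows


def count_missing_flows(datagrams):
    """Return (flows_received, flows_missing) using the v5 flow sequence counter."""
    expected = None
    received = missing = 0
    for datagram in datagrams:
        seq, flows = parse_v5(datagram)
        if expected is not None and seq != expected:
            missing += (seq - expected) % 2**32   # the counter is 32 bits wide
        expected = (seq + len(flows)) % 2**32     # sequence of the next flow
        received += len(flows)
    return received, missing


def build_v5(flow_sequence, flows):
    """Build a constructed v5 datagram from (src, dst, sport, dport, proto, pkts, octets)."""
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, flow_sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                       1, 2, pkts, octets, 0, 0, sport, dport,
                       0, 0, proto, 0, 0, 0, 0, 0, 0)
        for src, dst, sport, dport, proto, pkts, octets in flows)
    return header + body


def sample_datagrams():
    """Constructed capture: the datagram carrying flows 103-105 never arrived."""
    web = ("192.0.2.10", "198.51.100.7", 51514, 443, 6, 12, 9000)
    dns = ("192.0.2.11", "198.51.100.53", 40000, 53, 17, 1, 80)
    return [build_v5(100, [web, dns]), build_v5(102, [dns]), build_v5(106, [web, web])]


if __name__ == "__main__":
    print(count_missing_flows(sample_datagrams()))
```

NetFlow v5 arrives over UDP with no authentication, so the length and count checks run before any record is unpacked; a gap count that keeps growing points at loss between exporter and collector.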
How is NetFlow different from traffic analyzers like MRTG?
MRTG and other such equivalent tools provide information that is largely limited to SNMP statistics. NetFlow is
more geared toward application-level details such as hosts, protocols, and conversations, which are an inherent
part of IP traffic.
Is Cisco the only vendor supporting NetFlow?
NetFlow technology was invented by Cisco, and Cisco IOS devices offer NetFlow compatibility. There may be
other vendors offering NetFlow support on their devices. Scrutinizer has been tested on over a dozen different
vendors.
Is a trial version of Scrutinizer available for evaluation?
Yes. A free version of Scrutinizer can be downloaded and you can get an evaluation license to try the full
version.
What are the differences between the free and commercial version?
The commercial version of Scrutinizer NetFlow & sFlow Analyzer includes the Flow Analytics add-on module,
which adds historical data retention and network behavior analysis.
What are the system requirements?
Scrutinizer's system requirements are detailed here: System Requirements
How do I find out if my Cisco equipment supports NetFlow?
Review the NetFlow Services Solutions Guide to find out if you have a NetFlow compatible Cisco router or
switch.
What if I need features that Scrutinizer does not support?
We understand that our software needs to be flexible. If you want a feature added, we may be able to work with
you.
Does it support other Languages?
Scrutinizer currently supports the following languages: Chinese (Simplified and Traditional), English, French,
German, Japanese, Korean, Portuguese, Russian, and Spanish.
How will enabling NetFlow affect the performance of the router/switch?
For detailed information on exactly how enabling NetFlow will affect the performance of your Cisco router or
switch, review the NetFlow Performance Analysis whitepaper [PDF]:
How long do I have to wait before the graphs are populated?
Less than 5 minutes. Make sure you have the NetFlow configured correctly on the router or switch.
Why are some interfaces labeled as IfIndex2, IfIndex3 or just 1, 2, 3, etc.?
This happens if the interfaces did not respond to the SNMP requests sent by Scrutinizer. Bring up the SNMP
view that lists all the interfaces and click the Update button. Please review SNMP Device View in the Scrutinizer
manual.
Also, this will occur if flow option templates to identify the interfaces have not been received.
How do I enter IP to name resolutions so that Scrutinizer doesn't have to use the DNS to resolve IPs?
Edit this file: C:\WINDOWS\system32\drivers\etc\hosts and enter the IP to name translations.
Overall utilization on the interface appears to be understated. Why would this be?
1. Make sure NetFlow is enabled on all physical interfaces of the device. Do not be concerned with the virtual
interfaces, as they will auto-appear once NetFlow is enabled on the physical interface.
2. If the hardware can't keep up with sending the NetFlow packets, it will drop NetFlows before they even
leave the device. To check to see if this is the problem, login to the Cisco device.
Command to type: Router_name>sh ip flow export
At the bottom of the export, look for something like "294503 export packets were dropped due to IPC rate
limiting". If this counter is incrementing, the hardware cannot keep up with the export demands.
3. The command below breaks up long-lived flows into 1-minute segments. You can choose any number of
minutes between 1 and 60; if you leave the default of 30 minutes you will get spikes in your utilization
reports. Command to type: ip flow-cache timeout active 1
4. The command below ensures that flows that have finished are exported in a timely manner. The default is
15 seconds; you can choose any value between 10 and 600. Note however that if you choose a value that
is longer than 250 seconds Scrutinizer may report traffic levels that appear low.
Command to type: ip flow-cache timeout inactive 15
NetFlow only exports IP traffic (i.e. no IPX, etc.) and no layer 2 broadcasts are exported by this version of
NetFlow.
How do I setup my router to forward NetFlows to two destinations?
Type the "ip flow-export destination" command twice:
• router-name# ip flow-export destination 10.1.1.8 2055
• router-name# ip flow-export destination 10.1.1.9 2055
Why are my graphs reporting over 100% utilization?
1. The interface speed is not correct. Scrutinizer uses the speed specified in the SNMP OID. Login to the
router or switch and fix the problem or in Scrutinizer go to Device Details and manually type in the correct
speed.
2. The active timeout has not been set to 1 minute on the router. Login to the router or switch and fix the
problem.
3. Non-dedicated burstable bandwidth, where the ISP allows you to use over the allocated bandwidth.
4. Both ingress and egress NetFlow collection have been enabled on the interface. This can work properly if
the direction bit is set in the egress flows. Scrutinizer works ideally when only ingress NetFlow collection is
configured on all interfaces. Only egress on all interfaces is also possible.
5. Do you have any encrypted tunnels on the interface?
• 47 - GRE, General Routing Encapsulation.
• 50 - ESP, Encapsulating Security Payload.
• 94 - IP-within-IP Encapsulation Protocol.
• 97 - EtherIP.
• 98 - Encapsulation Header.
• 99 - Any private encryption scheme.
This can cause traffic to be counted twice on an interface. In Scrutinizer, go to Admin Tab > Definitions >
Manage Exporters. Click on the round icon with the '-'. When you mouse over the icon, the ALT will display
"View the current protocol exclusions of this device." Click on this and make sure the above protocols are
being excluded.
6. Full Flow Cache: All flows are stored in the flow cache on the router before export. Once the cache is full, it
stops adding entries into the cache until it expires them. When events such as a DDOS or a "social event"
occur, the router's cache becomes full. The cache can be increased; however, it will use more memory and
could have a negative impact on the router. A loss of flows will cause Scrutinizer to understate utilization.
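Why the active timeout matters, both for the spikes mentioned under the understated-utilization question and for item 2 of the list above, as an added example that is not Scrutinizer code. It models a collector that books each exported record's bytes into the minute in which the record was exported, which is a simplifying assumption; the two flows and the 10 Mbit/s link are constructed.

```python
LINK_BPS = 10_000_000  # constructed 10 Mbit/s interface speed

# Constructed flows: (start_minute, end_minute_exclusive, rate in bits per second)
SAMPLE_FLOWS = [
    (0, 60, 5_000_000),   # hour-long backup at a steady 5 Mbit/s
    (10, 15, 2_000_000),  # five-minute transfer at 2 Mbit/s
]


def charted_utilization(flows, active_timeout_min, link_bps, minutes):
    """Percent utilization per 1-minute bucket as the modelled collector charts it.

    Every flow must end at or before `minutes`. The exporter emits a record for
    a flow each time the flow has been active for `active_timeout_min` minutes,
    and once more when the flow ends; each record carries the bits counted
    since the previous record for that flow.
    """
    bits = [0] * minutes
    for start, end, rate_bps in flows:
        pending = 0
        for minute in range(start, end):
            pending += rate_bps * 60
            age = minute - start + 1
            if age % active_timeout_min == 0 or minute == end - 1:
                bits[minute] += pending  # record exported during this minute
                pending = 0
    return [100 * b / (link_bps * 60) for b in bits]


def peak_utilization(flows, active_timeout_min, link_bps=LINK_BPS, minutes=60):
    """Highest one-minute utilization figure for the given active timeout."""
    return max(charted_utilization(flows, active_timeout_min, link_bps, minutes))


if __name__ == "__main__":
    for timeout in (30, 1):
        print(f"active timeout {timeout:2d} min: peak "
              f"{peak_utilization(SAMPLE_FLOWS, timeout):.0f}% of link speed")
```

With the 30-minute default the hour-long flow is reported in two records of 30 minutes' traffic each, so two one-minute buckets read 1500% and the rest read zero; with a 1-minute active timeout the same traffic charts as a steady 50% to 70%.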
How do I find out if any updates are available for Scrutinizer?
In your local Scrutinizer install, click the Status tab. If updates are available, you will see a spinning blue icon in
the upper right hand corner. If you have a proxy server, this spinning icon will always appear. Click on it to find
out the latest version.
Users can also use the -v parameter for any \scrutinizer\cgi-bin\*.cgi or \scrutinizer\bin\*.exe file to get the
current version and build for that executable.
Example: scrut_util -v
Compare this to the Scrutinizer Update History.
I have forgotten my Scrutinizer password. How do I find out what it is?
In your local Scrutinizer install, type the following commands in a command prompt, from the [homedir]\bin\
directory:
scrut_util.exe -reset_admin_password [USERNAME]
The USERNAME is the name of the Scrutinizer user account to modify. When the command is executed, it will
prompt for the new password, and then to re-enter it.
Note: These commands must be run from the Scrutinizer server.
How do I setup SSL with Scrutinizer?
An installer with SSL support is available for eligible parties. Please contact us for the SSL installer.
How do I use a different drive for storing data?
Note: The following procedures will not work for remote drives based on Windows shares.
1. Stop the plixer_mysql service.
2. Copy the [homedir]\Scrutinizer\mysql\data directory to the new drive.
3. Edit the [homedir]\Scrutinizer\mysql\my.ini file, changing the drive letter for the
For more information on using a different drive for stored data or storing data to a remote database with
Scrutinizer version 7 or higher, review this guide.
Why do not all of the colors print correctly when I try to print an emailed report?
This can be caused by an option found in some browsers and email clients.
In Internet Explorer:
1. Open the "Tools" menu.
2. Click "Internet Options."
3. Click the "Advanced" tab.
4. Scroll down to the "Printing" section.
5. Check "Print background colors and images."
6. Click "OK."
This change will carry over to Outlook and Outlook Express.
Can Scrutinizer run in VMWare?
Yes, but as with any virtualized environment, you may experience sharp declines in performance when your
server's resources are divided between many sessions.
How do I exclude Scrutinizer in Symantec AntiVirus?
1. From within Symantec, expand the "Configure" option from the tree menu and select "File System."
2. Click the "Exclusions" button.
3. Click the "Files/Folders" button.
4. Find the Scrutinizer directory and check the box next to it.
5. Click "OK" to finish.
How do I setup integration between Scrutinizer and WhatsUp Gold?
Visit the WhatsUp Gold Integration page for instructions on setting up WhatsUp Gold v12/v14 and Scrutinizer to
work together.
Why are my IPs not resolving, even though I have configured my DNS properly in Windows?
In certain situations, Scrutinizer may not be able to properly resolve IP addresses. This usually happens when
there are multiple DNS servers with disparate records. To deal with this, Scrutinizer allows you to specify your
DNS servers in a file rather than get the settings from the Windows Registry. The steps are outlined below:
1. Create a file in the \scrutinizer\html directory called dns.conf.
2. Open this file with a text editor like Notepad.
3. Create a list of DNS servers in the file in the format below.
• nameserver 192.168.1.1
• nameserver 166.186.184.2
• nameserver 224.39.1.171
Now that you have created this file, you should be able to go into the Scrutinizer web interface and do
lookups properly.
I'd like to change the MySQL "scrutinizer" user password from the default to something more secure. Is
there anything else I need to do other than set the password in MySQL?
Update MySQL Root password via CLI using scrut_util.exe located in the [HOMEDIR]\Scrutinizer\bin\
directory. There is a two-step process, resetting the password then updating the plixer.ini file.
Options:
-reset_mysql_password
Changes the MySQL root account password.
-update_plixerini_mysqlroot
Use this command to update the plixer.ini database root user password. Scrutinizer and the database root
password must be in sync.
Note: On Windows 2008 and Windows 7, you must run this command from the Administrator Dos Prompt.
Changing Password for MySQL Root Password. Press <ENTER> to abort.
New Password:
Verify Password:
Attempting to login with new password ... PASS!
Password Updated for MySQL Root ... DONE!
Where can I find the Scrutinizer manual?
A copy of the Scrutinizer manual is included with your product. Just click any of the “?” icons.
How do I know how much hard drive space I will need?
Use the NetFlow Bandwidth and Hard Drive Consumption Calculator to determine how much hard drive space
your NetFlow data will consume.
Related Technical Documentation
SonicWALL Scrutinizer reference documentation is available at the SonicWALL Technical Documentation Online
Library: http://www.sonicwall.com/us/support/6632.html
More information on NetFlow Services is available on the SonicWALL Web site.
____________________
Last updated: 4/25/2012