System Requirements
Enhancements in SonicWALL Scrutinizer 9.0.1
Key Features in SonicWALL Scrutinizer 9.0
Scrutinizer Product Overview
Known Issues
How to Upgrade to the Licensed Version
Related Technical Documentation
System Requirements
Scrutinizer 9.0.1 is supported on systems with the following:
Minimum System Requirements (for trial installations)
• 4GB RAM
• 50 GB IDE or SATA Hard Disk
• Dual Core 2GHz+ Processor
• Windows Vista / 2008 / 7 Operating System
Recommended System Requirements (for production environments)
• 8GB RAM
• 1+ TB 15k SCSI in a RAID 0 or 10 configuration Hard Disk
• Quad Core 2GHz+ Processor
• Windows 2008 Server
Enhancements in SonicWALL Scrutinizer 9.0.1
Scrutinizer version 9.0.1 introduces the following new enhancements:
• Denika Threshold Policy
• NBAR Application Latency Reports
• Open Source Method Back Up
• Custom Template ID Added in the Available Reports List
• Chinese Localization
• Business Hours Reports
• Device IP Callouts
• Command Line Reset
P/N 232-000861-00 Rev A
SonicWALL Scrutinizer 9.0.1 Release Notes
Key Features in SonicWALL Scrutinizer 9.0
The following enhancements are new in the SonicWALL Scrutinizer 9.0 release:
• Enhanced Notifications and Facilitation of Automatic Remediation: In version 8.6 and earlier versions,
Scrutinizer only sent syslogs. Version 9 adds the ability to send notifications and escalate issues. If the first
person notified doesn’t clear the alarm within a given time period, a second person, third person, and so on can
be notified via email, pager, and other options listed below.
Notifications can be sent when alarms are triggered based upon specific SonicWALL firewall security related
events.
New notification options include:
1. Email notifications about network activity can be sent to administrators using mobile and other devices.
2. SNMP Traps can be triggered allowing for greater integration with existing notification options.
3. Syslog Messages allow for greater remediation when integrated with third party SIEM products such as
ArcSight.
4. Script execution allows for automatic remediation eliminating the need for manual intervention.
Scrutinizer now facilitates automatic remediation based on specific events: Previous versions of Scrutinizer, as
do most other third party flow analytic applications, only provide messages to the user when alarms are
triggered. By adding SNMP Traps & Script Execution, Scrutinizer now has the potential to remediate events.
For example, SonicWALL IPS sees an attack occurring on the LAN, an alarm in Scrutinizer is triggered which in
turn sends an SNMP Trap to the Cisco switch to shut down the interface being used in the attack.
• Advanced SonicWALL VPN Reporting with granular drilldown capabilities including:
Reports are available for both site-to-site VPN connections and remote user IPSec VPN connections, i.e. Global
VPN Client connections
User Details include user name, authentication method, and domain for detailed reporting on specific users.
Reporting data can be cross referenced with the friendly VPN name, the remote system’s IP address and the
local system’s IP address.
New SonicWALL Scrutinizer VPN Report Type
•Enhanced SonicWALL VoIP Reporting including:
o SonicWALL VoIP conversations reports have been optimized.
o SonicWALL VoIP call filtering now allows for partial text matching.
Enhanced SonicWALL VoIP Conversation Report
SonicWALL VoIP Call Filter Now Supports Partial Text Matches
• Enhanced Cisco Reporting in support of recently introduced Cisco technologies:
Smart Logging and Telemetry (SLT) is a single mechanism of logging and telemetry of traffic that is associated
to a specific event on a switch (for example, an event triggered by an ACL-permitted or ACL-denied packet).
SLT is a threat detection technology and is intended to be used as follows. An admin will configure one or more
Access Control Lists (ACL) on the switch. If an end system violates an ACL, some of the packets will be
captured and sent off in a NetFlow datagram with the name of the ACL that was violated. Scrutinizer version 9
can collect and report on these NetFlow messages.
Cisco TrustSec (CTS) is an umbrella term for security improvements to Cisco network devices based on the
capability to strongly identify users, hosts and network devices within a network. Each CTS Group is a secure
network establishing a domain of trusted network devices. Every device in the Security Group Access (SGA)
domain is authenticated by its peer device. Communication on the links between devices in the SGA domain is
secured with a combination of encryption, message integrity checks, and data-path replay protection
mechanisms. NetFlow reporting allows administrators to monitor the traffic from, and between, the different
CTS groups.
Performance Routing (PfR) complements traditional routing technologies by using the intelligence of a Cisco
IOS infrastructure to improve application performance and availability. PfR enhances routing in order to select
the best path based on user defined policy. The PfR policy can minimize cost efficiently by distributing traffic
load and/or selecting the optimum performing path for applications. PfR NetFlow reports provide details on
active and passive traffic. Active traffic is where the router makes routine connections and exports the
performance results, e.g. out of policy, in NetFlow. Passive traffic can also be monitored and measured for
performance and metrics are exported in NetFlow.
MediaNet Performance Monitoring reports on top interfaces with the most jitter/latency.
All these features require the Cisco Advanced Reporting Module.
New Host Destination Report
• Advanced Citrix Reporting with granular drill down capabilities including:
o URLs providing reporting insight into web servers and databases being accessed
o Applications providing reporting insight into applications being accelerated via NetScaler
o Latency providing reporting insight into the health and delay as seen by NetScaler
Note: Citrix NetScaler makes applications and cloud-based services run five times better by offloading
application and database servers, accelerating application and service performance, and integrating security.
All these features require the new Citrix Advanced Reporting Module.
• Device Overview Dashboards provide details on the host status and outstanding alarms
o Gadgets can be imported including the real-time view of application usage screen in SonicOS
o Service Level Report lists availability and latency trends on all devices polled
• Scrutinizer Cross Check provides integration with third party monitoring and flow analytic tools such as
WhatsUp Gold, Orion, SNMPc, Uptime Devices and Nimsoft. This new module’s capabilities include:
o Cross Check creates central inventory of all network devices managed by other analytic tools displaying
several attributes including device name, IP address, and status.
o Flowalyzer Poller continually assesses the status of devices identified by Cross Check and provides
updates to Scrutinizer via IPFIX messages.
o Cross Check references the status of devices as known by Scrutinizer with other third party management
products to monitor if flow data is arriving properly and whether devices are being polled correctly
o Fault index measurements indicate device status across numerous management systems using
configurable severity levels. Syslog notifications can be sent out if predefined threshold levels are met.
o Clickable inventory gives users direct links to integrated third party applications, providing easy access
to devices that are managed via these other applications.
o Inventory groupings can be created allowing for easy monitoring of network segments regardless of
whether the appliances are managed by Scrutinizer or a third party application.
o Cross Check was created directly in response to large MSP and enterprise customer demands for third
party integration.
All these features require the Cross Check Module.
• Improved SonicWALL report searching capabilities--It is now possible to search on portions of a URL rather
than the exact URL
Scrutinizer Product Overview
SonicWALL Scrutinizer is a network traffic monitoring, analysis and reporting tool. Scrutinizer is a mature and
feature rich flow analytic platform.
Scrutinizer is used to monitor the overall health of the network, troubleshoot irregular network traffic patterns and
optimize network performance. The Scrutinizer application is run on a Windows server and accessible through a
web-based Graphical User Interface (GUI). IT administrators use SonicWALL Scrutinizer to collect, monitor, and
analyze data on user and application usage across the network. Scrutinizer provides administrators with great
insight into how the network is being used through the use of highly customized granular reporting. Administrators
can be alerted based upon a set threshold or on a pre-determined schedule.
Scrutinizer supports a wide variety of flow protocols allowing compatibility with virtually every collector available in
the market today. In addition to SonicWALL’s pioneering IPFIX implementation in SonicOS 5.8+, Scrutinizer also
supports Cisco’s Flexible NetFlow. Customers utilizing Scrutinizer receive even greater value for their investment as
the software can be utilized to monitor an ever increasing number of switches and routers, due to support for
numerous additional industry standards such as NetFlow v5, NetFlow v9, sFlow and J-Flow. Additional supported
hardware vendors include Enterasys, Foundry, Juniper, Riverbed, VMware, Citrix, ADTRAN, Nortel and many
others.
Supporting a broad range of network devices, flow protocols, and application types, Scrutinizer is flexible enough to
be utilized on virtually any network. Administrators are able to leverage reports to reach a level of visibility
previously not possible. The network mapping feature allows administrators visibility into almost every link on the
network greatly enhancing troubleshooting efforts. Scrutinizer’s powerful analytics engine provides users with
in-depth traffic analysis which was previously only available through packet-based instrumentation. Advanced
analysis algorithms and premier industry usage of IPFIX and NBAR based technologies are at the core of
Scrutinizer’s impressive set of application level reporting and alerting capabilities.
Scrutinizer is a free tool for download by any IT professional. Three of the main limitations of the free product are
that it:
• only stores a maximum of 24 hours of data
• does not include most SonicWALL specific reports
• can only support up to five devices
For the first 30 days after installation, the free Scrutinizer product includes the Flow Analytics Module. To make use
of the features available in the Flow Analytics Module beyond the first 30 days, you have to purchase and activate a
Flow Analytics Module license.
There are five optional add-on modules for Scrutinizer which are sold separately: the Flow Analytics Module, the
Service Provider Module, the Cisco Advanced Reporting Module, the Citrix Advanced Reporting Module, and the
Cross Check Module.
Scrutinizer Base Product
The base Scrutinizer product includes many great features such as:
Administration
• Customizable Dashboards
• Group Based User Permissions
• Unique Dashboards per login
With Scrutinizer’s suite of built-in administrative tools, customizing specific user logins and dashboards is a breeze.
Administrators can create specific permissions based upon a particular user identity or create group based user
permissions for entire departments. The Dashboard can be customized on a per-user basis to provide the
information that is most relevant to each user upfront.
Alerting
• Support for on-demand email reporting
• Ability to batch schedule and email reports to administrators
Scrutinizer was built with ease of use in mind. With Scrutinizer’s alerting features administrators have ‘set it and
forget it’ flexibility when it comes to reporting. Reports can be run based upon a specific schedule or triggered when
event thresholds are exceeded. Once configured, reports can be automatically batched and emailed to
administrators in several formats.
Flexible Reporting
• In the Free version, data can be archived for up to 24 hours. Data can be saved longer if a commercial version
is purchased.
• Extensive Flexible NetFlow template support
• Granularly defined reports down to the second which can include / exclude data filters
• Create and save templates to easily reuse for future reporting
• Create application group reports based upon specific ports or subnets
• Display data by number of bits, bytes, packets or as a percentage of total traffic
• Per interface, host, protocol, application, or conversation reporting
• Trend data in, out, or bi-directionally
Granular, flexible reporting is the heart of the Scrutinizer product. Administrators have endless possibilities for
generating reports based upon general or very specific criteria. Want to know which users are consuming the most
bandwidth? Would you like that done per bit, byte or packet? What about which protocols are being most heavily
utilized on a particular subnet?
Security
• Easily configure DNS caching time limits
• See all traffic ‘Host to Host’ or ‘Subnet to Subnet’
• Easily filter and dis play traffic based upon TCP flags
• Quickly identify MITM servers on the network (DNS, DHCP, SMB, etc)
With all of these great features it’s no wonder Scrutinizer is invaluable when it comes to security. Administrators can
toggle between various reports to easily identify traffic flowing from host to host or subnet to subnet. Tracking flow
sequence numbers and trending traffic patterns has never been easier. Further, Scrutinizer can quickly identify
rogue servers placed on the network attempting a Man-in-the-Middle attack against such services as DNS, DHCP,
SMB, and more.
Supported Protocols & Other Technical Specifications
• Granularly define reports down to specific interfaces across multiple routers, switches, or firewalls
• Easily integrate 3rd party application and URLs into dashboards
• Integrates with LDAP servers
• Support for SNMPv1, SNMPv2c, and SNMPv3
• Support for all industry standard flow analytics (IPFIX, NetFlow v5, NetFlow v9, FnF, sFlow, J-Flow)
• Configurable to over 1000 interfaces and several hundred exporters
• Create filters based upon next routing hop
• Filter on any exported field such as VLAN id, L2 Address, L3 Address, and latency
• Immediate cost savings by not requiring the purchase of an expensive Microsoft Database server
• Capable of handling up to 20,000 flows per second on an unlimited number of UDP ports
From a technological stand-point Scrutinizer leaves similar priced flow analyzer products in the dust. Scrutinizer’s
robust and superior features such as LDAP integration and support for every industry standard flow protocol in the
market today provide enormous value. When configured appropriately the Scrutinizer engine can receive up to
20,000 flows per second on over 1,000 different interfaces. Customizable dashboard ‘mash ups’ allow for 3rd party
applications and URLs to be imported directly into Scrutinizer making it the only application needed to know exactly
what’s on the network.
Troubleshooting
• Easily identify link failures
• Easily identify specific link traffic statistics
• Easily identify QoS across the network by analyzing jitter & latency
• Easily find out where the ‘slowness’ on the network is occurring
• Plan for network growth
Administrators can use Scrutinizer to monitor the volume of traffic on their network and analyze how it fluctuates
over time. In fact, Scrutinizer’s ‘network volume gadget’ feature can be utilized to see the number of unique hosts
and well known applications being accessed. This report shows trending information on the number of hosts
accessing the network providing the IT administrator with insight into increases over time. Additionally, reports can
be limited by time range (such as 9am to 5pm) to monitor network traffic volume during peak business hours.
Scrutinizer can also be used to identify bottlenecks on the network. For example, when streaming video or VoIP is
deployed on the network, automatic alerts could be configured in Scrutinizer to email the IT administrator notifying
him of packet-loss, delays in packets arrival, or packets arriving out of order. This provides an IT admin the ability to
proactively know of call quality degradation even before users complain of an issue.
Visibility
• Trend analysis reports on archived data
• Easily see the top 5 interfaces across all routers, switches & firewalls
• Integrated Google Maps viewing allows for visual representations of distributed network
• Flexible viewing options allow data to be seen from different angles (pie, bar, matrix, line)
Various viewing options within Scrutinizer, such as the matrix view provide an innovative tool for better visualization
of traffic flows. Based on criteria established when the report is generated, administrators can toggle to different
views to see a graphical map of where traffic is flowing. The ‘Matrix’ enables administrators to easily visualize which
systems a particular host has been accessing.