Application Enrichment — SonicWall
Enriched fields produced by this configuration are applied and available in the Network Conversations Module output.
SonicWall firewalls export application names, categories, and user data using IPFIX with extensions, SonicWall's proprietary extension of the IPFIX standard. It carries DPI-derived application context that standard NetFlow v9 and plain IPFIX do not. This allows NFO to report on named layer-7 applications, including traffic identified through SSL deep packet inspection.
How It Works
SonicWall's App Flow engine inspects traffic and classifies sessions by application name and category. When configured to export to an external collector using IPFIX with extensions, the firewall sends both standard flow records and a set of static option tables, including an Applications Map that correlates App IDs to human-readable names and categories. NFO correlates these tables to enrich each flow record with the resolved application name.
Important: Application enrichment requires IPFIX with extensions as the export type. Standard NetFlow v9 or plain IPFIX exports do not include the application tables needed for name resolution.
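To check from the collector side which export type is actually arriving, the added example below (not NFO or SonicWall code) parses one captured datagram per RFC 7011. It tells NetFlow v9 from IPFIX by the header version and lists the enterprise numbers of any vendor-specific fields found in templates. Assumptions: SonicWall's extension fields are encoded as RFC 7011 enterprise-specific elements, the function names are hypothetical, and 65535 is a constructed placeholder because the page gives no enterprise number or field IDs.

```python
import struct

def inspect_export(datagram: bytes) -> dict:
    """Classify one export datagram by header version and template contents."""
    out = {"format": "unknown", "options_templates": 0, "enterprise_numbers": set()}
    if len(datagram) < 16:
        return out
    version, length = struct.unpack_from("!HH", datagram)
    if version != 10:  # IPFIX messages carry version 10; NetFlow v9 carries 9
        out["format"] = "netflow-v9" if version == 9 else "unknown"
        return out
    out["format"] = "ipfix"
    end, pos = min(length, len(datagram)), 16
    while pos + 4 <= end:
        set_id, set_len = struct.unpack_from("!HH", datagram, pos)
        if set_len < 4 or pos + set_len > end:
            break  # malformed set length: stop rather than loop or over-read
        if set_id in (2, 3):  # 2 = template set, 3 = options template set
            _scan_templates(datagram, pos + 4, pos + set_len, set_id == 3, out)
        pos += set_len
    if out["enterprise_numbers"]:
        out["format"] = "ipfix-enterprise-fields"
    return out

def _scan_templates(buf, pos, end, is_options, out):
    while pos + 4 <= end:
        template_id, field_count = struct.unpack_from("!HH", buf, pos)
        if template_id < 256:
            return  # padding at the end of the set
        pos += 4
        if field_count == 0:
            continue  # template withdrawal: no field list follows
        if is_options:
            pos += 2  # skip the scope field count
            out["options_templates"] += 1
        for _ in range(field_count):
            if pos + 4 > end:
                return
            ie_id = struct.unpack_from("!H", buf, pos)[0]
            pos += 4
            if ie_id & 0x8000 and pos + 4 <= end:  # enterprise bit set
                out["enterprise_numbers"].add(struct.unpack_from("!I", buf, pos)[0])
                pos += 4

# Constructed sample: an options template with two enterprise-specific fields.
# 65535 is a placeholder enterprise number, not a value taken from SonicWall.
_rec = struct.pack("!HHH", 256, 2, 1) + struct.pack("!HHI", 0x8001, 4, 65535) * 2
SAMPLE = (struct.pack("!HHIII", 10, 20 + len(_rec), 0, 0, 0)
          + struct.pack("!HH", 3, 4 + len(_rec)) + _rec)
```

A result of `netflow-v9`, or `ipfix` with no options templates and no enterprise numbers, indicates the datagram does not carry vendor extension templates, so the export type setting is the first thing to recheck.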
Prerequisites
- SonicOS: 5.8 or later
- App Control: Licensed and enabled globally and per-zone
- Supported platforms: TZ210 and higher (Gen5), all Gen6 and Gen7 units
- Network connectivity: Firewall must reach the NFO IP on the configured UDP port (default: 9996)
Quick Configuration (GUI)
Navigate to Log > Flow Reporting (SonicOS 6.x) or Device > AppFlow > Flow Reporting (SonicOS 7.x):
- Check Enable flow reporting
- Check Send AppFlow and Real-Time Data to External Collector
- Set External Flow Reporting Type to IPFIX with extensions
- Enter the External Collector IP (your NFO server IP)
- Set the External Collector Port to 9996
- Under Include Following Additional Reports via IPFIX, ensure Applications Map is selected
- Click Generate ALL Templates to push templates to NFO immediately
- Check Send Static AppFlow at Regular Intervals and click Generate Static Flows
Enable App Control per zone:
Navigate to Network > Zones, click Configure on each relevant zone, and check Enable App Control Service.
Enable flow reporting per access rule:
For each relevant firewall access rule, open the rule, go to the Advanced tab, and check Enable Flow Reporting.