If you manage a firewall – especially a UTM firewall that does all manner of things including tracking “content” and “applications” – then chances are you are going to be asked by Management to provide reports and information about the “how’s” and “who’s” of bandwidth use. It’s a fact of modern corporate life, irrespective of the size of the corporation. In fact, you could argue that smaller organizations are even more concerned about bandwidth usage than their larger cousins because the dollars used to pay for the bandwidth are that much dearer.
Any firewall worth its salt can channel syslog output to a syslog server and, of course, you can use any number of tools to sift through that output. The problem is that it can be hideously tedious to work out how to sift out the required data and then present it in a format that humans (and Management, for that matter …) can read. Dell Sonicwall has a great tool that fulfills this need.
Sonicwall Analyzer is a licensed product from Dell Sonicwall, available as a Windows application for installation on a Windows server or as a self-contained VMware VM appliance. Analyzer allows you to capture the syslog output from your Sonicwall appliance (this includes firewalls as well as SSL VPN appliances) and then slice, dice and serve it up in a nice graphical format. No, it is not “sexy” but yes, it is very useful.
I’ve installed the Analyzer VM at a few sites, including our own office, and the process is relatively painless. Once the VM is installed and started, the system asks a few basic configuration questions and the appliance is ready to go. You need to make a change on your Sonicwall device to point syslog output to the Analyzer appliance, and then you need to wait a few hours for Analyzer to digest the data that is captured from the Sonicwall. From that point forward you can search through a number of categories and then slice, dice and report on your chosen dataset.
Many organizations use Analyzer to show how bandwidth is used and then adjust rules accordingly. It is a great tool to help ferret out those hidden, high-bandwidth bandits. It also has a bit of a “Big Brother” function in that it allows an admin to profile a user’s Internet use (this requires some extra plumbing with Sonicwall SSO in the back end). Some organizations that are loath to enforce content or application filtering at the firewall can use this function to report use patterns for their users.
As I said, nothing sexy but worth its weight in gold if you are the firewall admin who has been tasked by management to analyze bandwidth use. If you have Dell Sonicwall firewalls (and other Sonicwall devices such as SRAs) it’s well worth the time investment to look into Analyzer.
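To make concrete what “sifting” raw firewall syslog into a bandwidth report actually involves (the tedious part that Analyzer takes off your hands), here is an added Python example. It is not part of the original post and not Analyzer’s or Sonicwall’s code. The sample log lines are constructed, and the field names it relies on (src, dst, dstname, usr, sent, rcvd) are an assumption about the key=value style of Sonicwall syslog output; real exports vary by model and firmware, so check your own device’s log format before relying on any field.

```python
import re
from collections import defaultdict

# Constructed sample lines in the key=value style commonly used by SonicWall
# syslog output. The field names (src, dst, dstname, usr, sent, rcvd) are an
# assumption for this example; the serial number and addresses are made up.
SAMPLE_SYSLOG = """\
id=firewall sn=CONSTRUCTED001 time="2014-03-10 09:01:02" fw=203.0.113.1 pri=6 c=1024 m=537 msg="Connection Closed" src=192.168.1.10:51234 dst=198.51.100.20:443 dstname=cdn.example.com usr=alice sent=1200 rcvd=845000
id=firewall sn=CONSTRUCTED001 time="2014-03-10 09:01:05" fw=203.0.113.1 pri=6 c=1024 m=537 msg="Connection Closed" src=192.168.1.11:51235 dst=198.51.100.21:443 dstname=mail.example.org usr=bob sent=5000 rcvd=12000
id=firewall sn=CONSTRUCTED001 time="2014-03-10 09:02:10" fw=203.0.113.1 pri=6 c=1024 m=537 msg="Connection Closed" src=192.168.1.10:51240 dst=198.51.100.22:443 dstname=video.example.com usr=alice sent=3000 rcvd=2500000
id=firewall sn=CONSTRUCTED001 time="2014-03-10 09:03:00" fw=203.0.113.1 pri=6 c=1024 m=537 msg="Connection Closed" src=192.168.1.12:51300 dst=198.51.100.20:443 dstname=cdn.example.com usr=carol sent=900 rcvd=400000
id=firewall sn=CONSTRUCTED001 time="2014-03-10 09:03:30" fw=203.0.113.1 pri=6 c=1024 m=97 msg="Web site access allowed" src=192.168.1.11:51301 dst=198.51.100.23:80 dstname=news.example.net usr=bob
"""

# key=value, where the value is either a double-quoted string (may contain
# spaces) or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value syslog line into a dict of field -> string value."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def parse_syslog(text):
    """Parse every non-empty line of a syslog capture."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def bytes_of(record):
    """Total bytes for a record; lines without counters (e.g. access-allowed
    messages) contribute zero instead of breaking the report."""
    try:
        return int(record.get("sent", 0)) + int(record.get("rcvd", 0))
    except ValueError:
        return 0


def top_talkers(records, group=lambda r: r.get("usr"), n=5):
    """Sum bytes per group (default: per user) and return the top n, largest first."""
    totals = defaultdict(int)
    for record in records:
        key = group(record)
        if key:
            totals[key] += bytes_of(record)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def filter_dstname(records, domain):
    """Keep records whose dstname is `domain` itself or a subdomain of it.

    A suffix match on the label boundary avoids the false positive that a plain
    substring test gives (e.g. 'notexample.com' matching 'example.com')."""
    domain = domain.lower().lstrip(".")
    kept = []
    for record in records:
        name = record.get("dstname", "").lower()
        if name == domain or name.endswith("." + domain):
            kept.append(record)
    return kept


def source_host(record):
    """Group key for per-host reports: the src address with its port stripped."""
    return record.get("src", "").rsplit(":", 1)[0] or None


if __name__ == "__main__":
    records = parse_syslog(SAMPLE_SYSLOG)
    print("Top users by bytes:")
    for user, total in top_talkers(records):
        print(f"  {user:<10} {total:>10,}")
    print("Top destinations under example.com:")
    subset = filter_dstname(records, "example.com")
    for name, total in top_talkers(subset, group=lambda r: r.get("dstname")):
        print(f"  {name:<20} {total:>10,}")
    print("Top internal hosts:")
    for host, total in top_talkers(records, group=source_host):
        print(f"  {host:<15} {total:>10,}")
```

The `filter_dstname` helper deliberately matches on a label boundary rather than a plain “contains” test, which is the kind of detail that is easy to get wrong when hand-rolling filters and one reason a purpose-built reporting tool is attractive.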
Hi,
Have you figured out how to use the syslog filter? I can’t seem to filter out URLs. I am using dstname contains xxx.com. Should I use a wildcard like *.xxx.com, or should I be using dst contains xxx.com?
Thanks!
L
Hi,
Sorry to be slow responding. I’d have to go back and check as it has been a while since I played with it. Right now I can’t say the best way to do it.
Robert
How does the pricing work on it? I see the license prices here http://www.sonicwall.com/us/en/products/Analyzer.html#tab=purchase. Are these yearly subscription prices, or just one-time prices? If I want to manage 2 devices on the list, I just add up the 2 prices? Thanks.
Hi, Keith:
You have to purchase appropriate license(s) to cover each firewall that you want to plug into Analyzer. So, as an example, if you had a TZ215 and an NSA220 you would have to purchase one 01-SSC-3378 and one 01-SSC-3379. If you had TWO TZ215s and one NSA220 you would need TWO 01-SSC-3378 and one 01-SSC-3379. The licenses are one-time purchases; there is no yearly support on these (the same procedure that Sonicwall uses for SSL VPN licenses, which are a one-time purchase).
Hope this helps!
Robert