AppFlow Report combines IP address data into "Remaining IPs"

When I go into AppFlow Reports and choose "View: Since Last Reset", it names IP addresses as "Remaining IPs" instead of listing the actual IP addresses. If I choose "View: all" and choose "Limit Unlimited" there are only 12500 IPs.
AppFlow Report collects only 12500 IP addresses max. After that number all the rest are combined into "Remaining IPs". Does this have anything to do with the fact that data writing to the M.2 Storage Device is enabled?

TZ370, SonicOS 7.1.3-7015

Category: Firewall Management and Analytics

Best Answers

  • CORRECT ANSWER
    BWC Cybersecurity Overlord ✭✭✭
    edited March 12 Answer ✓

    I guess there is a limit based on the performance of the Appliance, not using the Storage Device for that. For TZ 470 it's the same 12500, TZ 670 / NSa 2700 it seems to be 25000 and a NSa 4700 can keep 50000 IPs.

    On-box analytics was never the strong suit of SNWL Firewall.

    Update: the TSR holds some information about the limits, e.g. for a TZ 670
    
    IP/User AppFlow Report Settings
    -------------------------------
     gEnableIpReport      =1
     gEnableUserReport    =1
     gMaxNumOfIpRecords   =25000
     gMaxNumOfUserRecords =10000
     gMaxHashIpBuckets    =4096
     gMaxHashUserBuckets  =2048
     gIpHashMask          =4095
     gUserHashMask        =2047
    
     currIpReportRecords  =18071
     currUserReportRecords=1
    

    —Michael@BWC
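
The counters in the TSR excerpt above can be checked offline against their limits, since the original post reports that addresses beyond the limit are combined into "Remaining IPs". The following is an added example, not code from the thread or from SonicWall; the function names and the 90% warning threshold are assumptions, and the sample text is the record-count part of the quoted excerpt.

```python
import re

# Constructed sample: record-count lines of the TSR excerpt quoted above (TZ 670).
SAMPLE_TSR = """\
IP/User AppFlow Report Settings
-------------------------------
 gEnableIpReport      =1
 gEnableUserReport    =1
 gMaxNumOfIpRecords   =25000
 gMaxNumOfUserRecords =10000

 currIpReportRecords  =18071
 currUserReportRecords=1
"""

SECTION = "IP/User AppFlow Report Settings"
KV = re.compile(r"^\s*(\w+)\s*=\s*(\d+)\s*$")

def parse_appflow_section(tsr_text):
    """Return {name: int} for the key=value lines of the AppFlow section."""
    values, in_section = {}, False
    for line in tsr_text.splitlines():
        text = line.strip()
        if text == SECTION:
            in_section = True
        elif in_section:
            match = KV.match(line)
            if match:
                values[match.group(1)] = int(match.group(2))
            elif text and set(text) != {"-"}:
                break  # any other non-blank line starts the next section
    return values

def table_status(values, kind, warn_at=0.9):
    """kind is 'Ip' or 'User'; warn_at is an assumed alert threshold."""
    limit = values[f"gMaxNumOf{kind}Records"]
    current = values[f"curr{kind}ReportRecords"]
    if values.get(f"gEnable{kind}Report") != 1:
        state = "disabled"
    elif current >= limit:
        state = "full"  # per the thread, further IPs land in "Remaining IPs"
    elif current >= warn_at * limit:
        state = "near-limit"
    else:
        state = "ok"
    return {"current": current, "limit": limit, "free": max(limit - current, 0), "state": state}

if __name__ == "__main__":
    print({k: table_status(parse_appflow_section(SAMPLE_TSR), k) for k in ("Ip", "User")})
```
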

  • CORRECT ANSWER
    Mariusz Enthusiast ✭✭
    edited March 12 Answer ✓

    This is not good news for me. The information given in "/Device/Settings/Storage/Secondary" indicates that the space for collecting AppFlow Reports is 964.00 KB/3.20 GB - used/available - i.e. practically all free. I see no reason not to store data on the SSD in files similar to System Logs, where I currently see a lot of files, each holding 12500 logs. This is exactly what the additional SSD M.2 Storage Device is for. They should change this in the new Firmware version.

    What is the CLI command to display this information?
    How can I reset (delete current) data collection in AppFlow Report?

  • CORRECT ANSWER
    BWC Cybersecurity Overlord ✭✭✭
    Answer ✓

    You can click on "Clear IP Report" on the internal settings page to reset the list. Not really straightforward, but actually I never needed it before :)

    —Michael@BWC

Answers

  • Mariusz Enthusiast ✭✭

    How to reset AppFlow Report collection?
    Currently, further collection does not make sense - everything is saved to "Remaining IPs"

  • Mariusz Enthusiast ✭✭

    @BWC Please write whether after "Clear IP Report" system logs will be saved (will be safe) or will they be deleted as well. I would not like to lose them.

  • BWC Cybersecurity Overlord ✭✭✭

    @Mariusz you're listed as a Partner, just give it a shot on your Lab Appliance, don't take this word from some stranger on the Interweb.

    But it really does only delete the IP Report, I tested it earlier this morning and the log is unharmed. It's in the Flow Reporting section, so I wasn't that cautious about the system logs.

    —Michael@BWC
