Transcription of SonicWall On-Premises Analytics
SonicWall On-Premises Analytics Hyper-V Deployment Guide

Contents

Before Beginning
Supported Firewalls
Additional Firewall Requirements
Installation File / Supported Platforms
Hyper-V Hardware Compatibility
Hyper-V Requirements
IPFIX-Based Licensing Model
IPFIX-Based Capacity Planning
Scaling Up
Integration with Capture Security Center
Backup and Recovery Information
Importing Firewall Configurations
Creating a MySonicWall Account
Installing On-Premises Analytics on Hyper-V
Preparing the Windows Server System
Obtaining the Installation Image
Installing On-Premises Analytics
Configuring On-Premises Analytics on Hyper-V
Adding Firewalls to On-Premises Analytics
Licensing and Registering Your On-Premises Analytics Instance
Registering the On-Premises Analytics Instance
Deregistering Your On-Premises Analytics Instance
Activating Firewall Licensing for Syslog-Based On-Premises Analytics
Upgrading On-Premises Analytics
Upgrading Analytics
Upgrading Analytics till HF2 Version
Using the Management Console
Connecting to the Console
Management Console Operations
Using SafeMode on the Management Console
Enabling SafeMode
Disabling SafeMode
Configuring the Network Interfaces in SafeMode
Configuring Interface Settings
Disabling an Interface
Installing a Software Upgrade in SafeMode
Downloading Logs in SafeMode
SonicWall Support
About This Document

Before Beginning

This SonicWall On-Premises Analytics for Hyper-V Deployment Guide describes how to install and manage SonicWall's Analytics package on Microsoft's Hyper-V. On-Premises Analytics collects data from firewalls, analyzes it, and presents it as actionable intelligence. For an overview of product features, refer to the SonicWall On-Premises Analytics Getting Started this chapter to answer basic questions about installing and managing On-Premises Analytics in an Hyper-V 2, Installing On-Premises Analytics on Hyper-V, details how to install using Microsoft's 3, Licensing and Registering Your On-Premises Analytics Instance, tells how to access serial numbers and authorization codes and how to use 4, Upgrading On-Premises Analytics, tells how to load a new revision or software patch of On-Premises Analytics for Hyper-V.
You can update On-Premises Analytics using the console till version HF2 but need to perform a fresh installation of Analytics to upgrade to version upgrade to Analytics , you need to have a minimum version of Analytics HF2 configured on your system. See Upgrading Analytics on page 44 to learn more about the latest upgrade 5, Using the Management Console goes over steps using the Management Console to configure the software and diagnose within this introductory chapter are described below:

Topics:
- Supported Firewalls
- Additional Firewall Requirements
- Installation File / Supported Platforms
- Hyper-V Hardware Compatibility
- Hyper-V Requirements
- IPFIX-Based Licensing Model
- IPFIX-Based Capacity Planning
- Scaling Up
- Integration with Capture Security Center
- Backup and Recovery Information
- Importing Firewall Configurations
- Creating a MySonicWall Account

IMPORTANT: While upgrading Analytics , you need to enter a Secret Key to mount a new hard disk.
The key is the same that is used in the previous version of Analytics and should be remembered before starting the upgrade procedure.

Supported Firewalls

On-premises Analytics can collect data from the following firewalls:

Additional Firewall Requirements

Additional requirements include the following:
- Each firewall must be licensed with the Comprehensive/Advanced Gateway Security Suite (CGSS/AGSS).
- Firewalls supported by an On-Premises Analytics instance must be in a single Group or Tenancy.
- The firewalls added to On-Premises Analytics should not have Reporting and Analytics enabled in CSC.
- Each firewall must have HTTPS management enabled.
- Firewalls added to CSC using Zero Touch are NOT supported for On-Premises

Installation File / Supported Platforms

The image files for installation are available on MySonicWall. See Obtaining the Installation Image on page 10 for

Hyper-V Hardware Compatibility

SonicWall On-Premises Analytics is supported on x86-64 platforms supporting Hyper-V or higher with sufficient resources. The following section, Hyper-V Requirements, outlines minimal core, interface, memory, and storage

Firewalls: SOHO W, TZ Series, NSv 10-100
Mid-Range Firewalls: NSA 2500-6600, NSa 2650-6650, NSv 200-400
High-End Firewalls: SuperMassive 9000 Series, 12K Series, NSa 9250-9650, NSv 800-1600

IMPORTANT: If a firewall is behind a NAT device, then the HTTPS management port must be opened for the cloud services to communicate with the firewall.
Release Version | Supported Hypervisor
 | or higher [1]
1. Windows Server 2012 and 2016 editions.

Hyper-V Requirements

Standard minimal hardware settings with Hyper-V for an On-Premises Analytics instance include:
- 4 CPUs ( GHz processor)
- 8 GB main memory for IPFIX reporting; 16 GB main memory for Syslog reporting
- GB disk size (preferably SSDs)
- 2 virtual NICs (vSwitches)

At the lowest license level, an additional external mount of 500 GB of storage is required for logs

IPFIX-Based Licensing Model

On-premises Analytics licensing levels are based on how much data from firewalls is logged. So, specific licenses support collection of firewall data in increments of 2, 5, 15, 30, and 100 GB per day.
If an On-Premises Analytics instance exceeds its daily limit in a 24-hour period, the excess logs will simply be dropped and data will again be logged starting with the next day. The following table summarizes currently available licensing following section, IPFIX-Based Capacity Planning, provides capacity planning guidelines and walks through an

IPFIX-Based Capacity Planning

The following table links Hyper-V hardware requirements to license levels and flows/logs per second or per day. In the following three tables, hardware requirements for specific license levels are linked to specific numbers of different models of : Syslog-based Analytics storage limits are independent of license level and dependent on assigned resources.
Storage (based on licenses) | Flows/logs per second or day | Storage Limit [1]
2 GB/day | 2 GB/day, 300 logs/sec and 20 million logs/day | 500 GB
5 GB/day | 5 GB/day, 750 logs/sec and 50 million logs/day | 1 TB
15 GB/day | 15 GB/day, 2250 logs/sec and 150 million logs/day | 5 TB
30 GB/day | 30 GB/day, 4500 logs/sec and 300 million logs/day | 10 TB
100 GB/day | 100 GB/day, 15000 logs/sec and 1 billion
1. This is the maximum amount of analyzed data that can be stored, not the maximum amount of external memory supported by the VM.

Installations | Storage (based on licenses) | Flows/logs per second or day
4 Core, 8 GB - default | 2 GB/day | 2 GB/day, 300 logs/sec and 20 million logs/day
8 Core, 16 GB | 5 GB/day | 5 GB/day, 750 logs/sec and 50 million logs/day
16 Core, 32 GB | 15 GB/day | 15 GB/day, 2250 logs/sec and 150 million logs/day
32 Core, 64 GB | 30 GB/day | 30 GB/day, 4500 logs/sec and 300 million logs/day
64 Core, 64 GB | 100 GB/day | 100 GB/day, 15000 logs/sec and 1 billion logs/day

The following table shows recommended guidelines for main memory to support different numbers of.
This example considers license levels required to collect and analyze IPFIX data from five TZ series firewalls and one NSa 9450 at the table linking VM hardware configurations to entry-level firewall numbers, we see that a 4 CPU, 8 GB VM should handle up to ten of these TZ series firewalls. Likewise, we see that an 8-core, 16 GB VM can handle IPFIX flows from a single high-capacity firewall such as the NSa

VM Hardware Configuration | TZs / SOHOs / NSv low capacity (number of firewalls)
4 Core, 8 GB - default | 10 [1]
8 Core, 16 GB | 40
16 Core, 32 GB | 80
32 Core, 64 GB | 160
64 Core, 64 GB | 350
1. Includes all TZ and SOHO models along with NSv models 10 to 100.

VM Hardware Configuration | NSa / NSv medium capacity (number of firewalls)
4 Core, 8 GB - default | 1 [1]
1.