10 Replies Latest reply on Feb 17, 2010 9:32 PM by chris.lapoint

    V 3.6 and new Application Definition Capabilities

    pyro13g

      Now that this is in here, can we get the order of operations that determine how traffic is counted?  Counted in all possible categories.

       

      Scenario:

      I need to have port 8080 to certain IPs counted as Internet Proxy, but not HTTP Alternate.  The rest of the 8080 still counted in HTTP Alternate.

       

      Could an enhancement be added to make a rule bi-directional?

       

      Ughh, can someone move this to the NTA forum?

        • Re: V 3.6 and new Application Definition Capabilities
          Andy McBride

          Is this what you are trying to do? If so it's in NetFlow Settings -> Manage Applications and Service Ports.

            • Re: V 3.6 and new Application Definition Capabilities
              pyro13g

              I currently have to track Internet Proxy with 2 rules.  One for traffic sourced by the proxies and one for traffic destined to them.

              Would like to have that specific TCP 8080 traffic not counted in Alternate HTTP bucket.  Pretty much to have the traffic counted only in the application definition that is the best match.  Or at least know the behavior to work around it as best I can.

                • Re: V 3.6 and new Application Definition Capabilities
                  Andy McBride

                  Does it look like the posted sample will work for you?

                    • Re: V 3.6 and new Application Definition Capabilities
                      pyro13g

                      If 8080 was solely Proxy it would. The proxy servers are all in an IP Address Group.

                      So I have two rules:

                       

                      To Proxy  :  Any -> Internet Proxy Address Group:8080

                      From Proxy  :  Internet Proxy Address Group:8080 -> Any

                       

                      Looks like there are some "best match" rules to how traffic is counted.  Alternate HTTP has fallen out of top 25 after being at 7 since I added the two rules.

                        • Re: V 3.6 and new Application Definition Capabilities
                          brian_crypto

                          Application Definition needs to be expanded in some key ways:

                          Currently, if you want all traffic TO and FROM a particular server classified as an application you must create TWO application definitions.   So the application definition should allow combining at least two source/dest combinations and aggregate them as a single app.

                          Currently, if you want to use non-contiguous IPs within a single application definition you cannot.  You must enter a range.   For example, say I want to create an application that allows me to differentiate all external (public IP) port 80 from all internal (private IP) port 80.   Today, I need to do this with at least three entries, one for each different RFC1918 address space.

                          What happens when a flow matches multiple rules?   Does it match all rules or stop at the first?  If the former, I probably wouldn't want that ... if the latter, we need the ability to order the entries.

                          At least one product that I have that does a pretty good job at defining application flows in a way that is quite similar to what you would want to do here is the Juniper WXC family of WAN Accelerators.   They do this to define applications for quality of service, but is also used for NetFlow-like reporting capabilities.  Worth a look.

                            • Re: V 3.6 and new Application Definition Capabilities
                              pyro13g

                              I don't feel Brian's reply is an answer.  It repeats what I've mentioned/requested and adds his own perspective for improvement.

                              Thread probably needs summarized and moved to Feature Requests.

                              • Re: V 3.6 and new Application Definition Capabilities
                                chris.lapoint


                                > Currently, if you want all traffic TO and FROM a particular server classified as an application you must create TWO application definitions.   So the application definition should allow combining at least two source/dest combinations and aggregate them as a single app.
                                >
                                > Currently, if you want to use non-contiguous IPs within a single application definition you cannot.  You must enter a range.   For example, say I want to create an application that allows me to differentiate all external (public IP) port 80 from all internal (private IP) port 80.   Today, I need to do this with at least three entries, one for each different RFC1918 address space.

                                 



                                Good idea.  I've added an item to track this.

                                 

                                > What happens when a flow matches multiple rules?   Does it match all rules or stop at the first?  If the former, I probably wouldn't want that ... if the latter, we need the ability to order the entries.


                                It matches all rules.   This is why you can't have two application mapping definitions that overlap or are non-unique.
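
The two counting behaviours discussed in this thread (a flow counted in every matching definition versus only in its narrowest match), modelled on the port 8080 proxy scenario. This is an added example, not part of the original posts and not NTA's own logic; the addresses, flows, rule layout and the prefix-length "best match" scoring are constructed assumptions.

```python
import ipaddress
from collections import Counter

def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

ANY = nets("0.0.0.0/0")
PROXIES = nets("10.1.1.10/32", "10.1.1.11/32")  # constructed address group

# (application, source nets, source port, destination nets, destination port)
# None means "any port". Each direction needs its own rule, as in the thread.
RULES = [
    ("Internet Proxy", ANY, None, PROXIES, 8080),   # To Proxy
    ("Internet Proxy", PROXIES, 8080, ANY, None),   # From Proxy
    ("HTTP Alternate", ANY, None, ANY, 8080),
    ("HTTP Alternate", ANY, 8080, ANY, None),
]

# Constructed flows: (src ip, src port, dst ip, dst port, bytes)
FLOWS = [
    ("10.2.0.5", 51000, "10.1.1.10", 8080, 1000),   # client -> proxy
    ("10.1.1.10", 8080, "10.2.0.5", 51000, 4000),   # proxy -> client
    ("10.2.0.5", 51001, "192.0.2.20", 8080, 500),   # client -> other 8080 host
]

def specificity(rule, flow):
    """Matched prefix bits (higher = narrower rule), or None if no match."""
    _, src_nets, sport, dst_nets, dport = rule
    src, fsport, dst, fdport, _ = flow
    if sport not in (None, fsport) or dport not in (None, fdport):
        return None
    s = [n.prefixlen for n in src_nets if ipaddress.ip_address(src) in n]
    d = [n.prefixlen for n in dst_nets if ipaddress.ip_address(dst) in n]
    return max(s) + max(d) if s and d else None

def count(flows, best_match):
    """Bytes per application; best_match=False counts every matching app."""
    totals = Counter()
    for flow in flows:
        hits = {}
        for rule in RULES:
            score = specificity(rule, flow)
            if score is not None:
                hits[rule[0]] = max(score, hits.get(rule[0], -1))
        if best_match and hits:
            hits = {max(hits, key=hits.get): None}  # keep narrowest app only
        for app in hits:
            totals[app] += flow[4]
    return totals
```

With all-match counting the proxy traffic inflates HTTP Alternate as well; with narrowest-match counting only the non-proxy 8080 flow remains there.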

                                  • Re: V 3.6 and new Application Definition Capabilities
                                    pyro13g

                                    Need an IP based application classification.  More and more vendors want all ports open for their applications.  Or, it ends up the default when someone brings up a system or services.  Going back and changing in a large environment is rarely a priority to fix.  It only makes monitoring more difficult and won't become a priority until it bites a VP in the backside.

                                    You can't create the rules to cover all ports for combinations of IP address groups.  At least I can't and neither could a SW Tech. via Remote Control of our installation.