5 Replies Latest reply on Jul 29, 2010 7:25 AM by artie_effim

    Is a new application subtractive?

    artie_effim

      In the case that I'm adding an application to measure http/https between an IP group of servers, so I added a new application on ports 80&443 and specified both dest and src as the new IP group.  In this case, do these counts get subtracted from the general http/https application?

        • Re: Is a new application subtractive?

          Hi artie_effim,

          No, the application definition will include all the data for which it is defined, even though there is an overlap/inclusion between applications definitions. Unluckily there is currently no option how to define more complicated application definition using exclusion, union and other set operators.

            • Re: Is a new application subtractive?
              artie_effim

              so, just to make sure, a netflow data object that matches 2 applications will count against both applications.  NTA does not stop after the first match, but rather continues though all applications.

                • Re: Is a new application subtractive?

                  Actually we just store one flow into our data, but then when querying for specified application (because of request from web UI), we try to match this stored NetFlow data with the definition of this application (and both mentioned application definitions can match the same row in our data).

                  To specify this a little more – this applies to 3.6, in 3.7 we are introducing a new feature speeding up the queries (it is called in memory aggregation), and when it s turned on, then really one of the application can subtract data from the other .

                  Just to be on a sure side, let me double check this in our lab environment once I will return tomorrow in work (it’s already evening in my time zone), so I can confirm my statement.

                  Regards
                  Jan

              • Re: Is a new application subtractive?

                Hi artie_effim,

                My apology for confusion, we actually store already mapped id of application, so one incoming flow will always belong to one application. So your definition of applications IS SUBSTRACTIVE.

                Actually we do not allow overlapping/inclusive application definitions with one exception and that is that one of the source/destination ip groups (or both) of the more general application definition is “any”. Then the traffic will be matched according to “best match” (means to the specialized application – e.g. your “new http” if it can be matched, otherwise to the general one – ordinary http in our case).

                Regards
                Jan