cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

This product reached the end of support date on March 31, 2021.

CAS considerations for NetFlow Monitoring

gary_spencer
Inactive

Hi Everyone,

I know that we have a document detailing NetFlow considerations for the AMD (here).

Do we have a similar guide for NetFlow considerations on the CAS? Or does anybody have considerations/recommendations themselves?

Thanks!

1 REPLY 1

matthew_eisengr
Inactive

Gary,

I'd be curious to find this as well. What I have noticed in my own and other's health checks is that enabling Netflow can severely increase the amount of software services you have, especially if you are running it with Port Finder enabled.

The only advice I could give based on this is to increase the amount of packets that need to be seen using Port Finder from 0 to 1024 (or higher) before it will create a software service for it. See the screenshot below taken from the AMD's global config on the RUM Console.

This should help minimise any noise (heartbeats, ephemeral ports) because it will need to see at least 1024 packets in 24hrs before it will consider it important enough to create a software service.

Another thing you could look into is at the auto-discovery port section and creating some for the upper level port ranges that are normally reserved for ephemeral ports. My theory is that by grouping the ephemeral ranges, it will only create one software service. This also makes it easier to filter out in your reports.