You can use filter rules to select incoming data packets and direct them to specific PCA instances. Rules can be defined to filter on the host address, netmask, and port range of incoming traffic.
To keep the number of filter rules per instance manageable, you can:
- Reduce the number of filter rules by using subnet masks and port ranges. For example, if you have an individual filter rule for each host in a subnet, a single rule with a subnet mask (such as 10.10.10.0/24) covers every host in that subnet; likewise, a single port range rule replaces individual rules for each port in a range.
- Create multiple instances of the PCA application and distribute the rules across them.
Filter rules for a host
Host-based filter rules direct traffic to an instance, or ignore it, according to the host that is sending the traffic.
- To filter on ports rather than hosts, use a port range filter.
- To specify a filter rule for a host, complete the following steps.
- Enter the IP address of the host.
- If this value is left blank, traffic from all host IPs is captured based on the specified port number. However, the netmask setting cannot be used without a valid host value.
- To add another host, click Add More.
- If host traffic is coming from a specific netmask, enter the mask value here.
- If Port1 and Port2 are left unspecified, all traffic from the host or netmask is matched by the rule. For a host-based rule, do not specify ports.
- From the Add to drop down, select the PCA instance to which to apply the rule.
- Select the type of filter rule:
  - Desired: Specified traffic is directed to the selected instance.
  - Ignored: Specified traffic is ignored and dropped from further processing.
- Click Add.
The filter rule is added to the specified instance and is immediately applied to incoming traffic.
Filter rules for a port range
A port range filter rule can be used to direct required traffic across a specific set of ports to a PCA instance.
The following methods for specifying port range filters are supported:
- Automatic: The preferred method is to populate the ports automatically, which creates the correct port range filter rule for each instance. Automatic population assumes that all required instances are already created.
- After auto-populating port ranges, you can edit them if needed.
- Manual: If you enter port ranges manually (not auto-populated), only one IP address entry is allowed for VIP (Virtual IP) filtering. Any additional IP addresses added to the port ranges are ignored.
- The workaround is to use a subnet mask with a single IP address.
- The following steps describe manual specification of a port range filter rule for the specified instance.
- If you must edit existing rules, click Edit Filters in the Interface tab.
Port range filter rules can filter on a required VIP address, which lets you exclude unwanted traffic that arrives together with the VIP traffic. If the captured traffic contains only required traffic, an IP address is not needed here.
Manually adding or specifying a filter rule for a range of ports
- If needed, under Filter Rules, enter the IP address of the VIP in the Host field.
- For the type of filter rule, select Port Range, which sends the specified traffic to the selected instance.
- Use the same IP address for each port range filter rule.
If multiple IP addresses are needed and are grouped into a subnet, then a subnet mask can be applied to the base IP address. For example, an entry of 66.211.169.0/24 matches the first 24 bits of the IP address (the first three octets) and allows wildcard matching on any value in the fourth octet, which is specified as 0. Any port range that is specified for this virtual IP matches across all 256 addresses in the /24 block (254 of them usable host addresses).
- If VIP traffic is coming from a specific netmask, enter the mask value in the Netmask field.
- Enter the start port value in the Start Port field and the end port value in the End Port field.
- From the Instance drop-down, select the PCA instance to which to apply the rule.
- Click Create Filter.
The filter rule is added to the specified instance and is immediately applied to incoming traffic.
After you save changes in the Interface tab, a manual restart of the PCA is required.
Editing existing port range filter rules
- If needed, in the Edit Filters screen, select the Port Range check box.
- Enter the IP address of the VIP in the Address field.
- Use and apply the same IP address for each port range filter rule.
- Change any of the filter rule fields as needed.
- To apply your changes, click Save Changes.
After you save changes in the Interface tab, a manual restart of the PCA is required. The configuration changes are applied to incoming traffic.
Ignored traffic filter rules
You can specify filter rules for ignoring traffic. These rules are applied across all instances of the PCA.
- Specify the rule in the Filter Rules box.
- Enter the host whose traffic you want to ignore. To ignore traffic on a specific port from every host, leave the host value blank.
- Specify the port to ignore, if required. To ignore all traffic from the host, leave the netmask and port values empty.
- Click the Ignored check box.
- Click Create Filter.
- The rule is populated in the Ignored Traffic (Global) box at the bottom of the screen.
All traffic that is submitted from addresses that are matching the ignored traffic rules is dropped from the PCA.
Mixing filters for specific IP addresses and port ranges
It is possible to use combinations of specific IP addresses and port ranges to filter traffic.
To mix filtering modes in the same configuration, you must insert entries similar to the following in ctc-conf.xml:
<Instance>
  <ListenTos>
    <ListenTo>
      <Address>10.10.100.200</Address>
      <PortRange>33280-65535</PortRange>
    </ListenTo>
  </ListenTos>
</Instance>
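The following Python is an added example, not PCA code and not part of the original page. It reads a ctc-conf.xml-style fragment that mixes a specific IP address with a subnet and port ranges, and reports ListenTo entries on different instances that could both claim the same packet (overlapping address blocks with intersecting port ranges), which is the check you want before verifying port ranges across instances in Edit Filters. The element names Instance, ListenTos, ListenTo, Address and PortRange come from the fragment above; the root element PCAConfig, the Name element, the "80-80" form for a single port and the presence of several Instance elements in one file are assumptions made for this example, and the sample configuration is constructed.

```python
"""Cross-instance overlap check for ListenTo entries in a ctc-conf.xml-style file.

Added example, not PCA code. <Instance>, <ListenTos>, <ListenTo>, <Address> and
<PortRange> are the element names from the page's fragment; the root element
<PCAConfig>, the <Name> element, the "80-80" single-port form and several
<Instance> elements in one file are ASSUMPTIONS for this example.
"""
import ipaddress
import xml.etree.ElementTree as ET
from itertools import combinations
from typing import Iterator, List, Tuple

# Constructed sample configuration (not from any real deployment):
# a specific IP mixed with a subnet, and port ranges split across two instances.
SAMPLE_CONF = """<PCAConfig>
  <Instance><Name>1</Name><ListenTos>
    <ListenTo><Address>10.10.100.200</Address><PortRange>80-80</PortRange></ListenTo>
    <ListenTo><Address>10.10.100.0/24</Address><PortRange>33280-65535</PortRange></ListenTo>
  </ListenTos></Instance>
  <Instance><Name>2</Name><ListenTos>
    <ListenTo><Address>10.10.100.200</Address><PortRange>1024-33279</PortRange></ListenTo>
    <ListenTo><Address>10.10.100.200</Address><PortRange>60000-65535</PortRange></ListenTo>
  </ListenTos></Instance>
</PCAConfig>"""


def parse_port_range(spec: str) -> Tuple[int, int]:
    """'33280-65535' -> (33280, 65535); a bare '80' -> (80, 80). Bounds are checked."""
    lo_s, _, hi_s = spec.strip().partition("-")
    lo = int(lo_s)
    hi = int(hi_s) if hi_s else lo
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"invalid port range {spec!r}")
    return lo, hi


def listen_entries(xml_text: str) -> Iterator[Tuple[str, ipaddress.IPv4Network, int, int]]:
    """Yield (instance name, network, start port, end port) for every <ListenTo>."""
    root = ET.fromstring(xml_text)
    for inst in root.iter("Instance"):
        name = inst.findtext("Name", default="?")
        for lt in inst.iter("ListenTo"):
            # A plain address becomes a /32; CIDR is accepted as written.
            net = ipaddress.ip_network(lt.findtext("Address").strip(), strict=False)
            lo, hi = parse_port_range(lt.findtext("PortRange"))
            yield name, net, lo, hi


def find_overlaps(xml_text: str) -> List[Tuple[str, str, str, str, str, str]]:
    """Pairs of entries on different instances that could both claim one packet:
    their address blocks overlap and their port ranges intersect."""
    found = []
    for (na, neta, loa, hia), (nb, netb, lob, hib) in combinations(listen_entries(xml_text), 2):
        if na != nb and neta.overlaps(netb) and max(loa, lob) <= min(hia, hib):
            found.append((na, nb, str(neta), f"{loa}-{hia}", str(netb), f"{lob}-{hib}"))
    return found


if __name__ == "__main__":
    for na, nb, adr_a, rng_a, adr_b, rng_b in find_overlaps(SAMPLE_CONF):
        print(f"instance {na} {adr_a} {rng_a} overlaps instance {nb} {adr_b} {rng_b}")
```

In the sample, instance 1's 10.10.100.0/24 entry for ports 33280-65535 overlaps instance 2's 10.10.100.200 entry for ports 60000-65535, so packets in that range from that host are claimed by both instances; the port range on one of them needs to be narrowed.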
Edit Filters
In Edit Filters view, you can edit ports and port ranges to filter the data sent to each instance of the PCA. You can use this view to verify that all required port ranges are properly specified across all instances of the CX Passive Capture Application.
You can also specify data filters in the View Instances view.
By default, the Edit Filters view lets you specify up to two individual ports whose data is sent to a single PCA instance.
To specify a data filter:
- From the Instance column, select the PCA instance identifier to which the filter applies. All data that is captured from the specified server and ports is forwarded to the selected instance.
- In the Address column, enter the IP address of the server that is providing the data.
Note: Host names are not accepted.
- In the Netmask column, you can enter a netmask, if applicable.
- Enter the ports to capture:
- If Port Range is not selected, you can specify up to two ports to capture from the specified address.
- If Port Range is selected, you can specify a Start Port and End Port in the two textboxes. These entries indicate a range of ports, inclusive, that are forwarded to the selected PCA instance for capture.
CIDR Format
To configure a block of allowable IP addresses, use CIDR format. CIDR specifies an IP address range as an IP address combined with a prefix length that stands for its network mask.
CIDR notation uses the following format:
192.30.192.0/18
Here 192.30.192.0 is the network address itself, and 18 indicates that the first 18 bits are the network part of the address, leaving the last 14 bits for host addresses (16,384 addresses, 192.30.192.0 through 192.30.255.255). The host bits of the address must be zero: an entry such as 192.30.250.0/18 has host bits set, because the network address of that block is 192.30.192.0.
The following table contains more examples:
CIDR Format | Equivalent Netmask |
---|---|
10.10.0.0/16 | 255.255.0.0 |
10.10.10.0/24 | 255.255.255.0 |
10.10.10.0/28 | 255.255.255.240 |
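The following Python is an added example, not PCA code and not part of the original page. It computes the netmask, network address and address count for a CIDR entry, converts a dotted netmask back to a prefix length, and flags an entry whose host bits are not all zero (for example 192.30.250.0/18, whose real network address is 192.30.192.0), which is the check to run on a CIDR value before entering it in a filter rule. It uses only the standard-library ipaddress module; the function names are this example's own.

```python
"""CIDR helpers for checking filter-rule address blocks. Added example, not PCA code."""
import ipaddress
from typing import Tuple


def cidr_info(cidr: str) -> Tuple[str, str, int, bool]:
    """Return (netmask, network address, number of addresses, host_bits_set).

    host_bits_set is True when the address written before the slash is not the
    block's real network address, e.g. 192.30.250.0/18 (network address
    192.30.192.0); such an entry should be corrected before it is used.
    """
    net = ipaddress.ip_network(cidr, strict=False)  # strict=False tolerates host bits
    given = ipaddress.ip_address(cidr.split("/")[0])
    return (str(net.netmask), str(net.network_address),
            net.num_addresses, given != net.network_address)


def netmask_to_prefix(netmask: str) -> int:
    """'255.255.255.240' -> 28, the reverse direction of the table above."""
    return ipaddress.ip_network(f"0.0.0.0/{netmask}").prefixlen


if __name__ == "__main__":
    for entry in ("10.10.0.0/16", "10.10.10.0/24", "10.10.10.0/28", "192.30.250.0/18"):
        mask, network, count, bad = cidr_info(entry)
        flag = "  <-- host bits set, use " + network if bad else ""
        print(f"{entry}: netmask {mask}, {count} addresses{flag}")
```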
SPAN Port Traffic
If you capture a subnet from a SPAN port, you must determine whether the SPAN port is sending you only that subnet or other traffic as well.
If you receive just that subnet, select Specific Ports on All Hosts to capture specific ports. For example, to capture all port 80 and 443 traffic on all hosts, select Specific Ports on All Hosts and enter ports 80 and 443.
If your SPAN port is mirroring additional traffic, select Specific Host-Port Combinations. For the hosts, use CIDR syntax to match the subnet. In the port 80 and 443 example, to capture all the traffic for network 1.2.3.0 with netmask 255.255.255.0 (that is, 1.2.3.0/24), specify the following Specific Host-Port Combinations:
Host | Port |
---|---|
1.2.3.0/24 | 80 |
1.2.3.0/24 | 443 |
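The following Python is an added example, not PCA code and not part of the original page. It models the filter-rule matching described on this page: host, netmask and port matching for Desired and Ignored rules, a blank host meaning all hosts, no ports meaning all ports from the host, the rule that a netmask cannot be used without a host, and the SPAN-port host/port combinations above. Two points are assumptions of the model rather than documented behaviour: global Ignored rules are checked before Desired rules, and among Desired rules the first match wins. The rule set and packets are constructed for the example.

```python
"""Model of PCA filter-rule matching as described on this page.

Added example, not PCA code. The precedence of global Ignored rules over
Desired rules and first-match-wins among Desired rules are ASSUMPTIONS.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class FilterRule:
    kind: str                         # "Desired" or "Ignored"
    instance: Optional[int] = None    # target PCA instance (Desired rules only)
    host: str = ""                    # IP address or CIDR; blank = any host
    netmask: Optional[str] = None     # "24" or "255.255.255.0"; requires host
    port1: Optional[int] = None       # individual ports (host-based rule)
    port2: Optional[int] = None
    start_port: Optional[int] = None  # inclusive range (port range rule)
    end_port: Optional[int] = None

    def __post_init__(self) -> None:
        if self.kind not in ("Desired", "Ignored"):
            raise ValueError(f"unknown rule type {self.kind!r}")
        if self.kind == "Desired" and self.instance is None:
            raise ValueError("a Desired rule needs a target instance")
        # Page: the netmask setting cannot be used without a valid host value.
        if self.netmask is not None and not self.host:
            raise ValueError("netmask cannot be used without a host")
        if (self.start_port is None) != (self.end_port is None):
            raise ValueError("Start Port and End Port must be given together")
        if self.start_port is not None and not 0 < self.start_port <= self.end_port <= 65535:
            raise ValueError("invalid port range")

    def network(self):
        """Address block the rule applies to, or None for 'any host'."""
        if not self.host:
            return None
        # CIDR in the host field wins; otherwise combine host with the netmask (or /32).
        spec = self.host if "/" in self.host or self.netmask is None else f"{self.host}/{self.netmask}"
        return ipaddress.ip_network(spec, strict=False)

    def matches(self, ip: str, port: int) -> bool:
        net = self.network()
        if net is not None and ipaddress.ip_address(ip) not in net:
            return False
        if self.start_port is not None:
            return self.start_port <= port <= self.end_port
        ports = {p for p in (self.port1, self.port2) if p is not None}
        return not ports or port in ports  # no ports given = all ports from the host


def route(rules: List[FilterRule], ip: str, port: int) -> Optional[int]:
    """Instance that receives a packet from ip:port, or None if it is dropped.

    ASSUMPTION: Ignored rules are global and checked first; among Desired
    rules the first match wins.
    """
    if any(r.kind == "Ignored" and r.matches(ip, port) for r in rules):
        return None
    for r in rules:
        if r.kind == "Desired" and r.matches(ip, port):
            return r.instance
    return None  # no Desired rule claimed the packet


# Constructed sample rule set (not from any real deployment)
RULES = [
    # Global ignore: everything from one noisy host, all ports
    FilterRule("Ignored", host="1.2.3.99"),
    # SPAN example from this page: ports 80 and 443 on the 1.2.3.0/24 subnet
    FilterRule("Desired", instance=1, host="1.2.3.0", netmask="255.255.255.0", port1=80, port2=443),
    # Port range rule mirroring the ctc-conf.xml fragment on this page
    FilterRule("Desired", instance=2, host="10.10.100.200", start_port=33280, end_port=65535),
    # Blank host: port 8080 from any host
    FilterRule("Desired", instance=1, port1=8080),
]

if __name__ == "__main__":
    for ip, port in [("1.2.3.10", 80), ("1.2.3.10", 22), ("1.2.3.99", 80),
                     ("10.10.100.200", 40000), ("192.0.2.7", 8080)]:
        print(f"{ip}:{port} -> instance {route(RULES, ip, port)}")
```

Running the sample shows the effect of each rule kind: 1.2.3.10:80 goes to instance 1, 1.2.3.10:22 matches nothing and is not captured, 1.2.3.99:80 is dropped by the global Ignored rule even though the subnet rule would otherwise claim it, and 10.10.100.200:40000 goes to instance 2 through the port range rule.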