
Defining a Firewall Filter to Select Traffic for Active Flow Monitoring

The first step in active flow monitoring is to configure the match conditions that identify acceptable traffic or quarantined traffic. Common actions for active flow monitoring are sample, discard accounting, port-mirror, and accept. To configure these, include the desired action statements and a counter in the then statement of a firewall filter term, and then apply the filter to an interface.

In sampling, the router examines a portion of the traffic and sends reports about that sample to the flow monitoring server. Discard accounting traffic is counted and monitored but is not forwarded out of the router. Port-mirrored traffic is copied and sent to another interface. Accepted traffic is forwarded to its intended destination.

Most combinations of these actions are valid. However, you can either port-mirror or sample the same traffic, but not perform both of those actions simultaneously on the same packets.

[edit]
firewall {
    family inet {
        filter active_filter {
            term quarantined_traffic {
                from {
                    source-address {
                        10.36.1.2/32;
                    }
                }
                then {
                    count quarantined-counter;
                    sample;
                    discard accounting;
                }
            }
            term copy_and_forward_the_rest {
                then {
                    port-mirror;
                    accept;
                }
            }
        }
    }
}
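As an added example (not part of this documentation page or of Junos itself), the following Python walks a Junos-style firewall filter hierarchy, collects the actions in each term's then block, and flags any term that both port-mirrors and samples the same packets, the combination ruled out above. Both configurations in the script are constructed for the example; the second one contains a hypothetical term named "both" that violates the rule.

```python
import re

# Constructed sample: the active_filter shown above, written on fewer lines.
JUNOS_FILTER = """
firewall { family inet { filter active_filter {
    term quarantined_traffic {
        from { source-address { 10.36.1.2/32; } }
        then { count quarantined-counter; sample; discard accounting; }
    }
    term copy_and_forward_the_rest { then { port-mirror; accept; } }
} } }
"""

# Constructed, hypothetical filter whose term "both" breaks the rule.
BAD_FILTER = """
firewall { family inet { filter f { term both {
    then { port-mirror; sample; accept; } } } } }
"""

# The two actions that may not be applied together to the same packets.
EXCLUSIVE = {"port-mirror", "sample"}

def tokenize(config):
    """Yield (statement, separator) pairs, where separator is '{', '}' or ';'."""
    for m in re.finditer(r"([^{};]*)([{};])", config):
        yield m.group(1).strip(), m.group(2)

def parse_terms(config):
    """Return {term_name: [then-actions]} by tracking the brace hierarchy."""
    path, terms = [], {}
    for word, sep in tokenize(config):
        if sep == "{":
            path.append(word)
            if word.startswith("term "):
                terms[word.split(None, 1)[1]] = []
        elif sep == "}":
            path.pop()
        elif word and len(path) >= 2 and path[-1] == "then" \
                and path[-2].startswith("term "):
            # Leaf statement directly inside a term's then block: an action.
            terms[path[-2].split(None, 1)[1]].append(word)
    return terms

def check_filter(config):
    """Return the names of terms that both port-mirror and sample."""
    bad = []
    for name, actions in parse_terms(config).items():
        keywords = {a.split()[0] for a in actions}  # "count x" -> "count"
        if EXCLUSIVE <= keywords:
            bad.append(name)
    return bad
```

Running check_filter on the page's filter returns no terms, while the constructed BAD_FILTER reports its term "both".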

Published: 2010-04-15
