Configuring a Flow Processor

By changing the Flow Processor configuration settings, you can manage the way that JSA collects and processes flows that are received from the device.

The following table describes the Flow Processor configuration parameters:

Table 1: Flow Processor Configuration Parameters

Parameter

Description

Maximum Content Capture

Specify the maximum amount of data (bytes per packet) that you want the Flow Processor to capture and retain in the flow payload.

Maximum Data Capture/Packet

Specify the maximum amount of data (bytes per packet) that you want the Flow Processor to analyze.

Flow buffer size

Specify the maximum number of flows that can be buffered in memory.

Maximum Number of Flows

Specify the maximum number of flows that you want to send from the Flow Processor to an Event Collector.

Alias Autodetection

Set to Yes to allow JSA to auto-detect flow sources.

With auto-detection turned on, JSA can automatically create flow source aliases for external flow sources, such as routers.

Remove duplicate flows

Set this to Yes if you want the Flow Processor to remove duplicate flows.

If you have asymmetric traffic in your network, set this parameter to No.

Verify NetFlow Sequence Numbers

Set this to Yes if you want the Flow Processor to check the incoming NetFlow sequence numbers to ensure that all packets are present and in order.

JSA displays a notification if a packet is missing or received in incorrect sequence.

External Flow De-duplication method

Choose the method that you want to use to remove duplicate external flows.

  • Select Source to compare the originating flow sources.

    This method compares the IP address of the device that exported the current external flow record to the IP address of the device that exported the first external record of the flow. If the IP addresses do not match, the current external flow record is discarded.

  • Select Record to compare the individual external flow records.

    This method logs a list of every external flow record that is detected by a device, and compares each subsequent record to that list. If the current record is found in the list, the record is discarded.

    If you choose this method, you must also set the External flow record comparison mask parameter.

Flow Carry-over Window

Specify the number of seconds that the Flow Processor process holds one-sided flows. The default setting is 6 seconds.

This setting allows time for JSA to receive the flow response. Flows that fall within the carry-over window are not sent until the next reporting interval.

External flow record comparison mask

Specify the method to use to compare external flow records.

This parameter is valid only if you chose Record as the External Flow De-duplication method.

You can choose which flow record fields are to be used when comparing external flow records:

  • D (Direction)

  • B (ByteCount)

  • P (PacketCount)

You can combine the flow record fields to include the following combinations:

  • The DBP option uses direction, byte count, and packet count.

  • The XBP option uses byte count and packet count.

  • The DXP option uses direction and packet count.

  • The DBX option uses direction and byte count.

  • The DXX option uses direction.

  • The XBX option uses byte count.

  • The XXP option uses packet count.

Create Super Flows

Set this to Yes if you want JSA to group flows that have similar properties into one flow record.

Type A Superflows (Network Scan)

Specify the threshold to be reached before JSA creates a Type A (one to many) superflow.

Type B Superflows (DDoS)

Specify the threshold to be reached before JSA creates a Type B (many to one) superflow.

Type C Superflows (Port Scan)

Specify the threshold to be reached before JSA creates a Type C (one to one) superflow.

Recombine Asymmetric flows

Set this to Yes if you want JSA to recombine asymmetric flows.

Ignore Asymmetric Superflows

Set this to Yes if you want JSA to create superflows when asymmetric flows are enabled.

Use Common Destination Port

Set this to Yes if you want JSA to determine whether to reverse the flow direction.

  1. On the navigation menu, click Admin.
  2. In the System Configuration section, click System and License Management.
  3. In the Display list, select Systems, and select the Flow Processor that you want to configure.
  4. On the Deployment Actions menu, click Edit Host.
  5. Click the gear icon next to Component Management.
  6. Edit the configuration options and click Save.
  7. Repeat the configuration steps for each Flow Processor in your deployment.
  8. Close the System and License Management window.
  9. Deploy your changes.

    This will restart the Flow Processor process on every managed host that you modified.
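
To see how the External Flow De-duplication method and the External flow record comparison mask change which records survive, the following Python model is added here for illustration; it is not JSA code. It assumes a flow is keyed by its 5-tuple and that one shared list of seen records is kept; the record layout and the sample records are constructed.

```python
from collections import namedtuple

# Constructed record layout; the field names are assumptions for this model.
Rec = namedtuple("Rec", "exporter src dst sport dport proto direction bytes packets")
MASKS = {"DBP", "XBP", "DXP", "DBX", "DXX", "XBX", "XXP"}  # options listed in the table

def flow_key(r):
    # Assumption: a flow is identified by its 5-tuple.
    return (r.src, r.dst, r.sport, r.dport, r.proto)

def dedup_source(records):
    """Source method: keep a record only if its exporter IP matches the
    exporter of the first record seen for that flow."""
    first_exporter, kept = {}, []
    for r in records:
        if first_exporter.setdefault(flow_key(r), r.exporter) == r.exporter:
            kept.append(r)
    return kept

def dedup_record(records, mask="DBP"):
    """Record method: discard a record that matches one already seen,
    comparing only the fields the mask selects (X = field not compared)."""
    if mask not in MASKS:
        raise ValueError("unsupported comparison mask: " + mask)
    seen, kept = set(), []
    for r in records:
        fields = zip(mask, (r.direction, r.bytes, r.packets))
        sig = flow_key(r) + tuple(v for m, v in fields if m != "X")
        if sig not in seen:
            seen.add(sig)
            kept.append(r)
    return kept

# Constructed sample: two routers export records for the same flow.
FLOW = ("10.0.0.5", "192.0.2.10", 51514, 443, "tcp")
SAMPLE = [
    Rec("172.16.0.1", *FLOW, "out", 1200, 10),  # router A, first report
    Rec("172.16.0.2", *FLOW, "out", 1200, 10),  # router B, same traffic
    Rec("172.16.0.1", *FLOW, "out", 5400, 42),  # router A, later interval
    Rec("172.16.0.2", *FLOW, "in", 800, 9),     # router B, only exporter of this record
]

if __name__ == "__main__":
    print("Source:", len(dedup_source(SAMPLE)), "records kept")
    for m in sorted(MASKS):
        print("Record/" + m + ":", len(dedup_record(SAMPLE, m)), "records kept")
```

In this model the Source method discards the record that only router B exported, and the DXX mask treats router A's later-interval record as a duplicate because only direction is compared.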