Firstly, apologies for asking what may seem a very out of date and newb question. Secondly, thanks for any help in advance.
I recently found that we have an installation of CA NFA 9.2.0 which is collecting data. Too much data. After much faff, I managed to block the unwanted devices from sending netflow data to our collector and removed the irrelevant devices.
We have three tiers - Harvester, Reporter (if that is the correct terminology) and a performance center instance.
The issue we have is that we have Splunk running in the estate and the port priority is incorrect because it uses port 9997. We have added the port to the port priorities tab and added it as an application definition, as well as naming the port from TCP-9997 to Splunk. The issue is that we still get multiple source ports shown as the "service" when viewing both interface level data and reports. The manual for 9.2.0 doesn't even mention the port priorities function!
Can anyone help - is there some sort of workaround or procedure that needs to be undertaken to make it work after adding it?
I noticed in version 9.3.2 (3, 4, 5, 6) there seem to be known issues with port priorities but as this is an older version I wondered if anyone had any personal experience or a workaround?
The documentation for Port Priorities can be found here: Work with Port Priorities - CA Network Flow Analysis - 9.3.6 - CA Technologies Documentation
What did you mean by this "we still get multiple source ports shown as the "service" when viewing both interface level data and reports."? Did you mean that the ports show as the port number instead of the new custom name you gave the port?
You can try editing the name of the port on the Admin->Protocol Definitions page to update the name of the protocol.
The way NFA works to identify which application is in use in each conversation is it takes the lower of the destination and source port in each flow and uses that as the application. Using port priority overrides this and says anytime that you have a conversation with port, for example TCP-9997, it will use that port instead of the lower port.
This will work so long as the other port is not also listed in the Port Priority list. If both ports are in the port priority list, then it will default back to using the lower of the two ports in the conversation and display that, assuming the lower port is the application port and the higher port is the client port.
You can also create a Custom Application Definition to route data from port 9997 to a unique port over 65500 and name it what you like. An application definition or mapping will override ports in a port priority list.
The documentation for application mappings can be found below:
Create a Subnet Application Mapping Rule - CA Network Flow Analysis - 9.3.6 - CA Technologies Documentation
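
The selection rule described in the reply above, modelled as an added Python example (not CA's code and not part of the original posts). The function names, the custom port 65501, the sample flows, and the choice of the lower port when both sides are mapped are assumptions.

```python
# Added illustration: a simplified model of the rule described in the reply.
# Not vendor code; names and sample values are constructed.

def application_port(src_port, dst_port, priority_ports=(), app_mappings=None):
    """Return the port number reported as the application for one flow."""
    app_mappings = app_mappings or {}
    ports = (src_port, dst_port)

    # 1. An application mapping overrides the port priority list.
    #    Assumption: if both ports are mapped, the lower one is used.
    mapped = [p for p in ports if p in app_mappings]
    if mapped:
        return app_mappings[min(mapped)]

    # 2. Port priority applies only when exactly one side is listed.
    prioritized = {p for p in ports if p in priority_ports}
    if len(prioritized) == 1:
        return prioritized.pop()

    # 3. Default (also the fallback when both ports are prioritized):
    #    the lower of the two ports is treated as the application.
    return min(ports)


# Constructed flows: (source port, destination port)
FLOWS = [(51514, 9997), (4431, 9997), (8089, 9997)]


def report(priority_ports=(), app_mappings=None):
    """Classify every sample flow under the given configuration."""
    return [application_port(s, d, priority_ports, app_mappings) for s, d in FLOWS]


if __name__ == "__main__":
    print("default:       ", report())
    print("priority 9997: ", report({9997}))
    print("priority both: ", report({9997, 8089}))
    print("mapping 9997:  ", report({9997}, {9997: 65501}))
```

With no configuration, any flow whose other port is below 9997 is reported under that other port, which is how several different port numbers can appear as the application for one service.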