Data Collection Tuning - Port Aggregation/Consolidation

Learn how to change the frequency and aggregation of NetFlow data for real-time or long-term.

NOTE: Network Segmentation will change default aggregation rules.

Data Collection Tuning - Port Aggregation/Consolidation

"Port Range" for all or specific IP addresses / ranges can be configured by using Data Collection Rules.

If the individual ports in the range do not needed to be differentiated, a port aggregation rule can be used for both Real-Time and Long-Term or Real-Time can keep individual ports and Long-Term can aggregate the same application ports into single port.

1) Go to Left Menu “Configuration->Data Collection Tuning->Config Rules-> Port Rule” Screen

Figure 1
  • PortRule ID =1 for Real-Time (Current Default Configuration)

    PortRule ID =3 for Long-Term (Current Default Configuration)

2) Double click on one row of the right table, say the row of PortRule ID=1 (NetSight) to enter into “Port Rule Definition” Screen


3) Port Rule Definition is used to filter, aggregate and reset port collected.

    • The “Order No” defines the priority to be checked against.

      Corresponding criteria can be based on the following combination

      Source/Dest is used to define the port side.

      AS Number or AS Number range

      IP or IP range

      Protocol or Protocol range

      Port or Port range

4) The port collected by “CySight” can be reset as the following according to corresponding criteria.

    • “Keep” means retain as it is

      ”Reset As Start Port” means reset port range to port

      “Reset to Port” means reset the defined port to another port.
  • Use of Port numbers greater than 65535, e.g. 80000,70000 is allowed to create new virtual application groupings

    If port is over 65535, a definition must be entered in “Selected_Port” definition (Configuration-> Applications ->Selected Port).
    • “Round to” means Round up to 10,100,1000 or 10000.

Figure 2


Click “add” button to enter the rule.


Figure 3 - Example assuming server farm is 192.168.0.0 to 192.168.0.255,

reset server side Port 5001, 5003, 5009 to 5000

4) After entering the value, the click “Confirm” button to add the rule into the system.

5) After adding the rule into system, restart the collection.


Windows
  • click Start Menu -> Programs -> CySight -> restart
Linux
  • Enter command line “service DigiToll restart”