You can use the Flow Cloner feature to forward flow data from a flow-enabled Harvester to another collection device, such as a Harvester in a different CA Network Flow Analysis deployment. The Flow Cloner enables you to send the same data to two collection devices without burdening your routers with sending the data twice. For example, you could use the Flow Cloner to send flows to an Intrusion Detection System (IDS).
Once you have the Flow Cloner installed and configured, the flows going to the Harvester are forwarded whenever the CA NFA Flow Cloner service is running. The service starts by default whenever the server is rebooted. You can change this setting to run the service on demand. In either case, the configuration file must identify a destination IP address or the CA NFA Flow Cloner service will not start.
The Flow Cloner listens for packets in promiscuous mode, then forwards them to the IP addresses that you designate. In this mode, the Flow Cloner passes the packets along to any other process that is listening for them. A Harvester that is co-installed with a running Flow Cloner sees all the packets that are destined for it.
Install the Flow Cloner on the Harvester server in a distributed deployment or on the standalone server in a standalone deployment.
Note: The Flow Cloner has not affected Harvester performance significantly during testing. If you use the Flow Cloner on a high-flow Harvester server, we recommend monitoring performance, however.
|
Copyright © 2013 CA.
All rights reserved.
|
|