Performing Advanced Administration › Set Up Application Mapping

Set Up Application Mapping

Create application mapping rules to identify traffic in reports. Rules can identify traffic types such as a ToS, host, subnet, or NBAR2 application.

You can use application mapping to combine, differentiate, or more clearly identify traffic in reports:

• Differentiate Traffic: Separate larger traffic blocks by re-mapping traffic sub-types to separate destination ports.

  For example, suppose reports show a large block of FTP traffic on TCP port 20. You want to track the FTP traffic from your internal FTP server separately from internet traffic. To accomplish this, you create a Host application mapping rule, which you name Internal FTP Traffic. The Host value of the rule matches the IP address of the internal FTP server. The Port value is 20. You specify 65000 as the Destination Port--a port that does not currently receive any traffic.

  Reports now show traffic from the FTP server on TCP port 65000 with the label Internal FTP Traffic. Other TCP port 20 traffic is still labeled FTP.

• Combine Traffic: Report traffic of different types as a single unit by re-mapping them to a single destination port.

  For example, suppose your enterprise mail systems use the IMAP and POP protocols. The IMAP mail uses TCP port 443 and the POP mail uses TCP ports 109 and 100. You want reports to show the combined mail traffic, so you create application mapping rules that re-map each type of mail traffic to port 3100. The traffic is combined in reports and is labeled with the rule name, Mail. Even though you created several rules, the program uses the same name for all of the rules that map traffic to port 3100.

• Identify Traffic: Use application mapping to re-label traffic without combining or separating it.

Application mapping affects the following reports:

• Enterprise Overview page: Top Protocols report
• Interface page: All reports that show protocol data
• Custom Reporting page and Analysis page: Protocol Index, which you use to select protocols to filter a new or edited report

Notes:

• Application mapping does not affect Flow Forensics reports.

  To continue the example for differentiating types of FTP traffic, the Flow Forensics Session Protocols reports show the FTP traffic as it was before you mapped the FTP sub-category.

  The Flow Forensics reports that display NBAR2 data show the official application name and ID regardless of any application mapping rules that you have.

• Reports show mapping results within the time frame that the rules are in effect. If you create rules today, reports of last week's data do not show the effects of the rules. If you create, delete, or edit application mapping rules within a report time frame, the report may show a dramatic change at the time you made the rule changes.

You can perform the following application mapping tasks:

• Use Administration functions in the NFA console to set up or modify application mapping rules to aggregate or segregate data:
  • Create an All (ToS) application mapping rule
  • Create a Host application mapping rule
  • Create a Subnet application mapping rule
  • Create an NBAR2 application mapping rule
  • Edit application mapping rules
• Configure global settings to support application mapping rules in reports
• Understand how application mapping rule priorities work
• Perform batch Import operations by using a .csv file:
  • Import the default NBAR2 application mapping rules
  • Import custom application mapping rules
  • Import application mapping rule updates
  • Review errors for failed rule imports

More information:

Application Mapping Priorities

Create a Host Application Mapping Rule

Create a Subnet Application Mapping Rule

Create an All (ToS) Application Mapping Rule