Configure the Flow Collector's Ignore List Feature

Introduction

This document describes how to configure your SNA flow collector to reject incoming netflow from a particular exporter by using Ignore List.

Background Information

Often times, the question is posed, "Is there any way to tell my SNA flow collector to reject incoming netflow from a particular exporters?"

The answer is yes, this is done through the use of the flow collectors "Ignore List" feature.

Configure

The ignore list feature is flow collector specific.  In later version of SNA 7.x, this feature is available inside of the flow collector configuration page on the SNA Manager Web UI.

Use this page to specify an unlimited number of hosts or subnets for which theFlow Collectorcompletelyignorestraffic.  If theFlow Collectorsees any traffic attributable to these IP addresses, it excludes that traffic from any graph or table.  Be certain that you can trust all traffic traveling to or from the hosts to beignored.Secure Network Analyticsdoes not analyze this traffic nor any that is spoofed to include any of these hosts. If an attack is launched on your network involving one of these hosts/subnets, theFlow Collectorcannot report it.

FAQs

What is the Effect of Ignore List on Flows Per Second (FPS)  calculations for Smart Licensing? 

Answer: Adding host IP addresses or ranges to the ignore list effectively prevents any of these flows from counting against the calculated FPS rate sent up to the SMC and used for Smart License reporting.  The flows are NO longer shown/counted in the flow trend graph displayed on the SMC dashboard.

How is the ignore list feature used when processing NVM flow when client is in split tunnel mode?

A customer could configure AnyConnect to send us on-network and off-network traffic (aka split tunnel). The off-network traffic uses the endpoint local IP address which most likely contain overlapping IPs. SNA does not support overlapping IPs, thus is has been suggested to use Ignore list feature to circumvent the split tunnel issue, thereby preserving the benefit of the NVM based flows for detections.

In this use case, we Configure the "Ignore List" to prevent the off-network NVM flows from flow cache → flow_stats, Flow Search, Custom Security Events

1. Add the IP address and Network Mask (e.g add 192.168.1.0/24, 127.0.0.1/24) into the Ignore List
2. Verify the nvm_flows are still populated with the NVM flows
3. Verify that the flow_stats do not have the NVM flows if either src or dst IP is in the Ignore List

Can I use an ignore list to ignore flows from an entire exporter? No, because the ignore list is based on flow data and not exporter data, adding an exporter IP address to the ignore list would effectively ignore flow data where the exporter IP was listed as either the source or the destination of the flow, instead of ignoring all flow records from that particular exporter