We added a small but quite powerful undocumented feature to StealthWatch 5.9 that prevents double reporting of Outside hosts as a result of Network Address Translations (NAT). Outside host double counting in StealthWatch occurs when you have an exporter both before and after a NAT’ing firewall, router, or proxy. In the example shown below the byte count for 44.1.1.1 will be double counted since StealthWatch will not deduplicate flows from “Edge Router” and “Catalyst 6500” as they do not have the same source/destination IP.
In StealthWatch 5.9, you can configure a list of “NAT hosts” that correspond to the NAT IP or CIDR (“209.182.184.2” in the example shown above). This setting will tell the Engine that any flow from a host on the NAT list should be excluded for Zone-based reporting and Top Talkers accumulation.
*** DISCLAIMER *** This feature is in “research” status and is not supported by the SMC quite yet. We should see an SMC UI dialog for configuring this list in 5.10 or (at the latest) 6.0.
To configure the 5.9 “NAT Alias” feature...
1. Access the Xe/NC and browse to:
https://<ip_of_xe>/sw/cgi-bin/optionConfig.cgi
2. Add a new setting "nat_host_list" and include each NAT IP range (there is an overall limit of 1024 bytes on the value). You can use either a CIDR or a specific IP. Values like “209.182.184.0/24” and “209.182.184.2” are both supported.
3. Hit "Apply" and then check an Outside zone (such as "United States") to make sure the setting took effect. You should see a noticeable drop in overall traffic for any outside zone if double counting was occurring.
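To see what the Engine does with the list, here is an added example (not StealthWatch code) that parses a nat_host_list value, enforces the 1024-byte limit, and sums Outside-host bytes with and without the NAT exclusion. The flow records, the comma/whitespace separator, and the "44.0.0.0/8" stand-in for an Outside zone are assumptions.

```python
import ipaddress

NAT_HOST_LIST_LIMIT = 1024  # byte limit on the setting value, as stated in the post


def parse_nat_host_list(value: str):
    """Parse a nat_host_list value into networks.

    Entries may be a CIDR ("209.182.184.0/24") or a single IP ("209.182.184.2").
    Comma or whitespace as the separator is an assumption; the post does not say.
    """
    if len(value.encode()) > NAT_HOST_LIST_LIMIT:
        raise ValueError("nat_host_list exceeds the 1024-byte limit")
    entries = value.replace(",", " ").split()
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_nat_host(ip: str, nat_nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nat_nets)


def outside_zone_bytes(flows, nat_nets, outside_net="44.0.0.0/8"):
    """Sum bytes per Outside host, skipping any flow that touches a NAT host."""
    outside = ipaddress.ip_network(outside_net)
    totals = {}
    for f in flows:
        if is_nat_host(f["src"], nat_nets) or is_nat_host(f["dst"], nat_nets):
            continue  # flow seen on the NAT side is excluded from zone reporting
        for ip in (f["src"], f["dst"]):
            if ipaddress.ip_address(ip) in outside:
                totals[ip] = totals.get(ip, 0) + f["bytes"]
    return totals


# Constructed sample: one session from 44.1.1.1 seen by both exporters,
# once against the NAT IP (Edge Router) and once against the inside host
# (Catalyst 6500). Without the NAT list the 5000 bytes are counted twice.
FLOWS = [
    {"exporter": "Edge Router",   "src": "44.1.1.1", "dst": "209.182.184.2", "bytes": 5000},
    {"exporter": "Catalyst 6500", "src": "44.1.1.1", "dst": "10.20.30.40",   "bytes": 5000},
]

if __name__ == "__main__":
    print("no NAT list:  ", outside_zone_bytes(FLOWS, []))
    print("with NAT list:", outside_zone_bytes(FLOWS, parse_nat_host_list("209.182.184.0/24")))
```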
Enjoy!