Application Filtering Intelligence

Application Filtering Intelligence (AFI) functionality on GigaSMART allows filtering traffic by selecting applications based on application name (such as YouTube, Netflix, Sophos, or Facebook), application family (such as Anti Virus, Web, ERP, or Instant Messaging), or application tag (such as Multimedia Streaming, Gaming, or Cryptocurrency). Organizations can use AFI to filter and route crucial applications to one or multiple tools or to a Null Port.

Note: Application Filtering Intelligence (AFI) and Application Metadata Intelligence (AMI) licenses are available for individual purchase or as a bundle on GigaVUE HC Series. When obtained together, all applications passed by AFI are directed to packet monitoring tools and AMI. In certain scenarios, users may prefer to export NetFlow/IPFIX or application metadata for the filtered applications instead of monitoring raw packets. In such cases, users can select Null Port (dummy tool port) as the tool destination for AFI. Traffic sent to a Null Port is internally discarded.

Some organizations may want to conserve costs associated with network forensics. Generally, payload information is bulky. In most cases it’s also encrypted. Hence, organizations may choose to discard the payload as it offers little value. AFI enables such organizations to slice each flow. Organizations can configure the Packet Count to filter-in only the packet headers and discard the rest.

In diverse environments, organizations may need to monitor different types of traffic separately and block specific applications from being monitored. AFI allows configuring distinct maps to either forward or block applications to the relevant tools, and these maps are processed using a logical OR operation.

You can configure up to five maps with priorities. Higher priority maps take precedence over lower ones. It's best to prioritize maps with specific rules. Advanced rules can be set within each map to optimize traffic further, using a logical AND operation for multiple rules.
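A simplified Python model of the map semantics described above, added here as an illustration; it is not Gigamon code or GigaVUE configuration syntax. It assumes first-match evaluation in priority order (lower number means higher priority), a selector that matches any listed name, family or tag, and a hypothetical `dst_port` advanced rule; the flows are constructed samples. It shows how a broad map ranked above a specific one prevents the specific map from ever matching.

```python
from dataclasses import dataclass, field

MAX_MAPS = 5  # the page allows up to five maps

@dataclass
class AfiMap:
    name: str
    priority: int   # assumption: lower number = higher priority
    action: str     # "pass" or "drop" (assumed labels for forward/block)
    apps: set = field(default_factory=set)        # names, families or tags
    advanced: list = field(default_factory=list)  # predicates, ANDed together

    def matches(self, flow):
        labels = {flow["app"], flow["family"], *flow["tags"]}
        return bool(self.apps & labels) and all(r(flow) for r in self.advanced)

def evaluate(maps, flow):
    """Return (map name, action) of the highest-priority match, else None."""
    if len(maps) > MAX_MAPS:
        raise ValueError("at most five maps can be configured")
    for m in sorted(maps, key=lambda m: m.priority):
        if m.matches(flow):
            return m.name, m.action
    return None  # no map matched; handling of such traffic is not modeled

def shadowed(maps, flows):
    """Names of maps that never win for any of the sample flows."""
    results = [evaluate(maps, f) for f in flows]
    winners = {r[0] for r in results if r}
    return [m.name for m in maps if m.name not in winners]

def port_443(flow):  # hypothetical advanced rule
    return flow["dst_port"] == 443

# Constructed sample flows (classification labels are illustrative only)
FLOWS = [
    {"app": "YouTube", "family": "Web", "tags": ["Multimedia Streaming"], "dst_port": 443},
    {"app": "Facebook", "family": "Web", "tags": [], "dst_port": 443},
    {"app": "Sophos", "family": "Anti Virus", "tags": [], "dst_port": 8443},
]
BROAD_FIRST = [
    AfiMap("pass-web", 1, "pass", {"Web"}),
    AfiMap("drop-youtube", 2, "drop", {"YouTube"}, [port_443]),
]
SPECIFIC_FIRST = [
    AfiMap("drop-youtube", 1, "drop", {"YouTube"}, [port_443]),
    AfiMap("pass-web", 2, "pass", {"Web"}),
]

if __name__ == "__main__":
    for label, maps in (("broad first", BROAD_FIRST), ("specific first", SPECIFIC_FIRST)):
        print(label, [evaluate(maps, f) for f in FLOWS], "shadowed:", shadowed(maps, FLOWS))
```

Running `shadowed` over a representative set of flows before deploying a map set is a quick check that every map can actually take effect.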

Large Flows in Application Filtering Intelligence

A large flow is a single session (TCP session) with a relatively long-running network connection that consumes a large or disproportionate amount of bandwidth, buffers, and queues. Because of this, large flows can cause packet drops in other traffic and significantly increase the mean-time-to-completion (mttc) of smaller flows (mouse flows).

Large flows are considered to affect traffic in the following ways:

■   They disproportionately affect the mean-time-to-completion (mttc) of mouse data flows.
■   They cause significant issues for tools detecting problems with applications and next-generation firewalls (NGFW), because they cause high CPU spikes and bandwidth consumption.
■   They are often related to high-use, low-inspection traffic inside data centers, for example, backups, database replication, VM migrations, and data migrations, that impacts network bandwidth for minutes, hours, or more.

Refer to Handle Large Flows in Application Filtering Intelligence to learn more about configuration steps.