Application Filtering Intelligence
Supported Devices: GigaVUE-HC1 Gen 2, GigaVUE-HC1 Gen 3, GigaVUE-HC3 Gen 2, GigaVUE-HC3 Gen 3, GigaVUE-HC1-Plus, GigaVUE-HCT.
Refer to Supported GigaSMART Operations for more details on the devices that support GigaSMART operations.
Application Filtering Intelligence (AFI) functionality on GigaSMART allows filtering of traffic based on the application (such as YouTube, Netflix, Sophos, or Facebook), the application family (such as antivirus, web, erp, or instant-messaging), or the application tag (such as Multimedia Streaming, Gaming, or Cryptocurrency).
Organizations can utilize AFI to effectively filter and route crucial applications to one or multiple tools or to a Null Port. This empowers organizations to oversee each flow independently. They have the flexibility to filter in only the packet headers by adjusting the Packet Count and discarding the rest.
Note: Application Filtering Intelligence (AFI) and Application Metadata Intelligence (AMI) licenses are available for individual purchase or as a bundle on GigaVUE HC Series. When obtained together, all applications passed by AFI are directed to packet monitoring tools and AMI. In certain scenarios, users may prefer to export NetFlow/IPFIX or application metadata for the filtered applications instead of monitoring raw packets. In such cases, users can opt for the Null Port (dummy tool port) as the tool destination for AFI. Traffic sent to a Null Port is internally discarded.
In diverse environments, organizations may need to monitor different types of traffic separately and block specific applications from being monitored. AFI allows for the establishment of distinct maps to either forward or block applications to the relevant tools, and these maps are processed using a logical OR operation.
You can configure up to five maps with priorities. Higher priority maps take precedence over lower ones. It's best to prioritize maps with specific rules. Advanced rules can be set within each map to optimize traffic further, using a logical AND operation for multiple rules.
Note: The Application Families and Tag feature is supported only on the Gen 3 GigaSMART module.
Application Filtering Intelligence (AFI) supports filtering over 4000 applications. When filtering encrypted applications, GigaVUE-FM adds eight applications (SSH, SSL, IPSEC, ISAKMP, TOR, TOR2WEB, etc.) by default as a filtering criterion. These applications serve as the base of top-level applications such as HTTPS. Application Filtering Intelligence filters all valid applications that have any of the eight applications in their protocol path.
To upgrade the protocol signature, refer to Upgrading the Protocol Signature.
Elephant Flows in Application Filtering Intelligence
An elephant data flow is a single session (TCP Session) with a relatively long-running network connection that consumes a large or disproportionate amount of bandwidth, buffers, and queues. Because of this nature, elephant flows can cause packet drops in other traffic and significantly increase the mean-time-to-completion (mttc) of smaller flows (mouse flows)1.
Elephant flows are considered to affect the traffic in the following ways:
They disproportionately affect the mean-time-to-completion (mttc) of mouse data flows.
They cause significant issues for tools detecting problems with applications and for next-generation firewalls (NGFW), as they cause high CPU spikes and bandwidth consumption.
They are often related to high-use, low-inspection traffic inside data centers (for example, backups, database replication, VM migrations, and data migrations) that impacts network bandwidth for minutes, hours, or more.
Application Filtering Intelligence detects and handles the elephant flows in the traffic. This feature helps to optimize the performance of the following GigaSMART cards when elephant flows are present in the traffic:
HC1-X12G4
SMT-HC3-C05
SMT-HC0-Q02X08
In tunneled traffic, this feature detects the elephant flows, but it does not optimize the performance of the GigaSMART engine.
To detect the elephant flows in the traffic, do the following in GigaVUE-FM:
1. On the left navigation pane, click on , go to Physical > Nodes.
2. Click on the required Cluster ID.
3. From the device view, go to System > GigaSMART > GigaSMART Groups.
4. Click New to create a new GigaSMART Group for detecting the traffic with elephant flow.
   a. Enter the name of the group in the Alias field.
   b. Select the ports in the Port List.
   You can also include the detection of elephant flow in an existing GigaSMART group.
5. In the GigaSMART Parameters > Eflow section, select the Eflow check box to enable the detection of elephant flow.
6. Select the Log check box to print the parameters of the elephant flow, including the 5-tuple information, into the GigaSMART logs.
   Note: It is recommended to disable the check box after collecting the required parameters.
7. Enter the following parameters to identify the elephant flow:
   a. Interval: The interval within which the packet count and packet ratio for a traffic flow are examined. Specify the interval in seconds, in the range 0 to 3600. Specify 0 to ignore this parameter. The default value is 2 seconds.
   b. Packet Count: Enter the maximum number of packets to be received by the flow within the given interval to categorize the flow as an elephant flow. The default value is 10,000.
   c. Packet Ratio: Enter the packet ratio, which is the percentage concentration of the packets in the flow to the packets seen overall by the gsgroup. Specify 0 to ignore this parameter. The default value is 0.
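The following offline sketch shows how the Interval, Packet Count and Packet Ratio settings interact. It is an example added here, not Gigamon code: it buckets constructed packet records into windows and flags flows that cross the thresholds. Fixed-window alignment, treating Interval 0 as a single window, and requiring every enabled threshold are assumptions, and `find_elephant_flows` and `build_sample` are hypothetical names.

```python
from collections import Counter, defaultdict

# Defaults quoted in the parameter list above.
DEFAULT_INTERVAL = 2          # seconds; 0 = ignore
DEFAULT_PACKET_COUNT = 10_000
DEFAULT_PACKET_RATIO = 0      # percent; 0 = ignore


def find_elephant_flows(packets, interval=DEFAULT_INTERVAL,
                        packet_count=DEFAULT_PACKET_COUNT,
                        packet_ratio=DEFAULT_PACKET_RATIO):
    """Return {five_tuple: [window_index, ...]} for flows crossing the thresholds.

    packets is an iterable of (timestamp_seconds, five_tuple).
    Assumptions (not vendor behaviour): fixed windows aligned to the first
    packet, interval 0 means one window over the whole input, and a flow
    must meet every enabled threshold to be flagged.
    """
    packets = sorted(packets, key=lambda p: p[0])
    if not packets:
        return {}
    start = packets[0][0]
    windows = defaultdict(Counter)        # window index -> per-flow packet counts
    for ts, flow in packets:
        idx = int((ts - start) // interval) if interval else 0
        windows[idx][flow] += 1

    hits = defaultdict(list)
    for idx in sorted(windows):
        counts = windows[idx]
        total = sum(counts.values())      # all packets seen in this window
        for flow, n in counts.items():
            if n < packet_count:
                continue
            if packet_ratio and 100.0 * n / total < packet_ratio:
                continue
            hits[flow].append(idx)
    return dict(hits)


def build_sample():
    """Constructed traffic: one backup-like flow (3 s at 10k pps), 40 small flows."""
    backup = ("10.0.0.5", 50000, "10.0.1.9", 873, "tcp")
    pkts = [(i / 10_000, backup) for i in range(30_000)]
    for k in range(40):
        mouse = ("10.0.0.%d" % (20 + k), 40000 + k, "10.0.2.2", 443, "tcp")
        pkts += [(k * 0.05 + j * 0.01, mouse) for j in range(25)]
    return backup, pkts
```

Running it over 5-tuple records exported from a capture of your own traffic gives a feel for how many flows a given threshold set would flag before the Eflow parameters are changed on the gsgroup.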
You can handle the elephant flows in the Application Filtering Intelligence solution by using the gsgroup created to detect the elephant flow.
Refer to the GigaVUE-OS CLI Reference Guide to learn about the commands that must be configured to detect and handle the elephant flow of traffic.