Host Information not visible

ayoub-akhtar
Level 1

The scenario is that all traffic ingesting to the flow sensor is north-south, and all hosts are NATed behind public IPs. Currently, there is no east-west traffic. However, if east-west traffic were to ingest, would the hosts be visible as endpoints or network devices, and would all information pertaining to the host machine be visible? Currently, host information is not being displayed. Or do we need to mirror the traffic without NAT?

Accepted Solution

rocedar
Cisco Employee

Hi ayoub-akhtar,

I'm not sure I entirely understand your deployment, but it reads like you have a flow sensor consuming spanned traffic after a NAT device (like a firewall), and you want SNA to be able to stitch those flows together with NetFlow collected from an exporter on the inside via a flow collector. I'm not sure it would do exactly that, because the flow-sensor flows would be missing the NAT'd address from the inside of your environment. It might be more prudent to send NetFlow from your firewall (or NSEL if it is an ASA/FTD) to a flow collector. The NSEL telemetry would include fields for the NAT'd address as well as block/permit information for Access Control Rules. This would likely give your SNA solution everything it needs to stitch the flows together with your east-west traffic.
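As an added illustration of why the NSEL translation fields matter (example code written for this page, not from the thread or from any Cisco product), the snippet below uses constructed flow records and treats the firewall's translated source address/port as the join key between post-NAT sensor flows and inside NetFlow. The record layout and field names (`xlate_src`, `xlate_sport`, `event`) are simplified stand-ins for the real NSEL fields, and all addresses are constructed sample values.

```python
# Constructed example: stitching post-NAT sensor flows back to inside hosts.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int

    def key(self):
        return (self.src, self.sport, self.dst, self.dport, self.proto)


# Flow-sensor view (SPAN taken after the firewall): only the public,
# post-NAT source tuple is visible, so the inside host cannot be identified.
SENSOR_FLOWS = [
    Flow("203.0.113.10", 40001, "198.51.100.5", 443, 6),
    Flow("203.0.113.10", 40002, "198.51.100.7", 80, 6),
]

# Inside NetFlow (exporter on the LAN side): pre-NAT private addresses.
INSIDE_FLOWS = [
    Flow("10.1.1.25", 51515, "198.51.100.5", 443, 6),
    Flow("10.1.1.30", 51620, "198.51.100.7", 80, 6),
]

# Firewall NSEL-style records (simplified, constructed): each carries the
# pre-NAT tuple plus the translated source address/port and the verdict.
NSEL_RECORDS = [
    {"flow": Flow("10.1.1.25", 51515, "198.51.100.5", 443, 6),
     "xlate_src": "203.0.113.10", "xlate_sport": 40001, "event": "created"},
    {"flow": Flow("10.1.1.30", 51620, "198.51.100.7", 80, 6),
     "xlate_src": "203.0.113.10", "xlate_sport": 40002, "event": "created"},
]


def stitch_direct(outside, inside):
    """Naive 5-tuple join; finds nothing across NAT because the source differs."""
    inside_keys = {f.key(): f for f in inside}
    return {f.key(): inside_keys[f.key()] for f in outside if f.key() in inside_keys}


def stitch_with_nsel(outside, inside, nsel):
    """Map each post-NAT sensor flow to its inside host via the NSEL xlate fields."""
    # post-NAT tuple (as the sensor sees it) -> pre-NAT flow reported by the firewall
    xlate = {(r["xlate_src"], r["xlate_sport"], r["flow"].dst,
              r["flow"].dport, r["flow"].proto): r["flow"] for r in nsel}
    inside_keys = {f.key(): f for f in inside}
    matched = {}
    for f in outside:
        pre_nat = xlate.get(f.key())
        if pre_nat is not None and pre_nat.key() in inside_keys:
            matched[f.key()] = inside_keys[pre_nat.key()]
    return matched
```

With only the sensor and inside exporters, `stitch_direct` returns nothing; once the firewall's translation records are available, `stitch_with_nsel` resolves both public flows to their private hosts.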
