If your appliance is using the passive configuration (see the configuration guide for your appliance to learn more), Field Effect wants to see North-South traffic. The endpoint agents can monitor internal traffic, and external traffic is typically public noise from an analysis perspective, so there is no need to send it to the appliance. While it may not always be possible to only send
Private to Public traffic, it should be the majority of monitored traffic.
Ensure the SPAN port is configured to mirror only the WAN traffic on the switch or firewall it's configured to. This can be verified by logging into the switch that has the SPAN port set up.
Below are some pointers to help ensure we are receiving the required traffic:
- We need to see pre-NAT'd traffic, so before the firewall NATs the traffic.
- The SPAN port should be created on the switch or firewall just before the exit node (out to the router/internet).
- The different terminology used for the traffic we require:
- Private to Public traffic
- Internal to External traffic
- LAN to WAN traffic
- North/South traffic
- Traffic from within your network out to the internet
- On a device that is sitting right on the external network, such as a firewall, where the WAN port is the port connecting to the internet, and the firewall LAN port is the "inward facing" port connected to a switch or router; you will want to mirror the LAN port(s).
- On an internal networking device, such as a switch, where the LAN port(s) are inward facing and the WAN port(s) face the firewall; you will want to mirror the WAN port(s).
Once completed, you can confirm we are seeing the appropriate traffic by using the status page for your appliance: The Appliance Status Page: Overview. Please note, it will show the percentage of traffic we are seeing that is Private to Public.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article