Table of Contents
Advertisement
Chapter 2
Reporting and Mitigation Devices Overview
Step 2
Under NetFlow Configuration, enter the NetFlow Global NetFlow UDP Port. This is the default port
for MARS to listen for NetFlow; the default value is 2055.
Note
This value must match the value you entered in the "
configuring the router (see
2-32. Also, verify you have enabled this traffic to flow between the router or switch and the MARS
Appliance on any intermediate gateways, such as routers and firewalls.
Choose whether to Enable NetFlow Processing.
Step 3
Yes tells MARS to process the NetFlow logs.
•
No disables the processing of NetFlow data into the MARS.
•
Step 4
Choose whether to Always Store NetFlow Records.
Yes tells MARS to store all of the NetFlow events in the database. Selecting this option can slow
•
down the system by greatly decreasing the number of events per second that MARS is able to
process.
•
No tells MARS to store only anomalies. The MARS detects anomalies by using two dynamically
generated watermarks comparing the previous data against current data. When the data breaches the
first watermark, MARS starts to save that data. When the data rises above the second watermark,
MARS creates an incident.
Under NetFlow Valid Network Addresses, you can enter one or more for networks you want to monitor
Step 5
and use the << Add button to add them.
78-17020-01
ip flow-export destination
Enable Cisco IOS Routers and Switches to Send NetFlow to MARS, page
User Guide for Cisco Security MARS Local Controller
Data Enabling Features
" command when
2-35
Advertisement
Table of Contents
Troubleshooting
