Security Analytics 10.X (all Revisions): Unable to selectively choose which interfaces to capture on
Issue
When configuring a Security Analytics Decoder to capture traffic, it appears that either a single interface or all interfaces may be selected, as shown in the screenshot below:
Cause
At the time of this writing, an administrator may select all interfaces (em2, em3 and em4) or a single interface (em2, em3 or em4) when configuring capture. Capture cannot be configured on a subset of interfaces, such as em2 and em3 only, or em3 and em4 only.
Resolution
When configuring capture on Security Analytics decoders, either all devices (excluding the management interface, em1) or a single interface of the administrator's choosing may be selected. This behavior is by design. To request a change to this behavior, contact RSA customer support and ask to be added to the enhancement request.
Notes
Note that em1/eth0 are reserved for all decoder administrative and management functions and cannot be used for capture.
Internal Comments
Add customers that are requesting this functionality to the enhancement request listed in the Defect ID section of this article.
20150614, Saxon
One solution to this question would be to leave the collection interfaces to "All" but disable unwanted NICs via the interface config file for selected NICs by setting the to down on start, and using the ifdown command to shut down unwanted interfaces.
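The workaround in the comment above, sketched as an added shell example; it is not part of the original article or any RSA tooling. It assumes RHEL/CentOS-style `ifcfg-<nic>` files with an `ONBOOT=` key, and `CFG_DIR` and `APPLY_NOW` are names invented for this sketch.

```shell
#!/bin/bash
# Added example (not vendor code). Assumes RHEL/CentOS-style ifcfg-<nic> files
# with an ONBOOT= key; CFG_DIR and APPLY_NOW are names invented for this sketch.
CFG_DIR="${CFG_DIR:-/etc/sysconfig/network-scripts}"
MGMT_NICS="em1 eth0"   # reserved for management per the article; never modified

# Usage: disable_unwanted_nics em2 em3
# Leaves the listed capture NICs alone, sets ONBOOT=no on every other
# non-management NIC, and prints the name of each NIC it disabled.
disable_unwanted_nics() {
    local keep=" $* " cfg nic
    for cfg in "$CFG_DIR"/ifcfg-*; do
        [ -f "$cfg" ] || continue
        nic="${cfg##*/ifcfg-}"
        case "$nic" in lo|*.bak) continue ;; esac              # loopback, our backups
        case " $MGMT_NICS " in *" $nic "*) continue ;; esac    # management NICs
        case "$keep" in *" $nic "*) continue ;; esac           # wanted capture NICs
        [ -f "$cfg.bak" ] || cp -p "$cfg" "$cfg.bak"           # keep a rollback copy
        # Rewrite any existing ONBOOT line; append one if the file had none.
        sed 's/^ONBOOT=.*/ONBOOT=no/' "$cfg.bak" > "$cfg"
        grep -q '^ONBOOT=' "$cfg" || echo 'ONBOOT=no' >> "$cfg"
        # Only take the live interface down when explicitly asked to.
        if [ "${APPLY_NOW:-0}" = 1 ]; then ifdown "$nic"; fi
        echo "$nic"
    done
}
```

Point `CFG_DIR` at a copy of the configuration directory first to review the result; set `APPLY_NOW=1` only when the listed NICs should also be taken down immediately with `ifdown`.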
Product Details
RSA Product Set: Security Analytics
RSA Product/Service Type: SA Security Analytics Decoder
RSA Version/Condition: 10.x and above
Summary
This article provides information on which interfaces may be configured on Security Analytics decoders for capture.