EWC sends data to Purview. Wan router also see the data


Userlevel 4
After configuring EWC to send data to PurView Analiticys an strange problem happend.

The data that the AP send to Purview was detected by our wan router and send the to opur intenal firewall.

For the firewall thsi is spoofing because the networks are on the internal side.

I made a trace on oure firewall and the data was on the WAN interface

How can this be resolved ?

8 replies

Userlevel 6
Johan, is the Purview/Analytics appliance or the EWC across the WAN/FW from the other?
Userlevel 4
Yes the Purview/Analytics applicance and the EWC are across the WAN, The firewall is on the same location as the AP's
Userlevel 6
Hi. There are two ways how the EWC does talk to Analytics Engine (purview). Option 1 (old) there is netflow and FirstN mirror. Option 2 (newew) there is only IPFix I do not expect any issue with option 2 as IPFix is standard UDP traffic. With Option 1 you can have issues with firewall. Officially the option 1 does require direct connection between EWC and the engine. You should be very carefull with anything between EWC and Engine. Even switch between EWC and Engine can be tricky (raw mirrored frames are there). Regards Z.
Userlevel 4
Pala, Zdenek wrote:

Hi. There are two ways how the EWC does talk to Analytics Engine (purview). Option 1 (old) there is netflow and FirstN mirror. Option 2 (newew) there is only IPFix I do not expect any issue with option 2 as IPFix is standard UDP traffic. With Option 1 you can have issues with firewall. Officially the option 1 does require direct connection between EWC and the engine. You should be very carefull with anything between EWC and Engine. Even switch between EWC and Engine can be tricky (raw mirrored frames are there). Regards Z.

is this the document you refers to: https://gtacknowledge.extremenetworks.com/articles/How_To/Configuring-a-Identifi-Wireless-Controller...

When I check the wlan I see that netflow is enable. that's oke ?
Userlevel 6
Pala, Zdenek wrote:

Hi. There are two ways how the EWC does talk to Analytics Engine (purview). Option 1 (old) there is netflow and FirstN mirror. Option 2 (newew) there is only IPFix I do not expect any issue with option 2 as IPFix is standard UDP traffic. With Option 1 you can have issues with firewall. Officially the option 1 does require direct connection between EWC and the engine. You should be very carefull with anything between EWC and Engine. Even switch between EWC and Engine can be tricky (raw mirrored frames are there). Regards Z.

That article reflects method #1, Method #2 is configured directly via the XMC platform itself under configuration and then add it. See below.

Userlevel 4
Pala, Zdenek wrote:

Hi. There are two ways how the EWC does talk to Analytics Engine (purview). Option 1 (old) there is netflow and FirstN mirror. Option 2 (newew) there is only IPFix I do not expect any issue with option 2 as IPFix is standard UDP traffic. With Option 1 you can have issues with firewall. Officially the option 1 does require direct connection between EWC and the engine. You should be very carefull with anything between EWC and Engine. Even switch between EWC and Engine can be tricky (raw mirrored frames are there). Regards Z.

But for data collection, I have to check the wlan's ?
Userlevel 6
Pala, Zdenek wrote:

Hi. There are two ways how the EWC does talk to Analytics Engine (purview). Option 1 (old) there is netflow and FirstN mirror. Option 2 (newew) there is only IPFix I do not expect any issue with option 2 as IPFix is standard UDP traffic. With Option 1 you can have issues with firewall. Officially the option 1 does require direct connection between EWC and the engine. You should be very carefull with anything between EWC and Engine. Even switch between EWC and Engine can be tricky (raw mirrored frames are there). Regards Z.

Yes, It does need source WLAN or Ports as well. I omitted that for simplicity. You can add as few or as many as needed.
Userlevel 4
Pala, Zdenek wrote:

Hi. There are two ways how the EWC does talk to Analytics Engine (purview). Option 1 (old) there is netflow and FirstN mirror. Option 2 (newew) there is only IPFix I do not expect any issue with option 2 as IPFix is standard UDP traffic. With Option 1 you can have issues with firewall. Officially the option 1 does require direct connection between EWC and the engine. You should be very carefull with anything between EWC and Engine. Even switch between EWC and Engine can be tricky (raw mirrored frames are there). Regards Z.

new configuration works. thanks

Reply