000030521 - Security Analytics 10.X (all Revisions): Unable to selectively choose which interfaces to capture on

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000030521
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: SA Security Analytics Decoder
RSA Version/Condition: 10.x and above
IssueWhen configuring a Security Analytics Decoder to capture traffic, it appears that only one interface, or all interfaces may be selected as shown in the screenshot below:

User-added image
CauseAt the time of this writing, an administrator may select all interfaces  (em2, em3 and em4) or a single interface (em2, em3 or em4) when configuring capture. Capture cannot be configured on a subset of interfaces, such as em2 and em3 only, or em3 and em4 only.
ResolutionWhen configuring capture on Security Analytics decoders, all devices (excluding the management interface, em1) may be selected or a single interface of the administrators choosing may be selected.  This behavior is by design.  To request a change to this behavior, contact RSA customer support, and ask to be added to the enhancement request.

NotesNote that em1/eth0 are reserved for all decoder administrative and management functions and cannot be used for capture.