|Applies To||RSA Product Set: Web Threat Detection|
RSA Product/Service Type: Forensics
RSA Version/Condition: 6.1
Product Description: RSA WTD F&M SW On Prem Lic
|Issue||A customer is interested in having two separate systems (an analytics box, that is, all WTD components except the SilverTap, which is on another system). The customer would have configured the SilverTap server on the same network, and both systems would be live and active simultaneously. |
Example question:
I have 2 different servers on the same network, not clustered. Can I use the same SilverTap to capture traffic? (The purpose is to use one server as a development server.)
|Resolution||A customer may want two separate systems (an analytics box, that is, all WTD components except the SilverTap, which is on another system). They would typically have configured the SilverTap server, with both Analytics and SilverTap active simultaneously. This would not work, because there would be contention in interprocess communication from the one tap to two servers. |
The suggested approach is to build a separate SilverTap that feeds off a mirror port of the load balancer. Configure it similarly to your Production mirror port that takes data off the load balancer. The traffic passing through each system would not be exactly the same, because network traffic normally has collisions, dropped packets, etc. The traffic would likely be a little different for each separate SilverTap.
Note: Another option that would not work is to take the same traffic from the load balancer port to a different Ethernet port on one SilverTap and configure the second system with that different port. The SilverTap needs to belong to one system. While you can have more than one SilverTap for a given analytics box, you cannot do the reverse.