Forwarding filtered flows

You can set up forwarding of filtered flows. Filtered flows let you split flow forwarding across multiple systems, and forward only the specific flows that are needed for a particular investigation.

Procedure

  1. On the target system, set up the source system as an off-site source.
    1. On the navigation menu, click Admin.
    2. Click System and License Management > Deployment Actions > Manage Off-Site Sources.
    3. Add the source system IP address, and select Receive Events and/or Receive Flows.
    4. Select Manage Connections and select which host is expecting to receive the off-site connection.
    5. Click Save.
    6. Select Deploy Full Configuration from the Advanced menu for the changes to take effect.
  2. On the source system, set up the forwarding destination, IP address, and port number.
    1. Click Main menu > Admin.
    2. Click Forwarding Destinations > Add.
    3. Set the IP address of the target system and the destination port.
    4. Enter 32000 as the port number on the source system. Port 32000 is the port that is used for flow forwarding.
    5. Select Normalized from the Event Format list.
  3. Set up routing rules.
    1. Click Main menu > Admin.
    2. Click Routing Rules > Add.
    3. Select the rules that you want to add.
      Note: Rules forward flows based on offenses, or based on CRE information when Offline Forwarding is selected on the Routing Rules page.
  
  The flows that are filtered on the Routing Rules screen are forwarded.