Summary
In Real Time Monitoring, traffic that matches an HTTP-parameter-based application definition (and therefore a user-defined policy) shows up as falling into the default 'web' policy at the same time as it falls into the user-defined policy.
Overview
When a user defines their own application based on HTTP parameters (such as domains) and creates a policy for that application, they expect the matching traffic to fall into that policy. However, on the Real Time Monitoring page, when the conversations are grouped by Policy, traffic belonging to the user-defined application can appear under the default 'web' policy as well as under the user-defined policy. Depending on the traffic pattern, this can be visible all the time (when new connections are constantly being established) or only occasionally (when connections are intermittent). This can cause confusion about which policy the traffic is actually being placed in.
Cause
When a connection with a generic HTTP signature enters the Exinda appliance, it is first classified as generic web traffic; only after deeper inspection of the HTTP request (for example, the host or domain) is it moved into the correct application and policy. This happens once per connection, as the connection is established from source to destination through the appliance, and it completes very quickly, so the traffic remains classified as generic 'web' traffic for only a fraction of a second.
However, Real Time Monitoring samples are taken only every 10 seconds. If a connection is established and its traffic reclassified within the same 10-second monitoring interval, that interval's sample shows the connection under both policies at once. Because the reclassification happens in the first moments of a connection, the bytes attributed to the generic 'web' policy should be a very small share of the application's traffic; if a large or sustained share of the traffic stays under 'web', the application definition is not matching and should be reviewed. This display behaviour is what causes the confusion when the real time monitor is grouped by policy.
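The following simulation is an added example and is not Exinda code; the appliance's internal sampler is not public. It models the behaviour described above: bytes are attributed to whichever policy the connection is in at the moment they are seen, then aggregated into 10-second monitoring intervals. The connection events, byte counts, and policy name "MyApp-Policy" are constructed and hypothetical. It also includes a simple check a practitioner can apply to sampled data to tell the brief pre-reclassification 'web' share from a genuinely non-matching application definition.

```python
"""Simulate interval-based monitoring samples showing one connection under two policies."""
from collections import defaultdict

SAMPLE_INTERVAL = 10.0  # seconds between Real Time Monitoring samples (from the article)

# Constructed events: (timestamp in seconds, bytes, policy assigned at that moment).
# A connection to the user-defined HTTP application starts at t=3.0 classified as
# generic 'web' and is moved into the user-defined policy 0.2 s later, once the HTTP
# request has been inspected. All timings, sizes and names are hypothetical.
EVENTS = [
    (3.0, 1_500, "web"),            # first packets: only a generic HTTP signature so far
    (3.1, 1_500, "web"),
    (3.2, 12_000, "MyApp-Policy"),  # reclassified after deeper inspection
    (4.5, 40_000, "MyApp-Policy"),
    (12.0, 35_000, "MyApp-Policy"),
    (17.3, 20_000, "MyApp-Policy"),
]

# Constructed contrast case: the application definition never matches, so every
# byte of the connection stays in the generic 'web' policy.
EVENTS_NOT_MATCHING = [
    (3.0, 1_500, "web"),
    (3.2, 12_000, "web"),
    (4.5, 40_000, "web"),
    (12.0, 35_000, "web"),
]


def sample_by_policy(events, interval=SAMPLE_INTERVAL):
    """Aggregate bytes per policy for each monitoring interval, as a periodic sampler would.

    Returns {interval_index: {policy: bytes}}, ordered by interval.
    """
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, nbytes, policy in events:
        buckets[int(ts // interval)][policy] += nbytes
    return {idx: dict(policies) for idx, policies in sorted(buckets.items())}


def intervals_showing_both(samples, generic="web", policy="MyApp-Policy"):
    """Intervals in which the same traffic is displayed under both policies."""
    return [idx for idx, pols in samples.items() if generic in pols and policy in pols]


def is_reclassification_artifact(samples, generic="web", policy="MyApp-Policy", max_share=0.05):
    """Heuristic check on sampled data (hypothetical threshold).

    The brief pre-reclassification window should leave only a tiny share of the
    application's bytes under the generic policy. If the generic share exceeds
    max_share, or the user-defined policy never appears, the definition is not
    matching rather than merely being sampled mid-reclassification.
    """
    generic_bytes = sum(pols.get(generic, 0) for pols in samples.values())
    policy_bytes = sum(pols.get(policy, 0) for pols in samples.values())
    total = generic_bytes + policy_bytes
    if total == 0 or policy_bytes == 0:
        return False
    return generic_bytes / total <= max_share


if __name__ == "__main__":
    samples = sample_by_policy(EVENTS)
    for idx, pols in samples.items():
        print(f"interval {idx} ({idx * SAMPLE_INTERVAL:.0f}-{(idx + 1) * SAMPLE_INTERVAL:.0f}s): {pols}")
    print("intervals showing both policies:", intervals_showing_both(samples))
    print("looks like the reclassification artifact:", is_reclassification_artifact(samples))
    print("non-matching definition flagged as artifact:",
          is_reclassification_artifact(sample_by_policy(EVENTS_NOT_MATCHING)))
```

Running the script shows the first interval with a few kilobytes under 'web' next to the bulk of the traffic under MyApp-Policy, while the second interval shows only MyApp-Policy; the contrast case, where the definition never matches, fails the artifact check. On a real appliance the same reasoning applies: a small 'web' share that appears only in the interval a connection starts is the sampling effect described above, whereas a persistent or dominant 'web' share means the HTTP parameters in the application definition need to be corrected.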