We have multiple forwarders sending data to an Intermediary forwarder and that IF is sending data to IDXs. IF is not storing any data in this case.
If we do compression on IF, will it automatically apply on data coming from UFs or should we do this config on all UFs as well.
Forwarder is an active component in event's path so every connection from/to the forwarder has its own settings and should not affect other connections from/to it. You can have a forwarder receiving encrypted and compressed data and sending it unencrypted and uncompressed and vice versa. (although it's not recommended of course to send it not TLS-protected).
Anyway, if you're using TLS, useClientSSLCompression is enabled by default (but you can still explicitly enable it). If you're not using TLS, with modern forwarders if one of the connection ends has compression enabled, the endpoints should negotiate compression on the link.
(of course we're talking about s2s, not some syslog forwarding).
we are collecting data over VPN site to site, so to manage properly and for security policies, instead of allowing all ips to communicate with IDX we only allowed HF working as IF to connect to IDX and all UFs are connected to IF
btw thanks for your response. can you provide some documentation for this
Hi @Nawab ,
compression must be applied both on connections between UFs and IF and IF and IDXs.
Only one question: why do you need an IF?
Ciao.
Giuseppe