Excluded IP addresses appear in Protocol section of NFA Custom Reports

Article ID: 437116

Products

Network Observability Network Flow Analysis

Issue/Introduction

Custom reports displaying IP address exclusions still show traffic for those hosts in the Protocol section of the results.

SYMPTOMS:

  • You exclude a specific IP (e.g., [IP-address]) from a custom report.

  • The excluded IP runs traffic on a specific protocol (e.g., UDP Port 3389).

  • Report results for Protocol Totals still include data for that port/protocol despite the host exclusion.

Environment

CONTEXT: Occurs when generating NFA Custom Reports using host-level exclusion filters.

IMPACT: Reported protocol volumes do not match conversation-level host filters, leading to perceived data inconsistency.

Resolution

This behavior is due to a design difference in how different sections of a report calculate and filter data:

  • Conversation Filters: These filters look at specific traffic pairs (Source IP to Destination IP). When a host is excluded, the specific conversation strings involving that host are filtered out of the conversation view.
  • Protocol Totals: This section calculates the total volume of a protocol seen at the interface or harvester level.

Because these sections use different underlying queries and logic, the protocol totals do not strictly inherit the host-level exclusion rules applied to the conversation section. If a protocol exists in the general traffic stream of the interface, it will be counted in the protocol totals regardless of specific host exclusions.
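The sketch below is an added illustration, not NFA code and not the product's actual queries. It models the two calculation paths described above over constructed flow records and splits each protocol total into the excluded host's share and the remainder, which is the figure to compare against the conversation view. The record layout and the function names `conversation_view`, `protocol_totals` and `reconcile` are assumptions made for the example.

```python
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, protocol, dst_port, bytes).
# Addresses come from documentation ranges; none of this is NFA data.
FLOWS = [
    ("192.0.2.10", "198.51.100.5", "UDP", 3389, 4000),
    ("192.0.2.20", "198.51.100.5", "UDP", 3389, 1500),
    ("192.0.2.10", "198.51.100.7", "TCP", 443, 9000),
    ("192.0.2.30", "192.0.2.10", "TCP", 443, 2500),
    ("192.0.2.30", "198.51.100.7", "TCP", 22, 700),
]

def touches(src, dst, excluded_hosts):
    """True when either end of the conversation is an excluded host."""
    return src in excluded_hosts or dst in excluded_hosts

def conversation_view(flows, excluded_hosts):
    """Per-pair byte totals; pairs involving an excluded host are dropped."""
    totals = defaultdict(int)
    for src, dst, _proto, _port, nbytes in flows:
        if not touches(src, dst, excluded_hosts):
            totals[(src, dst)] += nbytes
    return dict(totals)

def protocol_totals(flows):
    """Per-protocol/port byte totals for the whole interface; no host filter."""
    totals = defaultdict(int)
    for _src, _dst, proto, port, nbytes in flows:
        totals[(proto, port)] += nbytes
    return dict(totals)

def reconcile(flows, excluded_hosts):
    """Split each interface-level protocol total by excluded-host share."""
    result = {}
    for key, total in protocol_totals(flows).items():
        from_excluded = sum(
            nbytes for src, dst, proto, port, nbytes in flows
            if (proto, port) == key and touches(src, dst, excluded_hosts)
        )
        result[key] = {"interface_total": total,
                       "excluded_hosts": from_excluded,
                       "remaining": total - from_excluded}
    return result

if __name__ == "__main__":
    excluded = {"192.0.2.10"}
    print("conversations:", conversation_view(FLOWS, excluded))
    for key, row in reconcile(FLOWS, excluded).items():
        print(key, row)
```

In this constructed data the excluded host disappears from the conversation view, yet UDP 3389 still reports the full interface total, and the `remaining` column is the value that lines up with the filtered conversations.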