Acquire Traffic using Customer Orchestrated Source - GigaVUE-FM Orchestration
This section outlines the workflow for acquiring traffic with Customer Orchestrated Source and deploying GigaVUE Fabric Components using GigaVUE-FM. Refer to the following topics for instructions on configuring traffic acquisition, processing, and forwarding to your desired destination.
- Install GigaVUE-FM on AWS
- Configure the permissions required in AWS
- Create the AWS Credentials
- Create a Monitoring Domain
- Deploy GigaVUE Fabric Components in GigaVUE‑FM
- Configure and Deploy Monitoring Session
Install GigaVUE-FM on AWS
This step is optional and applies only when an existing GigaVUE-FM instance is not available.
Refer to Install GigaVUE-FM on AWS for steps to install GigaVUE‑FM on AWS and the steps to start GigaVUE‑FM instance and configure it.
Configure the permissions required in AWS
If you are using inline policy or basic authentication, then you must update the policy with the relevant IAM service. For details, see Minimum Permissions Required for Inline Policies and Basic Authentication.
These are the minimum permissions required to acquire traffic using Customer Orchestrated Source, use a GigaVUE V Series Proxy, and authenticate using an IAM instance role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "ec2:AssociateAddress",
        "ec2:DisassociateAddress",
        "ec2:DescribeImages",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeVolumes",
        "ec2:DescribeAddresses",
        "ec2:RebootInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "iam:GetPolicyVersion",
        "iam:GetPolicy",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:ListAccountAliases",
        "kms:ListAliases",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*"
    }
  ]
}
For more information regarding policies and permissions, refer to AWS Documentation.
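As an added check (example code written for this page, not part of Gigamon's product or documentation), the following Python audits an IAM policy document against the action list above: it reports actions missing from or exceeding the documented minimum, duplicated entries, and whether an Allow statement is scoped to Resource "*". The two sample policies are constructed inline.

```python
"""Audit an IAM policy document against the documented minimum action set."""
import json
from collections import Counter

# Minimum actions listed on this page for Customer Orchestrated Source with a
# GigaVUE V Series Proxy and IAM instance-role authentication.
REQUIRED_ACTIONS = frozenset({
    "ec2:CreateTags", "ec2:DeleteTags", "ec2:RunInstances",
    "ec2:TerminateInstances", "ec2:AssociateAddress", "ec2:DisassociateAddress",
    "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceTypes",
    "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeKeyPairs",
    "ec2:DescribeSecurityGroups", "ec2:DescribeVolumes", "ec2:DescribeAddresses",
    "ec2:RebootInstances", "ec2:StartInstances", "ec2:StopInstances",
    "iam:GetPolicyVersion", "iam:GetPolicy", "iam:ListAttachedRolePolicies",
    "iam:ListRolePolicies", "iam:ListAccountAliases", "kms:ListAliases",
    "kms:GenerateDataKeyWithoutPlaintext",
})


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def audit_policy(policy_json: str, required=REQUIRED_ACTIONS) -> dict:
    """Compare the Allow statements of a policy with the documented minimum.

    json.loads fails on curly quotes, which is the first thing to check when a
    policy was pasted from a document. Returns missing actions, extra actions
    beyond the minimum, duplicated entries, and whether any Allow statement
    uses Resource "*" (broad scope worth reviewing).
    """
    policy = json.loads(policy_json)
    allow = [s for s in policy.get("Statement", []) if s.get("Effect") == "Allow"]
    actions = [a for s in allow for a in _as_list(s.get("Action"))]
    counts = Counter(actions)
    return {
        "missing": sorted(required - set(actions)),
        "extra": sorted(set(actions) - required),
        "duplicates": sorted(a for a, n in counts.items() if n > 1),
        "wildcard_resource": any("*" in _as_list(s.get("Resource")) for s in allow),
    }


def make_policy(actions) -> str:
    """Build a single-statement policy document (constructed test input)."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "VisualEditor0", "Effect": "Allow",
        "Action": list(actions), "Resource": "*"}]})


# Constructed sample 1: the page's list with two ec2 actions repeated.
PAGE_POLICY = make_policy(sorted(REQUIRED_ACTIONS) + ["ec2:StartInstances", "ec2:StopInstances"])
# Constructed sample 2: a role that dropped one kms action and gained an unrelated one.
TRIMMED_POLICY = make_policy((REQUIRED_ACTIONS - {"kms:ListAliases"}) | {"s3:GetObject"})

if __name__ == "__main__":
    for name, doc in (("page", PAGE_POLICY), ("trimmed", TRIMMED_POLICY)):
        print(name, audit_policy(doc))
```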
Create the AWS Credentials
You can monitor workloads across multiple AWS accounts within one Monitoring Domain.
- After launching GigaVUE‑FM in AWS, if an IAM role is attached to the running GigaVUE-FM instance, the EC2 Instance Role authentication credential is automatically added to the Credential page as the default credential. You must attach the IAM role before creating a Monitoring Domain.
- If you use the Basic Credentials authentication credentials, you must add these to the GigaVUE‑FM on the AWS Settings page, or on the Monitoring Domain creation page.
For details, refer to Create a Monitoring Domain.
To create AWS credentials:
- Go to Inventory > VIRTUAL > AWS, and select Settings > Credentials.
- On the Credential page, select Add. The Credential Configure page appears.
- Enter a name to identify the AWS Credential in the Name Field.
- Basic Credentials is selected as the default Authentication Type. For more information, refer to AWS Security Credentials.
- Enter the credential of an IAM user or the AWS account root user in the Access Key field.
- Enter the security password or key in the Secret Access Key field.
- Select Save. You can view the list of available credentials on the AWS Credential page.
Create a Monitoring Domain
GigaVUE-FM connects to the AWS platform through the public API endpoint and uses HTTPS, the default protocol, to communicate with the API. For more information about the endpoint and the protocol used, refer to AWS service endpoints.
GigaVUE-FM provides you the flexibility to monitor multiple VPCs. You can choose the VPC ID and launch the GigaVUE fabric components in the desired VPCs.
Note: To configure the Monitoring Domain and launch the fabric components in AWS, you must have the fm_super_admin role or the write access to the Infrastructure Management category. For details, refer to Role Based Access Control.
To create a Monitoring Domain:
- Go to Inventory > VIRTUAL > AWS, and select Monitoring Domain.
- On the Monitoring Domain page, select New. The Monitoring Domain Configuration page appears.
- Select Check Permissions and validate whether you have the required permissions.
- In the Monitoring Domain field, enter an alias used to identify the Monitoring Domain.
- From the Traffic Acquisition Method drop-down list, select one of the following tapping methods:
- Customer Orchestrated Source: If you select Customer Orchestrated Source as the tapping method, you can use the Customer Orchestrated Source as a source option in the Monitoring Session, where the traffic is directly tunneled to the GigaVUE V Series nodes without deploying UCT-Vs and UCT-V Controllers. The user is responsible for creating this tunnel feed and pointing it to the GigaVUE V Series Node(s).
Note: When using Application Metadata Exporter (AMX) application, select the Traffic Acquisition Method as Customer Orchestrated Source.
- In the Traffic Acquisition Tunnel MTU field, enter the MTU value. The Maximum Transmission Unit (MTU) is the maximum size of each packet that the tunnel endpoint can carry from the UCT-V to the GigaVUE V Series Node. The default value is 8951.
When using IPv4 tunnels, the maximum MTU value is 8951. Ensure that the UCT-V tunnel MTU is 50 bytes less than the destination interface MTU size of the UCT-V.
When using IPv6 tunnels, the maximum MTU value is 8931. Ensure that UCT-V tunnel MTU is 70 bytes less than the destination interface MTU size of the UCT-V.
- Enable the Use FM to Launch Fabric toggle to deploy GigaVUE Fabric Components using GigaVUE‑FM.
- Turn on the Enable IPv6 Preference toggle to create IPv6 tunnels between UCT-V and the GigaVUE V Series Nodes.
Note: This appears only when Use FM to Launch Fabric is disabled and Traffic Acquisition Method is UCT-V.
- Under Connections, in the Name field, enter an alias used to identify the connection.
- From the Credential drop-down list, select an AWS credential. For details, refer to Create AWS Credentials.
- From the Region drop-down list, select the AWS region for the Monitoring Domain. For example, US West.
Note: China regions are not supported.
- From the Accounts drop-down list, select the AWS accounts.
- From the VPCs drop-down list, select the VPCs to monitor.
- Click Save.
Note: Ensure that all V Series Nodes within a single Monitoring Domain are running the same version. Mixing different versions in the same Monitoring Domain may lead to inconsistencies when configuring Monitoring Session traffic elements.
Similarly, when upgrading a V Series Node, ensure that the GigaVUE‑FM version is the same as or higher than the V Series Node version.
You can view the new Monitoring Domain in the Monitoring Domain page list view.
To edit a Monitoring Domain, select the deployed Monitoring Domain and select Actions. From the drop-down list, select Edit and the Monitoring Domain Configuration page appears.
For details regarding the Check Permissions option while creating a Monitoring Domain, refer to Manage a Monitoring Domain.
Deploy GigaVUE Fabric Components in GigaVUE‑FM
You can configure the following fabric components:
- UCT-V Controller
- GigaVUE V Series Proxy
- GigaVUE V Series Node
Prerequisite
Before you begin, create a Monitoring Domain in GigaVUE‑FM to establish a connection between your AWS environment and GigaVUE‑FM. For details, refer to Create a Monitoring Domain.
To configure:
1. Go to Inventory > VIRTUAL > AWS.
2. Select the required Monitoring Domain and select Actions > Deploy Fabric. The AWS Fabric Launch Configuration page appears.
3. From the Centralized VPC drop-down list, select the alias of the centralized VPC.
4. The Centralized VPC is the launch location of the UCT-V Controller, V Series Proxies, and the GigaVUE V Series Nodes.
Note: Select Check Permissions to ensure you have the required permissions for inventory, security groups, fabric launch, and IAM policy. For details, refer to Acquire Traffic using Customer Orchestrated Source - GigaVUE-FM Orchestration.
5. From the EBS Volume Type drop-down list, select one of the following Elastic Block Store (EBS) volume types to attach to the fabric components:
- gp2 (General Purpose SSD)
- gp3 (General Purpose SSD)
- io1 (Provisioned IOPS SSD)
- io2 (Provisioned IOPS SSD)
- Standard (Magnetic)
Note: The default EBS Volume Type is gp3 (General Purpose SSD).
6. Turn on the Enable Encryption toggle to encrypt the EBS volume with AWS Key Management Service (KMS).
7. From the KMS Key drop-down list, select the required KMS key. For details, refer to the Create a KMS Key section in the AWS Documentation.
8. From the SSH Key Pair drop-down list, select the key pair that you created to launch the UCT-V Controller, GigaVUE V Series Node, and GigaVUE V Series Proxy from GigaVUE‑FM. For details, refer to the Create a key pair section in the AWS Documentation.
9. From the Management Subnet drop-down list, select the subnet you use for communication between the controllers and the nodes and with GigaVUE‑FM.
10. From the Security Groups drop-down list, select one or more security groups you created for the GigaVUE fabric nodes. For details, refer to Security Group.
11. Turn on the Enable Custom Certificates toggle to validate the custom certificate during SSL communication.
GigaVUE‑FM validates the custom certificate against the Trust Store. If the certificate is not in the Trust Store, communication does not happen and a handshake error occurs.
Note: If the certificate expires after the successful deployment of the fabric components, the fabric components move to the failed state.
12. From the Custom SSL Certificate drop-down list, select the custom certificate that you have already installed.
Note: You can also select Create New to upload the custom certificate for GigaVUE V Series Nodes, GigaVUE V Series Proxy, and UCT-V Controllers. For details, refer to Install Custom Certificate on AWS.
13. Turn on the Prefer IPv6 toggle to deploy all the fabric controllers and the tunnel between the hypervisor and GigaVUE V Series Nodes using an IPv6 address.
If the IPv6 address is unavailable, it uses an IPv4 address.
Note: You can enable this option only when deploying a new GigaVUE V Series Node. If you want to enable this option after deploying the GigaVUE V Series Node, you must delete the existing GigaVUE V Series Node and deploy it again with this option enabled.
14. Complete the required fields to configure the following GigaVUE Fabric Components:
- UCT-V Controller: Configure UCT-V Controllers in the AWS cloud only if you want to capture traffic using UCT-Vs. A UCT-V Controller can manage only UCT-Vs that have the same version. If the version of the UCT-V Controllers does not match the version of the UCT-Vs, GigaVUE‑FM cannot detect the UCT-Vs in the instances.
- GigaVUE V Series Proxy: Turn on the Configure a V Series Proxy toggle if GigaVUE-FM cannot reach the GigaVUE V Series Nodes (management interface) directly over the network.
- GigaVUE V Series Node: Creating a GigaVUE V Series Node profile automatically launches the GigaVUE V Series Nodes.
Note: Refer to GigaVUE Fabric Components Configuration – Field References.
15. Select Save.
GigaVUE Fabric Components Configuration – Field References
The following table lists and describes the fields you must complete to configure the UCT-V Controller, GigaVUE V Series Proxy, and GigaVUE V Series Node.
| Field | Description |
|---|---|
| UCT-V Controller | Configure UCT-V Controllers in the AWS cloud only if you want to capture traffic using UCT-Vs. A UCT-V Controller can manage only UCT-Vs that have the same version. If there is a version mismatch between the UCT-V Controllers and UCT-Vs, GigaVUE-FM cannot detect the UCT-Vs in the instances. |
| Controller Version(s) | To add UCT-V Controllers: |
| Agent Tunnel Type | Select one of the following tunnel types to send the traffic from UCT-Vs to GigaVUE V Series Nodes: |
| Agent CA | Select the Certificate Authority (CA) you want to use to connect the tunnel. UCT-V uses this CA to verify the server-side certificate of the GigaVUE V Series Node. Note: Use this field only when configuring secure tunnels. |
| IP Address Type | Select one of the following IP address types. Private: if you want to assign an IP address that is not reachable over the Internet; you can use a private IP address for communication between the UCT-V Controller and GigaVUE-FM. Public: if you want the IP address to be assigned from Amazon's pool of public IP addresses; the public IP address changes every time the instance is stopped and restarted. Elastic: if you want a static public IP address for your instance, ensure that you have the elastic IP address available in your VPC; the elastic IP address does not change when you stop or start the instance. From the Elastic IPs drop-down list, select the required IP addresses. |
| Additional Subnets | (Optional) If UCT-Vs are available on networks that are not IP routable from the management network, you must specify additional networks or subnets so that the UCT-V Controller can communicate with all the UCT-Vs. Click Add Subnet to select additional networks (subnets) if needed. Make sure to select a list of security groups for each additional network. |
| Tags | (Optional) The key name and value that help to identify the UCT-V Controller instances in your environment. For example, you might have deployed UCT-V Controllers in many regions. To distinguish these UCT-V Controllers based on the regions, you can provide a name (also known as a tag) that is easy to identify, such as us-west-2-uctvcontrollers. To add a tag, select Add, and enter a Key and Value. For example, enter Name as your Key and us-west-2-uctv-controllers as the Value. |
| GigaVUE V Series Proxy | |
| Version | GigaVUE V Series Proxy version. |
| Instance Type | Instance type for the GigaVUE V Series Proxy. The recommended minimum instance type is t2.micro. You can review and modify the number of instances for the nitro-based instance types in the Configure AWS Settings page. |
| Number of Instances | Number of GigaVUE V Series Proxies to deploy in the Monitoring Domain. |
| Set Management Subnet | Use the toggle button to select a management subnet. |
| Set Security Groups | Toggle the option to Yes to set the security group that is created for the GigaVUE V Series Proxy. Refer to Security Group for more details. |
| IP Address Type | Select one of the following IP address types: The elastic IP address does not change when you stop or start the instance. |
| Additional Subnets | (Optional) If there are GigaVUE V Series Nodes on subnets that are not IP routable from the management subnet, additional subnets must be specified so that the GigaVUE V Series Proxy can communicate with all the GigaVUE V Series Nodes. Select Add to specify additional subnets, if needed. Also, make sure that you specify a list of security groups for each additional subnet. |
| Tags | (Optional) The key name and value that help to identify the GigaVUE V Series Proxy instances in your AWS environment. |
| GigaVUE V Series Node | |
| SSL Key | Select the SSL key from the drop-down list. |
| Version | Enter the GigaVUE V Series Node version. |
| Instance Type | The instance type for the GigaVUE V Series Node. For details, refer to Recommended and Supported Instance Types for AWS. You can review and modify the number of instances for the nitro-based instance types in the Configure AWS Settings page. |
| Volume Size | The size of the storage disk. The default volume size is 8. The recommended volume size is 80. Note: When using Application Metadata Exporter, the minimum recommended Volume Size is 80GB. |
| IP Address Type | Select one of the following IP address types: The elastic IP address does not change when you stop or start the instance. |
| Min Number of Instances | The minimum number of GigaVUE V Series Nodes in the Monitoring Domain. The minimum number of instances must be 1. Note: If the minimum number of instances is set as '0', then the GigaVUE V Series Nodes launch only when GigaVUE-FM discovers some targets to monitor and deploys a Monitoring Session. |
| Max Number of Instances | The maximum number of GigaVUE V Series Nodes deployed in the Monitoring Domain. |
| Data Subnets | The subnet that receives the mirrored GRE or VXLAN tunnel traffic from the UCT-Vs. Note: Using the Tool Subnet check box, you can indicate the subnets the GigaVUE V Series Node uses to egress the aggregated/manipulated traffic to the tools. |
| Tags | (Optional) The key name and value that help to identify the GigaVUE V Series Node instances in your AWS environment. For example, you might have GigaVUE V Series Nodes deployed in many regions. To distinguish these GigaVUE V Series Nodes based on the regions, you can provide a name that is easy to identify, such as us-west-2-vseries. To add a tag: |
For details regarding the Check permissions to validate IAM and security-group settings, refer to Check Permissions while Configuring GigaVUE Fabric Components using GigaVUE‑FM.
Configure and Deploy Monitoring Session
In GigaVUE-FM, you must do the following to configure and deploy the Monitoring Session. Refer to the Configure Monitoring Session section for more details.
1. Access the Monitoring Session page:
   a. In GigaVUE-FM, go to Traffic > Virtual > Orchestrated Flows > AWS.
   b. After creating a new Monitoring Session or on an existing Monitoring Session, navigate to the TRAFFIC PROCESSING tab. The GigaVUE-FM Monitoring Session canvas page appears.
2. Create an ingress REP:
   a. In the canvas, from the New expand menu, drag and drop New Tunnel to the graphical workspace.
   b. On the new tunnel icon, select the The Add Tunnel Spec quick view page appears.
   c. Enter the Alias, Description, and the Type details and click Save.
3. Add components to the canvas:
   a. Drag and drop the required components to the canvas.
   b. From the Applications expand menu, drag and drop the required applications to the graphical workspace.
4. Deploy the Monitoring Session:
   a. From the Actions menu, select Deploy.
   b. After successful deployment on all the V Series Nodes, the status appears as Success on the Monitoring Sessions Sources tab.
What to do Next
You can view the detailed statistics of an individual traffic processing element in the TRAFFIC PROCESSING tab. For more details, refer to View Monitoring Session Statistics (AWS).