Create Application Metadata Intelligence for Physical Environment

Create an Application Metadata Intelligence session in GigaVUE‑FM by selecting the applications available from the Total Applications displayed on the Application Intelligence (AMI) dashboard.

To create an Application Metadata Intelligence session, follow these steps:

1. From the left navigation pane, go to Traffic > Solutions > App Intelligence.
2. In the Application Intelligence Session, click Application Metadata.

You must configure an Application Intelligence session to monitor the applications on the network and to display them in Total Applications. To create an Application Intelligence session, refer to Application Intelligence Session.

3. From the navigation pane, click App Intelligence. Select the applications from the Total Applications in the right pane of the Application Intelligence dashboard.
4. Click Operations and select App Metadata from the drop-down list.

You can view the list of applications selected in the Selected Applications section.

Application Metadata Intelligence generates up to 6000 attributes for over 4000 applications without impacting the users, devices, applications, or the network appliances. The feature identifies applications even when the traffic is encrypted.

5. Expand the application and select the attributes to be extracted.

Note: You can select the attributes only if the application has attributes.

Note: Each exporter can be assigned up to 8 application profiles, with each profile containing multiple attributes from various protocols. In total, an exporter can be configured to include attributes from a maximum of 32 applications, and for each application, up to 64 attributes can be configured. A total of five exporters can be configured.

Note: The attributes IP source and IP destination cannot be configured to be extracted from the App Editor section. To export them, use the Advanced Settings > Collects section. The total number of multi-collects for both IPFIX and CEF is up to five.

6. In the Destination Traffic section, you can attach five exporters to a GigaSMART group. You can only create a maximum of 5 exporters. Enter the following details:

| Option | Mandatory | Default | Description |
|---|---|---|---|
| Tool Name | Yes | | Configures the alias name for the tool. |
| IP Interface | Yes | | Configures the IP interface on the Gigamon device that connects to the tool. |
| Tool IP Address | Yes | | Configures the destination IP address for exporting the records. |
| Template | No | | Configures pre-defined tool templates for exporting metadata. Tool templates are user configurable. Ex. SplunkMetadataTemplate, SecurityPostureTemplate, etc. |
| L4 Source Port | Yes | | Configures the Source Port of the IP interface on the Gigamon device. |
| L4 Destination Port | Yes | | Configures the destination port on the tools side. |
| Application ID | No | Disabled | Configures exporting Application Name for all applications identified by the DPI engine. Note: Requires AMI/SVP/ZTA license. |
| Application List | No | | Each exporter can be customized to export metadata for certain applications/protocols. |
| Format | Yes | | Options: NetFlow, CEF. Configures the format for exporting the records. |
| Version | Yes | IPFIX | Options: v5, v9 and IPFIX. Configures the version of NetFlow for exporting the records. |
| Template Refresh Interval | Yes | 60s | Range: 1-216000s. Configures the interval at which the template record is exported while exporting the IPFIX records. Changing the refresh interval can impact ingesting the records on the tools side. Please seek guidance from your tool’s vendor before changing the default. |
| Record Type | Yes | Cohesive/Segregated | Default depends on the Flow Behavior configuration. Segregated: Default when the Flow Behavior is set to Unidirectional. Separate records are exported for network and application metadata. Cohesive: Default when the Flow Behavior is set to Bidirectional. Generates a consolidated record comprising network and application metadata. If record size exceeds the IP interface MTU, the records will be exported as fragments. |
| Active Timeout | Yes | 60s | Range: 1-604800s. This option configures the timeout interval for exporting interim records for such flows. Shorter timeouts increase the number of records and longer timeouts result in fewer records. Longer timeouts can also increase the record size. Please seek expert guidance from Gigamon and tool vendor before changing the default. |
| Inactive Timeout | Yes | 15s | Range: 1-604800s. Configures the timeout interval for marking flows as inactive and exporting their records soon after. Inactive timeout constitutes idle time after receiving the last packet. Shorter timeouts can prematurely deem a flow as inactive and subsequent packets would be considered as a new flow that can skew the analytics on the tools side. Please seek expert guidance from Gigamon and tool vendor before changing the default. |

When editing the exporter template, if you change any of the non-editable fields (Format, Record Type, NetFlow Version), the solution fails.

Note: When you create a session with Flow Behavior set to Bidirectional, GigaVUE‑FM allows you to select NetFlow v5 and v9 templates. When you edit the same session, you cannot select the NetFlow v5 and v9 templates.


Note:  If the export format is CEF, the default value for L4 destination port is 514. If the export format is NetFlow, the default value for L4 destination port is 2055.

Note: The format and the record/template type are selected automatically after you select the Tool Template.

7. In the Advanced Settings > Collects section, you can select the following packet attributes:
o   Counter - Select Bytes and Packets.
o   IPv4 - Select the required attributes. By default, Source Address, Destination Address, and Protocol are enabled.
o   IPv6 - Select the required attributes. By default, Source Address, Destination Address, and Next Header are enabled.
o   Transport - Select the required attributes. By default, Source Port and Destination Port are enabled.

By default, the above collect types are displayed. Click to add the following collect types:

o   Data Link - Select any one of the parameters such as Source Mac, Destination Mac and VLAN.
o   Timestamp - Select the required timestamp such as System Uptime First, Flow Start, System Uptime Last, and Flow End.
o   Flow - Select the parameter as End Reason if required.
o   Interface - These options are supported only in standalone deployments (GigaVUE-HC1, GigaVUE-HC3, GigaVUE-HCT, and GigaVUE-HC1P) and legacy cluster deployments. Select any one of the following parameters.

Note: When Input/Output Physical interface width is set to 2B, only the lower-order bytes of the interface index are exported.

•   Input Physical - Select the Input Physical checkbox to export the ingress interface as one of the fields sent in the NetFlow record. It also allows exporting the interface index in the NetFlow record. Under Input Physical Width, choose 2 bytes or 4 bytes. A width of 4 bytes is recommended for both v9 and IPFIX protocols, while v5 supports only 2 bytes. CEF supports exporting the Input interface index with a width of 2B (default) or 4B.
•   Output Physical - Select the Output Physical checkbox to export the egress interface as one of the fields sent in the NetFlow record. It also allows exporting the interface index in the NetFlow record. Under Output Physical Width, choose 2 bytes or 4 bytes. A width of 4 bytes is recommended for both v9 and IPFIX protocols, while v5 supports only 2 bytes. CEF supports exporting the Output interface index with a width of 2B (default) or 4B.
•   Input Name - Select the Input Name checkbox to export the interface name. In the Input Name Width field, specify a value between 1 and 32 bytes. The default value is 16 bytes. The total character limit for the interface name is 128 characters.
8. In the Application Metadata Settings section:

| Option | Mandatory | Default | NetFlow | Description |
|---|---|---|---|---|
| Events | Yes | Transaction end | N/A | Options: None and Transaction End. Transaction End allows exporting records of TCP traffic soon after the connections terminate. Otherwise, the records are exported after the Inactive Timeout. |
| Flow Direction/Behavior | Yes | | Supported | Options: Unidirectional, Bidirectional. Enables a record to be exported for each direction (Unidirectional) of the traffic flow or a single record to be exported for both directions (Bidirectional) of the traffic flow. |
| Timeout | Yes | 1800s | Supported | Range: 1 to 604800s. Configures the duration for which flows can be cached. Upon timeout, the flows are flushed. New flows are created as and when new packets are received. |
| Cache Size | Yes | 1: Gen2; 2: Gen3 | Supported | Supported range: listed per platform in the Cache Size table below. This option is supported only on GigaVUE HC Series (refer to the No. of Flows for GigaVUE V Series). It configures the session table size for maintaining the maximum number of concurrent flows. The default value is set to support all combinations of the apps, i.e. AppViz+AFI+AMI+De-dup. It can be changed from GigaVUE-OS CLI under an expert’s guidance. |
| Multi-Collect | No | Enabled | N/A | By default, only one value is exported per attribute. Some attributes can have multiple values. Ex. DNS host address. When multi-collect is allowed, it enables exporting more than one value per attribute. By default, multi-collect is supported for the following protocols: DNS, GTP and GTPV2. IPFIX can support up to 5 multi-collects per attribute. CEF has no such limit. |
| Data Link | No | Disabled | N/A | Can be enabled to export Source and Destination MAC and ingress VLAN ID. |
| Observation Domain ID | No | 0 | Supported | Range: 0-255. When multiple application intelligence sessions are configured, customers can assign different IDs for creating an additional level of abstraction for analysis on the tools side. For example, if you enter 5 in this field, the observation domain ID is calculated as shown in the Observation Domain ID table below. The calculated value of Observation Domain ID in hexadecimal is 00 01 02 05, and in decimal is 66053. |
| DPI Packet limit | No | Disabled | N/A | The value must range between 20 - 50 as the first 20 to 50 packets contain the most significant attributes. |
| Aggregate Round-Trip Time | No | Disabled | N/A | On GigaVUE HC Series, it’s supported only in the Gen3 GS module. This option enables multi-collect for the following protocols: TCP, HTTP, SSH, TELNET, ICMP, ICMP6 and WSP. By default, RTT and TCP Loss bytes are exported only at the beginning of a flow. These attributes can change over the lifetime of a flow. Aggregate mode can be enabled to closely monitor the flows. When enabled, the attributes are exported at each export interval as follows for the duration of the flow. RTT: Exports minimum, maximum, and mean values for protocols such as TCP, HTTP, SSH, ICMP etc. TCP Loss Count: Exports the consecutive missing bytes per flow. The protocol attributes are listed in the Aggregate Round-Trip Time table below. |

Cache Size - supported range:

| Platform | Gen2 - Range in million | Gen3 - Range in million |
|---|---|---|
| GigaVUE‑HC1 | 2M | 2M |
| GigaVUE‑HC3 | 5M | 10M |
| GigaVUE‑HC1-Plus | | 10M |
| GigaVUE-HCT | | 2M |

Observation Domain ID (4-Bytes):

| Byte 1 | Byte 2 | Byte 3 | Byte 4 |
|---|---|---|---|
| 0 | 1 | GS engine slot (for e.g. 2 if 1/2/e1) | User defined (for e.g. 5). Default: 0. |

Aggregate Round-Trip Time - attributes:

| Protocol Name | Attribute |
|---|---|
| http | rtt |
| icmp | rtt |
| icmp6 | rtt |
| ssh | rtt |
| tcp | rtt |
| tcp | rtt_app |
| telnet | rtt |
| wsp | connect_rtt |
| wsp | query_rtt |
■   You can use the toggle button to enable or disable the DPI Packet Limit. The range is from 20-50 with 20 as the default value.
■   You can enable or disable the Advance Hash option to perform the following:
•   Enable — Configures metadata cache advance-hash for encapsulated flows. This feature improves the efficiency of scheduling the distribution of encapsulated flows. It also improves the distribution of flows in service provider deployment cases. By default, when a new cache is created, advance hash is enabled. When upgraded from an older release, the advance hash is enabled.
•   Disable — Disables the metadata cache advance-hash for flows.
9. In the Selected Applications section, select Export and click Export To for the applications that need to be exported to the destination tool.
10. Click Save.
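
The Observation Domain ID layout from step 8 can be verified on the tool side, so that records from different sessions are told apart and unknown IDs are noticed. The following Python code is an added example, not Gigamon code: it composes the ID from the GS engine slot and the user-defined byte as the table describes, and reads it back from the 16-byte IPFIX message header defined in RFC 7011. It assumes the exporter version is IPFIX; the function names, the session name and the sample datagram are constructed for illustration.

```python
import struct

# IPFIX message header (RFC 7011), network byte order:
# version, length, export time, sequence number, observation domain ID.
IPFIX_HEADER = struct.Struct("!HHIII")
IPFIX_VERSION = 10


def compose_odid(gs_slot: int, user_id: int = 0) -> int:
    """Byte 1 = 0, byte 2 = 1, byte 3 = GS engine slot, byte 4 = user value."""
    if not 0 <= user_id <= 255:
        raise ValueError("user-defined ID must be in the range 0-255")
    if not 0 <= gs_slot <= 255:
        raise ValueError("GS engine slot must fit in one byte")
    return int.from_bytes(bytes([0, 1, gs_slot, user_id]), "big")


def split_odid(odid: int) -> dict:
    """Break a received ID back into the four bytes of the documented layout."""
    b = odid.to_bytes(4, "big")
    return {"byte1": b[0], "byte2": b[1], "gs_slot": b[2], "user_id": b[3]}


def odid_from_ipfix(datagram: bytes) -> int:
    """Return the Observation Domain ID of one IPFIX message after header checks."""
    if len(datagram) < IPFIX_HEADER.size:
        raise ValueError("datagram shorter than the IPFIX header")
    version, length, _export_time, _sequence, odid = IPFIX_HEADER.unpack_from(datagram)
    if version != IPFIX_VERSION:
        raise ValueError(f"not IPFIX (version field = {version})")
    if not IPFIX_HEADER.size <= length <= len(datagram):
        raise ValueError("length field inconsistent with datagram size")
    return odid


def session_for(datagram: bytes, expected: dict) -> str:
    """Map a message to a configured session; unknown IDs are reported, not ignored."""
    odid = odid_from_ipfix(datagram)
    return expected.get(odid, f"UNEXPECTED odid={odid:#010x}")


# Constructed sample: header-only IPFIX message from GS slot 2, user ID 5.
SAMPLE = IPFIX_HEADER.pack(IPFIX_VERSION, 16, 1700000000, 0, compose_odid(2, 5))
EXPECTED = {compose_odid(2, 5): "ami-session-a"}  # hypothetical session name

if __name__ == "__main__":
    print(split_odid(odid_from_ipfix(SAMPLE)), session_for(SAMPLE, EXPECTED))
```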