Configure Secure Tunnel for Third Party Orchestration

You can configure secure tunnels for:

Precrypted Traffic

Secure tunnels help protect sensitive precrypted traffic by framing packets in PCAPng format and transmitting them through a TLS socket. When you enable secure tunnel for both precrypted and mirrored traffic, the system creates two separate TLS sessions.

Recommendation: Always enable secure tunnels for precrypted traffic to ensure secure data transmission.

For more information about PCAPng, refer to PCAPng Application.
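The framing described above, as an added example that is not Gigamon's code: it builds the PCAPng block stream a tunnel sender would write into the TLS socket (Section Header Block, Interface Description Block, one Enhanced Packet Block per packet) and parses it back, rejecting the malformed blocks a receiver must not accept. Block layouts follow the PCAPng specification; the sample frames and timestamps are constructed.

```python
import struct

# Block type codes from the PCAPng specification.
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
LINKTYPE_ETHERNET = 1


def _block(block_type, body):
    """Wrap a block body in the PCAPng type/length header and length trailer."""
    body += b"\x00" * (-len(body) % 4)  # block bodies are padded to 32 bits
    total = 8 + len(body) + 4
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def frame_packets(packets, snaplen=1500):
    """Frame (timestamp_us, raw_frame) pairs as one PCAPng stream: SHB, IDB, then one EPB each."""
    # SHB: byte-order magic, version 1.0, section length -1 (unknown), no options.
    stream = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    # IDB: link type, reserved field, snaplen (the tunnel MTU is a natural snaplen).
    stream += _block(IDB, struct.pack("<HHI", LINKTYPE_ETHERNET, 0, snaplen))
    for ts_us, frame in packets:
        captured = frame[:snaplen]  # truncate to snaplen, keep the original length
        header = struct.pack("<IIIII", 0, ts_us >> 32, ts_us & 0xFFFFFFFF, len(captured), len(frame))
        stream += _block(EPB, header + captured)
    return stream


def parse_stream(stream):
    """Walk a little-endian PCAPng stream and return (block_type, payload) pairs; for
    EPBs the payload is the captured packet. Raises ValueError on the framing faults a
    receiver must reject: mismatched length trailer, misaligned length, or overrun."""
    blocks, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 12:
            raise ValueError("truncated block header")
        block_type, total = struct.unpack_from("<II", stream, pos)
        if total < 12 or total % 4 or pos + total > len(stream):
            raise ValueError("bad block length")
        (trailer,) = struct.unpack_from("<I", stream, pos + total - 4)
        if trailer != total:
            raise ValueError("length trailer mismatch")
        body = stream[pos + 8:pos + total - 4]
        if block_type == EPB:
            captured_len = struct.unpack_from("<I", body, 12)[0]
            body = body[20:20 + captured_len]  # strip the EPB header, keep packet bytes
        blocks.append((block_type, body))
        pos += total
    return blocks


# Constructed sample: two dummy Ethernet frames with microsecond timestamps.
SAMPLE_PACKETS = [(1_700_000_000_000_000, b"\xaa" * 60), (1_700_000_000_000_500, b"\xbb" * 9)]
```

Running `parse_stream(frame_packets(SAMPLE_PACKETS))` yields four blocks (SHB, IDB, two EPBs) whose EPB payloads are the original frames.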

Mirrored Traffic

You can also enable the Secure Tunnel for mirrored traffic. By default, Secure Tunnel is disabled.

Refer to the following sections for Secure Tunnel Configuration:

■   Configure Secure Tunnel for Third Party Orchestration in UCT-V
■   Configure Secure Tunnel for Third Party Orchestration

Prerequisites

■   While creating Secure Tunnel, you must provide the following details:
•   SSH key pair
•   CA certificate
■   Port 11443 must be enabled in the security group settings. For details, refer to Network Firewall Requirement.

Notes

■   Protocol versions IPv4 and IPv6 are supported.
■   If you wish to use IPv6 tunnels, your GigaVUE‑FM and fabric components must run version 6.6.00 or above.
■   For UCT-V with a version lower than 6.6.00, if the secure tunnel is enabled in the Monitoring Session, secure mirror traffic is transmitted over IPv4, regardless of IPv6 preference.
■   After configuring secure tunnels, if a Monitoring Domain contains only one GigaVUE V Series Node and that GigaVUE V Series Node reboots or restarts, then you must manually add the SSL Keys to the Monitoring Domain again. For details, refer to Edit SSL Configuration.

Configure Secure Tunnel from UCT-V to GigaVUE V Series Node

To configure a secure tunnel in UCT-V, you must configure one end of the tunnel to the UCT-V and the other end to GigaVUE V Series Node. You must configure the CA certificates in UCT-V and the private keys and SSL certificates in GigaVUE V Series Node. Refer to the following steps for configuration:

Task 1: Upload a Custom Authority Certificate (CA)

You must upload a Custom Certificate to UCT-V Controller for establishing a connection with the GigaVUE V Series Node.

To upload the CA using GigaVUE-FM, follow the steps given below:

  1. Go to Inventory > Resources > Security > CA List.
  2. Click New to add a new Custom Authority. The Add Custom Authority page appears.
  3. Enter or select the following information:
     •   Alias - Alias name of the CA.
     •   File Upload - Choose the certificate from the desired location.
  4. Click Save.

For more information, refer to the section Adding Certificate Authority.

Task 2: Upload an SSL Key

You must add an SSL key to GigaVUE V Series Node. To add an SSL Key, follow the steps in the section SSL Decrypt.

Task 3: Enable the secure tunnel

You should enable the secure tunnel feature to establish a connection between the UCT-V and GigaVUE V Series Node. To enable the secure tunnel feature, follow these steps:

  1. In the Edit Monitoring Session page, click Options. The Monitoring Session Options page appears.
  2. Enable the Secure Tunnel button. You can enable secure tunnel for both mirrored and precrypted traffic.

Task 4: Select the SSL Key and CA certificate after deploying the fabric components

You must select the added SSL Key and CA Authority in GigaVUE V Series Node after creating a Monitoring Domain and configuring the fabric components in GigaVUE‑FM. Refer to Edit SSL Configuration for more detailed information on how to select the added SSL Key and CA Authority in GigaVUE V Series Node.

Configure Secure Tunnel between GigaVUE V Series Nodes

You can create secure tunnel:

■   Between two GigaVUE V Series Nodes.
■   From one GigaVUE V Series Node to multiple GigaVUE V Series Nodes.

You must have the following details before you start configuring secure tunnels between two GigaVUE V Series Nodes:

■   IP address of the tunnel destination endpoint (Second GigaVUE V Series Node).
■   SSH key pair (pem file).

To configure secure tunnel between two GigaVUE V Series Nodes, refer to the following steps:

Task 1: Upload a Certificate Authority (CA) Certificate

You must upload a Custom Certificate to UCT-V Controller to establish a connection between the GigaVUE V Series Nodes.

To upload the CA using GigaVUE‑FM, follow the steps given below:

  1. Go to Inventory > Resources > Security > CA List.
  2. Select Add to add a new Certificate Authority. The Add Certificate Authority page appears.
  3. Enter or select the following information:
     •   Alias - Alias name of the CA.
     •   File Upload - Choose the certificate from the desired location.
  4. Select Save.
  5. Select Deploy All.

For more information, refer to the section Adding Certificate Authority.

Task 2: Upload an SSL Key

You must add an SSL key to GigaVUE V Series node. To add an SSL Key, follow the steps in the section Upload SSL Keys.

Task 3: Create a secure tunnel between UCT-V and the first GigaVUE V Series Node

You should enable the secure tunnel feature to establish a connection between the UCT-V and the first GigaVUE V Series Node. To enable the secure tunnel feature, follow these steps:

  1. In the Edit Monitoring Session page, click Options. The Monitoring Session Options page appears.
  2. Enable the Secure Tunnel button. You can enable secure tunnel for both mirrored and precrypted traffic.

Task 4: Select the SSL Key and CA certificate after deploying the fabric components

You must select the added SSL Key and CA Authority in GigaVUE V Series Node after creating a Monitoring Domain and configuring the fabric components in GigaVUE‑FM. Refer to Edit SSL Configuration for more detailed information on how to select the added SSL Key and CA Authority in GigaVUE V Series Node.

Task 5: Create an Egress tunnel from the first GigaVUE V Series Node with tunnel type TLS-PCAPNG while creating the Monitoring Session

You must create a tunnel for traffic to flow out from the first GigaVUE V Series Node with tunnel type TLS-PCAPNG while creating the Monitoring Session. Refer to Create Ingress and Egress Tunnels (Azure) for more detailed information on how to create tunnels.

To create the egress tunnel, follow these steps:

  1. After you create a new Monitoring Session, or click Actions > Edit on an existing Monitoring Session, the GigaVUE-FM canvas appears.
  2. In the canvas, select New > New Tunnel, then drag and drop a new tunnel template to the workspace. The Add Tunnel Spec quick view appears.
  3. On the New Tunnel quick view, enter or select the required information as described below:
     •   Alias - The name of the tunnel endpoint.
     •   Description - The description of the tunnel endpoint.
     •   Type - Select TLS-PCAPNG for creating the egress secure tunnel.
     •   Traffic Direction - Choose Out (Encapsulation) for creating an egress tunnel from the V Series node to the destination. Select or enter the following values:
         o MTU - The default value is 1500.
         o Time to Live - Enter the value of the time interval for which the session needs to be available. The value ranges from 1 to 255. The default value is 64.
         o DSCP - Enter the Differentiated Services Code Point (DSCP) value.
         o Flow Label - Enter the Flow Label value.
         o Source L4 Port - Enter the Source L4 Port value.
         o Destination L4 Port - Enter the Destination L4 Port value.
         o Cipher - Only SHA 256 is supported.
         o TLS Version - Select TLS Version 1.3.
         o Selective Acknowledgments - Choose Enable to turn on TCP selective acknowledgments.
         o SYN Retries - Enter the number of times the SYN has to be retried. The value ranges from 1 to 6.
         o Delay Acknowledgments - Choose Enable to turn on delayed acknowledgments.
     •   Remote Tunnel IP - Enter the interface IP address of the second GigaVUE V Series Node (Destination IP).
  4. Select Save.

Task 6: Select the added SSL Key after deploying the fabric components in the second GigaVUE V Series Node

You must select the added SSL Key in the second GigaVUE V Series Node. Select the second GigaVUE V Series Node and follow the steps given in Edit SSL Configuration.

Task 7: Create an ingress tunnel in the second GigaVUE V Series Node with tunnel type TLS-PCAPNG while creating the Monitoring Session for the second GigaVUE V Series Node

You must create an ingress tunnel for traffic to flow in from the first GigaVUE V Series Node with tunnel type TLS-PCAPNG while creating the Monitoring Session. Refer to Create a Monitoring Session (Azure) to learn about Monitoring Sessions.

To create the ingress tunnel, follow these steps:

  1. After you create a new Monitoring Session, or click Actions > Edit on an existing Monitoring Session, the GigaVUE-FM canvas appears.
  2. In the canvas, select New > New Tunnel, then drag and drop a new tunnel template to the workspace. The Add Tunnel Spec quick view appears.
  3. On the New Tunnel quick view, enter or select the required information as described below:
     •   Alias - The name of the tunnel endpoint.
     •   Description - The description of the tunnel endpoint.
     •   Type - Select TLS-PCAPNG for creating egress secure tunnel.
     •   Traffic Direction - Choose In (Decapsulation) for creating an ingress tunnel that receives traffic from V Series node 1. Select or enter the values as described in Step 6.
     •   IP Version - The version of the Internet Protocol. IPv4 and IPv6 are supported.
     •   Remote Tunnel IP - Enter the interface IP address of the first GigaVUE V Series Node (Destination IP).
  4. Select Save.