Configure GigaVUE Fabric Components in GigaVUE‑FM
You can configure the following fabric components:
- UCT-V Controller
- GigaVUE V Series Proxy
- GigaVUE V Series Node
Prerequisite
Before you begin, create a monitoring domain in GigaVUE‑FM to establish connection between your AWS environment and GigaVUE‑FM. For details, refer to Create a Monitoring Domain.
To configure the fabric components:
1. Go to Inventory > VIRTUAL > AWS.
2. Select the required Monitoring Domain and select Actions > Deploy Fabric. The AWS Fabric Launch Configuration page appears.
3. From the Centralized VPC drop-down list, select the alias of the centralized VPC. The centralized VPC is the VPC in which the UCT-V Controller, the GigaVUE V Series Proxies, and the GigaVUE V Series Nodes are launched.
Note: Select Check Permissions to confirm, before you deploy, that the credentials of the monitoring domain have the required permissions for inventory, security groups, fabric launch, and the IAM policy. For details, refer to Check Permissions while Configuring GigaVUE Fabric Components using GigaVUE‑FM.
4. From the EBS Volume Type drop-down list, select the Elastic Block Store (EBS) volume type to attach to the fabric components:
- gp2 (General Purpose SSD)
- gp3 (General Purpose SSD)
- io1 (Provisioned IOPS SSD)
- io2 (Provisioned IOPS SSD)
- Standard (Magnetic)
Note: The default EBS Volume Type is gp3 (General Purpose SSD).
5. Turn on the Enable Encryption toggle to encrypt the EBS volumes of the fabric components with AWS Key Management Service (KMS). Encryption is applied when the volume is created and cannot be turned on for an existing volume in place, so decide this before you deploy.
6. From the KMS Key drop-down list, select the KMS key to use. The key must be in the same region as the centralized VPC, and its key policy (or the IAM policy of the credentials GigaVUE‑FM uses) must allow that principal to use the key for EBS; otherwise the encrypted volume cannot be created and the launch fails. For details, refer to the Create a KMS Key section in the AWS Documentation.
7. From the SSH Key Pair drop-down list, select the key pair you created for launching the UCT-V Controller, GigaVUE V Series Node, and GigaVUE V Series Proxy from GigaVUE‑FM. EC2 key pairs are regional, so the key pair must exist in the region of the centralized VPC. For details, refer to the Create a key pair section in the AWS Documentation.
8. From the Management Subnet drop-down list, select the subnet used for communication between the controllers, the nodes, and GigaVUE‑FM.
9. From the Security Groups drop-down list, select one or more security groups you created for the GigaVUE fabric nodes. For details, refer to Security Group.
10. Turn on the Enable Custom Certificates toggle to have GigaVUE‑FM validate the custom certificate during SSL/TLS communication with the fabric components. GigaVUE‑FM validates the custom certificate against its Trust Store. If the certificate is not present in the Trust Store, the handshake fails and no communication takes place.
Note: If the certificate expires after the fabric components have been deployed, the fabric components move to the failed state. Track the expiry date and replace the certificate before it is reached.
11. From the Custom SSL Certificate drop-down list, select the custom certificate that you have already installed.
Note: You can also select Create New to upload a custom certificate for the GigaVUE V Series Nodes, GigaVUE V Series Proxy, and UCT-V Controllers. For details, refer to Install Custom Certificate on AWS.
12. Turn on the Prefer IPv6 toggle to deploy all the fabric controllers, and the tunnel between the hypervisor and the GigaVUE V Series Nodes, using IPv6 addresses. If no IPv6 address is available, an IPv4 address is used.
Note: You can enable this option only when deploying a new GigaVUE V Series Node. To enable it for an already deployed GigaVUE V Series Node, delete the existing node and deploy it again with this option enabled.
13. Complete the required fields to configure the following GigaVUE Fabric Components:
- UCT-V Controller: Configure UCT-V Controllers in the AWS cloud only if you want to capture traffic using UCT-Vs. A UCT-V Controller can manage only UCT-Vs of the same version. If the UCT-V Controller version does not match the UCT-V version, GigaVUE‑FM cannot detect the UCT-Vs in the instances.
- GigaVUE V Series Proxy: Turn on the Configure a V Series Proxy toggle if GigaVUE‑FM cannot reach the management interface of the GigaVUE V Series Nodes directly over the network.
- GigaVUE V Series Node: Creating a GigaVUE V Series Node profile automatically launches the GigaVUE V Series Nodes.
Note: Refer to GigaVUE Fabric Components Configuration – Field References.
14. Select Save.
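The EBS choices made above (Enable Encryption and KMS Key) are only applied when the volumes are created, so it is worth verifying them after the fabric is up. The following is an added example written for this page, not GigaVUE‑FM or Gigamon code: it parses the JSON shape returned by `aws ec2 describe-volumes --output json` (or boto3's `describe_volumes`) and flags fabric volumes that are unencrypted, encrypted with a key other than the one selected in the KMS Key drop-down, or smaller than the recommended node volume size from the field reference table. The sample response, the key ARN and the Name tag values are constructed assumptions; the checks apply to any account.

```python
"""Post-deployment check of the EBS settings chosen on the AWS Fabric Launch page.

Added example; not GigaVUE-FM or Gigamon code. The sample describe-volumes
response, the expected KMS key ARN and the Name tags are constructed.
"""
import json

# Constructed sample in the shape of `aws ec2 describe-volumes --output json`.
SAMPLE_DESCRIBE_VOLUMES = json.dumps({"Volumes": [
    {"VolumeId": "vol-0aaa", "VolumeType": "gp3", "Size": 80, "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-west-2:111122223333:key/example-key-1",
     "Tags": [{"Key": "Name", "Value": "us-west-2-vseries"}]},
    {"VolumeId": "vol-0bbb", "VolumeType": "gp2", "Size": 8, "Encrypted": False,
     "Tags": [{"Key": "Name", "Value": "us-west-2-vseries-proxy"}]},
    {"VolumeId": "vol-0ccc", "VolumeType": "gp3", "Size": 80, "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-west-2:111122223333:key/some-other-key",
     "Tags": [{"Key": "Name", "Value": "us-west-2-vseries"}]},
    {"VolumeId": "vol-0ddd", "VolumeType": "gp3", "Size": 8, "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-west-2:111122223333:key/example-key-1",
     "Tags": [{"Key": "Name", "Value": "us-west-2-vseries"}]},
    {"VolumeId": "vol-0eee", "VolumeType": "gp3", "Size": 100, "Encrypted": False,
     "Tags": [{"Key": "Name", "Value": "unrelated-app"}]},
]})

# Assumed values: the key selected in the KMS Key drop-down and the Name tags
# given to the fabric instances via the Tags fields on the launch page.
EXPECTED_KMS_KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/example-key-1"
FABRIC_NAMES = {"us-west-2-vseries", "us-west-2-vseries-proxy",
                "us-west-2-uctv-controllers"}
NODE_NAMES = {"us-west-2-vseries"}   # only V Series Nodes carry the 80 GB recommendation


def audit_fabric_volumes(describe_volumes_json, expected_kms_key_arn,
                         fabric_names, node_names, min_node_size_gb=80):
    """Return a list of (volume_id, finding) for volumes tagged as fabric components.

    Findings:
      UNENCRYPTED       Enable Encryption was off when the volume was created.
      WRONG_KMS_KEY     encrypted, but not with the key selected on the launch page.
      VOLUME_TOO_SMALL  a V Series Node volume below the recommended size.
    Volumes whose Name tag is not in fabric_names are ignored.
    """
    findings = []
    for vol in json.loads(describe_volumes_json).get("Volumes", []):
        tags = {t["Key"]: t["Value"] for t in vol.get("Tags", [])}
        name = tags.get("Name")
        if name not in fabric_names:
            continue
        vid = vol["VolumeId"]
        if not vol.get("Encrypted", False):
            # An unencrypted volume carries no KmsKeyId at all, so test this first.
            findings.append((vid, "UNENCRYPTED"))
        elif vol.get("KmsKeyId") != expected_kms_key_arn:
            findings.append((vid, "WRONG_KMS_KEY"))
        if name in node_names and vol.get("Size", 0) < min_node_size_gb:
            findings.append((vid, "VOLUME_TOO_SMALL"))
    return findings


if __name__ == "__main__":
    for volume_id, finding in audit_fabric_volumes(
            SAMPLE_DESCRIBE_VOLUMES, EXPECTED_KMS_KEY_ARN, FABRIC_NAMES, NODE_NAMES):
        print(f"{volume_id}: {finding}")
```

Against a real account, feed it the output of `aws ec2 describe-volumes --filters Name=tag:Name,Values=<your fabric tags> --output json`. Because EBS encryption is fixed at volume creation, an UNENCRYPTED or WRONG_KMS_KEY finding means the component has to be redeployed with the correct Enable Encryption and KMS Key settings rather than fixed in place.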
GigaVUE Fabric Components Configuration – Field References
The following table lists and describes the fields you must complete to configure the UCT-V Controller, GigaVUE V Series Proxy, and GigaVUE V Series Node.

Field | Description
---|---
UCT-V Controller | Configure UCT-V Controllers in the AWS cloud only if you want to capture traffic using UCT-Vs. A UCT-V Controller can manage only UCT-Vs of the same version; if the UCT-V Controller and UCT-V versions do not match, GigaVUE‑FM cannot detect the UCT-Vs in the instances.
Controller Version(s) | To add UCT-V Controllers:
Agent Tunnel Type | Select one of the following tunnel types to send the traffic from UCT-Vs to GigaVUE V Series Nodes:
Agent CA | Select the Certificate Authority (CA) used to establish the tunnel. The UCT-V uses this CA to verify the server-side certificate of the GigaVUE V Series Node. Note: Use this field only when configuring secure tunnels.
IP Address Type | Select one of the following IP address types: • Private: an IP address that is not reachable over the Internet. You can use a private IP address for communication between the UCT-V Controller and GigaVUE‑FM. • Public: an IP address assigned from Amazon's pool of public IP addresses. The public IP address changes every time the instance is stopped and restarted. • Elastic: a static public IP address for your instance; ensure that an elastic IP address is available in your VPC. The elastic IP address does not change when you stop or start the instance. From the Elastic IPs drop-down list, select the required IP addresses.
Additional Subnets | (Optional) If UCT-Vs are on networks that are not IP routable from the management network, specify the additional networks (subnets) so that the UCT-V Controller can communicate with all the UCT-Vs. Click Add Subnet to select additional subnets if needed, and select a list of security groups for each additional subnet.
Tags | (Optional) A key and value that identify the UCT-V Controller instances in your environment. For example, if you have deployed UCT-V Controllers in many regions, you can distinguish them by region with an easily recognized name (tag) such as us-west-2-uctv-controllers. To add a tag, select Add and enter a Key and Value; for example, enter Name as the Key and us-west-2-uctv-controllers as the Value.
GigaVUE V Series Proxy |
Version | GigaVUE V Series Proxy version.
Instance Type | Instance type for the GigaVUE V Series Proxy. The recommended minimum instance type is t2.micro. You can review and modify the number of instances for the Nitro-based instance types in the Configure AWS Settings page.
Number of Instances | Number of GigaVUE V Series Proxies to deploy in the monitoring domain.
Set Management Subnet | Use the toggle to select a management subnet for the proxy.
Set Security Groups | Set the toggle to Yes to select the security group created for the GigaVUE V Series Proxy. Refer to Security Group for more details.
IP Address Type | Select Private, Public, or Elastic; the options are the same as for the UCT-V Controller (see IP Address Type above). The elastic IP address does not change when you stop or start the instance.
Additional Subnets | (Optional) If there are GigaVUE V Series Nodes on subnets that are not IP routable from the management subnet, specify the additional subnets so that the GigaVUE V Series Proxy can communicate with all the GigaVUE V Series Nodes. Select Add to specify additional subnets if needed, and specify a list of security groups for each additional subnet.
Tags | (Optional) A key and value that identify the GigaVUE V Series Proxy instances in your AWS environment.
GigaVUE V Series Node |
SSL Key | Select the SSL key from the drop-down list.
Version | The GigaVUE V Series Node version.
Instance Type | The instance type for the GigaVUE V Series Node. For details, refer to Recommended and Supported Instance Types for AWS. You can review and modify the number of instances for the Nitro-based instance types in the Configure AWS Settings page.
Volume Size | The size of the storage disk in GB. The default volume size is 8; the recommended volume size is 80. Note: When using Application Metadata Exporter, the minimum recommended Volume Size is 80 GB.
IP Address Type | Select Private, Public, or Elastic; the options are the same as for the UCT-V Controller (see IP Address Type above). The elastic IP address does not change when you stop or start the instance.
Min Number of Instances | The minimum number of GigaVUE V Series Nodes in the Monitoring Domain. Set this to 1 or higher to launch nodes immediately. Note: If the minimum number of instances is set to 0, the GigaVUE V Series Nodes launch only when GigaVUE‑FM discovers targets to monitor and deploys a monitoring session.
Max Number of Instances | The maximum number of GigaVUE V Series Nodes deployed in the Monitoring Domain.
Data Subnets | The subnet that receives the mirrored GRE or VXLAN tunnel traffic from the UCT-Vs. Note: Use the Tool Subnet check box to mark the subnets through which the GigaVUE V Series Node egresses the aggregated or manipulated traffic to the tools.
Tags | (Optional) A key and value that identify the GigaVUE V Series Node instances in your AWS environment. For example, if you have GigaVUE V Series Nodes deployed in many regions, you can distinguish them by region with an easily recognized name such as us-west-2-vseries. To add a tag, select Add and enter a Key and Value.
Check Permissions while Configuring GigaVUE Fabric Components using GigaVUE‑FM
To check for permissions from the AWS Fabric Launch page:
1. In the AWS Fabric Launch page, enter the details as described in Configure GigaVUE Fabric Components in GigaVUE‑FM.
2. Select the Check Permissions button. The Check Permissions widget opens and displays the permission status for Inventory, Security Group, and Fabric Launch. The check runs with the credentials of the monitoring domain, which are the credentials that later launch the fabric, so a Denied result here would otherwise surface as a partial or failed deployment.
3. Select the INVENTORY tab and select Check Inventory Permissions to view the required inventory permissions. Inventory permissions with the access status Denied are missing from the IAM policy or are restricted by a permissions boundary.
4. Select the SECURITY GROUPS tab and select Check Security Group Permissions to view the ports that must be open in the security groups. Ports with the status Denied are not open in the security group. Ports with the status Explicit denied are blocked or restricted by the user. Ports with the status Partially configured are open, but for an incorrect IP address range.
5. Select the FABRIC LAUNCH tab and select Check Fabric Launch Permissions to view the permissions required for deploying the GigaVUE fabric components. Permissions with the access status Denied are missing from the IAM policy.
Note: Microsoft.Compute/virtualMachines/write and Microsoft.Network/networkInterfaces/join/action are Azure resource-provider actions, not AWS IAM actions. The dependency described for them (they cannot be validated separately, so if either is denied or not configured both are displayed as Denied) applies to the Azure version of this check, not to the AWS IAM policy.
6. The IAM POLICY tab lists a sample policy containing the required permissions for deploying the GigaVUE Cloud Suite for AWS. Update your AWS IAM policy with the missing permissions highlighted in the JSON.
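The widget's Denied versus Explicit denied distinction is the same one an IAM policy evaluation makes: an action is missing when no Allow statement covers it, and blocked when a Deny statement covers it, because an explicit Deny wins over any Allow. The following is an added example written for this page, not GigaVUE‑FM or Gigamon code: it checks an IAM policy document offline against a list of required actions and reports each action as Allowed, Denied (missing, to be added to the policy) or Explicit denied. The required-action list and the policy are constructed for illustration; the actions GigaVUE‑FM actually needs are the ones shown on the IAM POLICY tab. Resource, Condition and NotAction elements are ignored, so Allowed here is a necessary but not a sufficient condition.

```python
"""Offline check of an IAM policy document against required actions.

Added example; not GigaVUE-FM or Gigamon code. REQUIRED_ACTIONS and
CONSTRUCTED_POLICY are constructed for illustration, not the Gigamon list.
"""
import fnmatch
import json

# Constructed list of actions to check (an assumption, not the Gigamon list).
REQUIRED_ACTIONS = [
    "ec2:DescribeInstances", "ec2:DescribeSubnets", "ec2:RunInstances",
    "ec2:CreateTags", "kms:CreateGrant", "iam:PassRole",
]

# Constructed policy with one wildcard Allow, one scoped Allow and one Deny.
CONSTRUCTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:CreateTags"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "kms:CreateGrant",
         "Resource": "arn:aws:kms:us-west-2:111122223333:key/*"},
        {"Effect": "Deny", "Action": "iam:PassRole", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM accepts either a single string or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and support * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate_policy(policy_json, required_actions):
    """Return {action: "Allowed" | "Denied" | "Explicit denied"}.

    Denied means no statement mentions the action (it is missing from the
    policy); Explicit denied means a Deny statement matches it, which overrides
    any Allow. Resource, Condition and NotAction are deliberately ignored.
    """
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    status = {}
    for action in required_actions:
        allowed = denied = False
        for stmt in statements:
            patterns = _as_list(stmt.get("Action", []))
            if not any(_action_matches(p, action) for p in patterns):
                continue
            if stmt.get("Effect") == "Deny":
                denied = True
            elif stmt.get("Effect") == "Allow":
                allowed = True
        if denied:
            status[action] = "Explicit denied"
        elif allowed:
            status[action] = "Allowed"
        else:
            status[action] = "Denied"
    return status


def missing_actions(policy_json, required_actions):
    """The actions to add to the policy: those no Allow statement covers."""
    return [action for action, result in
            evaluate_policy(policy_json, required_actions).items()
            if result == "Denied"]


if __name__ == "__main__":
    for action, result in evaluate_policy(CONSTRUCTED_POLICY, REQUIRED_ACTIONS).items():
        print(f"{action:24} {result}")
    print("add to policy:", missing_actions(CONSTRUCTED_POLICY, REQUIRED_ACTIONS))
```

To use it on a real policy, paste the document from the IAM console (or `aws iam get-policy-version`) into the policy string and the actions from the IAM POLICY tab into the required list. An Explicit denied result cannot be fixed by adding an Allow; the Deny statement (in this policy, a permissions boundary, or an SCP) has to be removed or narrowed.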