Configure Secure Tunnel (AWS)

You can configure the Secure Tunnel for the following traffic types:

Precryption Traffic

You can send the Precryption traffic through a secure tunnel. When secure tunnels for Precryption are enabled, packets are framed and sent in PCAPng format.

When you enable the secure tunnel option for mirrored traffic and Precryption traffic, two TLS secure tunnel sessions are created.

We recommend always enabling secure tunnels for Precryption traffic, so that sensitive information is transferred securely.

For more information about PCAPng, refer to PCAPng Application.
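The PCAPng framing mentioned above, shown as an added example in Go that is not part of this Gigamon document or of the GigaVUE product: a minimal writer that wraps packets into a Section Header Block, an Interface Description Block and one Enhanced Packet Block per packet, and a parser that validates every block's length trailer before trusting its contents, which is the check a receiver of tunnelled PCAPng data should make. The block layout follows the public PCAPng specification; option fields (such as if_tsresol) are omitted, so timestamps use the default microsecond resolution. The sample Ethernet frame, its timestamp and the function names FramePCAPng and ParsePCAPng are constructed for this example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	blockSHB         = 0x0A0D0D0A // Section Header Block
	blockIDB         = 0x00000001 // Interface Description Block
	blockEPB         = 0x00000006 // Enhanced Packet Block
	byteOrderMagic   = 0x1A2B3C4D
	linkTypeEthernet = 1
)

// Packet is one captured frame with its capture timestamp in microseconds since the epoch.
type Packet struct {
	TimestampUS uint64
	Data        []byte
}

func pad4(n int) int { return (n + 3) &^ 3 }

// writeBlock emits the generic PCAPng block envelope: type, total length, body padded to 4 bytes, total length again.
func writeBlock(w *bytes.Buffer, blockType uint32, body []byte) {
	total := uint32(12 + pad4(len(body)))
	binary.Write(w, binary.LittleEndian, blockType)
	binary.Write(w, binary.LittleEndian, total)
	w.Write(body)
	w.Write(make([]byte, pad4(len(body))-len(body)))
	binary.Write(w, binary.LittleEndian, total)
}

// FramePCAPng wraps packets into a minimal little-endian PCAPng stream: one SHB, one IDB, one EPB per packet.
func FramePCAPng(pkts []Packet) []byte {
	var out bytes.Buffer
	shb := new(bytes.Buffer)
	binary.Write(shb, binary.LittleEndian, uint32(byteOrderMagic))
	binary.Write(shb, binary.LittleEndian, uint16(1)) // major version
	binary.Write(shb, binary.LittleEndian, uint16(0)) // minor version
	binary.Write(shb, binary.LittleEndian, int64(-1)) // section length unknown (streaming)
	writeBlock(&out, blockSHB, shb.Bytes())

	idb := new(bytes.Buffer)
	binary.Write(idb, binary.LittleEndian, uint16(linkTypeEthernet))
	binary.Write(idb, binary.LittleEndian, uint16(0))     // reserved
	binary.Write(idb, binary.LittleEndian, uint32(65535)) // snaplen
	writeBlock(&out, blockIDB, idb.Bytes())

	for _, p := range pkts {
		epb := new(bytes.Buffer)
		binary.Write(epb, binary.LittleEndian, uint32(0)) // interface id
		binary.Write(epb, binary.LittleEndian, uint32(p.TimestampUS>>32))
		binary.Write(epb, binary.LittleEndian, uint32(p.TimestampUS))
		binary.Write(epb, binary.LittleEndian, uint32(len(p.Data))) // captured length
		binary.Write(epb, binary.LittleEndian, uint32(len(p.Data))) // original length
		epb.Write(p.Data)
		writeBlock(&out, blockEPB, epb.Bytes())
	}
	return out.Bytes()
}

// ParsePCAPng walks the block stream and returns the packets carried in EPBs. It refuses
// blocks whose declared length is malformed, runs past the buffer, or whose trailer disagrees.
func ParsePCAPng(data []byte) ([]Packet, error) {
	var pkts []Packet
	le := binary.LittleEndian
	off := 0
	for off < len(data) {
		if len(data)-off < 12 {
			return nil, errors.New("truncated block header")
		}
		btype := le.Uint32(data[off:])
		total := int(le.Uint32(data[off+4:]))
		if total < 12 || total%4 != 0 || off+total > len(data) {
			return nil, fmt.Errorf("bad block length %d at offset %d", total, off)
		}
		if int(le.Uint32(data[off+total-4:])) != total {
			return nil, fmt.Errorf("length trailer mismatch at offset %d", off)
		}
		body := data[off+8 : off+total-4]
		switch btype {
		case blockSHB:
			if le.Uint32(body) != byteOrderMagic {
				return nil, errors.New("big-endian or corrupt section header")
			}
		case blockEPB:
			if len(body) < 20 {
				return nil, errors.New("short EPB")
			}
			ts := uint64(le.Uint32(body[4:]))<<32 | uint64(le.Uint32(body[8:]))
			capLen := int(le.Uint32(body[12:]))
			if capLen > len(body)-20 {
				return nil, errors.New("EPB captured length exceeds block")
			}
			pkts = append(pkts, Packet{TimestampUS: ts, Data: append([]byte(nil), body[20:20+capLen]...)})
		}
		off += total
	}
	return pkts, nil
}

func main() {
	// Constructed sample frame (not real captured traffic): 14-byte Ethernet header + 3-byte payload.
	frame := []byte{0x02, 0, 0, 0, 0, 1, 0x02, 0, 0, 0, 0, 2, 0x08, 0x00, 0xde, 0xad, 0xbe}
	stream := FramePCAPng([]Packet{{TimestampUS: 1700000000000000, Data: frame}})
	pkts, err := ParsePCAPng(stream)
	fmt.Println(len(stream), "bytes,", len(pkts), "packet(s), err =", err)
}
```

The parser checks the length field against both the buffer and the trailing copy before slicing, so a truncated or tampered stream is rejected rather than read out of bounds; a real receiver would apply the same checks to every block type, not only to EPBs.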

Mirrored Traffic

You can enable the Secure Tunnel for mirrored traffic. By default, Secure Tunnel is disabled.

Refer to the following sections for Secure Tunnel Configuration:

■   Configure Secure Tunnel from UCT-V to GigaVUE V Series Node
■   Configure Secure Tunnel between GigaVUE V Series Nodes
■   Configure Secure Tunnel between GigaVUE V Series Nodes and GigaVUE HC Series

Prerequisites

■   Enable TCP Port 11443 in security group settings. For details on Network Firewall / Security Group, refer to Security Group.
■   While creating Secure Tunnel, you must provide the following details:
•   SSH key pair
•   CA Certificate chain

Notes

■   Protocol versions IPv4 and IPv6 are supported.
■   For IPv6 tunnels, GigaVUE‑FM and the fabric components must be version 6.6.00 or above.
■   For UCT-V with a version lower than 6.6.00, if the secure tunnel is enabled in the monitoring session, secure mirror traffic will be transmitted over IPv4, regardless of IPv6 preference.

Configure Secure Tunnel from UCT-V to GigaVUE V Series Node

To configure a secure tunnel in UCT-V, you must configure one end of the tunnel on the UCT-V and the other end on the GigaVUE V Series Node. You must configure the CA Certificate chain in UCT-V, and the private keys and SSL certificates in the GigaVUE V Series Node. Refer to the following steps for configuration:

Step 1: Upload a CA Certificate chain in a single file

You must upload a CA Certificate chain for establishing a connection with the GigaVUE V Series Node.

To upload the CA using GigaVUE‑FM, follow the steps given below:

  1. Go to Inventory > Resources > Security > CA List.
  2. Click New to add a new Certificate Authority. The Add Custom Authority page appears.
  3. In the Alias field, enter the CA name.
  4. Enter or select the following information:

     Alias: Alias name of the CA.
     File Upload: Choose the certificate from the desired location.

  5. Select Save.

Note:  Ensure that the Intermediate CA Certificate(s) are included in the CA certificate chain file in the correct signing order, followed by the Root CA Certificate at the end.

For more information, refer to the section Adding Certificate Authority.

Step 2: Upload an SSL Key Pair

You must add an SSL key pair to the GigaVUE V Series Node. Follow the steps in the Upload SSL Keys section of SSL Decrypt for details.

Step 3: Select the SSL Key Pair while creating a monitoring domain and configuring the fabric components in GigaVUE‑FM

You must select the added SSL Key Pair in the GigaVUE V Series Node Key field while creating a monitoring domain and configuring the fabric components in GigaVUE‑FM. To select the SSL key pair, follow the steps in the section Configure GigaVUE Fabric Components in GigaVUE‑FM.

If the existing Monitoring Domain does not have an SSL key pair, you can add it by following these steps:

1. Select the Monitoring Domain for which you want to add the SSL key pair.
2. Select the Actions drop-down list and select Edit SSL Configuration. An Edit SSL Configuration window appears.
3. Select the CA in the UCT-V Agent Tunnel CA drop-down list.
4. Select the SSL key pair in the V Series Node SSL key drop-down list.
5. Select Save.

Step 4: Select the CA Certificate chain while creating the monitoring domain and configuring the fabric components in GigaVUE‑FM

You should select the added CA Certificate chain in UCT-V Controller. To select the CA Certificate chain, follow the steps in the section Configure GigaVUE Fabric Components in GigaVUE‑FM.

Step 5: Enable the secure tunnel

You should enable the secure tunnel feature to establish a connection between the UCT-V and the GigaVUE V Series Node. To enable the secure tunnel feature, follow these steps:

1. Go to Traffic > Virtual > Orchestrated Flows > Select your cloud platform.
2. Select a Monitoring Session from the Monitoring Sessions list view on the left side of the screen and click the TRAFFIC ACQUISITION tab.
3. Enable the Secure Tunnel button. You can enable secure tunnel for both mirrored and Precryption traffic.

Note:  When GigaVUE V Series Node is upgraded or deployed to 6.5, all the existing monitoring sessions will be redeployed, and individual TLS Tunnel End Points are created for each UCT-V.
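The chain-ordering note in Step 1 above (repeated in Step 1 of the next section) describes a file layout that is easy to get wrong, and an out-of-order bundle typically fails only later, when the tunnel handshake is rejected. The following Go program is an added example, not part of this document or of the GigaVUE product: it generates a throwaway root and intermediate CA in memory, writes them as a PEM bundle, and checks that every certificate is signed by the one that follows it, that every entry is a CA certificate, and that the last entry is a self-signed root, which is exactly the order the note requires. The function names CheckChainOrder and BuildSampleBundles, and the "(constructed)" subject names, are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CheckChainOrder verifies that a PEM bundle is ordered intermediate(s) first and root last:
// entry i must be signed by entry i+1, every entry must be a CA, and the last entry must be self-signed.
func CheckChainOrder(bundle []byte) error {
	var certs []*x509.Certificate
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			return fmt.Errorf("unexpected PEM block %q in chain file", block.Type)
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return errors.New("no certificates found in chain file")
	}
	for i, c := range certs {
		if !c.IsCA {
			return fmt.Errorf("entry %d (%s) is not a CA certificate", i, c.Subject.CommonName)
		}
		if i+1 < len(certs) {
			if err := c.CheckSignatureFrom(certs[i+1]); err != nil {
				return fmt.Errorf("entry %d (%s) is not signed by entry %d (%s): wrong order or wrong chain",
					i, c.Subject.CommonName, i+1, certs[i+1].Subject.CommonName)
			}
		}
	}
	last := certs[len(certs)-1]
	if err := last.CheckSignatureFrom(last); err != nil {
		return fmt.Errorf("last entry (%s) is not a self-signed root", last.Subject.CommonName)
	}
	return nil
}

// mintCA creates a CA certificate signed by parent, or self-signed when parent is nil.
// This is a constructed test PKI for the example only, not the product's certificates.
func mintCA(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// toPEM concatenates certificates into one PEM bundle in the order given.
func toPEM(certs ...*x509.Certificate) []byte {
	var out []byte
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// BuildSampleBundles returns a correctly ordered chain (intermediate, then root) and the
// same two certificates in reversed order, using a throwaway root and intermediate.
func BuildSampleBundles() (good, reversed []byte) {
	root, rootKey := mintCA("Example Root CA (constructed)", 1, nil, nil)
	inter, _ := mintCA("Example Intermediate CA (constructed)", 2, root, rootKey)
	return toPEM(inter, root), toPEM(root, inter)
}

func main() {
	good, reversed := BuildSampleBundles()
	fmt.Println("correct order:", CheckChainOrder(good))
	fmt.Println("reversed order:", CheckChainOrder(reversed))
}
```

To check a real bundle before uploading it, read the file into a byte slice and pass it to CheckChainOrder; the error message names the first entry whose issuer is not the entry after it, which is usually enough to spot a reversed or leaf-containing file.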

Configure Secure Tunnel between GigaVUE V Series Nodes

You can create a secure tunnel:

■   Between two GigaVUE V Series Nodes.
■   From one GigaVUE V Series Node to multiple GigaVUE V Series Nodes.

You must have the following details before you start configuring secure tunnels between two GigaVUE V Series Nodes:

■   IP address of the tunnel destination endpoint (Second GigaVUE V Series Node).
■   SSH key pair (pem file).

To configure a secure tunnel between two GigaVUE V Series Nodes, refer to the following steps:

Step 1: Upload a CA Certificate chain in a single file

You must upload a CA Certificate chain to UCT-V Controller to establish a connection between the GigaVUE V Series Nodes.

To upload the CA using GigaVUE‑FM, follow these steps:

  1. Go to Inventory > Resources > Security > CA List.
  2. Click Add to add a new Certificate Authority. The Add Certificate Authority page appears.
  3. Enter or select the following information:

     Alias: Alias name of the CA.
     File Upload: Choose the certificate from the desired location.

  4. Select Save.
  5. Select Deploy All.

Note:  Ensure that the Intermediate CA Certificate(s) are included in the CA certificate chain file in the correct signing order, followed by the Root CA Certificate at the end.

For more information, refer to the section Adding Certificate Authority.

Step 2: Upload an SSL Key Pair

You must add an SSL key pair to the GigaVUE V Series Node. Follow the steps in the section SSL Decrypt.

Step 3: Select the added SSL Key Pair while creating a Monitoring Domain

Select the SSL Key Pair added in Step 2 while creating a Monitoring Domain and configuring the fabric components in GigaVUE‑FM for the first GigaVUE V Series Node.

You must select the SSL Key Pair added in the first GigaVUE V Series Node.

To select the SSL key pair, follow the steps in the section Configure GigaVUE Fabric Components in GigaVUE‑FM.

Step 4: Select the added CA Certificate chain while creating the monitoring domain

You should select the added CA Certificate chain in UCT-V Controller. To select the CA Certificate chain, follow the steps in the section Configure GigaVUE Fabric Components in GigaVUE‑FM.

Step 5: Create a secure tunnel between UCT-V and the first GigaVUE V Series Node

You should enable the secure tunnel feature to establish a connection between the UCT-V and the first GigaVUE V Series Node. To enable the secure tunnel feature, follow these steps:

1. Go to Traffic > Virtual > Orchestrated Flows > Select your cloud platform.
2. Select a Monitoring Session from the Monitoring Sessions list view on the left side of the screen and click the TRAFFIC ACQUISITION tab.
3. Enable the Secure Tunnel button. You can enable secure tunnel for both mirrored and Precryption traffic.

Step 6: Create an egress tunnel from the first GigaVUE V Series Node with tunnel type TLS-PCAPNG while creating the Monitoring Session

You must create a tunnel for traffic to flow out from the first GigaVUE V Series Node, with tunnel type TLS-PCAPNG, while creating the monitoring session. Refer to Configure Monitoring Session for details about monitoring sessions.

To create the egress tunnel, follow these steps:

1. After creating a new Monitoring Session or on an existing Monitoring Session, navigate to the TRAFFIC PROCESSING tab. The GigaVUE‑FM Monitoring Session canvas page appears.
2. In the canvas, click the icon on the left side of the page to view the traffic processing elements. Select New > New Tunnel, then drag and drop a new tunnel template to the workspace. The Add Tunnel Spec quick view appears.
3. On the New Tunnel quick view, enter or select the following information:

   Alias: The name of the tunnel endpoint.
   Description: The description of the tunnel endpoint.
   Type: Select TLS-PCAPNG for creating the egress secure tunnel.
   Traffic Direction: Choose Out (Encapsulation) for creating an egress tunnel from the GigaVUE V Series Node to the destination. Select or enter the following values:
     o MTU - The default value is 1500.
     o Time to Live - Enter the value of the time interval till which the session needs to be available. The value ranges from 1 to 255. The default value is 64.
     o DSCP - Enter the Differentiated Services Code Point (DSCP) value.
     o Flow Label - Enter the Flow Label value.
     o Source L4 Port - Enter the Source L4 Port value.
     o Destination L4 Port - Enter the Destination L4 Port value.
     o Cipher - Only SHA 256 is supported.
     o TLS Version - Select TLS Version 1.3.
     o Selective Acknowledgments - Choose Enable to turn on TCP selective acknowledgments.
     o SYN Retries - Enter the number of times the SYN has to be retried. The value ranges from 1 to 6.
     o Delay Acknowledgments - Choose Enable to turn on delayed acknowledgments.
   Remote Tunnel IP: Enter the interface IP address of the second GigaVUE V Series Node (Destination IP).

4. Click Save.

Step 7: Select the added SSL Key Pair while creating a monitoring domain and configuring the fabric components in GigaVUE‑FM for the second GigaVUE V Series Node

You must select the added SSL Key Pair in the GigaVUE V Series Node. To select the SSL key pair, refer to the section Configure GigaVUE Fabric Components in GigaVUE‑FM.

Step 8: Create an ingress tunnel in the second GigaVUE V Series Node with tunnel type TLS-PCAPNG while creating the Monitoring Session for the second GigaVUE V Series Node

You must create an ingress tunnel for traffic to flow in from the first GigaVUE V Series Node, with tunnel type TLS-PCAPNG, while creating the monitoring session. Refer to Configure Monitoring Session for details about monitoring sessions.

To create the ingress tunnel, follow these steps:

1. After creating a new Monitoring Session or on an existing Monitoring Session, navigate to the TRAFFIC PROCESSING tab. The GigaVUE‑FM Monitoring Session canvas page appears.
2. In the canvas, click the icon on the left side of the page to view the traffic processing elements. Select New > New Tunnel, then drag and drop a new tunnel template to the workspace. The Add Tunnel Spec quick view appears.
3. On the New Tunnel quick view, enter or select the following information:

   Alias: The name of the tunnel endpoint.
   Description: The description of the tunnel endpoint.
   Type: Select TLS-PCAPNG for creating the secure tunnel.

   Note:  If you are enabling Secure tunnel in Monitoring Session with traffic acquisition method as UCT-V, you must not create TLS-PCAPNG Tunnel with direction IN, Destination L4 port 11443, and GigaVUE V Series Node version 6.5 and above.

   Traffic Direction: Choose In (Decapsulation) for creating an ingress tunnel that receives traffic from the first GigaVUE V Series Node. Select or enter the values as described in Step 6.
   IP Version: The version of the Internet Protocol. IPv4 and IPv6 are supported.
   Remote Tunnel IP: Enter the interface IP address of the first GigaVUE V Series Node (Destination IP).

4. Select Save.

For more information, refer to Secure Tunnels.