Configure Secure Tunnel
Secure tunnel can be configured for the following traffic types:
• Precrypted traffic
• Mirrored traffic
Precrypted Traffic
You can send precrypted traffic through a secure tunnel. When the secure tunnel for precryption is enabled, each packet is framed in PCAPng format and written to the TLS socket.
When you enable the secure tunnel option for both regular (mirrored) and precrypted packets, two separate TLS secure tunnel sessions are created, one for each traffic type.
It is recommended to always enable secure tunnels for precrypted traffic: precrypted packets are captured before the application encrypts them, so they carry sensitive data in the clear and must not cross the network unprotected.
For more information about PCAPng, refer to PCAPng Application.
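The framing described above, as an added illustration that is not Gigamon's code: packets are wrapped in PCAPng blocks (a Section Header Block and an Interface Description Block once, then one Enhanced Packet Block per packet) and handed to a stream writer such as a TLS socket's `sendall`. The receiving side must reassemble blocks from a byte stream, because TLS, like TCP, does not preserve message boundaries. The block names, the `PcapngStream`/`PcapngReader` classes and the sample Ethernet frames are constructed for this example; the block layout follows the PCAPng specification.

```python
"""Added example: PCAPng framing of packets for transport over a stream
socket (such as a TLS tunnel) and incremental parsing on the receiver.
Illustrative code written for this page, not Gigamon's implementation."""
import struct

SHB_TYPE, IDB_TYPE, EPB_TYPE = 0x0A0D0D0A, 0x00000001, 0x00000006
BYTE_ORDER_MAGIC = 0x1A2B3C4D
LINKTYPE_ETHERNET = 1


def _block(block_type, body):
    """Generic PCAPng block: type, total length, body padded to 32 bits,
    and the total length repeated as a trailer."""
    padded = body + b"\x00" * (-len(body) % 4)
    total = 8 + len(padded) + 4
    return struct.pack("<II", block_type, total) + padded + struct.pack("<I", total)


def section_header():
    # little-endian, version 1.0, section length -1 (unknown, since we stream)
    return _block(SHB_TYPE, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))


def interface_block(linktype=LINKTYPE_ETHERNET, snaplen=0):
    # linktype, reserved, snaplen (0 = no limit); no options
    return _block(IDB_TYPE, struct.pack("<HHI", linktype, 0, snaplen))


def packet_block(iface_id, ts_us, data, orig_len=None):
    """Enhanced Packet Block; timestamp in microseconds (default if_tsresol)."""
    orig_len = len(data) if orig_len is None else orig_len
    hdr = struct.pack("<IIIII", iface_id, ts_us >> 32, ts_us & 0xFFFFFFFF,
                      len(data), orig_len)
    return _block(EPB_TYPE, hdr + data)


class PcapngStream:
    """Sender side: SHB + IDB once, then one EPB per packet.
    `write` is any callable taking bytes, e.g. tls_sock.sendall (assumed)."""
    def __init__(self, write, linktype=LINKTYPE_ETHERNET):
        self._write, self._linktype, self._started = write, linktype, False

    def send(self, ts_us, data):
        if not self._started:
            self._write(section_header() + interface_block(self._linktype))
            self._started = True
        self._write(packet_block(0, ts_us, data))


class PcapngReader:
    """Receiver side: feed() arbitrary chunks and collect complete blocks.
    Lengths are validated before use so a bad peer cannot force huge
    allocations or desynchronise the parser."""
    MAX_BLOCK = 1 << 20

    def __init__(self):
        self._buf = bytearray()
        self.interfaces = []   # (linktype, snaplen)
        self.packets = []      # (iface_id, ts_us, data, orig_len)

    def feed(self, chunk):
        self._buf += chunk
        while len(self._buf) >= 8:
            btype, total = struct.unpack_from("<II", self._buf, 0)
            if total < 12 or total % 4 or total > self.MAX_BLOCK:
                raise ValueError("malformed block length %d" % total)
            if len(self._buf) < total:
                return                       # wait for the rest of the block
            block = bytes(self._buf[:total])
            del self._buf[:total]
            if struct.unpack_from("<I", block, total - 4)[0] != total:
                raise ValueError("trailing length mismatch")
            self._handle(btype, block[8:total - 4])

    def _handle(self, btype, body):
        if btype == SHB_TYPE:
            magic, major, _, _ = struct.unpack_from("<IHHq", body, 0)
            if magic != BYTE_ORDER_MAGIC or major != 1:
                raise ValueError("unsupported section header")
        elif btype == IDB_TYPE:
            linktype, _, snaplen = struct.unpack_from("<HHI", body, 0)
            self.interfaces.append((linktype, snaplen))
        elif btype == EPB_TYPE:
            iface, hi, lo, caplen, orig = struct.unpack_from("<IIIII", body, 0)
            if iface >= len(self.interfaces) or caplen > len(body) - 20:
                raise ValueError("EPB references unknown interface or overruns body")
            self.packets.append((iface, (hi << 32) | lo, body[20:20 + caplen], orig))
        # other block types (NRB, ISB, ...) are skipped


def roundtrip_demo(chunk_size=7):
    """Frame two constructed Ethernet frames, then replay the byte stream to
    the reader in small chunks to show reassembly. Returns parsed packets."""
    pkt1 = bytes.fromhex("ffffffffffff0011223344550800") + b"payload-one"
    pkt2 = bytes.fromhex("0011223344556677889900aa0800") + b"p2"
    wire = bytearray()
    stream = PcapngStream(wire.extend)          # stands in for tls_sock.sendall
    stream.send(1_700_000_000_000_000, pkt1)    # microseconds since epoch
    stream.send(1_700_000_000_000_500, pkt2)
    reader = PcapngReader()
    for i in range(0, len(wire), chunk_size):
        reader.feed(bytes(wire[i:i + chunk_size]))
    return reader.packets
```

Running `roundtrip_demo()` returns both packets with their timestamps intact even though the stream was delivered in 7-byte pieces; the length checks in `feed()` are the part worth keeping in any real receiver.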
Mirrored Traffic
You can enable the secure tunnel for mirrored traffic. By default, the secure tunnel is disabled.
Refer to the following sections for secure tunnel configuration:
• Configure Secure Tunnel from UCT-V to GigaVUE V Series Node
• Configure Secure Tunnel from GigaVUE V Series Node 1 to GigaVUE V Series Node 2
Prerequisites
Inbound TCP port 11443 must be allowed in the security group settings of the node that terminates the tunnel (the GigaVUE V Series node), otherwise the TLS connection cannot be established.
While creating the secure tunnel, you must provide the following details:
• SSL key pair (private key and certificate, in PEM format) for the GigaVUE V Series node
• CA certificate that issued the node certificate, for the UCT-V side
Configure Secure Tunnel from UCT-V to GigaVUE V Series Node
To configure a secure tunnel in UCT-V, you configure one end of the tunnel on the UCT-V and the other end on the GigaVUE V Series node. The UCT-V side holds the CA certificate, which it uses to verify the certificate presented by the node, and the GigaVUE V Series node holds the private key and SSL certificate. The node certificate must therefore be issued by the CA whose certificate you upload to UCT-V, or the tunnel will fail verification. Refer to the following steps for configuration:
| S. No | Task | Refer to |
|---|---|---|
| 1 | Upload a Certificate Authority (CA) certificate | You must upload the CA certificate to the UCT-V Controller so that UCT-V can verify the GigaVUE V Series node when establishing the connection. To upload the CA using GigaVUE-FM, follow the steps in the section Adding Certificate Authority. |
| 2 | Upload an SSL key | You must add an SSL key (private key and certificate) to the GigaVUE V Series node. To add the SSL key, follow the steps in the section SSL Decrypt. |
| 3 | Enable the secure tunnel | You must enable the secure tunnel feature to establish a connection between the UCT-V and the GigaVUE V Series node. Note: When GigaVUE V Series is upgraded or deployed to 6.5, all existing monitoring sessions are redeployed, and individual TLS TEPs (tunnel endpoints) are created for each agent. |
| 4 | Select the SSL key while creating a monitoring domain and configuring the fabric components in GigaVUE-FM | You must select the added SSL key for the GigaVUE V Series node while creating a monitoring domain and configuring the fabric components in GigaVUE-FM. To select the SSL key, follow the steps in the section Configure GigaVUE Fabric Components in GigaVUE-FM. If the existing monitoring domain does not have an SSL key, you can add it by following the given steps. |
| 5 | Select the CA certificate while creating the monitoring domain and configuring the fabric components in GigaVUE-FM | You must select the added Certificate Authority (CA) certificate for the UCT-V Controller. To select the CA certificate, follow the steps in the section Configure GigaVUE Fabric Components in GigaVUE-FM. |
Configure Secure Tunnel from GigaVUE V Series Node 1 to GigaVUE V Series Node 2
You can create a secure tunnel in the following ways:
• Between GigaVUE V Series Node 1 and GigaVUE V Series Node 2
• From GigaVUE V Series Node 1 to multiple GigaVUE V Series nodes
You must have the following details before you start configuring the secure tunnel from GigaVUE V Series Node 1 to GigaVUE V Series Node 2:
• IP address of the tunnel destination endpoint (GigaVUE V Series Node 2). Node 2 terminates the TLS connection, so inbound TCP port 11443 must be allowed on it.
• SSL key pair (private key and certificate, as a PEM file).
To configure the secure tunnel from GigaVUE V Series Node 1 to GigaVUE V Series Node 2, refer to the following steps:
| S. No | Task | Refer to |
|---|---|---|
| 1 | Upload a Certificate Authority (CA) certificate | You must upload the CA certificate to the UCT-V Controller for establishing the connection to GigaVUE V Series Node 1. To upload the CA using GigaVUE-FM, follow the steps in the section Adding Certificate Authority. |
| 2 | Upload an SSL key | You must add an SSL key (private key and certificate) to each GigaVUE V Series node that terminates a tunnel. |
| 3 | Create a secure tunnel between the UCT-V and GigaVUE V Series Node 1 | You must enable the secure tunnel feature to establish a connection between the UCT-V and GigaVUE V Series Node 1. |
| 4 | Select the added SSL key while creating a monitoring domain | Select the added SSL key for GigaVUE V Series Node 1 while creating a monitoring domain and configuring the fabric components in GigaVUE-FM. To select the SSL key, follow the steps in the section Configure GigaVUE Fabric Components in GigaVUE-FM. |
| 5 | Select the added CA certificate while creating the monitoring domain | You must select the added Certificate Authority (CA) certificate for the UCT-V Controller. To select the CA certificate, follow the steps in the section Configure GigaVUE Fabric Components in GigaVUE-FM. |
| 6 | Create an egress tunnel from GigaVUE V Series Node 1 with tunnel type TLS-PCAPNG while creating the monitoring session | You must create a tunnel for traffic to flow out of GigaVUE V Series Node 1 with tunnel type TLS-PCAPNG while creating the monitoring session. Refer to Configure Monitoring Session for details about monitoring sessions. |
| 7 | Select the added SSL key while creating a monitoring domain and configuring the fabric components in GigaVUE-FM for GigaVUE V Series Node 2 | You must select the added SSL key for GigaVUE V Series Node 2, which terminates the tunnel from Node 1. |
| 8 | Create an ingress tunnel on GigaVUE V Series Node 2 with tunnel type TLS-PCAPNG while creating the monitoring session for Node 2 | You must create an ingress tunnel for traffic to flow in from GigaVUE V Series Node 1 with tunnel type TLS-PCAPNG while creating the monitoring session. Refer to Configure Monitoring Session for details about monitoring sessions. |
For more information, refer to Secure Tunnels.