Configure Precryption in UCT-V
GigaVUE-FM allows you to enable or disable the Precryption feature for a monitoring session.
To enable or disable the Precryption feature in UCT-V, refer to Create monitoring session.
Rules and Notes
- To avoid packet fragmentation, set the precryption-path-mtu option in the UCT-V configuration file (/etc/uctv/uctv.conf) to a value in the range 1400-9000 that matches the platform path MTU.
- Both IPv4 and IPv6 are supported.
- Using IPv6 tunnels requires GigaVUE-FM and the fabric components version 6.6.00 or above.
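As an added pre-flight check (example code written for this page, not part of UCT-V or GigaVUE-FM), the script below reads the configured precryption-path-mtu, verifies that it lies within the documented 1400-9000 range, and compares it with the MTU of the host interface, which is an upper bound on the path MTU. It assumes that uctv.conf uses simple `key = value` lines and that the relevant interface is named eth0; both are assumptions, and a constructed sample configuration is used when the real file is not present.

```python
#!/usr/bin/env python3
"""Pre-flight check for the UCT-V precryption-path-mtu setting.

Added example, not Gigamon's code. Assumes /etc/uctv/uctv.conf uses
simple `key = value` lines (an assumption; check your file's real format).
"""
import re
from pathlib import Path
from typing import List, Optional

CONF_PATH = Path("/etc/uctv/uctv.conf")
OPTION = "precryption-path-mtu"
MTU_MIN, MTU_MAX = 1400, 9000          # range stated in the documentation

# Constructed sample configuration, used only when the real file is absent.
SAMPLE_CONF = """\
# constructed sample, not a real uctv.conf
log-level = info
precryption-path-mtu = 9100
"""

_LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*=\s*(\S+)\s*$")


def parse_path_mtu(conf_text: str) -> Optional[int]:
    """Return the configured precryption-path-mtu, or None if absent or not an integer."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        m = _LINE_RE.match(line)
        if m and m.group(1) == OPTION:
            try:
                return int(m.group(2))
            except ValueError:
                return None
    return None


def read_interface_mtu(ifname: str) -> Optional[int]:
    """Read a Linux interface MTU from sysfs; None when not available (e.g. not on Linux)."""
    try:
        return int(Path(f"/sys/class/net/{ifname}/mtu").read_text().strip())
    except (OSError, ValueError):
        return None


def check_path_mtu(configured: Optional[int], platform_mtu: Optional[int]) -> List[str]:
    """Return a list of findings; an empty list means the setting looks safe."""
    findings: List[str] = []
    if configured is None:
        findings.append(f"{OPTION} is not set; the default may not match the platform path MTU")
        return findings
    if not MTU_MIN <= configured <= MTU_MAX:
        findings.append(f"{OPTION}={configured} is outside the supported range {MTU_MIN}-{MTU_MAX}")
    if platform_mtu is not None and configured > platform_mtu:
        findings.append(f"{OPTION}={configured} exceeds the interface MTU {platform_mtu}; "
                        "precrypted packets will be fragmented on the path")
    return findings


if __name__ == "__main__":
    text = CONF_PATH.read_text() if CONF_PATH.exists() else SAMPLE_CONF
    configured = parse_path_mtu(text)
    platform = read_interface_mtu("eth0")     # assumed interface name
    for finding in check_path_mtu(configured, platform) or ["OK: precryption-path-mtu looks consistent"]:
        print(finding)
```

Run it on the UCT-V host before enabling Precryption; the interface MTU is only an upper bound, so if an intermediate hop on the tunnel path has a smaller MTU, lower the value accordingly.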
To create a new monitoring session with Precryption, follow these steps:
- On the left navigation pane in GigaVUE‑FM, select Traffic > Virtual > Orchestrated Flows and select your cloud platform. The Monitoring Sessions page appears.
- Select New to open the Create a New Monitoring Session page.
- Enter the appropriate information for the monitoring session:
  - In the Alias field, enter the name of the monitoring session.
  - In the Monitoring Domain field, enter the name of the monitoring domain that you want to select.
  - In the Connection field, enter the desired connection(s) to include as part of the monitoring domain. You can select the connections required for the monitoring domain.
- Select Next. The Edit Monitoring Session page appears with the new canvas.
- Select the Options button. The Monitoring Session options appear.
- Select the Precryption tab.
- Enable Precryption.
- Select Save. The Edit Monitoring Session page appears. You can proceed to create maps and tunnels and to add applications.
Note: We recommend enabling the secure tunnel feature whenever the Precryption feature is enabled. Secure tunnel securely transfers the cloud-captured packets or precrypted data to a GigaVUE V Series Node. For more information, refer to Secure Tunnel.
Validate Precryption connection
To validate the Precryption connection, follow these steps:
- Navigate to the Monitoring Session dashboard and check the Precryption option. A Yes status indicates an active state.
- Select Status to view the rules configured.
Limitations
During precryption, the agent generates a TCP message and captures the payload in clear text. It probes the SSL connect and accept APIs to extract Layer 3 and Layer 4 (L3/L4) details from the packet. When the agent receives the SSL data on a specific interface, it sets the default gateway's MAC address as the destination MAC address for the TCP packet. If the gateway is misconfigured, the agent sets the destination MAC address to all zeros.
For more information, refer to Precryption™.