Configure GigaVUE Fabric Components in GigaVUE-FM
You can configure the following fabric components:
- UCT-V Controller
- GigaVUE V Series Proxy
- GigaVUE V Series Node
Prerequisite:
Create a Monitoring Domain in GigaVUE-FM to establish the connection between your AWS environment and GigaVUE-FM. Refer to Create a Monitoring Domain.
1. Go to Inventory > VIRTUAL > AWS.
2. Select the required Monitoring Domain and click Actions > Deploy Fabric. The AWS Fabric Launch Configuration page appears.
3. From the Centralized VPC drop-down list, select the alias of the centralized VPC in which the UCT-V Controllers, GigaVUE V Series Proxies, and GigaVUE V Series Nodes are launched.
Note: Click Check Permissions to ensure you have the required permissions for inventory, security groups, fabric launch, and IAM policy. Refer to Check Permissions while Configuring GigaVUE Fabric Components using GigaVUE‑FM for more details.
4. From the EBS Volume Type drop-down list, select one of the following Elastic Block Store (EBS) volume types to attach to the fabric components:
   - gp2 (General Purpose SSD)
   - io1 (Provisioned IOPS SSD)
   - Standard (Magnetic)
5. To encrypt the EBS volume with AWS Key Management Service (KMS), turn on the Enable Encryption toggle, and then, from the KMS Key drop-down list, select the required KMS key. Refer to Create a KMS Key in the AWS Documentation.
6. From the SSH Key Pair drop-down list, select the key pair that you created to launch the UCT-V Controller, GigaVUE V Series Node, and GigaVUE V Series Proxy from GigaVUE-FM. Refer to Create a key pair in the AWS Documentation.
7. From the Management Subnet drop-down list, select the subnet used for communication between the controllers and the nodes, and between these components and GigaVUE-FM.
8. From the Security Groups drop-down list, select one or more security groups you created for the GigaVUE fabric nodes. Refer to Security Group.
9. Turn on the Enable Custom Certificates toggle to validate the custom certificate during SSL communication. GigaVUE-FM validates the custom certificate against the Trust Store. If the certificate is not present in the Trust Store, communication does not happen and a handshake error occurs.
Note: If the certificate expires after the successful deployment of the fabric components, the fabric components move to the failed state.
10. From the Custom SSL Certificate drop-down list, select the custom certificate that you have already installed. Otherwise, select Create New to upload the custom certificate for GigaVUE V Series Nodes, GigaVUE V Series Proxies, and UCT-V Controllers. Refer to Install Custom Certificate on AWS.
11. Turn on the Prefer IPv6 toggle to deploy all the fabric controllers, and the tunnel between the hypervisor and the GigaVUE V Series Nodes, using IPv6 addresses. If no IPv6 address is available, an IPv4 address is used.
Note: You can enable this option only when deploying a new GigaVUE V Series Node. If you want to enable this option after deploying the GigaVUE V Series Node, you must delete the existing GigaVUE V Series Node and deploy it again with this option enabled.
12. Complete the required fields to configure the following GigaVUE Fabric Components:
   - UCT-V Controller: Configure UCT-V Controllers in the AWS cloud only if you want to capture traffic using UCT-Vs. A UCT-V Controller can manage only UCT-Vs that have the same version. If there is a version mismatch between the UCT-V Controllers and UCT-Vs, GigaVUE-FM cannot detect the UCT-Vs in the instances.
   - GigaVUE V Series Proxy: Turn on the Configure a V Series Proxy toggle if GigaVUE-FM cannot reach the management interface of the GigaVUE V Series Nodes directly over the network.
   - GigaVUE V Series Node: Creating a GigaVUE V Series Node profile automatically launches the GigaVUE V Series Nodes.
Note: Refer to GigaVUE Fabric Components Configuration – Field References.
13. Click Save.
GigaVUE Fabric Components Configuration – Field References
The following table lists and describes the fields you must complete to configure the UCT-V Controller, GigaVUE V Series Proxy, and GigaVUE V Series Node.
Field: Description

UCT-V Controller
- Configure UCT-V Controllers in the AWS cloud only if you want to capture traffic using UCT-Vs.
- A UCT-V Controller can manage only UCT-Vs that have the same version. If there is a version mismatch between the UCT-V Controllers and UCT-Vs, GigaVUE-FM cannot detect the UCT-Vs in the instances.

Controller Version(s): To add UCT-V Controllers:

Agent Tunnel Type: Select one of the following tunnel types to send the traffic from UCT-Vs to GigaVUE V Series Nodes:

Agent CA: Select the Certificate Authority (CA) you want to use to connect the tunnel. UCT-V uses this CA to verify the server-side certificate of the GigaVUE V Series Node. Note: Use this field only when configuring secure tunnels.

IP Address Type: Select one of the following IP address types:
- Private: Assigns an IP address that is not reachable over the Internet. You can use a private IP address for communication between the UCT-V Controller and GigaVUE-FM.
- Public: Assigns an IP address from Amazon's pool of public IP addresses. The public IP address changes every time the instance is stopped and restarted.
- Elastic: Assigns a static public IP address to your instance; ensure that you have an elastic IP address available in your VPC. The elastic IP address does not change when you stop or start the instance. From the Elastic IPs drop-down list, select the required IP addresses.

Additional Subnets: (Optional) If there are UCT-Vs on networks that are not IP routable from the management network, you must specify additional networks or subnets so that the UCT-V Controller can communicate with all the UCT-Vs. Click Add Subnet to select additional networks (subnets) if needed. Make sure to select a list of security groups for each additional network.

Tags: (Optional) The key name and value that help to identify the UCT-V Controller instances in your environment. For example, you might have UCT-V Controllers deployed in many regions. To distinguish these UCT-V Controllers by region, you can provide a name (also known as a tag) that is easy to identify, such as us-west-2-uctvcontrollers. To add a tag, click Add, and enter a Key and Value. For example, enter Name as the Key and us-west-2-uctv-controllers as the Value.

GigaVUE V Series Proxy

Version: GigaVUE V Series Proxy version.

Instance Type: Instance type for the GigaVUE V Series Proxy. The recommended minimum instance type is t2.micro. You can review and modify the number of instances for the Nitro-based instance types in the Configure AWS Settings page.

Number of Instances: Number of GigaVUE V Series Proxies to deploy in the monitoring domain.

Set Management Subnet: Use the toggle button to select a management subnet.

Set Security Groups: Set the toggle to Yes to select the security group that is created for the GigaVUE V Series Proxy. Refer to Security Group for more details.

IP Address Type: Select one of the following IP address types:
The elastic IP address does not change when you stop or start the instance.

Additional Subnets: (Optional) If there are GigaVUE V Series Nodes on subnets that are not IP routable from the management subnet, you must specify additional subnets so that the GigaVUE V Series Proxy can communicate with all the GigaVUE V Series Nodes. Click Add to specify additional subnets, if needed. Also make sure that you specify a list of security groups for each additional subnet.

Tags: (Optional) The key name and value that help to identify the GigaVUE V Series Proxy instances in your AWS environment.

GigaVUE V Series Node

SSL Key: Select the SSL key from the drop-down list.

Version: Enter the GigaVUE V Series Node version.

Instance Type: The instance type for the GigaVUE V Series Node. Refer to Recommended Instance Types for AWS for more details on the recommended instance types for the GigaVUE V Series Node. You can review and modify the number of instances for the Nitro-based instance types in the Configure AWS Settings page.

Volume Size: The size of the storage disk. The default volume size is 8 GB; the recommended volume size is 80 GB. Note: When using Application Metadata Exporter, the minimum recommended Volume Size is 80 GB.

IP Address Type: Select one of the following IP address types:
The elastic IP address does not change when you stop or start the instance.

Min Number of Instances: The minimum number of GigaVUE V Series Nodes that must be deployed in the Monitoring Domain. The minimum number of instances must be 1. When 0 is entered, no GigaVUE V Series Node is launched. Note: If the minimum number of instances is set to 0, the nodes are launched when a monitoring session is deployed, provided GigaVUE-FM discovers targets to monitor.

Max Number of Instances: The maximum number of GigaVUE V Series Nodes that can be deployed in the Monitoring Domain.

Data Subnets: The subnet that receives the mirrored GRE or VXLAN tunnel traffic from the UCT-Vs. Note: Using the Tool Subnet checkbox, you can indicate the subnets that the GigaVUE V Series Nodes use to egress the aggregated or manipulated traffic to the tools.

Tags: (Optional) The key name and value that help to identify the GigaVUE V Series Node instances in your AWS environment. For example, you might have GigaVUE V Series Nodes deployed in many regions. To distinguish these GigaVUE V Series Nodes by region, you can provide a name that is easy to identify, such as us-west-2-vseries. To add a tag:
Check Permissions while Configuring GigaVUE Fabric Components using GigaVUE‑FM
To check permissions from the AWS Fabric Launch page, follow the steps given below:
- In the AWS Fabric Launch page, enter the details as described in Configure GigaVUE Fabric Components in GigaVUE-FM.
- Click the Check Permissions button. The Check Permissions widget opens.
- The permission status for Inventory, Security Group, and Fabric Launch is displayed in this widget.
- Click the INVENTORY tab and click Check Inventory Permissions to view the required inventory permissions. Inventory permissions with the access status "Denied" may be missing from the IAM policy or restricted by a permissions boundary.
- Click the SECURITY GROUPS tab and click Check Security Group Permissions to view the ports that must be open in the security groups. Ports in the Denied state are not open in the security group. Ports with the status Explicit denied are blocked or restricted by the user. Ports with the status Partially configured have an incorrect IP address.
- Click the FABRIC LAUNCH tab and click Check Fabric Launch Permissions to view the permissions required for deploying the GigaVUE fabric components. Virtual machine permissions with the access status "Denied" may be missing from the IAM policy.
Note: The permissions "Microsoft.Compute/virtualMachines/write" and "Microsoft.Network/networkInterfaces/join/action" are dependent and cannot be validated separately. So, if either of the permissions is denied or not configured, both permissions are displayed as "Denied".
- The IAM POLICY tab lists a sample policy containing the required permissions for deploying the GigaVUE Cloud Suite for AWS. You must update the AWS IAM policy with the missing permissions that are highlighted in the JSON.
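The checks the widget performs can be reproduced offline before opening the Fabric Launch page: evaluate the IAM policy you intend to attach against the actions the deployment needs, and evaluate the security-group ingress rules against the ports and source ranges the components use. The script below is an added example and is not Gigamon code; the policy document, the ingress rules, and the lists of required actions and ports (REQUIRED_ACTIONS, REQUIRED_PORTS) are constructed placeholders, not the list GigaVUE-FM shows in the widget, which remains the authoritative source. It reports the same three port states the widget uses (open, Partially configured for a rule whose source range is wrong, Denied for no rule at all) and separates an action that is missing from the policy from one that an explicit Deny statement blocks, since only the first is fixed by adding the highlighted permissions to the JSON.

```python
"""Offline pre-flight check modelled on the Check Permissions widget.

Added example, not Gigamon code. Evaluates an IAM policy document and a set
of security-group ingress rules against ASSUMED requirements; the real
required actions and ports are the ones GigaVUE-FM lists in the widget.
"""
import fnmatch
import ipaddress
import json

# Constructed IAM policy document (a stand-in for the IAM POLICY tab sample).
SAMPLE_POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:CreateTags"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
})

# Assumed required actions per widget tab (placeholders, not Gigamon's list).
REQUIRED_ACTIONS = {
    "INVENTORY": ["ec2:DescribeInstances", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups"],
    "FABRIC LAUNCH": ["ec2:RunInstances", "ec2:CreateTags", "ec2:TerminateInstances", "iam:PassRole"],
}

# Constructed security-group ingress rules: (protocol, from_port, to_port, source CIDR).
SAMPLE_INGRESS = [
    ("tcp", 443, 443, "10.0.0.0/16"),
    ("tcp", 22, 22, "203.0.113.0/24"),
]

# Assumed port requirements: (label, protocol, port, CIDR the traffic comes from).
REQUIRED_PORTS = [
    ("HTTPS from GigaVUE-FM", "tcp", 443, "10.0.0.0/16"),
    ("SSH from management subnet", "tcp", 22, "10.0.1.0/24"),
    ("VXLAN tunnel from UCT-Vs", "udp", 4789, "10.0.2.0/24"),
]


def _as_list(value):
    # IAM accepts either a single string or a list for "Action".
    return [value] if isinstance(value, str) else list(value)


def action_status(policy, action):
    """Return ("Allowed" | "Denied", reason) for one IAM action.

    Matches Action patterns the way IAM does (case-insensitive, * and ?
    wildcards) and lets an explicit Deny win over any Allow. Conditions,
    NotAction and permissions boundaries are not evaluated here, so a real
    "Denied" in the widget may also come from a boundary.
    """
    allowed = denied = False
    for stmt in policy["Statement"]:
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            if stmt["Effect"] == "Allow":
                allowed = True
            elif stmt["Effect"] == "Deny":
                denied = True
    if denied:
        return "Denied", "explicit Deny statement"
    if allowed:
        return "Allowed", "matched Allow statement"
    return "Denied", "missing from policy"


def check_actions(policy_json, required=REQUIRED_ACTIONS):
    """Map each widget tab to {action: (status, reason)}."""
    policy = json.loads(policy_json)
    return {tab: {a: action_status(policy, a) for a in actions}
            for tab, actions in required.items()}


def missing_actions(policy_json, required=REQUIRED_ACTIONS):
    """Actions that must be added to the policy JSON (not explicit Denies)."""
    report = check_actions(policy_json, required)
    return sorted(a for tab in report.values()
                  for a, (_status, reason) in tab.items()
                  if reason == "missing from policy")


def port_status(rules, proto, port, source_cidr):
    """"Open", "Partially configured" (rule exists, wrong source) or "Denied"."""
    source = ipaddress.ip_network(source_cidr)
    matched = False
    for r_proto, low, high, cidr in rules:
        # "-1" is the AWS protocol value for "all traffic".
        if r_proto not in (proto, "-1") or not low <= port <= high:
            continue
        matched = True
        if source.subnet_of(ipaddress.ip_network(cidr)):
            return "Open"
    return "Partially configured" if matched else "Denied"


def check_ports(rules=SAMPLE_INGRESS, required=REQUIRED_PORTS):
    """Map each required port label to its widget-style status."""
    return {label: port_status(rules, proto, port, cidr)
            for label, proto, port, cidr in required}


if __name__ == "__main__":
    for tab, results in check_actions(SAMPLE_POLICY_JSON).items():
        print(tab)
        for action, (status, reason) in results.items():
            print(f"  {action:<30} {status:<8} ({reason})")
    print("Add to policy:", missing_actions(SAMPLE_POLICY_JSON))
    for label, status in check_ports().items():
        print(f"{label:<30} {status}")
```

With the constructed inputs, the inventory actions are allowed through the `ec2:Describe*` wildcard, `iam:PassRole` is reported as missing (the case the IAM POLICY tab highlights), `ec2:TerminateInstances` is denied by an explicit Deny that adding permissions will not fix, port 443 is open, port 22 is Partially configured because the rule's source range does not cover the management subnet, and UDP 4789 is Denied because no rule covers it. Replace the placeholder requirement lists with the actions and ports the widget reports for your deployment.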