Configure Precryption in UCT-V
GigaVUE-FM allows you to enable or disable the Precryption feature for a monitoring session.
To enable or disable the Precryption feature in UCT-V, refer to Create monitoring session.
Rules and Notes
- To avoid packet fragmentation, set the precryption-path-mtu option in the UCT-V configuration file (/etc/uctv/uctv.conf) to a value in the range 1400-9000, based on the platform path MTU.
- Protocol versions IPv4 and IPv6 are supported.
- If you wish to use IPv6 tunnels, your GigaVUE-FM and the fabric components version must be 6.6.00 or above.
To create a new monitoring session with Precryption, follow these steps:
- In GigaVUE‑FM, on the left navigation pane, select Traffic > Virtual > Orchestrated Flows and select your cloud platform. The Monitoring Sessions page appears.
- Click New to open the Create a New Monitoring Session page.
- Enter the appropriate information for the monitoring session as described in the following table:
| Field | Description |
| --- | --- |
| Alias | The name of the monitoring session. |
| Monitoring Domain | The name of the monitoring domain that you want to select. |
| Connection | The connection(s) to include in the monitoring domain. Select each connection that needs to be part of the monitoring domain. |
- Click Next. The Edit Monitoring Session page appears with the new canvas.
- Click the Options button. The Monitoring Session Options dialog appears.
- Click the Precryption tab.
- Enable Precryption.
- Click Save. The Edit Monitoring Session page appears. You can now proceed to create maps and tunnels and to add applications.
Note: It is recommended to enable the secure tunnel feature whenever the Precryption feature is enabled. A secure tunnel transfers the cloud-captured packets or precrypted data securely to a GigaVUE V Series Node. For more information, refer to Secure Tunnel.
Validate Precryption connection
To validate the Precryption connection, follow these steps:
- To confirm it is active, navigate to the Monitoring Session dashboard and check the Precryption option, which should show yes.
- Click Status to view the configured rules.
Limitations
During precryption, the agent generates a TCP message whose payload is the captured clear text. The L3/L4 details of this TCP packet are obtained by probing the SSL connect/accept APIs. When SSL data is received on a specific interface, the default gateway's MAC address is used as the destination MAC address of the generated TCP packet. If the gateway is incorrectly configured, the destination MAC address could be all zeros.
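The two conditions described on this page, the precryption-path-mtu range in the Rules and Notes and the all-zero destination MAC in the Limitations, can both be checked offline against captured frames. The following is an added example, not part of Gigamon's documentation or the UCT-V code; the frames are constructed inline, and the gateway and agent MAC addresses are placeholders.

```python
import struct
from typing import Dict, List

# Range this page gives for precryption-path-mtu in /etc/uctv/uctv.conf.
MTU_MIN, MTU_MAX = 1400, 9000
ZERO_MAC = "00:00:00:00:00:00"


def validate_path_mtu(value: int) -> bool:
    """True when a precryption-path-mtu value is inside the supported 1400-9000 range."""
    return MTU_MIN <= value <= MTU_MAX


def parse_ethernet_frame(frame: bytes) -> Dict[str, object]:
    """Split a raw Ethernet II frame into dst MAC, src MAC, EtherType and L3 payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    return {"dst": fmt(dst), "src": fmt(src), "ethertype": ethertype, "payload": frame[14:]}


def check_precrypted_frame(frame: bytes, path_mtu: int) -> List[str]:
    """Report an all-zero destination MAC (misconfigured default gateway) and an L3
    payload larger than precryption-path-mtu (the packet will fragment)."""
    hdr = parse_ethernet_frame(frame)
    findings = []
    if hdr["dst"] == ZERO_MAC:
        findings.append("destination MAC is all zeros: check the default gateway configuration")
    if len(hdr["payload"]) > path_mtu:
        findings.append(
            f"L3 payload of {len(hdr['payload'])} bytes exceeds precryption-path-mtu {path_mtu}: fragmentation likely"
        )
    return findings


# Constructed sample frames (placeholder MACs, not real captures). EtherType 0x0800 = IPv4.
GATEWAY_MAC = bytes.fromhex("0a1b2c3d4e5f")
AGENT_MAC = bytes.fromhex("5e4d3c2b1a00")
GOOD_FRAME = GATEWAY_MAC + AGENT_MAC + b"\x08\x00" + b"\x45" + b"\x00" * 1399  # 1400-byte payload
BAD_FRAME = bytes(6) + AGENT_MAC + b"\x08\x00" + b"\x45" + b"\x00" * 1599      # zero dst MAC, 1600-byte payload

if __name__ == "__main__":
    configured_mtu = 1400
    print("mtu in range:", validate_path_mtu(configured_mtu))
    for name, frame in (("good", GOOD_FRAME), ("bad", BAD_FRAME)):
        print(name, check_precrypted_frame(frame, configured_mtu) or ["ok"])
```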