Integrate Gigamon GigaVUE with the Packet Decoder

Document created by RSA Information Design and Development on Aug 30, 2017. Last modified by David O'Malley on Sep 5, 2017.
Version 3
  

There are two main tasks to configure the Gigamon® third-party Tap vendor packet capture solution:

Task 1. Integrate the Gigamon® solution.

Task 2. Configure a tunnel on Packet Decoder.

Task 1. Integrate the Gigamon Solution

Gigamon® Visibility Platform on AWS will be available through the AWS Marketplace and activated by a BYOL license. A thirty-day free trial is also available.

For more information on the Gigamon® solution, refer to the "Gigamon® Visibility Platform for AWS Data Sheet" (https://www.gigamon.com/sites/default/files/resources/datasheet/ds-gigamon-visibility-platform-for-aws-4095.pdf).

For deployment details, refer to the "Gigamon® Visibility Platform for AWS Getting Started Guide" (https://www.gigamon.com/sites/default/files/resources/deployment-guide/dg-visibility-platform-for-aws-getting-started-guide-4111.pdf).

After the "Monitoring Session" is deployed within the Gigamon GigaVUE-FM, you can configure the Security Analytics tunnel.

Task 2. Configure Tunnel on the Packet Decoder

  1. SSH to the Decoder.
  2. Submit the following command strings.

    $ sudo ip link add tun0 type gretap local any remote <ip_address_of_VSERIES_NODE_TUNNEL_INTERFACE> ttl 255

    $ sudo ip link set tun0 up mtu <MTU-SIZE>

    Verify that the tunnel tun0 appears in the list of interfaces:

    $ sudo ifconfig

    Make sure that the following kernel modules are loaded:

    $ sudo lsmod | grep gre

    ip_gre 18245 0

    ip_tunnel 25216 1

    If they are not loaded, run the following commands to load them:

    $ sudo modprobe act_mirred

    $ sudo modprobe ip_gre

  3. Create a firewall rule in the Packet Decoder to allow traffic through the tunnel.
    1. Open the iptables file.
      vi /etc/sysconfig/iptables
    2. Append the following line before the COMMIT statement.
      -A INPUT -p gre -j ACCEPT
    3. Restart iptables by executing the following commands.
      service iptables restart
      service ip6tables restart
  4. Set the interface in the Packet Decoder.
    1. Log in to Security Analytics and select the decoder/config node in Explorer view for the Packet Decoder service.
    2. Set the following parameter.
      capture.selected = packet_mmap_,tun0
  5. (Conditional) If you have multiple tunnels on the Packet Decoder:
    1. Restart the Decoder service after you create the tunnels on the Packet Decoder.
    2. Log in to Security Analytics, select the decoder/config node in Explorer view for the Packet Decoder service, and set the following parameters.

      capture.device.params = interfaces=tun0,tun1,tun2

      capture.selected = packet_mmap_,All

  6. Restart the Decoder service.
    $ sudo restart nwdecoder

    You should now be able to capture the network traffic on the Decoder.
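
Step 3 places the GRE rule directly before COMMIT, but iptables matches rules in order, so a rule placed after a catch-all REJECT or DROP on the INPUT chain never matches. The following added example (not RSA's code) inserts the rule ahead of such a catch-all when one exists and checks that the result is reachable. It assumes the Decoder's rules file may end with a catch-all, which the page does not show; the sample file, the function names and the optional source-address argument are constructed for illustration.

```shell
#!/bin/sh
# Added example, not RSA tooling. Both functions read an iptables rules file
# (the /etc/sysconfig/iptables format) on stdin.

# Constructed sample rules file, not copied from a real Decoder.
sample_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Write the rules to stdout with the GRE accept rule added to *filter.
# $1 is optional and an assumption of this example: a source address
# (the V Series node tunnel interface) to pin the rule to.
add_gre_rule() {
    awk -v src="${1:-}" '
        BEGIN { rule = "-A INPUT " (src != "" ? "-s " src " " : "") "-p gre -j ACCEPT" }
        /^\*/ { in_filter = ($0 == "*filter") }
        in_filter && $0 == rule { added = 1 }    # already present: add nothing
        # Rules match in order, so the GRE rule goes ahead of a catch-all
        # REJECT/DROP if there is one, otherwise directly before COMMIT.
        in_filter && !added && (/^-A INPUT -j (REJECT|DROP)( |$)/ || $0 == "COMMIT") {
            print rule; added = 1
        }
        { print }
    '
}

# Exit 0 only if a GRE accept rule sits ahead of any catch-all REJECT/DROP.
gre_rule_reachable() {
    awk '
        /^-A INPUT -j (REJECT|DROP)( |$)/ { exit }
        /^-A INPUT .*-p gre .*-j ACCEPT/  { ok = 1; exit }
        END { exit !ok }
    '
}

# Demo on the constructed sample: prints the patched rules.
sample_rules | add_gre_rule
```

Compare the output with the live file before installing it, then restart iptables as in step 3.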
