Gigamon GigaVUE-OS Security Hardening Guide User Guide
- June 9, 2024
- Gigamon
Table of Contents
- GigaVUE-OS Security Hardening Guide
- Introduction
- Physical Control
- Network Controls
- Best Practices for Security Hardening
- GigaVUE-OS Security Hardening
- Security Options
- Common Criteria
- Additional Sources of Information
- Glossary
- References
- Read User Manual Online (PDF format)
- Download This Manual (PDF format)
GigaVUE-OS Security Hardening Guide
GigaVUE Cloud Suite
Product Version: 6.2
Document Version: 1.0
Last Updated: Wednesday, February 15, 2023
(See Change Notes for document updates.)
GigaVUE-OS Security Hardening Guide
Copyright 2023 Gigamon Inc.. All rights reserved.
Information in this document is subject to change without notice. The software
described in this document is furnished under a license agreement or
nondisclosure agreement. No part of this publication may be reproduced,
transcribed, translated into any language, stored in a retrieval system, or
transmitted in any form or any means without the written permission of Gigamon
Inc..
Trademark Attributions
Gigamon and the Gigamon logo are trademarks of Gigamon in the United States
and/or other countries.
Gigamon trademarks can be found at www.gigamon.com/legal-
trademarks. All other trademarks are
the trademarks of their respective owners.
Gigamon Inc.
3300 Olcott Street
Santa Clara, CA 95054
408.831.4000
Change Notes
When a document is updated, the document version number on the cover page
will indicate a new version and will provide a link to this Change Notes
table, which will describe the updates.
Product Version | Document Version | Date Updated | Change Notes |
---|---|---|---|
6.2.00 | 1.0 | 02/15/2022 | The original release of this document with 6.2.00 GA |
GV-OS-Security
Get started with GigaVUE Security Hardening
This guide provides the best practices on securing the GigaVUE operating
system.
Introduction
This guide provides you information on the options that are available in the
GigaVUE-OS to harden a device against attack by threat actors and other threat
vectors, such as brute for attacks.
This document is intended for an audience who is familiar with the
configuration of GigaVUE-OS Appliances.
Physical Control
Physical access to any device can result in equipment that has been tampered
with, both in transit and also after it is deployed. Before deploying, you
must ensure that the device must be stored in safe location and also verify
that the device is not tampered with before installation.
Checking for tampering
When shipped from the factory, all GigaVUE appliances are provided in a sealed
box. You must inspect the box before installation to ensure that it has not
been opened.
Anti-tampering stickers
Tampering of the GigaVUE Appliance can be detected using Anti-Tampering
Stickers which Gigamon provides for purchase. These ensure that any physical
intrusion into the chassis of the device can be easily detected. Instructions
for best placement of the Anti-Tampering stickers is provided. Incorrect
placement of sticker might result in closing of ventilation holes which can
adversely affect the air flow required for cooling the appliance.
Disabling the Serial Interface
GigaVUE Appliance must be installed in a physically secure environment. It is
recommended to disable the serial interface. The login to GigaVUE-OS using
serial port is secured by authentication methods (i.e. local / TACACS+ /
RADIUS).
By default, the serial port session does not log out when a serial port is
disconnected. You must configure the session time.
NOTE: Access to the serial port is required to reset the device. If you
lose the login credentials for the GigaVUE-OS appliance, you will not be able
to factory-reset the device. It requires a RMA which will have associated
costs.
To disable the Serial Interface, run the command no serial enable.
gigavue-appliance > enable
gigavue-appliance # configure terminal
gigavue-appliance (config) # no serial enable
Disable serial console will make serial connection unusable.
Only use this config command when you have available telnet/ssh connections.
Enter ‘YES’ to confirm this operation: YES
Serial Console disabled.
gigavue-appliance (config) #
You can enable the serial interface by running the command serial enable
gigavue-appliance (config) # serial enable
Serial Console enabled.
gigavue-appliance (config) #
Network Controls
Overview of IP Filter
The GigaVUE-OS Appliance allows the administrator to drop undesired
connections from the network received on the management interface. It prevents
unauthorized access to and from the interface. For example, you can restrict a
syslog server that can communicate with the GigaVUE Appliance.
An IP filter is a chain of rules for the treatment of packets. It comprises of
the following chains:
- FORWARD: It is used for forwarding the traffic from one interface to another. The forward chain is not used under normal operations. The default policy for this chain is DROP.
- INPUT: It is used for the traffic that is received by the interface and the destination of the traffic is the GigaVUE Appliance. The default policy for this chain is DROP.
- OUTPUT: It is used for the traffic being sent from the GigaVUE Appliance. This is used to restrict the remote systems that can be accessed by the GigaVUE appliance. For example, remote Syslog Servers or connecting to SCP/FTP/HTTP/HTTP Servers. The default policy for this chain is ACCEPT.
The Chain that is to be applied to the packet is determined by its source and
destination. For example, a user connecting to the GigaVUE appliance using SSH
will have the INPUT Chain and its rules applied to the session. A user logged
into the GigaVUE appliance who is trying to connect from the GigaVUE appliance
to a remote system will have the OUTPUT Chain and its rules applied to the
session.
Each of the above Chains has a set of rules which are processed in order.
The INPUT Chain has a policy set to DROP. If there is no match in the rules
for the packets, then the packets will be dropped.
There are six rules in this Chain. The function of each rule is:
- Accepts all ICMP packets from any source to any destination.
- Accepts all IGMP packets from any source to any destination.
- Accepts all the packets where there is an established or related session. For example, accepting packets in both directions of a flow ( SSH Client to GigaVUE Appliance / GigaVUE Appliance to SSH Client).
- Allows all communications for the loopback (lo) interface.
- Accepts all communications from the subnet 12.00.1.0/24 to any destination .
- Accepts all communications to the subnet 12.00.1.0/24 from any destination.
Rules 5 and 6 allow connections from the subnet 12.00.1.0/24. This is being
used internally within the GigaVUE Appliance to allow the Management Board to
communicate with GigaSMART. The traffic to/from these IP’s do not appear on
the physical network and that these connections between the Management Board
and GigaSMART are authenticated.
There is a Policy associated with each Chain, which can be set to ACCEPT or
DROP the targets. If the Policy is set to DROP, and there are no matches for
the incoming packets in the rules of the Chain, then the packet will be
dropped. If the Policy is set to ACCEPT and if there are no matches for the
incoming packets in the rules of the Chain, then the packet will be accepted.
For more information on IP Security Chain, refer the IP Filter Chains for
Security topics in the GigaVUE-OS CLI Reference Guide.
Best Practices for Security Hardening
The following sections list best practices for security:
- Use of SNMPv1 and SNMPv2 are Not Recommended
- Use of Self-Signed Certificates are Not Recommended
- Use of FTP and TFTP are Not Recommended
- Use of Secure Cryptography Mode to Run Scans is Recommended
- Change the Password on admin Account
- Best Practices for Passwords
Use of SNMPv1 and SNMPv2 are Not Recommended
Using SNMPv1 and SNMPv2 are not recommended because they authenticate using
unencrypted, plaintext community strings.
Using SNMPv3 is recommended for access to the SNMP agent, as well as to SNMP
traps. SNMPv3 authenticates using encrypted community strings. For more
information, refer to Use SNMP.
Use of Self-Signed Certificates are Not Recommended
Using self-signed TLS/SSL certificates are not recommended.
Certificates generated by a third party certification authority are
recommended because they are issued by a Certification Authority (CA). Refer
to SHA1-Based Signature in TLS/SSL Server X.509
Certificate
for how to obtain a third party certificate.
Use of FTP and TFTP are Not Recommended
Using FTP or TFTP for file transfers is not recommended.
Using SFTP, SCP, or HTTPS is recommended for uploading or downloading files to
or from GigaVUE
Cloud Suite nodes.
Use of Enhanced Cryptography Mode to Run Scans is Recommended
Using secure cryptography mode to run scans is recommended.
Refer to Configure Enhanced Cryptography
Mode
for more information.
When a scan includes password brute force testing, it is recommended to
disable locking users due to many attempts.
To disable lockout of accounts based on failed authentication attempts, select
Settings > Authentication > AAA. Under Lockout, unselect Enable Lockout.
GigaVUE-OS Security Hardening
To harden the GigaVUE Cloud Suite operating system, GigaVUE-OS, against
security threats, Gigamon fixes known vulnerabilities, keeps up-to-date any OS
components that provide remote access (such as Apache, SSH, SSHD, and
OpenSSL), and analyzes the system for attack vectors.
GigaVUE Cloud Suite nodes run the GigaVUE-OS, which is hardened against the
following:
- SHA1-Based Signature in TLS/SSL Server X.509 Certificate
- ICMP Timestamp Response
- TCP Timestamp Response
- Non-Standard SNMP Community Name
SHA1-Based Signature in TLS/SSL Server X.509 Certificate
Certificates generated by a third party certification authority are more
secure than self-signed certificates. High strength ciphers with key lengths
equal to or greater than 112 bits are also more secure than ciphers with less
than 112 bits.
GigaVUE-OS supports TLS/SSL server X.509 certificates, including SHA2-256 and
SHA2-512-based certificates, as well as SHA1-based certificates.
However, SHA1 has known weaknesses that expose it to collision attacks, which
may allow an attacker to generate additional X.509 certificates with the same
signature as the original.
Therefore, when a third party certificate is requested, SHA2-256 or SHA2-512
should be requested as the signature algorithm, and not SHA1.
To obtain a third party certificate, on Linux or Linux app (such as Cygwin),
generate a private key as follows:
- openssl req -new -key privkey.pem -out cert.csr
The file, cacert.pem will be sent to a third party certificate authority,
which will generate a certificate.
The ciphers supported with TLS v1.0, 1.1, and 1.2 are listed in Table 1:
Supported Ciphers with TLS v1.0 and v1.1 and Table 2: Supported Ciphers with
TLS v1.2.
Table 1: Supported Ciphers with TLS v1.0 and v1.1
Modern Ciphers | Classical Ciphers |
---|---|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA |
(0x16)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)|
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)| TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
(0xc008)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)|
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88)|
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45)|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)|
The ciphers supported with TLS v1.2 are listed in Table 2: Supported Ciphers
with TLS v1.2.
Table 2: Supported Ciphers with TLS v1.2
Authenticated Encryption with Additional Data (AEAD) Ciphers| SHA-2
Ciphers
---|---
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc14)|
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc13)|
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc15)|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)|
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)|
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)|
ICMP Timestamp Response
The GigaVUE-OS does not respond to Internet Control Message Protocol (ICMP)
timestamp requests The response to such a request is an ICMP timestamp
response. The response can contain the date and time from a GigaVUE Cloud
Suite node, which could be used to exploit weak time-based random number
generators in other services on the node, therefore this is disabled.
In addition, ICMP echo broadcasts, including timestamp requests and responses,
are disabled, since ICMP echo requests may be used for Denial of Service (DoS)
attacks, such as packet flooding.
TCP Timestamp Response
The GigaVUE-OS does not respond to Transmission Control Protocol (TCP)
timestamp requests.
The response to such a request is a TCP timestamp response. The response can
be used to approximate the uptime of the GigaVUE Cloud Suite node, which can
then be used in is DoS attacks.
In addition, some operating systems can be fingerprinted based on the behavior
of their TCP timestamps, therefore this is disabled.
Non-Standard SNMP Community Name
Gigamon does not recommend using the default SNMP community string, public. It
recommends using a non-standard SNMP community name, gigamon.
For steps to protect against SNMP vulnerabilities, refer to Use SNMP chapter.
Security Options
This chapter describes how to set options relating to security – who can log
into the node, how they are authenticated, and what rights they have once
logged in.
The chapter includes the following topics:
- About Security and Access
- Authentication and Authorization (AAA)
- Supported Clients
- Default Ports
- FIPS 140-2 Compliance
- UC APL Compliance
- Common Criteria
About Security and Access
The GigaVUE HC Series nodes provide an interlocking set of options that let
you create a comprehensive security strategy for the node. These options are
summarized in the following table:
Security Tools | Description |
---|---|
Roles/Groups | Roles specify which users have access to a given port. The |
following built-in roles are provided:
● Admin – This role provides access to all command modes, including Standard,
Enable, and Configure. Admin users also have access to all commands and all
ports. They are also members of all groups.
● Default – This role also provides access to all command modes. Users with
the Default Role has no access to unassigned ports. New users are created with
the Default role automatically. However, you can remove it if you do not want
to allow a user access to unassigned ports
● Monitor – This built-in role provides view-only access to ports and
configurations
Administrators create additional custom roles and assign them to users
together with the Default role. For example, if you create a role named
Security_Team and assign it to tool port 5/1/x2, users assigned the
Security_Team role will be able to access tool port 5/1/x2. Conversely, users
without a role that gives them some access to tool port 5/1/x2 will not even
be able to see it in the CLI. Users can have multiple assigned roles, allowing
administrators to fine-tune access to the Visibility Platform.
Permissions| Administrators assign Permissions to specify what users can do
with a port to which they have access. You can assign the following permission
levels:
● Level 1: Can view the port but cannot make any changes to port settings or
maps. When applied to a network port, can view maps attached to the network
port. This level is used for users who only need to monitor the activities of
the port.
● Level 2: Can use the port for maps, create tool-mirror to/from port, and
change egress port filters. Can configure port-lock, lock-share, and all
traffic objects except port-pair. Also includes all Level 1 permissions.
● Level 3: Can configure port parameters (such as administrative status of
the port, speed, duplex, and autonegotiation), as well as create port pairs.
Also includes all Level 2 and Level 1 permissions.
● Level 4: Can change the port type. Also includes all Level 3, 2, and 1
permissions.
Permissions are hierarchical so that higher levels include all lower-level
permissions (for example, a Level 3 user also has Level 2 permissions and can
configure all traffic distribution, set locks, and share locks).
Administrators can configure permissions differently on a port-by-port basis
for a given role. This can be useful in situations where you want to give a
group full authority to reconfigure maps and port parameters for a set of tool
ports but only map creation permissions for a network port shared with other
groups.
Port Locking/Sharing| Port locking lets a user with Level 2+ access to a port
prevent other users from changing any settings for a locked port. This is
useful in situations where a user needs undisturbed access to a port for
short-term troubleshooting.
When a port is locked, all users with Level 2+ access to the port will
temporarily only have Level 1 access (read-only). Normal configured
permissions are restored when the lock is released.
Users can also share a locked port with any other specified user. Sharing a
locked port provides the account with whom the port is shared the same port
permissions as the account sharing the port.
So, for example, if UserX has Level 2 permissions on port 12/5/x3, he can
share a lock on 12/5/x3 with any other user account, providing them with Level
2 permissions regardless of their normal privileges on the port.
Security Tools| Description
---|---
Authentication| The GigaVUE Cloud Suite HC Series node can authenticate users
against a local user database or against the database stored on an external
authentication server (LDAP, RADIUS, or TACACS+).
Admin users can specify the authentication methods used for logging in using
AAA Authentication.
NOTE: The serial console port always retains local authentication as a
fallback option to prevent unintended lockouts.
Management Port Security
Management port security lets you restrict the exchange of packets through the
management port by creating an access control list to restrict user and SNMP
access.
Use the CLI to access and configure the Management port and Console port. For
instructions, refer to the GigaVUE-OS CLI Reference Guide.
NOTE: Exercise caution when using the following configuration example
described in the GigaVUE-OS CLI Reference Guide so as not to interfere with
communications through the backplane or within a cluster.
Authentication and Authorization (AAA)
Use the AAA page for authentication, authorization, and accounting settings
for the GigaVUE HC Series node. In general, configuring authentication
consists of specifying the login methods accepted, the order in which they are
tried, the local user account to map to external logins, whether to accept
roles specified by the AAA server, and the configuration of the external
authentication server itself.
To open the AAA page, select Settings > Authentication > AAA.
Supported Clients
The following versions of serial, SSH clients are supported:
Table 3: Tested SSH Clients
OS | Client | Version |
---|---|---|
Windows 7, Windows 10 | PuTTY | 0.64 |
Windows 7, Windows 10 | Tera Term | 4.87 |
Windows 7, Windows 10 | Cygwin | 1.1.6 |
Linux Ubuntu L4.5 | Tera Term | 4.87 |
OS | Client | Version |
--- | --- | --- |
Linux Ubuntu L4.4 | LXTerminal | 0.2.0 |
OSX 10.12 (16A323) | Term2 | 3.010 |
OSX 10.12 (16A323) | vSSH | 1.11.1 |
Default Ports
The following default ports are normally open on GigaVUE Cloud Suite nodes:
Table 4: Open Default Ports
Port Number | Protocol | Description | Service/Server |
---|---|---|---|
22 | TCP | SSH | OpenSSH_8.8p1 |
80 | TCP | HTTP | Apache httpd |
161 | UDP | SNMP | SNMP |
443 | TCP | HTTPS | Apache httpd |
9090 | TCP | APIs | Gigamon |
Other default ports are normally closed on GigaVUE Cloud Suite nodes, unless
configured:
Table 5: Default Ports, Normally Closed
Port Number | Description |
---|---|
20 | FTP |
49 | TACACS+ |
123 | NTP |
162 | SNMP host |
389 | LDAP |
514 | syslog |
1080 | Web proxy |
1812 | RADIUS |
2055 | NetFlow Collector |
The following table contains examples of other valid ports, depending on
vendor:
Table 6: Other Valid Ports
Port Number | Description |
---|---|
53 | DNS |
25/465/587 | SMTP |
Port Number | Description |
--- | --- |
319/120 | PTP |
256 | Route Access Protocol (RAP) |
512 | Binary Interchange File Format (BIFF) |
FIPS 140-2 Compliance
GigaVUE-OS is compliant with the Federal Information Processing Standard
(FIPS), a US governmstandard for security requirements of cryptographic
modules. The Gigamon Linux-based cryptograpmodule (the FIPS module) provides
cryptographic functions for GigaVUE Cloud Suite nodes and offa high level of
security for the Ethernet management interface. The FIPS module is compliant
with FIPS 140-2 Level 1 and was validated by the National Institute of
Standards and Technology (NIST)The certificate number is 2128.
Also, OpenSSL is integrated with the FIPS module and is updated to version
1.0.2zf.
To enable FIPS:
- Select Settings > Global Settings > Security.
- Click Edit.
- On the Edit Security Settings page, select FIPS 140-2 Mode.
- Click OK to save the changes.
Once FIPS is enabled, the device will reload and the device configuration will
be reset. All traffic, keys and certification configurations will be cleared.
For communications with the GigaVUE Cloud Suite node, SSL or SSH clients are
requested to use high strength ciphers during the session set up negotiation.
A high strength cipher is one that uses a key that is equal to or greater than
128 bits.
Weak ciphers will be rejected by the GigaVUE Cloud Suite node. For example, if
a client attempts to connect to the GigaVUE Cloud Suite Ethernet management
port using blowfish, the following error message will be displayed: No
matching cipher found.
UC APL Compliance
GigaVUE Cloud Suite HC Series products are compliant with Unified Capabilities
Approved Products List (UC APL). The products include the GigaVUE-HC2, as well
as the GigaVUE Cloud Suite-TA10 and GigaVUE Cloud Suite-TA40.
UC APL certification ensures that the GigaVUE Cloud Suite HC Series products
comply with Internet Engineering Task Force (IETF) and Defense Information
Systems Agency (DISA) standards on Internet Protocol (IP) devices. The UC APL
certification verifies that the GigaVUE Cloud Suite H Series products comply
with and are configured to be consistent with the DISA Field Security Office
(FSO) Security Technical Implementation Guides (STIG).
Certified equipment is listed on the US Department of Defense (DoD) UC APL
list.
UC APL requires the GigaVUE Cloud Suite HC Series products run the most
current version of the Apache branch to ensure the most secure version is
used. The component versions of Apache on GigaVUE Cloud Suite HC Series
products are as follows:
- httpd 2.4.54
- apr 1.6.3
- apr-util 1.6.1
- pcre 7.8
For more information on configuring UC APL certification, see UC APL Compliance
Common Criteria
The Common Criteria for Information Technology Security Evaluation, or Common
Criteria, is an international standard (ISO/IEC 15408) for computer security
certification.
Common Criteria is a framework in which computer system users can specify
their security functional requirements and security assurance requirements
(SFRs and SARs, respectively) through the use of Protection Profiles (PPs),
vendors can then implement and/or make claims about the security attributes of
their products, and testing laboratories can evaluate the products to
determine if those claims are met.
Common Criteria provides assurance that the process of specification,
implementation, and evaluation of a computer security product has been
conducted in a rigorous and standard and repeatable manner, at a level that is
commensurate with the target environment for use.
Common Criteria is used as the basis for a Government driven certification
scheme. Typically, evaluations are conducted for the use of Federal Government
agencies and critical infrastructure.
Gigamon is actively keeping our products certified. Visit the NIAP CCEVS
website to see the current GigaVUE-OS and models that are currently certified
or check which version of the GigaVUE-OS is currently in-evaluation.
Configure Common Criteria
To certify a GigaVUE Cloud Suite node with Common Criteria, you must
perform the following:
- Enable enhanced cryptography mode. Refer to Configure Enhanced Cryptography Mode.
- Enable secure passwords mode and configure a password length of 15. Refer to Configure Secure Passwords Mode.
- Configure syslog to send audit data securely. Refer to Encrypt Syslog Audit Data.
Manage Roles and Users—GigaVUE-OS
This chapter provides basic information about role-based access and the
procedures for manage roles and users in GigaVUE-OS and assigning access
permissions. The following topics are covered:
- About Role-Based Access
- Configure Role-Based Access and Setting Permissions in H-VUE
About Role-Based Access
GigaVUE HC Series nodes use role-based access to manage access to the Gigamon
Visibility Platform. Through GigaVUE-FM, you can create roles and assign users
to those roles, allowing you to partition separate sets of tool ports for
different groups of users while different sets of network ports are shared.
This makes it possible to provides different groups of users with different
analysis needs to have full access to the packets they need for their tools.
Notes:
- To take advantage of GigaVUE-FM, Gigamon highly recommends that you have the same user name and password (with roles) registered with the physical node(s). In doing so, GigaVUE-FM provides the ability to manage and monitor physical devices with all of its features.
- If a user has full access (super admin or admin) on GigaVUE-FM but limited access on the node, they will be able to view the traffic and all the ports from the Dashboard page, Audit logs and Reports but will not be able to configure the node itself.
- If the user with the same name is created on GigaVUE-FM and the node but the passwords are different, the user will be able to view all the ports on the node from GigaVUE-FM but will not be able to configure the node from GigaVUE-FM. In order to have full access, it is required that both the username and passwords be identical on the node as well as GigaVUE-FM. To avoid such situations it is recommended to use centralized authorization servers such as LDAP, RADIUS or TACACS+.
Role-Based Access and Setting Permissions in GigaVUE Cloud Suite Nodes
To know more about RBAC in GigaVUE-FM see the following topics:
- Add Users
- Create Roles
Additional Sources of Information
This appendix provides additional sources of information. Refer to the following sections for details:
- Documentation
- Documentation Feedback
- Contact Technical Support
- Contact Sales
- The VÜE Community
Documentation
This table lists all the guides provided for GigaVUE Cloud Suite software
and hardware. The first row provides an All-Documents Zip file that contains
all the guides in the set for the release.
NOTE: In the online documentation, view What’s New to access quick links
to topics for each of the new features in this Release; view Documentation
Downloads to download all PDFs.
Table 1: Documentation Set for Gigamon Products
GigaVUE Cloud Suite 6.2 Hardware and Software Guides
DID YOU KNOW? If you keep all PDFs for a release in common folder, you can
easily search across the doc set by opening one of the files in Acrobat and
choosing Edit > Advanced Search from the menu. This opens an interface that
allows you to select a directory and search across all PDFs in a folder.
Hardware
how to unpack, assemble, rack-mount, connect, and initially configure ports
the respective GigaVUE Cloud Suite devices; reference information and
specifications for the respective GigaVUE Cloud Suite devices
GigaVUE-HC1 Hardware Installation Guide
GigaVUE-HC2 Hardware Installation Guide
GigaVUE-HC3 Hardware Installation Guide
GigaVUE-HC1-Plus Hardware Installation Guide
GigaVUE-TA25E Hardware Installation Guide
GigaVUE-TA200E Hardware Installation Guide
GigaVUE-TA25 Hardware Installation Guide
GigaVUE-TA200 Hardware Installation Guide
GigaVUE-TA400 Hardware Installation Guide
GigaVUE-TA10 Hardware Installation Guide
GigaVUE-TA40 Hardware Installation Guide
GigaVUE Cloud Suite 6.2 Hardware and Software Guides
GigaVUE-TA100 Hardware Installation Guide
GigaVUE-TA100-CXP Hardware Installation Guide
GigaVUE-OS Installation Guide for DELL S4112F-ON
G-TAP A Series 2 Installation Guide
GigaVUE M Series Hardware Installation Guide
GigaVUE-FM Hardware Appliance Guide for GFM-HW1-FM010 and and GFM-HW1-FM001-HW
Software Installation and Upgrade Guides
GigaVUE-FM Installation, Migration, and Upgrade Guide
GigaVUE-OS Upgrade Guide
GigaVUE V Series Migration Guide
Fabric Management and Administration Guides
GigaVUE Administration Guide
covers both GigaVUE-OS and GigaVUE-FM
GigaVUE Fabric Management Guide
how to install, deploy, and operate GigaVUE-FM; how to configure GigaSMART
operations; covers both GigaVUE-FM and GigaVUE-OS features
Cloud Guides
how to configure the GigaVUE Cloud Suite components and set up traffic
monitoring sessions for the cloud platforms
GigaVUE V Series Applications Guide
GigaVUE V Series Quick Start Guide
GigaVUE Cloud Suite for AWS–GigaVUE V Series 2 Guide
GigaVUE Cloud Suite for Azure–GigaVUE V Series 2 Guide
GigaVUE Cloud Suite for OpenStack–GigaVUE V Series 2 Guide
GigaVUE Cloud Suite for Nutanix Guide—GigaVUE V Series 2 Guide
GigaVUE Cloud Suite for VMware—GigaVUE V Series Guide
*GigaVUE Cloud Suite for Third Party Orchestration
GigaVUE Cloud Suite for AnyCloud Guide
Universal Container Tap Guide
Gigamon Containerized Broker Guide
GigaVUE Cloud Suite 6.2 Hardware and Software Guides
GigaVUE Cloud Suite for AWS–GigaVUE V Series 1 Guide
GigaVUE Cloud Suite for Azure–GigaVUE V Series 1 Guide
GigaVUE Cloud Suite for OpenStack–GigaVUE V Series 1 Guide
GigaVUE Cloud Suite for Nutanix Guide—GigaVUE-VM Guide
GigaVUE Cloud Suite for VMware—GigaVUE-VM Guide
Reference Guides
GigaVUE-OS CLI Reference Guide
library of GigaVUE-OS CLI (Command Line Interface) commands used to configure
and operate GigaVUE HC Series and TA Series devices
GigaVUE-OS Cabling Quick Reference Guide
guidelines for the different types of cables used to connect Gigamon devices
GigaVUE-OS Compatibility and Interoperability Matrix
compatibility information and interoperability requirements for Gigamon
devices
GigaVUE-FM REST API Reference in GigaVUE-FM User’s Guide
samples uses of the GigaVUE-FM Application Program Interfaces (APIs)
Release Notes
GigaVUE-OS, GigaVUE-FM, GigaVUE-VM, G-TAP A Series, and GigaVUE Cloud Suite
Release Notes
new features, resolved issues, and known issues in this release ;
important notes regarding installing and upgrading to this release
NOTE: Release Notes are not included in the online documentation.
NOTE: Registered Customers can log in to My
Gigamon to download the
Software and Release Notes from the
Software & Docs page on to My
Gigamon. Refer to How
to Download Software and Release Notes from My Gigamon.
In-Product Help
GigaVUE-FM Online Help
how to install, deploy, and operate GigaVUE-FM.
How to Download Software and Release Notes from My Gigamon
Registered Customers can download software and corresponding Release Notes
documents from the Software & Release Notes page on to My
Gigamon. Use the My
Gigamon Software & Docs page to download:
- Gigamon Software installation and upgrade images,
- Release Notes for Gigamon Software, or
- Older versions of PDFs (pre-v5.7).
To download release-specific software, release notes, or older PDFs:
- Log in to My Gigamon
- Click on the Software & Release Notes link.
- Use the Product and Release filters to find documentation for the current release. For example, select Product: “GigaVUE-FM” and Release: “5.6,” enter “pdf” in the search box, and then click GO to view all PDF documentation for GigaVUE-FM 5.6.xx.
NOTE: My Gigamon is available to registered customers only. Newer
documentation PDFs, with the exception of release notes, are all available
through the publicly available online documentation.
Documentation Feedback
We are continuously improving our documentation to make it more accessible
while maintaining accuracy and ease of use. Your feedback helps us to improve.
To provide feedback and report issues in our documentation, send an email to:
documentationfeedback@gigamon.com
Please provide the following information in the email to help us identify and
resolve the issue. Copy and paste this form into your email, complete it as
able, and send. We will respond as soon as possible.
Documentation Feedback Form
About You| Your Name|
Your Role|
Your Company|
For Online Topics| Online doc link| (URL for where the issue is)
---|---|---
Topic Heading| (if it’s a long topic, please provide the heading of the
section where the issue is)
For PDF Topics| Document Title| (shown on the cover page or in page header )
---|---|---
Product Version| (shown on the cover page)
Document Version| (shown on the cover page)
Chapter Heading| (shown in footer)
PDF page #| (shown in footer)
How can we improve?| Describe the issue| Describe the error or issue in the
documentation. (If it helps, attach an image to show the issue.)
---|---|---
How can we improve the content?
Be as specific as possible.|
Any other comments?|
Contact Technical Support
For information about Technical Support: Go to Settings > Support > Contact
Support in GigaVUE-FM.
You can also refer to https://www.gigamon.com/support-and-services/contact-
support for Technical Support hours and contact information.
Email Technical Support at support@gigamon.com.
Contact Sales
Use the following information to Gigamon channel partner or Gigamon sales
representatives.
Telephone: +1.408.831.4025
Sales: inside.sales@gigamon.com
Partners:
www.gigamon.com/partners.html
Premium Support
Email Gigamon at inside.sales@gigamon.com
for information on purchasing 24×7 Premium Support.
Premium Support entitles you to round-the-clock phone support with a dedicated
Support Engineer every day of the week.
The VÜE Community
The VÜE Community is a technical site where
Gigamon users, partners, security and network professionals and Gigamon
employees come together to share knowledge and expertise, ask questions, build
their network and learn about best practices for Gigamon products.
Visit the VÜE site to:
- Find knowledge base articles and documentation
- Ask and answer questions and learn best practices from other members.
- Join special-interest groups to have focused collaboration around a technology, use-case, vertical market or beta release
- Take online learning lessons and tutorials to broaden your knowledge of Gigamon products.
- Open support tickets (Customers only)
- Download the latest product updates and documentation (Customers only)
The VÜE Community is a great way to get answers fast, learn from experts and
collaborate directly with other members around your areas of interest.
Register today at community.gigamon.com
Questions? Contact our Community team at
community@gigamon.com.
Glossary
D | decrypt list | need to decrypt (formerly blacklist) |
---|---|---|
decryptlist | need to decrypt – CLI Command (formerly blacklist) | |
drop list | selective forwarding – drop (formerly blacklist) | |
F | forward list | selective forwarding – forward (formerly whitelist) |
L | l eader | leader in clustering node relationship (formerly master) |
M | member node | follower in clustering node relationship (formerly slave |
or non-master)
N| no-decrypt list| no need to decrypt (formerly whitelist)
nodecryptlist| no need to decrypt- CLI Command (formerly whitelist)
P| primary source| root timing; transmits sync info to clocks in its
network segment (formerly grandmaster)
R| receiver| follower in a bidirectional clock relationship (formerly
slave)
S| source| leader in a bidirectional clock relationship (formerly
master)
References
- Gigamon VÃœE Community
- Gigamon VÃœE Community
- Gigamon VÃœE Community
- Secure Login
- Add Users
- Configure Enhanced Cryptography Mode
- Configure Enhanced Cryptography Mode
- Configure Secure Passwords Mode
- Create Roles
- Encrypt Syslog Audit Data
- SHA1-Based Signature in TLS/SSL Server X.509 Certificate
- Use SNMP