Gigamon GigaVUE HC Series ThreatINSIGHT Sensor User Guide

June 4, 2024
Gigamon



Copyright 2021 Gigamon Inc. All rights reserved.
Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. No part of this publication may be reproduced, transcribed, translated into any language, stored in a retrieval system, or transmitted in any form or any means without the written permission of Gigamon Inc.

Trademark Attributions
Gigamon and the Gigamon logo are trademarks of Gigamon in the United States and/or other countries. Gigamon trademarks can be found at www.gigamon.com/legal-trademarks. All other trademarks are the trademarks of their respective owners.
Gigamon Inc.
3300 Olcott Street
Santa Clara, CA 95054
408.831.4000

Gigamon ThreatINSIGHT Sensor

This section describes the Gigamon ThreatINSIGHT Sensor, which is used to detect, respond to, and investigate network-based threats. It also provides instructions for deploying the Gigamon ThreatINSIGHT Sensor on the GigaVUE-HC1 SMT-HC1-S module using GigaVUE-FM.
Refer to the following sections:

  • Threat Detection and Response with Gigamon ThreatINSIGHT
  • Rules and Notes
  • Work With Gigamon ThreatINSIGHT Sensor—A Roadmap
  • Get Started With Gigamon ThreatINSIGHT Sensor Deployment
  • Manage Gigamon ThreatINSIGHT Sensor
  • Troubleshoot Gigamon ThreatINSIGHT Sensor Deployment and Management Issues

Threat Detection and Response with Gigamon ThreatINSIGHT

Gigamon ThreatINSIGHT is a SaaS-based network security monitoring platform built to detect, respond to, and investigate network-based threats. ThreatINSIGHT has the following key features:

  • Rapid threat-hunting support with rich metadata search of supported protocols
  • Powerful visualization tools for tracking the different aspects of your network
  • Automated threat-detections built with alerting functionality

The Gigamon ThreatINSIGHT Sensor, which is deployed on the GigaVUE-HC1 SMT-HC1-S module using GigaVUE-FM, provides a single, integrated security solution for threat detection.
NOTE: For more information about Gigamon ThreatINSIGHT, refer to the ThreatINSIGHT Portal Guides. To access the Portal Guides, log in to Gigamon ThreatINSIGHT, and then go to Help > Portal Guides.

Rules and Notes

Keep in mind the following rules and notes before you deploy Gigamon ThreatINSIGHT on the SMT-HC1-S module:

  • You can attach only one ThreatINSIGHT Sensor to a GigaSMART engine.
  • You cannot enable other GigaSMART operations on the GigaSMART engine to which the ThreatINSIGHT Sensor is attached.
  • You cannot delete a virtual port that is attached to the GigaSMART engine on which the ThreatINSIGHT Sensor is provisioned.
  • If you delete the ThreatINSIGHT Sensor tool from GigaVUE-FM, the ThreatINSIGHT Sensor statistics are cleared from GigaVUE-FM and the GigaVUE-HC1 device. You must re-provision the ThreatINSIGHT Sensor tool in GigaVUE-FM using a new provision code from the Gigamon ThreatINSIGHT Portal.

Work With Gigamon ThreatINSIGHT Sensor—A Roadmap

Perform the following tasks to deploy the ThreatINSIGHT Sensor and monitor the traffic flow:
[Figure 1]

Deploy Gigamon ThreatINSIGHT Sensor on the SMT-HC1-S Module

To integrate Gigamon ThreatINSIGHT with the SMT-HC1-S module, you must deploy the ThreatINSIGHT Sensor as one of the tools on the SMT-HC1-S module. This topic provides instructions to complete the deployment.
Prerequisites
Ensure that you complete the following prerequisites before you start with Gigamon ThreatINSIGHT Sensor deployment:

  • Upgrade your GigaVUE-FM instance to v5.10.00 or above.
    NOTE: The latest LTS version is usually recommended. For the latest Long Term Support (LTS) release information, refer to the Gigamon Software Release Status article on the Community.

  • Add the GigaVUE-HC1 device that has the SMT-HC1-S module installed. For instructions, refer to Add New Physical Node or Cluster to GigaVUE-FM.

  • Generate a provision code from the Gigamon ThreatINSIGHT Portal to validate your Gigamon ThreatINSIGHT integration. The provision code that you generate is valid for 24 hours. For instructions, refer to the “Generate a Registration Code” section in the ThreatINSIGHT Portal Guides.
    NOTE: To access the Portal Guides, log in to the ThreatINSIGHT Portal and go to Help > Portal Guides.

  • Ensure that the GigaSMART engine port on which you want to deploy the ThreatINSIGHT Sensor has internet connectivity so that the ThreatINSIGHT Sensor can connect to AWS.
    NOTE: If you are installing the SMT-HC1-S (Gen 3 GigaSMART Card), use the recommended upgrade path specific to this module. Refer to SMT-HC1-S (Gen 3 GigaSMART Card) for details.

  • To configure the network access:

    • From the device view, go to Ports > Ports > All Ports.
    • Select the engine port and then click Edit.
    • You can either manually assign the IP address or select the Enable DHCP check box to dynamically assign the IP address and other network configuration parameters.
    • Select eth2 as the interface, and then click OK.

Deploy Gigamon ThreatINSIGHT Sensor Using GigaVUE-FM

Before you proceed with the deployment, ensure that you complete all prerequisites listed in the Prerequisites section.
To deploy Gigamon ThreatINSIGHT Sensor on the SMT-HC1-S module of GigaVUE-HC1:

  1. Log in to GigaVUE-FM, and then go to Inventory > Tools > Insight Sensors.

  2. Click Add, and then in the Add Gigamon Integrated ThreatINSIGHT page, enter a unique name for the ThreatINSIGHT Sensor that you are deploying.

  3. In the Provision Code field, enter the provision code that you have generated from the Gigamon ThreatINSIGHT Portal.

  4. In the Cluster field, select the GigaVUE-HC1 node that has the SMT-HC1-S module installed.

  5. In the Processing Engines field, select the required GigaSMART engine port to which you want to deploy the ThreatINSIGHT Sensor.
    NOTE: Only GigaSMART engine ports that are capable of ThreatINSIGHT Sensor deployment are listed.

  6. Click Activate.

GigaVUE-FM creates the required configurations, such as the GigaSMART group and the virtual port on the SMT-HC1-S module. GigaVUE-FM then establishes a connection with the ThreatINSIGHT Sensor using the provision code you provided. The ThreatINSIGHT Sensor communicates with the Gigamon ThreatINSIGHT Portal and obtains a sensor alias, which is populated in GigaVUE-FM and the Gigamon ThreatINSIGHT Portal. It may take a couple of minutes for the ThreatINSIGHT Sensor to be provisioned.

Verify Gigamon ThreatINSIGHT Sensor Status

Ensure that the status of the ThreatINSIGHT Sensor is Online. You can view the status and alias of the ThreatINSIGHT Sensor in the following pages:

  • GigaVUE-FM—In the Tools page, select the ThreatINSIGHT Sensor that you have deployed, click the vertical ellipsis, and then select View Details.
  • Gigamon ThreatINSIGHT Customer Portal—Click the Setting icon, and then select Sensors.

Manage Gigamon ThreatINSIGHT Sensor

Once the Gigamon ThreatINSIGHT Sensor is deployed, you can view network events on the Gigamon ThreatINSIGHT Portal. You can also view statistics from GigaVUE-FM. This topic provides information about these activities as well as instructions for disabling or deleting the Gigamon ThreatINSIGHT Sensor.

Disable and Enable Gigamon ThreatINSIGHT Sensor

You can choose to disable the ThreatINSIGHT Sensor in GigaVUE-FM. Before you disable the ThreatINSIGHT Sensor, ensure that the sensor is not used in any maps. To disable the ThreatINSIGHT Sensor, go to the Tools page, select the ThreatINSIGHT Sensor, and then click Actions > Disable. It may take a few minutes for the ThreatINSIGHT Sensor to be disabled.
To enable the ThreatINSIGHT Sensor, go to the Tools page, select the ThreatINSIGHT Sensor, and then click Actions > Enable. You do not need a new provision code to enable the ThreatINSIGHT Sensor. The status of the ThreatINSIGHT Sensor changes to Online. Refer to Verify Gigamon ThreatINSIGHT Sensor Status.

Delete Gigamon ThreatINSIGHT Sensor

  • If you delete a ThreatINSIGHT Sensor tool from GigaVUE-FM, the ThreatINSIGHT Sensor statistics are cleared from GigaVUE-FM and the GigaVUE-HC1 device. You must re-provision the ThreatINSIGHT Sensor tool in GigaVUE-FM using a new provision code generated from the Gigamon ThreatINSIGHT Portal.
  • Before you delete a ThreatINSIGHT Sensor, ensure that the sensor is not used in any maps and that you have disabled the sensor.
  • To delete the ThreatINSIGHT Sensor, go to the Tools page, select the ThreatINSIGHT Sensor, and then click Actions > Delete.
    NOTE: If you want to add the ThreatINSIGHT Sensor tool back in GigaVUE-FM, it is recommended that you provide the same name so that you can obtain the old statistics from the ThreatINSIGHT Sensor tool.

View Network Events in Gigamon ThreatINSIGHT Portal

The ThreatINSIGHT Sensor performs deep packet inspection of all observed network traffic and extracts key protocol metadata for processing by the Gigamon ThreatINSIGHT data pipeline. This metadata is organized into records called events. For more information about events, refer to the “Network Events” section in the ThreatINSIGHT Portal Guides.
To view the network events in the Gigamon ThreatINSIGHT Portal, go to Investigate > Events. You can run a query to view the events generated in the Last 1 Hour, Last 24 Hours, Last 7 Days, or Last 30 Days. For example, to view all the events generated for a specific ThreatINSIGHT Sensor alias, run the following query:

sensor_id = "test60"

View Gigamon ThreatINSIGHT Sensor Statistics in GigaVUE-FM

GigaVUE-FM polls the ThreatINSIGHT Sensor to obtain statistics for the following types of counters:

  • Total Data—The total data received and analyzed by the ThreatINSIGHT Sensor.
  • Total Packets—The number of packets received and analyzed by the ThreatINSIGHT Sensor.
  • Throughput—The amount of data successfully processed by the ThreatINSIGHT Sensor. This is the default counter.
  • Errors—The number of packets received with errors.
  • Discards—The number of packets discarded by the ThreatINSIGHT Sensor.
  • Dropped—The number of packets dropped by the ThreatINSIGHT Sensor.

The counters are aggregated by hour, day, week, or month.
To view the statistics in GigaVUE-FM, go to the Tools page, select the ThreatINSIGHT Sensor, click the vertical ellipsis, and then select View Statistics Graph.

NOTE: You cannot clear these counters.

Use the Details tab in the View Statistics page to view the diagnostics statistics of the ThreatINSIGHT Sensor’s Communication port (management port) and Connectivity port (stack port – eth2). These statistics are refreshed every 10 seconds.

Gigamon ThreatINSIGHT Sensor Deployment Guide

Troubleshoot Gigamon ThreatINSIGHT Sensor on GigaVUE-HC1

You can troubleshoot the ThreatINSIGHT Sensor deployment issues using the information available in the Details page in GigaVUE-FM. To access the page, go to the Tools page, select the ThreatINSIGHT Sensor, click the vertical ellipsis, and then select View Details.
Use the ThreatINSIGHT Sensor’s diagnostics statistics that appear in the Details tab in the View Statistics page to troubleshoot management issues such as:

  • the ThreatINSIGHT Sensor is unable to obtain configurations from GigaVUE-FM or GigaVUE-OS CLI,
  • the ThreatINSIGHT Sensor is unable to export events to the Gigamon ThreatINSIGHT Portal, and so on.

To view the diagnostics statistics in GigaVUE-FM, go to the Tools page, select the ThreatINSIGHT Sensor, click the vertical ellipsis, select View Statistics Graph, and then go to the Details tab.
For more details, refer to Troubleshoot Gigamon ThreatINSIGHT Sensor Issues.
