쫑콩아빠의 지금 이 순간...

DeepFinder 는 H/W, Proxy, Reverse Proxy 웹방화벽의 SSL 처리 방식과 달라 가속기 등의 추가 구매 없이, 성능/속도 저하없이 SSL 트래픽을 필터링합니다.
Cloud 시대에 어플라이언스 타입의 WAF가 해결하기 어려운 부분을 쉽게 구성할 수 있다.
기존 WAF의 운영에서 불편한 인증서 관리가 필요 없고 SSL암복호화 수행을 따로 하지 않기 때문에 리소스의 저하도 발생 하지 않는다.

Gigamon 장비는 제품별로 다양한 Packet 처리가 가능하다.
Mirror 트래픽을 전달 받아 가공을 통해 보안/모니터링/분석 장비에 전달함으로 효과를 얻을 수도 있고
Inline에 직접 개입하여 보안 장비들을 효과적으로 사용할 수 있게 구성이 가능하다.
참 재미난 Concept 이다. 
As-Is의 구성은 현재 많이 사용되는 이중화 구성이다. 예전에는 이 구성이 최적화된 구성이었으나 시대가 바뀌었고
예전 구성에서의 문제점들을 해결할 수 있는 방법도 생겨났다.

https://www.gigamon.com/products/optimize-traffic/traffic-intelligence/gigasmart/source-port-labeling.html

Identify each packet's entry point

The Source Port Labeling feature of the GigaSMART® engine provides context to packets and allows tools to properly assess network behavior and threats based on where they are happening in the network. When a packet arrives into the Gigamon® Visibility Platform, it could have come from one of dozens or hundreds of network access points.

Before forwarding the packet to a monitoring or security tool, Source Port Labeling adds a trailer to the packet that identifies on which port the packet arrived. The tool can query the Gigamon Visibility Platform using the Rest API and look up the Cisco Discovery Protocol (CDP) or Link Layer Discovery Protocol (LLDP) information associated with the packet’s source port to know exactly where in the network problems or threats reside.

Benefits of the Source Port Labeling feature

• Accurately analyze traffic aggregated from multiple collection points.
• Correlate traffic with CDP/LLDP information on the network.
• Identify incorrect cabling of taps and SPAN ports and verify accuracy of flow maps.

gigamon-0200fd (config policy alias test3) # condition  add ?
< condition >    Add a condition to the policy
GsCpuUtilHigh    
GsCpuUtilLow     
GsHbStatusDown   
GsHbStatusUp     
GsPktBufThHigh   
GsPktBufThLow    
GsPktDropRateHigh 
GsPktDropRateLow 
GsRxPktErrorHigh 
GsRxPktErrorLow  
GsRxPktRateHigh  
GsRxPktRateLow   
InlineToolDown   
InlineToolReady  
InlineToolUp     
PortDown         
PortRxBufferHigh 
PortRxBufferLow  
PortRxDiscardsHigh 
PortRxDiscardsLow 
PortRxDropsHigh  
PortRxDropsLow   
PortRxErrorsHigh 
PortRxErrorsLow  
PortRxUtilHigh   
PortRxUtilLow    
PortTxBufferHigh 
PortTxBufferLow  
PortTxDiscardsHigh 
PortTxDiscardsLow 
PortTxDropsHigh  
PortTxDropsLow   
PortTxErrorsHigh 
PortTxErrorsLow  
PortTxUtilHigh   
PortTxUtilLow    
PortUp           
TimeFriday       
TimeMonday       
TimeOfDay        
TimeSaturday     
TimeSunday       
TimeThursday     
TimeTuesday      
TimeWednesday    
TimeWeekday      
TimeWeekend      


gigamon-0200fd (config policy alias test3) # action add ?
< action >       Add an action to the policy.
FlexInlineOOBAdd 
FlexInlineOOBDelete 
InlineNetTrafficPath 
InlineToolDisable 
InlineToolEnable 
InlineToolRecover 
MapDisable       
MapEnable        
MapGsRuleAdd     
MapGsRuleDelete  
MapRuleAdd       
MapRuleDelete    
PhysicalByPassDisable 
PhysicalByPassEnable 
PolicyDisable    
PolicyEnable     
PortDisable      
PortEnable       
PortFilterAdd    
PortFilterDelete 
PortFilterDeleteAll 
WriteMemory      

Regular GigaStream Configuration
To configure a regular tool GigaStream, refer to the following example:

Step

Description

Command

1.    
Configure ports using type tool for a regular tool GigaStream.
(config) # port 1/3/q2..q3 type tool

2.  
Configure a regular GigaStream.
(config) # gigastream alias stream1 port-list 1/3/q1..q4

3.  
Configure a comment for the GigaStream.
(config) # gigastream alias stream1 comment “regular gigastream”

4.  
Assign hash weights in percentage or ratio to the ports in the GigaStream
(config gigastream alias stream1) # port-list 1/3/q1..q4 hash-weight 30,30,20,20
(config gigastream alias stream1) # port-list 1/3/q1..q4 hash-weight 3,3,2,2

5.  
Assign drop weight for the GigaStream
(config gigastream alias stream1) # drop-weight 2

6.  
Display the configuration for this example.
(config) # show gigastream

How To: Packet capture on Gigamon interface
2020. 4. 25•How to
Feature
Flow Mapping
Title
How To: Packet capture on Gigamon interface
Objective
Perform packet capture on Gigamon interface for troubleshooting.
 
Environment
HC-Series
Procedure
Please note: This feature is currently available for software version 5.4 and above.

Step1. Identify one unused port on the chassis and enable the port. This unused port will be used to capture and copy the traffic. (port type can be any). Channel port is only required in case you want to capture in direction (Tx or both). It is not required in order to capture only Rx traffic.
Rx = IfInPackets on a port.
Tx = IfOutPackets on a port.
port 1/3/x9 params admin enable
port 1/3/x9 alias unused-channel-port

Step2.  Add a capture filter to start the packet capture. 
#Example1
pcap alias nw-side
port 1/4/g16 both (Interface on which you want to capture the packets)  
channel-port 1/3/x9 (Unused port to copy the traffic)
packet-limit 20000
filter ipsrc 10.10.10.10 /32
exit

#To create another filter, please create another pcap profile.
#Example2
pcap alias IT-side
port 1/3/x11 rx
channel-port 1/3/x10
packet-limit 20000
filter ipdst 30.30.30.30 /32
exit

#Example3
pcap alias SSL
port 1/3/x11 tx
channel-port 1/3/x10
packet-limit 20000
filter ipdst 30.30.30.30 /32
exit

#Verification
show pcap alias nw-side
show pcap
show file pcap

Step3.  Reproduce the problem. 
Initiate a session between the client and server, to ensure that specific packets can be captured.

Step4. Stop the packet capture.
no pcap alias issl1
or
clear pcap all
or 
no pcap all

Step5. Verify if the packet capture file has been created.
show file pcap

Step6. Upload to your local machine or scp/tftp server. 
file pcap upload <filename> scp://user:pass@10.10.10.10/dir/folder/<filename>
file pcap delete-all
file pcap delete <filename>

Step7. Analyze the pcap file

 
Additional Notes
Filtering can be defined based on 6 conditions
IP source
IP destination
Port source
Port destination
Protocol
Tcp control
Tag
packet capture broadcom pcap bcm data port tcpdump