AFP, ASF Sample
gigamon-2c013c (config) # sh running-config
##
Running database "initial"
Generated at 2019/12/23 05:23:44 +0000
Software version on which this output was taken: GigaVUE-OS 5.7.01 142718 2019-09-23 23:20:06
##
Port level configurations
##
port 1/1/g1 type network
port 1/1/g2 type network
port 1/1/g3 type network
port 1/1/g4 type network
port 1/1/x1 type hybrid
port 1/1/x1 params admin enable
port 1/1/x2 type network
port 1/1/x2 params admin enable
port 1/1/x3 type tool
port 1/1/x3 params admin enable
port 1/1/x4 type network
port 1/1/x4 params admin enable
port 1/1/x5 type network
port 1/1/x6 type tool
port 1/1/x6 params admin enable
port 1/1/x7 type tool
port 1/1/x7 params admin enable
port 1/1/x8 type tool
port 1/1/x8 params admin enable
port 1/1/x9 type network
port 1/1/x10 type tool
port 1/1/x10 params admin enable
port 1/1/x11 type network
port 1/1/x12 type tool
port 1/1/x12 params admin enable
port 1/2/x1 type network
port 1/2/x2 type network
port 1/2/x3 type network
port 1/2/x4 type network
port 1/2/x5 type inline-net
port 1/2/x5 params admin enable speed 1000
port 1/2/x6 type inline-net
port 1/2/x6 params admin enable speed 1000
port 1/2/x7 type inline-net
port 1/2/x8 type inline-net
port 1/3/g1 type network
port 1/3/g1 params taptx passive
port 1/3/g2 type network
port 1/3/g2 params taptx passive
port 1/3/g3 type network
port 1/3/g3 params taptx passive
port 1/3/g4 type network
port 1/3/g4 params taptx passive
port 1/3/g5 type network
port 1/3/g5 params taptx passive
port 1/3/g6 type network
port 1/3/g6 params taptx passive
port 1/3/g7 type network
port 1/3/g7 params taptx passive
port 1/3/g8 type network
port 1/3/g8 params taptx passive
##
Gigastream hash configurations
##
gigastream advanced-hash slot 1/cc1 default
##
Gigastream configurations
##
gigastream alias T-LB-1
port-list 1/1/x6,1/1/x8 params hash advanced
exit
gigastream alias T-LB-2
port-list 1/1/x10,1/1/x12 params hash advanced
exit
##
SAPF configurations
##
apps asf alias youtube-asf
bi-directional enable
buffer enable
buffer-count-before-match 6
packet-count disable
protocol tcp-udp
sess-field add ipv4-5tuple outer
timeout 15
exit
##
Gsgroup configurations
##
gsgroup alias GS1 port-list 1/1/e1
##
Gs params configurations
##
gsparams gsgroup GS1
cpu utilization type total rising 80
dedup-action drop
dedup-ip-tclass include
dedup-ip-tos include
dedup-tcp-seq include
dedup-timer 50000
dedup-vlan ignore
diameter-packet timeout 2
diameter-s6a-session limit 10000
diameter-s6a-session timeout 30
eng-watchdog-timer 60
erspan3-timestamp format none
flow-mask disable
flow-sampling-rate 5
flow-sampling-timeout 1
flow-sampling-type device-ip
generic-session-timeout 5
gtp-control-sample enable
gtp-flow timeout 48
gtp-persistence disable
gtp-persistence file-age-timeout 30
gtp-persistence interval 10
gtp-persistence restart-age-time 30
gtp-randomsample disable
gtp-randomsample interval 12
ip-frag forward enable
ip-frag frag-timeout 10
ip-frag head-session-timeout 30
lb failover disable
lb failover-thres lt-bw 80
lb failover-thres lt-pkt-rate 1000
lb replicate-gtp-c disable
lb use-link-spd-wt disable
node-role disable
resource buffer-asf 2
resource cpu overload-threshold 90
resource hsm-ssl buffer disable
resource hsm-ssl packet-buffer 1000
resource inline-ssl standalone enable
resource metadata disable
resource packet-buffer overload-threshold 80
resource xpkt-pmatch num-flows 0
session logging level none
sip-media timeout 30
sip-nat disable
sip-session timeout 30
sip-tcp-idle-timeout 20
ssl-decrypt decrypt-fail-action drop
ssl-decrypt enable
ssl-decrypt hsm-pkcs11 dynamic-object enable
ssl-decrypt hsm-pkcs11 load-sharing enable
ssl-decrypt hsm-timeout 1000
ssl-decrypt key-cache-timeout 10800
ssl-decrypt non-ssl-traffic drop
ssl-decrypt pending-session-timeout 60
ssl-decrypt session-timeout 300
ssl-decrypt tcp-syn-timeout 20
ssl-decrypt ticket-cache-timeout 10800
tunnel-health-check action pass
tunnel-health-check disable
tunnel-health-check dstport 54321
tunnel-health-check interval 600
tunnel-health-check protocol icmp
tunnel-health-check rcvport 54321
tunnel-health-check retries 5
tunnel-health-check roundtriptime 1
tunnel-health-check srcport 54321
xpkt-pmatch disable
exit
Gsop configurations
gsop alias youtube-gsop apf set asf set port-list GS1
Vport configurations
vport alias vp1 gsgroup GS1
vport alias vp1 failover-action vport-bypass
vport alias vp1 outer-traffic-path to-inline-tool
vport alias vp1 inner-traffic-path to-inline-tool
vport alias vp1 deferred-binding disable
vport alias vp1 asf profile youtube-asf
vport alias vp1 mmon disable
Inline-network configurations
inline-network alias default_inline_net_1_2_1
pair net-a 1/2/x5 and net-b 1/2/x6
physical-bypass disable
traffic-path bypass
exit
##
Traffic map connection configurations
인라인네트워크에서 특정 포트로 미러패킷을 전달(전체 패킷-rx)
map-passall alias N1-map-source-packet-rx
roles replace admin to owner_roles
to 1/1/x1
from 1/2/x5
exit
인라인네트워크에서 특정 포트로 미러패킷을 전달(전체 패킷-tx)
map-passall alias N1-map-source-packet-tx
roles replace admin to owner_roles
to 1/1/x1
from 1/2/x6
exit
인라인네트워크에서 받은 미러패킷을 버철포트로 전달
map alias All-traffic
type firstLevel byRule
roles replace admin to owner_roles
comment " "
rule add pass macsrc 00:00:00:00:00:00 00:00:00:00:00:00 bidir
to vp1
from 1/1/x1
exit
유투브사이트에서 비디오 플레이 될때 탐지함.
map alias traffic-sapf-youtube
type secondLevel byRule
roles replace admin to owner_roles
use gsop youtube-gsop
gsrule add pass pmatch RegEx youtube|ytimg|yt3.ggpht|tubeMogul|tmogul|googlevideo|tmogulyoutu 0..1460
to 1/1/x3
from vp1
exit
PC에서 시만텍서버와 클라이언트 또는 패턴 업데이트 될때 탐지함.
map alias traffic-sapf-symatec
type secondLevel byRule
roles replace admin to owner_roles
use gsop youtube-gsop
gsrule add pass pmatch RegEx symantec|syma|sep|livet|symant 0..1460
to 1/1/x3
from vp1
exit
번외 - 특정 헥사 코드값 만을 탐지
map alias traffic-sapf-hex
type secondLevel byRule
roles replace admin to owner_roles
comment hex-.ama
use gsop youtube-gsop
gsrule add pass pmatch protocol ipv4 pos 1 RegEx [\x2e\x61\x6d\x61] 0..80
to 1/1/x7
from vp1
exit
The RegEx expression identifies the
SSL handshake type Client Hello patterns and All Buffered packets(TCP) #
pos -> number presenting the occurrence(발생 될 숫자 지정)
HTTPS사이트에 접근하면 탐지
map alias traffic-sapf-https
type secondLevel byRule
roles replace admin to owner_roles
use gsop youtube-gsop
gsrule add pass pmatch protocol tcp pos 1 RegEx \x16\x03.{3}\x01 0..6
to 1/1/x7
from vp1
exit
특정 지정한 패킷(HTTPS,youtube,symatec 등) 외 탐지
map-scollector alias traffice-non-asf
roles replace admin to owner_roles
from vp1
collector T-LB-1
exit
'업무이야기 > 패킷전달플랫폼' 카테고리의 다른 글
| Gigamon Unprotected Inline Bypass with Default Heartbeat (0) | 2021.01.17 |
|---|---|
| Gigamon Unprotected Inline Bypass (0) | 2021.01.17 |
| How To: Configure Out of band clustering on H seriesStep by step example for out of band clustering (0) | 2021.01.17 |
| GigaSMART SSL Decryption for Out-of-Band Tools (0) | 2021.01.17 |
| Gigamon Flexible Inline Single Tag Configuration (0) | 2021.01.17 |