Configure Packet Mirroring

You must complete the following tasks to create packet mirroring in GCP.

Task 1 - Create Instance Group

Task 2 - Create Packet Mirroring Policy

Task 3 - Create Load Balancer

Task 4 - Verify Packet Mirroring in GCP

Task 1 - Create Instance Group

Complete the following steps to create the Instance group:

  1. In the Google Cloud Console, go to the Instance groups page.

  2. Click Create Instance Group.

  3. Click New Unmanaged Instance Group from the left panel.

  4. Fill in the details to configure the unmanaged instance group:

    • Name: Enter a name for the unmanaged instance group.

    • Description: Enter a description for the instance group.

    • Under Location: Select a region from the Region drop-down list and select a zone from the Zone drop-down list.

    • Network: Select a network from the drop-down list.

    • Subnetwork: Select a subnetwork from the drop-down list.

    • VM Instance: Select the required decoder from the Select VMs drop-down list. The mirrored traffic will be sent to this VM instance.

    • Port Mapping: By default, the port is selected.

  5. Click Create.

Task 2 - Create Packet Mirroring Policy

In the following procedure, the mirrored source and destination VM instances are in the same VPC network or subnetwork. You can also place the mirrored source and destination VM instances in different VPC networks or subnetworks. For more information, see https://cloud.google.com/vpc/docs/using-packet-mirroring.

Complete the following steps to create the Packet Mirroring policy:

  1. In the Google Cloud console, go to the Packet Mirroring page.

  2. Click Create Policy.

  3. Under Define policy overview, enter the following details:

    • Name: Enter a name for the policy.

    • Region: Select the region from the drop-down list.

    • Under Policy enforcement, select Enabled and click Continue.

  4. Under Select VPC network, select Mirrored source and collector destination are in the same VPC network.

    • Select the required network from the Network drop-down list.

    • Click Continue.

  5. Under Select mirrored source, select Select individual instances.

    Select the required instances from the Instance selection table and click Continue.

    Note: All traffic will be mirrored from this instance.

  6. Under Select collector destination, click create new L4 internal load balancer and follow Task 3 - Create Load Balancer to complete the configuration of the load balancer.

  7. Once the load balancer is created, click Refresh in the Collector destination drop-down menu.

  8. Select the newly created load balancer and click Continue.

  9. Do one of the following:

    • To mirror both ingress (incoming) and egress (outgoing) traffic from the source VM instance, select Mirror all traffic (default). This is the same as Allow both ingress and egress traffic under Traffic direction.

    • Select Mirror filtered traffic and select Allow egress traffic only to mirror only the outgoing traffic from the source VM instance and send it to the decoder.

    • Select Mirror filtered traffic and select Allow ingress traffic only to mirror only the incoming traffic from the source VM instance you want and send it to the decoder.

  10. Click Submit. The policy will be created successfully.

Task 3 - Create Load Balancer

Complete the following steps to create the Load Balancer:

  1. Click Load balancing.

  2. Click + Create Load Balancers.

  3. Enter the following details to configure load balancer:

    • Name: Enter a name for the load balancer.

    • Region: Select a region from the drop-down list.

    • Network: Select a network from the drop-down list.

  4. Click Backend configuration.

  5. Under New backend, select the instance group created in Task 1 - Create Instance Group from the Instance group drop-down list.

  6. Perform the following steps to create a Health Check:

    • Name: Enter a name for the health check.

    • (Optional) Description: Enter the description for the health check.

    • Under Scope: By default, Regional option is selected.

    • Region: Select the region from the drop-down list.

    • Protocol: Select the TCP protocol from the drop-down list.

    • Port: Enter the port number 80.

    • Proxy Protocol: By default, None option is selected.

    • Logs: By default, Off option is selected.

    • Under Health Criteria, retain the default values.

    • Click Save.

  7. Click Frontend Configuration.

  8. Under New Frontend IP and port, configure the following details:

    • (Optional) Name: Enter a name.

    • Description: Provide the description.

    • Under Protocol, in the TCP section, select a subnetwork from the drop down list.

    • Under Internal IP, in the Purpose section, by default Non-shared is selected.

    • IP address: By default, Ephemeral (Automatic) is selected.

    • Under Ports, select All option.

    • Under Global Access, by default Disable is selected.

    • Under Packet Mirroring, select Enable this load balancer for Packet Mirroring.

    • (Optional) Under Review and Finalize, review all the configured details.

    • Click Create.

  9. The Load Balancer will be created. The Health Check may show an unhealthy status, but this does not impact the packet mirroring policy.
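
The console steps in Tasks 1 to 3 can also be scripted with the gcloud CLI. The following is an added example, not part of the NetWitness documentation; the project, region, zone, network and resource names are placeholder assumptions, and with DRY_RUN=1 (the default) it only prints the commands.

```shell
#!/bin/sh
# gcloud equivalent of Tasks 1-3 (added example). Every name is a placeholder.
set -eu

PROJECT="${PROJECT:-example-project}"
REGION="${REGION:-us-central1}"
ZONE="${ZONE:-us-central1-a}"
NETWORK="${NETWORK:-example-vpc}"
SUBNET="${SUBNET:-example-subnet}"
DECODER_VM="${DECODER_VM:-example-decoder}"   # collector: the Packet Decoder VM
SOURCE_VM="${SOURCE_VM:-example-source}"      # instance whose traffic is mirrored
DIRECTION="${DIRECTION:-both}"                # both | ingress | egress
DRY_RUN="${DRY_RUN:-1}"                       # 1 = print the commands only

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

create_collector() {   # Task 1 (instance group) and Task 3 (load balancer)
  run gcloud compute instance-groups unmanaged create nw-decoder-ig --zone="$ZONE"
  run gcloud compute instance-groups unmanaged add-instances nw-decoder-ig \
      --zone="$ZONE" --instances="$DECODER_VM"
  run gcloud compute health-checks create tcp nw-decoder-hc --region="$REGION" --port=80
  run gcloud compute backend-services create nw-decoder-bs --region="$REGION" \
      --load-balancing-scheme=internal --protocol=TCP \
      --health-checks=nw-decoder-hc --health-checks-region="$REGION"
  run gcloud compute backend-services add-backend nw-decoder-bs --region="$REGION" \
      --instance-group=nw-decoder-ig --instance-group-zone="$ZONE"
  # --is-mirroring-collector = "Enable this load balancer for Packet Mirroring"
  run gcloud compute forwarding-rules create nw-decoder-fr --region="$REGION" \
      --load-balancing-scheme=internal --network="$NETWORK" --subnet="$SUBNET" \
      --backend-service=nw-decoder-bs --ports=ALL --is-mirroring-collector
}

create_policy() {      # Task 2; needs the forwarding rule, so it runs second
  case "$DIRECTION" in both|ingress|egress) ;; *) echo "bad DIRECTION" >&2; return 2 ;; esac
  run gcloud compute packet-mirrorings create nw-mirror-policy --region="$REGION" \
      --network="$NETWORK" --collector-ilb=nw-decoder-fr \
      --mirrored-instances="projects/$PROJECT/zones/$ZONE/instances/$SOURCE_VM" \
      --filter-direction="$DIRECTION"
}

create_collector
create_policy
```

Review the printed commands, then rerun with DRY_RUN=0 to apply them.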

Task 4 - Verify Packet Mirroring in GCP

  1. Go to the Packet Decoder service, click the actions icon > View > Config, and set the Capture Interface Selected parameter to the following value:

    packet_mmap_eth0(bpf)

  2. SSH to the source mirrored instance.

  3. Run the following command on the source mirrored instance:

    curl <yahoo.com>

  4. SSH to the Packet Decoder.

  5. Run tcpdump on the Packet Decoder and verify that the traffic has been mirrored.

  6. Log in to the NetWitness Platform to verify on Packet Decoder.

  7. Go to Investigate > Events and select Concentrator from the query profile drop-down menu.

  8. To verify, click Search. The search filters the domain names based on their configuration.