PE - Configure Packet Engine
Security/Monitoring Configure Packet Engine
Configure Packet Engine
Selecting Overview → Manage → Security/Monitoring → Configure Packet Engine displays the Packet Engine dashboard.
When dashboard initially loads you are presented with the following if no Packet Engines are configured:
Manage Security/Monitoring Packet Engine Dashboard
A Packet Engine is added by clicking Add Packet Engine and entering the required information.
Clicking Add initiates the function and returns a notification of success or failure and reason.
Adding a Packet Engine
To add a packet engine, click Add Packet Engine to display the Add Packet Engine dialog box.
Manage Security/Monitoring Add Packet Engine
Enter the Server Name, Host Name/IP and Port.
Click Fetch to obtain a list of Ethernet adapters available.
Enter the interface number, IP address and Name for the switch and click the icon.
NOTE: Username and Password are only required for Remote PCAP and should not be entered.
Click ADD to continue with adding the Packet Engine or Cancel to return to the previous screen without adding a Packet Engine.
When added, the dashboard displays the Ethernet interface address and the assigned name of the packet capture agent, the IP address of the packet capture engine along with the port number – 8080 and the Ethernet adapter number and IP address of the UNUM host.
Manage Security/Monitoring Add Packet Engine
The following is an example of a populated packet capture engine configuration screen with multiple interfaces.
Manage Security/Monitoring Add Packet Engine Example
When the new packet engine is added, it is displayed on the dashboard.
Manage Security/Monitoring Added Packet Engine Example
Deleting Packet Engine Files
You delete a Packet Engine using the icon on the dashboard.
Manage Security/Monitoring Delete Packet Engine
Clicking on Keep File will delete the PCAP agent data from the database. Clicking on OK will remove both the data from the database and delete the file.
Third Party Tools
Installed third party packet capture tools are listed in the dashboard and additional third-party tools are added by clicking on the Add Third Party Tool link.
Manage Security/Monitoring Packet Engine Add Third Party Tools
Enter the Server Name along with the Ethernet adapter interface number, the IP address and a name for the packet capture tool.
Click to add the field to the dashboard and when complete click Add.
For example, Server Name = “Colossus”, Interface = “eth2”, IP Address = “10.9.8.118” and Name = “Forbin”
Manage Security/Monitoring Packet Engine Add Third Party Tools Example
And, clicking Add, adds the third-party tool to the dashboard.
Manage Security/Monitoring Packet Engine Third Party Tools Added
Packet Engines can either be a packet capture endpoint controlled by UNUM or a Third-Party Tool.
Note: There is no management of any third-party tool, it is the responsibility of the user to manually upload any PCAP files generated by this third-party tool into UNUM.
Packet Engine Search Function
You can easily search and filter multiple Packet Engine entries using the Filter By: feature in the dashboard. Begin by typing search or filter criteria and the dashboard automatically updates as shown in the example below:
Manage Security/Monitoring Packet Engine Search Filter Function
Using a Remote PCAP Agent
It is assumed all nodes, including the Elasticsearch node, the pcap-agent node and UNUM are behind a firewall and on a trusted network with trusted communications between nodes and therefore do not need to be encrypted, thus authentication is unnecessary.
As stated above UNUM and any additional nodes including pcap-agent are deployed in a private trusted network. The pcap-agents including any remote pcap-agents must have a network interface on the same UNUM network so that it is reachable by UNUM. The other interfaces may be on different networks for capturing packets.
The remote node provisioned as a remote PCAP engine must be installed using the same OVA image. Only OVA deployment and provisioning is supported. Provisioning on a bare metal server is not supported.
You need to specify IP, username, password and check the sudo user option otherwise Remote PCAP does not work.
After the remote node is up, all UNUM services start by default. You provision the remote node from the UNUM User Interface which stops any running UNUM services and re-launches only the PCAP Engine service with configurations pushed from UNUM.
You add a PCAP Engine with the IP of the additional OVA. An internal script modifies the second OVA into a remote PCAP engine when you add the packet engine.
Manage Security/Monitoring Packet Engine Remote PCAP Agent Connected
Running the command "docker ps" on the remote machine console returns:
Manage Security/Monitoring Packet Engine Remote PCAP Agent Running on Remote Machine