2.2.5. Capture and monitoring interfaces: single-tenant vs. multi-tenant

2.2.5.1. GCap detection engine and rules

SIGFLOW is the name of the GCap detection engine configured:

  • By a set of rules (RULESET) defined on the GCenter

  • By locally defined rules, therefore not known to the GCenter

These rules must describe the characteristics of the attacks to be detected as well as being optimised to reduce false positives.
The set of rules is composed of signatures grouped by categories that were provided by sources.
This compilation is done by the administrator on the GCenter. Therefore, it can be configured differently depending on the number of GCap and their specifications.


2.2.5.1.1. CLI commands

The ability to view and create local rules is handled differently depending on the configuration.
For more information on rules, see the table Managing the detection engine (advanced functions).


2.2.5.2. Transferring the rule set in single-tenant mode

2.2.5.2.1. Single-tenant principle

Once configured on GCenter, a single set of rules (RULESET) is sent to the GCap detection engine.
The GCap detection engine applies this ruleset to all capture interfaces: this is the single-tenant configuration.

Sigflow rules in single-tenant


2.2.5.2.2. Configuring the single-tenant mode

In the GCenter web interface, in the SIGFLOW - GCaps Profiles > Detection rulesets part, the default option is single-tenant.


2.2.5.3. Transferring the SIGFLOW rule set in multi-tenant mode

2.2.5.3.1. Multi-tenant principle

Once configured on GCenter, it is possible to define a different set of SIGFLOW rules for each of the capture interfaces.
Then each of these rulesets will be applied to its capture interface: this is the multi-tenant configuration.

Sigflow rules in multi-tenant

In contrast to single-tenant, multi-tenant will enable optimising resources and costs while simplifying the process of managing detection rules per environment.
The flexibility of the architecture enables efficient refinement of detection rules, easier isolation of threats, and customisation of capture.


2.2.5.3.2. Configuring the multi-tenant mode

In the GCenter web interface, in the SIGFLOW - GCaps Profiles > Detection rulesets part, the default option is single-tenant.
It is also possible to choose two other options:

  • 'Multi-tenant by interface' or

  • 'Multi-tenant by VLAN'

In the event one of these options is selected, it offers the possibility to assign different SIGFLOW rulesets for:

  • Each of the GCap interfaces or

  • For the various VLAN's...

... and thus have a different supervision on various networks.

It is strongly advisable to optimise the SIGFLOW ruleset in advance before choosing this configuration option.
The rules must be adapted to the monitored environment.
This version of GCap enables compatibility with GCenter.