1. Presentation
GCAP is the probe enabling the capturing of network flows. It enables generating alerts, providing metadata on the various protocols, and reconstructing the captured files. This data is then transmitted to the GCenter in order to continue the analysis of the elements, and to enrich and make available the information generated.
More information on GCAP is available in its documentation.
2. Pairing
2.1. Add a GCAP
Menu: Administrators > GCAP Pairing/Status
In order for TRACKWATCH equipment to interact, a GCAP probe must first be added.
Pairing enables configuring the IPSec tunnel between the GCAP and the GCENTER.
It is necessary to fill in the Fully Qualified Domain Name (FQDN) field (Example: 'GCAPname.domain.com') in the Pair a new object section.
After that, you must press the Start pairing button to initiate the process.
This operation will generate an OTP on the GCENTER web interface. This must be filled in on the GCAP probe in order to successfully pair the devices.
The GCENTER's Fully Qualified Domain Name field is used to verify the certificates of the tunnel and network connection being established.
The GCENTER's SSH fingerprint enables you to ensure that the GCAP is communicating with the correct GCENTER. This is the GCENTER fingerprint. This process is described in more detail in the GCAP documentation.
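The fingerprint check above follows the usual OpenSSH convention: the fingerprint shown by one side is the hash of the peer's public key, and the operator compares it with the value computed from the key actually presented. The following script is an added illustration of that comparison, written for this page rather than taken from GCAP or GCENTER code; the key bytes and the hostname comment are constructed placeholders, not a real GCENTER key.

```python
import base64
import hashlib
import hmac


def _ssh_string(data: bytes) -> bytes:
    """Encode a byte string in the SSH wire format (4-byte big-endian length + data)."""
    return len(data).to_bytes(4, "big") + data


# Constructed sample key: 32 arbitrary bytes packed as an ssh-ed25519 public key blob.
# This is NOT a real key; it only gives the functions below something to hash.
_SAMPLE_KEY_BYTES = bytes(range(32))
_SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(_SAMPLE_KEY_BYTES)
SAMPLE_PUBKEY_LINE = (
    "ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode() + " gcenter.example.invalid"
)


def _key_blob(pubkey_line: str) -> bytes:
    """Extract the base64-decoded key blob from a '<type> <base64> [comment]' line."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    return base64.b64decode(parts[1])


def sha256_fingerprint(pubkey_line: str) -> str:
    """Return the OpenSSH-style fingerprint 'SHA256:<base64 digest without padding>'."""
    digest = hashlib.sha256(_key_blob(pubkey_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def md5_fingerprint(pubkey_line: str) -> str:
    """Return the legacy OpenSSH fingerprint 'MD5:aa:bb:...' for tools that still show it."""
    digest = hashlib.md5(_key_blob(pubkey_line)).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(displayed: str, pubkey_line: str) -> bool:
    """Compare the fingerprint shown in the web interface with the one computed from the
    public key the peer presented. Both SHA256 and MD5 display formats are accepted;
    the comparison is constant-time so the check itself leaks nothing about the value."""
    shown = displayed.strip()
    if shown.startswith("SHA256:"):
        expected = sha256_fingerprint(pubkey_line)
    elif shown.startswith("MD5:"):
        expected = md5_fingerprint(pubkey_line)
    else:
        return False
    return hmac.compare_digest(expected.encode(), shown.encode())


if __name__ == "__main__":
    fp = sha256_fingerprint(SAMPLE_PUBKEY_LINE)
    print("computed:", fp)
    print("match with itself:", fingerprint_matches(fp, SAMPLE_PUBKEY_LINE))
    print("match with wrong value:", fingerprint_matches("SHA256:AAAA", SAMPLE_PUBKEY_LINE))
```

If the value shown in the GCENTER interface and the value computed from the key the GCAP actually received differ, the pairing should be stopped and investigated rather than completed, since the mismatch means the probe is not talking to the expected GCENTER.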
Once the pairing process is complete, it is possible to check via the GCENTER interface if the linkage was successful.
The Online, Undetermined, and Offline statuses identify the status of the VPN link:
Undetermined: the client-side VPN is in an unknown status with respect to the GCENTER.
Offline: the client-side VPN is disconnected from the GCENTER.
Online: the client-side VPN is paired with the GCENTER.
Diagnostic statuses are available from the 'VPN' tab so that the administrator can quickly verify the correct association.
2.2. Re-pairing a GCAP
Menu: Administrators > GCAP Pairing/Status
If necessary, a GCAP can be re-paired to the GCenter.
To do this, simply click on Pair again and repeat the same process to pair the probe with the GCENTER.
The administrator must tick the 'Are you sure?' box before validating the procedure.
2.3. Delete a GCAP
Menu: Administrators > GCAP Pairing/Status
It is possible to remove a GCAP from the management platform using the Delete button.
The administrator must tick the 'Are you sure?' box before validating the procedure.
This will remove all data relating to the GCAP pairing, such as certificates and configuration. Any logs, metadata or alerts generated in the past and indexed in Elasticsearch will not be modified.
3. Configuration
3.1. Details of a GCAP
Menu: Administrators > GCAP Pairing/Status
Once the VPN tunnel is in the Online status, it is possible to access information pertaining to the GCAP probe.
This table enables you to easily view the status of all GCAP probes associated with the GCENTER.
Hostname (FQDN): The fully qualified name of the probe.
Last rule update (UTC): corresponds to the time stamp, in UTC and in the format [year-month-day hh:mm:ss], of the most recent update of the Sigflow engine signature rules.
Version: corresponds to the software release (Example: '_2-5-3~_prod') of the GCAP detection probe.
The Info column provides more information on the GCAP probe, thanks to the Details button.
Network, system and Sigflow engine acquisition data are sent to the GCENTER. The administrator has real-time access to the monitoring of the elements of the GCAP capture probe, including hard drive throughput, processor, memory, network traffic and network interfaces.
The following metrics are reported:
Metric | Commentary |
---|---|
Uptime | |
CPU Usage | |
Load | |
Memory Used | |
Swap Usage | |
gcp0 In | |
gcp0 Out | |
gcp1 In | |
gcp1 Out | |
monX In | |
monX Drop in | |
monX Error in | |
monX Pckts In | |
Suricata Running Status | 1 - OK / 0 - NOK |
Alerts | |
Sessions | |
Applied | Number of rules applied |
Kernel pkts received | |
Kernel pkts dropped | |
Codebreaker Powershell | |
Failed | Number of erroneous rules |
Filtered pkts | |
Filtered bytes | |
Codebreaker plain shellcode | |
Reconstructed files | |
Sent Files | |
Codebreaker encoded shellcode | |
Protocol flows (section) | Number of new flows per minute for each protocol |
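A few of the metrics in this table are the ones an administrator would watch to decide whether a probe is still capturing and detecting correctly: Suricata Running Status (1 OK / 0 NOK), Failed (erroneous rules), kernel packet drops relative to packets received, and the per-interface monX Drop in / Error in counters. The script below is an added example, not Gatewatcher code, that applies such checks to readings keyed by the metric names above. The two sample readings are constructed, and the drop-ratio threshold and the "any swap use is worth a look" rule are assumptions chosen for the example, not values from the product.

```python
from typing import Dict, List

# Constructed sample readings keyed by the metric names of the table above.
# Values are invented for the example; they are not measurements from a real probe.
HEALTHY_PROBE: Dict[str, float] = {
    "Suricata Running Status": 1,
    "Applied": 41230,
    "Failed": 0,
    "Kernel pkts received": 5_000_000,
    "Kernel pkts dropped": 1_200,
    "mon0 Drop in": 0,
    "mon0 Error in": 0,
    "Swap Usage": 0.0,
}

DEGRADED_PROBE: Dict[str, float] = {
    "Suricata Running Status": 0,
    "Applied": 40900,
    "Failed": 330,
    "Kernel pkts received": 5_000_000,
    "Kernel pkts dropped": 600_000,
    "mon0 Drop in": 25_000,
    "mon0 Error in": 3,
    "Swap Usage": 45.0,
}


def check_probe(metrics: Dict[str, float], max_drop_ratio: float = 0.01) -> List[str]:
    """Return a list of human-readable findings for one probe's metric readings.
    An empty list means nothing looked wrong. max_drop_ratio (1% by default) is an
    assumed threshold for kernel drops, not a value taken from the product."""
    findings: List[str] = []

    # Detection engine state: 1 means OK, 0 means NOK (see the table).
    if metrics.get("Suricata Running Status") != 1:
        findings.append("Suricata engine not running (status NOK)")

    # Rules that failed to load reduce coverage silently unless someone looks.
    failed = metrics.get("Failed", 0)
    if failed > 0:
        findings.append(f"{int(failed)} rule(s) failed to load")

    # Kernel drops mean traffic reached the host but was never inspected.
    received = metrics.get("Kernel pkts received", 0)
    dropped = metrics.get("Kernel pkts dropped", 0)
    if received and dropped / received > max_drop_ratio:
        findings.append(
            f"kernel drop ratio {dropped / received:.1%} exceeds {max_drop_ratio:.1%}"
        )

    # Per-capture-interface counters: any drop or error on a monX interface is a gap.
    for name, value in metrics.items():
        iface = name.split()[0]
        if name.endswith(" Drop in") and value > 0:
            findings.append(f"{iface}: {int(value)} packets dropped on capture interface")
        elif name.endswith(" Error in") and value > 0:
            findings.append(f"{iface}: {int(value)} receive errors on capture interface")

    # Assumed rule: a capture probe swapping at all is worth investigating.
    if metrics.get("Swap Usage", 0) > 0:
        findings.append(f"swap in use ({metrics['Swap Usage']}%)")

    return findings


if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY_PROBE), ("degraded", DEGRADED_PROBE)):
        print(f"{label}: {check_probe(sample) or ['no findings']}")
```

Because the checks are keyed on the metric names, a reading containing only some of the counters (for example a probe with a single mon0 interface) is handled without special cases; the interface loop simply reports whichever monX counters are present.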
3.2. Set a default profile
Menu: Administrators > GCAP Pairing/Status
The default profiles are sets of values for Base variables and Files rules management.
Several profiles are available depending on the current security requirements:
Minimal: the minimal configuration.
Balanced: the configuration recommended by Gatewatcher.
MPL: the configuration required in MPL mode.
Paranoid: all parameters are activated.
Intuitio: Configuration for the NDR.
Updating the default profile does not change the settings of GCAPs that are already paired.