Install a vSensor in a VMware vSphere environment

You can install an Arctic Wolf® Virtual Sensor (vSensor) in a VMware vSphere® environment.

Note:
  • Each virtual appliance virtual machine (VM) supports one network interface. If more network interfaces are necessary, deploy more virtual appliance VMs.
  • If you are deploying multiple virtual appliance instances, Arctic Wolf recommends that you use the same OVA file, and then complete the installation and activation process again for each virtual appliance.
  • Cloning a virtual appliance instance is not supported because it creates operational errors in the original virtual appliance and in the cloned instance.
Note:
  • Some detections may not be available if sensors cannot see the relevant network traffic, including traffic flowing through different switches or unmonitored firewalls. Make sure that sensors are properly placed across all network egress points.
  • During connectivity tests, appliances may communicate with external IP addresses behind a cloud service that Arctic Wolf hosts.

These resources are required:

  • These system resources:

    Model      Number of vCPUs   RAM     Storage
    AWNv100    2                 8 GB    40 GB
    AWNv200    8                 16 GB   40 GB
    AWNv1000   24                48 GB   40 GB

    Note: Reducing or limiting resource allocations below the specified requirements affects virtual appliance performance. If the appliance's CPU is throttled, security observations can be lost. Do not configure the Reservation, Limit, or Shares settings to throttle the appliance's CPU.
  • vSphere with vCenter 6.5 or newer

These actions are required:

  • Make sure you have the appropriate Arctic Wolf permissions to install the appliance. Contact your Concierge Security® Team (CST) at security@arcticwolf.com to identify who in your organization has these permissions.
  • Add all necessary IP addresses, ports, and services to your allowlist for full appliance functionality.
    Tip: To see the IP addresses that you must allowlist, sign in to the Arctic Wolf Unified Portal, click Resources > Allowlist Requirements, and then view the IP addresses in the section for your product.
  • If you rate-limit the appliance with Quality of Service (QoS), remove the rate limit for best performance.
  • If your firewall provides SSL/TLS inspection, exclude the appliance management IP address from that inspection.
  • If you use an application proxy or layer 7 filter on your firewall, allow outbound traffic for the appliance management IP address.

Download the vSensor image

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Resources > Downloads.
  3. In the Virtual Network Appliances section, click the VMWare/Nutanix tab.
  4. Click Download.
    Tip: If your browser downloads the OVA file in .ovf format, rename the file to change the file extension to .ova.

Deploy the vSensor

  1. Sign in to your vSphere client.
  2. Right-click your resource pool, and then select Deploy OVF Template.
  3. On the Select an OVF template page:
    1. Select Local file.
    2. Click Upload Files.
    3. Select the downloaded OVA file, and then click Open.
    4. Click Next.
  4. On the Select a name and folder page:
    1. In the Virtual machine name field, enter a name for the virtual appliance.
    2. Select the location for the virtual machine, and then click Next.
    3. Click Next.
  5. On the Select a compute resource page:
    1. Select a destination compute resource.
    2. Click Next.
  6. On the Review details page, click Next.
  7. On the Configuration page, select one of these options:
    • AWNv100 Virtual Sensor
    • AWNv200 Virtual Sensor
    • AWNv1000 Virtual Sensor
    Note: To view your available vSensor models, sign in to the MDR Dashboard, and then click Data Collection > Sensors.
  8. On the Select storage page:
    1. Optional: Select Encrypt this virtual machine. See the VMware vSphere product documentation for steps to encrypt an existing virtual machine or virtual disk.
      Tip: While optional, Arctic Wolf recommends that you encrypt the virtual appliance to make sure all data stored and flowing through the appliance has an added layer of protection.
    2. Select the storage location for the configuration and disk files.
    3. Click Next.
  9. On the Select networks page:
    1. Select the appropriate Destination Network.
      Log traffic is sent to the virtual appliance across this network.
    2. Click Next.
  10. On the Ready to complete page, click Finish.
    Note: The OVA image can take some time to upload. In the vSphere Client, on the Recent Tasks tab, you can view the progress of the upload.

Verify that the vSensor deployed correctly

  1. If the virtual appliance power is off, right-click your VM in the vSphere Client, and then click Power > Power On.
  2. Verify that the virtual appliance VM power is on.
  3. Verify that the VM IP address appears in the VM summary.
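
The same verification can be scripted, together with a check against the resource table and the CPU throttling note above. This is an added example, not Arctic Wolf code; it assumes VMware PowerCLI with an existing Connect-VIServer session, and the script name and parameters are hypothetical.

```powershell
# Check-VSensor.ps1 (hypothetical name): post-deployment check for a vSensor VM.
# Assumes VMware PowerCLI is installed and Connect-VIServer has already been run.
param(
    [Parameter(Mandatory)] [string] $VMName,   # name entered on the "Select a name and folder" page
    [Parameter(Mandatory)] [ValidateSet('AWNv100', 'AWNv200', 'AWNv1000')] [string] $Model
)

# Minimum resources per model, copied from the resource table on this page.
$table = @{
    AWNv100  = @{ vCPU = 2;  RamGB = 8;  StorageGB = 40 }
    AWNv200  = @{ vCPU = 8;  RamGB = 16; StorageGB = 40 }
    AWNv1000 = @{ vCPU = 24; RamGB = 48; StorageGB = 40 }
}
$required = $table[$Model]

$vm     = Get-VM -Name $VMName -ErrorAction Stop
$res    = Get-VMResourceConfiguration -VM $vm
$diskGB = (Get-HardDisk -VM $vm | Measure-Object -Property CapacityGB -Sum).Sum

$findings = @()

# Steps 2 and 3 of the verification procedure: power state and IP address.
if ($vm.PowerState -ne 'PoweredOn') { $findings += "VM is $($vm.PowerState), expected PoweredOn" }
if (-not $vm.Guest.IPAddress)       { $findings += 'No IP address is reported for the VM' }

# Allocations below the table values affect appliance performance.
if ($vm.NumCpu -lt $required.vCPU)    { $findings += "vCPUs: $($vm.NumCpu), required $($required.vCPU)" }
if ($vm.MemoryGB -lt $required.RamGB) { $findings += "RAM: $($vm.MemoryGB) GB, required $($required.RamGB) GB" }
if ($diskGB -lt $required.StorageGB)  { $findings += "Storage: $diskGB GB, required $($required.StorageGB) GB" }

# A throttled CPU can lose security observations. PowerCLI reports -1 when no limit is set.
if ($null -ne $res.CpuLimitMhz -and $res.CpuLimitMhz -ne -1) {
    $findings += "CPU limit is set to $($res.CpuLimitMhz) MHz; remove the limit"
}
if ($res.CpuSharesLevel -eq 'Low') {
    $findings += 'CPU shares level is Low; the appliance can be starved under contention'
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning "${VMName}: $_" }
    exit 1
}
Write-Output "${VMName}: meets the $Model requirements and has no CPU limit or Low shares level"
```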

Connect to the serial console

  1. In the vSphere web UI, right-click your VM, and then click Power > Power On.
  2. Right-click your VM, and then click Console > Open Console.

Configure the vSensor

Use the serial console to configure the vSensor. For more information on using the serial console, see Serial console.

  1. When prompted, press Enter three times to initiate the serial console session.
  2. At the Select an option to configure your management interface with prompt, select DHCP or enter a static IP address for the virtual appliance management interface.
    Note: If you select DHCP, you must use a DHCP reservation to prevent log collection and connection errors.
  3. Select Next.
  4. At the Use a proxy? prompt, do one of these actions:
    Note: Only management interface traffic over OpenVPN is sent to the proxy server.
    • If your virtual appliance management traffic goes through a proxy server, select Yes, and then configure these settings:
      • Server IP address — Enter the proxy server IP address for your appliance.
      • Server port — Enter the proxy server port.
    • If your virtual appliance management traffic does not go through a proxy server, select No.
  5. Select Next.
  6. At the Do you want to verify your network connection? prompt, select one of these options:
    • Yes

      A series of connectivity tests run. If a connectivity check fails, edit your network settings as needed, and then complete the connectivity checks again.

    • No
  7. Select Next.
  8. At the Tell us about the application you are configuring prompt, configure these settings:
    1. In the Shorthand field, enter a shorthand name for the virtual appliance.
    2. Select Mirroring.
  9. Select Next.
  10. When prompted, do one of these actions to connect the virtual appliance to Arctic Wolf:
    Note: Make sure you have the appropriate Arctic Wolf permissions to install the vSensor. You can view the permissions in the Contacts page of the Unified Portal or contact your Concierge Security® Team (CST) at security@arcticwolf.com to identify who in your organization has these permissions.
    • On a mobile device — Scan the QR code displayed in the console window, and then follow the on-screen prompts.
      Note: QR codes expire after 15 minutes. A new code appears in the console if the QR code expires.
    • In a web browser — Enter the displayed URL into the URL field, and then follow the on-screen prompts.

    After the virtual appliance successfully connects to Arctic Wolf, a prompt replaces the QR code.

Activate the vSensor

Note: Only the user who configured the vSensor can activate the vSensor.
  1. Sign in to the Arctic Wolf Unified Portal.
  2. If you are a Managed Service Provider (MSP), verify that you are viewing the correct customer organization.
  3. In the navigation menu, click Data Collection > Sensors.
  4. Find the virtual appliance that you want to activate, and then click View Sensor.
    Tip: Virtual appliances that are not activated have the Awaiting Activation status.
  5. Click Activate.
    The console displays Appliance activation in progress, please wait.
  6. If you are an MSP, select the same customer organization that you are currently viewing in the Unified Portal, and then click Activate Virtual Appliance.
    Note: To activate the virtual appliance for a different customer, switch to that customer organization before completing this step.
    The serial console displays Appliance activation in progress, please wait.
  7. In the serial console, when prompted, press Enter three times to activate the console.

Configure optional layer 3 mirroring

You can configure optional layer 3 mirroring on the sensor so that the AWN Sensor receives network traffic from a remote IP address through LAN 1. This configuration allows a sensor to be deployed anywhere that supports Encapsulated Remote Switched Port Analyzer (ERSPAN).

Note: For physical sensors, the management port IP address and lanID IP address cannot be on the same subnet.

This optional configuration requires assigning a static IP address to lanID for a physical sensor or lan0 for a virtual sensor. The sensor does not support DHCP or DHCP reservation for the LAN IP address. Contact your CST at security@arcticwolf.com to configure this option.