Deploy an AWN1000 Sensor with mirroring

You can deploy your AWN1000 Sensor with mirroring.

For more information about the network configuration of mirroring deployment, see Arctic Wolf Sensor mirroring deployment.

Note:
  • Some detections may not be available if sensors cannot see the relevant network traffic, including traffic flowing through different switches or unmonitored firewalls. Make sure that sensors are properly placed across all network egress points.
  • During connectivity tests, appliances may communicate with external IP addresses behind a cloud service that Arctic Wolf hosts.

These actions are required:

  • Verify that these items are in the box from Arctic Wolf®:
    • AWN1000 Sensor
      Note:

      Your sensor has a tamper-evident asset ID: AWN-12XXXXXX. Contact your Concierge Security® Team (CST) at security@arcticwolf.com if the asset ID is missing or was tampered with.

    • Three CAT6 RJ45 Ethernet cables, 2m
    • A crossover RJ45 Ethernet cable (red), 2m — Use only if needed
    • Two AC30 US power cords
      Note:
      • If you are in these countries, you are shipped country-specific power cords:
        • Australia
        • Brazil
        • China
        • European Union
        • India
        • Israel
        • Italy
        • Switzerland
        • United Kingdom
      • If you are outside of these countries, you are shipped AC30 US power cords.
    • A set of rack ears — Use only if needed
    • A set of rack rails
  • Add all necessary IP addresses, ports, and services to your allowlist for full appliance functionality.
    Tip: To see the IP addresses that you must allowlist, sign in to the Arctic Wolf Unified Portal, click Resources > Allowlist Requirements, and then view the IP addresses in the section for your product.
  • If you rate-limit the appliance with Quality of Service (QoS), remove this for best performance.
  • If your firewall provides SSL/TLS inspection, do not do this inspection on the appliance management IP address.
  • If you use an application proxy or layer 7 filter on your firewall, allow outbound traffic for the appliance management IP address.

Install the hardware

  1. Install the sensor in the applicable rack location.

    If needed, use the provided rack ears or rails.

  2. Using a CAT6 RJ45 Ethernet cable, connect the management port on the sensor to the outbound connection on your network switch.
  3. Using the two AC30 US power cords, connect the power connectors on the sensor to a power source.
    Note:

    Arctic Wolf recommends that you use an uninterruptible power supply (UPS) to prevent interruptions from power surges.

  4. Turn on the sensor power.

    The power LED is green when the sensor power is on.

  5. Ping the management IP address that you provided to Arctic Wolf to verify network connectivity.
  6. Verify that the sensor is connected to the Arctic Wolf monitoring service:
    1. Connect to the serial console.

      See Connect to the serial console for more information.

    2. View the sensor connectivity status.

      See View the current configuration and connectivity status for more information.

  7. If you cannot successfully complete these steps, contact your CST at security@arcticwolf.com.

Connect the sensor for mirroring deployment

  1. Configure up to eight 1G ports as mirror ports on your switch.

    For more information, see Configure port mirroring for network devices.

  2. Create a 1G mirror connection. Using a CAT6 RJ45 Ethernet cable, connect LAN4 on the sensor to a mirror port on your network switch.
  3. Optional: Create additional 1G mirror port connections. Repeat the previous step with any of these ports:
    • LAN5
    • LAN6
    • LAN7
    • LAN8
    • LAN9
    • LAN10
    • LAN11
    Note:

    When connecting multiple RJ45 mirroring interfaces from the same switch to a sensor, make sure that the mirroring interfaces do not connect to the same bridge pair.

    The bridge pairs for this sensor are: LAN4 and LAN5, LAN6 and LAN7, LAN8 and LAN9, LAN10 and LAN11.

  4. If you are configuring optional layer 3 mirroring, contact your CST at security@arcticwolf.com. Include this information:
    • LANID, IP address, and netmask of the optional LAN interface.
    • TCP/IP port, if the default port (4789) is not used for a VXLAN environment.
    • Confirmation that the management IP address and LANID IP address are not on the same subnet.
  5. Contact your CST at security@arcticwolf.com to make sure that Arctic Wolf can see your network traffic.

Configure optional layer 3 mirroring

You can configure optional layer 3 mirroring on the sensor to receive network traffic from a remote IP address to the AWN Sensor through LAN 1. This configuration allows a sensor to be deployed anywhere that supports Encapsulated Remote Switched Port Analyzer (ERSPAN).

Note:

For physical sensors, the management port IP address and lanID IP address cannot be on the same subnet.

This optional configuration requires assigning a static IP address to lanID for a physical sensor or lan0 for a virtual sensor. The sensor does not support DHCP or DHCP reservation for the LAN IP address. Contact your CST at security@arcticwolf.com to configure this option.

AWN1000 Sensor components

Use these diagrams to identify your sensor components:

Tip:

Orange callouts show mandatory connections.

Front of sensor

Front of sensor

Back of sensor

Back of sensor

Callout

Sensor component

Port configuration

Cable used

Connected to

A

Console port (RJ45)

-

-

-

B

Port 1: LAN0

10G mirror

-

-

C

Port 3: LAN1

10G mirror

-

-

D

Management port

-

CAT6 RJ45 Ethernet cable

Network switch

E

LAN4

1G mirror

CAT6 RJ45 Ethernet cable

Network switch

F

LAN5

1G mirror

CAT6 RJ45 Ethernet cable*

(Optional) Network switch

G

LAN6

1G mirror

CAT6 RJ45 Ethernet cable*

(Optional) Network switch

H

LAN7

1G mirror

CAT6 RJ45 Ethernet cable*

(Optional) Network switch

I

Reset

-

-

-

J

Power LED

-

-

-

K

HDD activity LED

-

-

-

L

Status LED

-

-

-

M

USB 3.0 port (1 of 2)

-

-

-

N

Port 2: LAN2

10G mirror

-

-

O

Port 4: LAN3

10G mirror

-

-

P

Console port (mini USB)

-

-

-

Q

LAN8

1G mirror

CAT6 RJ45 Ethernet cable*

(Optional) Network switch

R

LAN9

1G mirror

CAT6 RJ45 Ethernet cable*

(Optional) Network switch

S

LAN10

1G mirror

CAT6 RJ45 Ethernet cable*

(Optional) Network switch

T

LAN11

1G mirror

CAT6 RJ45 Ethernet cable*

(Optional) Network switch

U

ESD jack

-

-

-

V

Grounding post

-

-

-

W

Alarm mute button

-

-

-

X

Power switch

-

-

-

Y

Power connector

-

AC30 US power cord

Power source

Z

Power connector

-

AC30 US power cord

Power source

*This cable is not provided by Arctic Wolf.