Deploy an AWN202 10G Sensor with mirroring

You can deploy your AWN202 10G Sensor with mirroring.

For more information about the network configuration of mirroring deployment, see Arctic Wolf Sensor mirroring deployment.

Note:
  • Some detections may not be available if sensors cannot see the relevant network traffic, including traffic flowing through different switches or unmonitored firewalls. Make sure that sensors are properly placed across all network egress points.
  • During connectivity tests, appliances may communicate with external IP addresses behind a cloud service that Arctic Wolf hosts.

These actions are required:

  • Verify that these items are in the box from Arctic Wolf®:
    • AWN202 Sensor with 10G card
      Note:

      Your sensor has a tamper-evident asset ID: AWN-12XXXXXX. Contact your Concierge Security® Team (CST) at security@arcticwolf.com if the asset ID is missing or was tampered with.

    • Three CAT6 RJ45 Ethernet cables, 2m
    • A crossover RJ45 Ethernet cable (red), 2m — Use only if needed
    • Two passive 10G Twinax cables with an SFP+ transceiver installed on each end, 2m — If 10G Twinax was ordered
    • Two LC-LC long range single-mode fiber cables, 1m — If 10G Fiber Long Range was ordered
    • Two LC-LC OM4 multi-mode fiber, duplex, jumper cables (aqua), 1m — If 10G Fiber Short Range was ordered
    • Two CAT6A Ethernet cables, 2m — If 10G Copper was ordered
    • Two SFP+ copper RJ45 30m optical transceiver modules — If 10G Copper was ordered
    • An AC30 US power cord
      Note:
      • If you are in these countries, you are shipped a country-specific power cord:
        • Australia
        • Brazil
        • China
        • European Union
        • India
        • Israel
        • Italy
        • Switzerland
        • United Kingdom
      • If you are outside of these countries, you are shipped an AC30 US power cord.
    • A set of rack ears — Use only if needed
  • Add all necessary IP addresses, ports, and services to your allowlist for full appliance functionality.
    Tip: To see the IP addresses that you must allowlist, sign in to the Arctic Wolf Unified Portal, click Resources > Allowlist Requirements, and then view the IP addresses in the section for your product.
  • If you rate-limit the appliance with Quality of Service (QoS), remove this for best performance.
  • If your firewall provides SSL/TLS inspection, do not do this inspection on the appliance management IP address.
  • If you use an application proxy or layer 7 filter on your firewall, allow outbound traffic for the appliance management IP address.

Install the hardware

  1. Install the sensor in the applicable rack location.

    If needed, use the provided rack ears.

  2. Using a CAT6 RJ45 Ethernet cable, connect the management port (port 1) on the sensor to the outbound connection on your network switch.
  3. Using the AC30 US power cord, connect the power connector on the sensor to a power source.
    Note:

    Arctic Wolf recommends that you use an uninterruptible power supply (UPS) to prevent interruptions from power surges.

  4. Turn on the sensor power.

    The power LED is green when the sensor power is on.

  5. Ping the management IP address that you provided to Arctic Wolf to verify network connectivity.
  6. Wait 15 minutes, and then make sure the status LED is green. This shows that the sensor is connected to the Arctic Wolf monitoring service.
  7. If you cannot successfully complete these steps, contact your CST at security@arcticwolf.com.

Connect the sensor for mirroring deployment

  1. Configure up to two 10G and five 1G ports as mirror ports on your switch.

    For more information, see Configure port mirroring for network devices.

  2. Create a 10G mirror port connection. Using the appropriate cable for your sensor type, connect the LAN0 port on the sensor to a mirror port on your network switch:
    • 10G copper — Use a CAT6A Ethernet cable.
    • 10G Twinax — Use a passive 10G Twinax cables with an SFP+ transceiver installed on each end.
    • 10G fiber short range — Use an LC-LC short range multi-mode fiber cable.
    • 10G fiber long range — Use an LC-LC long range single-mode fiber cable.
  3. Optional: Create an additional 10G mirror port connection. Repeat the previous step using LAN1.
  4. Optional: Create one or more 1G mirror port connections. Using a CAT6 RJ45 Ethernet cable, connect any of these ports on the sensor to a mirror port on your network switch:
    • Port 6 (LAN2)
    • Port 5 (LAN3)
    • Port 4 (LAN4)
    • Port 3 (LAN5)
    • Port 2 (LAN6)
  5. If you are configuring optional layer 3 mirroring, contact your CST at security@arcticwolf.com. Include this information:
    • LANID, IP address, and netmask of the optional LAN interface.
    • TCP/IP port, if the default port (4789) is not used for a VXLAN environment.
    • Confirmation that the management IP address and LANID IP address are not on the same subnet.
  6. Contact your CST at security@arcticwolf.com to make sure that Arctic Wolf can see your network traffic.

Configure optional layer 3 mirroring

You can configure optional layer 3 mirroring on the sensor to receive network traffic from a remote IP address to the AWN Sensor through LAN 1. This configuration allows a sensor to be deployed anywhere that supports Encapsulated Remote Switched Port Analyzer (ERSPAN).

Note:

For physical sensors, the management port IP address and lanID IP address cannot be on the same subnet.

This optional configuration requires assigning a static IP address to lanID for a physical sensor or lan0 for a virtual sensor. The sensor does not support DHCP or DHCP reservation for the LAN IP address. Contact your CST at security@arcticwolf.com to configure this option.

AWN202 10G Sensor components

Tip:

Orange callouts show mandatory connections.

Front of sensor - 10G copper or 10G Twinax

Front of sensor for 10G copper or 10G Twinax

Front of sensor - 10G fiber with bypass card

Front of sensor for 10G fiber with bypass card

Front of sensor - 10G fiber with mirroring card

Front of sensor for 10G fiber with mirroring card

Back of sensor

Back of sensor

Callout

Sensor component

Port configuration

Cable used

Connected to

A

Display screen

-

-

-

B

Console port

-

-

-

C

USB port (1 of 2)

-

-

-

D

Port 1: management port

-

CAT6 RJ45 Ethernet cable

Network switch

E

Port 2: LAN6

1G mirror

CAT6 RJ45 Ethernet cable*

(Optional) Network switch

F

Port 3: LAN5

1G mirror

CAT6 RJ45 Ethernet cable*

(Optional) Network switch

G

Port 4: LAN4

1G mirror

CAT6 RJ45 Ethernet cable*

(Optional) Network switch

H

Port 5: LAN3

1G mirror

CAT6 RJ45 Ethernet cable

(Optional) Network switch

I

Port 6: LAN2

1G mirror

CAT6 RJ45 Ethernet cable

(Optional) Network switch

J

Power LED

-

-

-

K

HDD activity LED

-

-

-

L

Status LED

-

-

-

M

Display screen navigation buttons

-

-

-

N

Reset

-

-

-

O

LAN0

10G mirror
  • If 10G copper, CAT6A Ethernet cable
  • If 10G Twinax, passive 10G Twinax cable with an SFP+ transceiver installed on each end
  • If 10G fiber short range, LC-LC short range multi-mode fiber cable
  • If 10G fiber long range, LC-LC long range single-mode fiber cable

Network switch

P

LAN1

10G mirror
  • If 10G copper, CAT6A Ethernet cable
  • If 10G Twinax, passive 10G Twinax cable with an SFP+ transceiver installed on each end
  • If 10G fiber short range, LC-LC short range multi-mode fiber cable
  • If 10G fiber long range, LC-LC long range single-mode fiber cable

(Optional) Network switch

Q

Power switch

-

-

-

R

Power connector

-

AC30 US power cord

Power source

*This cable is not provided by Arctic Wolf.