AWN1000 40G Sensor Mirroring Deployment

Updated Aug 11, 2023

Deploy an AWN1000 40G Sensor with port mirroring
- Before you begin
- Steps
Configure optional layer 3 mirroring
AWN1000 40G Sensor components

Deploy an AWN1000 40G Sensor with port mirroring

The AWN1000 40G Sensor is an external network device that allows you to monitor network traffic. When the sensor is deployed with port mirroring, a switch sends a copy of all network packets that are seen on one port to another port.

This image provides a simplified network map of a sensor with mirroring deployment:

Network with mirroring deployment

Callout	Description
A	AWN1000 40G Sensor with mirroring deployment
B	Management port network connection
C	Network switch
D	Firewall
E	Internet

Before you begin

Verify that you received the following items from Arctic Wolf:
- AWN1000 Sensor with 40G card
  
  Note: Your sensor has a tamper-evident asset ID: AWN-12XXXXXX. Contact security@arcticwolf.com if the asset ID is missing or was tampered with.
- Three CAT6 RJ45 Ethernet cables, 2m
- Crossover RJ45 Ethernet cable (red), 2m — Use only if needed
- Two passive 40G Twinax DAC cables with a QSFP+ transceiver installed on each end, 1m — If 40G Twinax was ordered
- Two LC-LC single-mode fiber cables — If 40G Fiber Long Range was ordered
- Two MPO OM3 multi-mode fiber cables — If 40G Fiber Short Range was ordered
- Two AC30 US power cords, 2m
- Set of rack ears — Use only if needed
- Set of rack rails
Add all necessary IP addresses, ports, and services to your allowlist for full AWN1000 40G Sensor functionality.

Tip: To see the complete list of IP addresses that you must allowlist, go to the Arctic Wolf Unified Portal, and then click Help > Allowlist Requirements. The IP addresses that must be allowlisted are listed under Sensors.
If you rate-limit the AWN1000 40G Sensor with Quality of Service (QoS), remove this for best performance.
If your firewall provides SSL/TLS inspection, do not perform this inspection on the AWN1000 40G Sensor management IP address.
If you are using an application proxy or layer 7 filter on your firewall, allow outbound traffic over OpenVPN for the AWN1000 40G Sensor management IP address.

Steps

Set up a customer-configured appliance.
Install the hardware.
Connect the sensor for mirroring deployment.

Step 1: Set up a customer-configured appliance

Note: This step only applies if you selected customer-configured appliance on your onboarding form.

See Set up a customer-configured appliance for additional information.

Step 2: Install the hardware

Install the sensor in the applicable rack location.

If necessary, use the provided rack ears or rails.
Using a CAT6 RJ45 Ethernet cable, connect the management port on the sensor to the outbound connection on your network switch.
Using the two AC30 US power cords, connect the power connectors on the sensor to a power source.
Turn on the sensor power.

The Power LED is green when the sensor power is on.
Ping the management IP address that you provided to Arctic Wolf to check network connectivity.
Make sure the sensor is connected to the Arctic Wolf monitoring service:
1. Install the drivers for your sensor.
  
  See Console session drivers for all other appliances for more information.
2. Connect to the serial console.
  
  See Connect to the serial console for more information.
3. View the sensor connectivity status.
  
  See View the current configuration and connectivity status for more information.
If you cannot successfully complete these steps, email security@arcticwolf.com.

Step 3: Connect the sensor for mirroring deployment

Note: Make sure the ports are clean before connecting the cables. The ports are sensitive to dust.

Configure up to two 40G and eight 1G ports on your network switch as mirror ports.

See the setup instructions provided by your network switch manufacturer for more information:
Note: The aggregate throughput of all ports cannot exceed 10G.
Create a 40G mirror port connection. Using the appropriate cable and port for your sensor type, connect LAN12 on the sensor to a mirror port on your network switch:
- 40G Twinax — Passive Twinax 40G DAC cable with a QSFP+ transceiver installed on each end.
- 40G fiber long range — LC-LC single-mode fiber cable.
- 40G fiber short range — MPO OM3 multi-mode fiber cable.
(Optional) Create an additional 40G mirror port connection. Repeat the previous step using LAN13.
(Optional) Create 1G mirror port connections. Using a CAT6 RJ45 Ethernet cable, connect any of the following ports on the sensor to a mirror port on your network switch:
- LAN4
- LAN5
- LAN6
- LAN7
- LAN8
- LAN9
- LAN10
- LAN11
If you are configuring optional layer 3 mirroring, email security@arcticwolf.com with the following information:
- LAN<ID>, IP address, and netmask of the optional LAN interface.
- TCP/IP port, if the default port (4789) is not used for a VXLAN environment.
- Confirmation that the management IP address and LAN<ID> IP address are not on the same subnet.
See Configure optional layer 3 mirroring for more information.
Email security@arcticwolf.com to confirm that Arctic Wolf is seeing your network traffic.

Configure optional layer 3 mirroring

You can configure optional layer 3 mirroring on the sensor to receive network traffic from a remote IP address to the AWN Sensor through LAN 1. This configuration allows a sensor to be deployed anywhere that supports Encapsulated Remote Switched Port Analyzer (ERSPAN).

Note: For physical sensors, the management port IP address and lan<ID> IP address cannot be on the same subnet.

This optional configuration requires assigning a static IP address to lan<ID> for a physical sensor or lan0 for a virtual sensor. The sensor does not support DHCP or DHCP reservation for the LAN IP address. Contact your Concierge Security Team® (CST) or security@arcticwolf.com to configure this option.

AWN1000 40G Sensor components

Use these diagrams to identify the components of the AWN1000 40G Sensor:

Tip: Orange callouts show mandatory connections.

Front of sensor

AWN1000 40G Sensor

Back of sensor

AWN1000 40G Sensor

Callout	Sensor component	Port configuration	Cable used	Connected to
A	Console port (RJ45)	-	-	-
B	Port 1: LAN0	10G mirror	-	-
C	Port 3: LAN1	10G mirror	-	-
D	Management port	-	CAT6 RJ45 Ethernet cable	Network switch
E	LAN4	1G mirror	CAT6 RJ45 Ethernet cable	(Optional) Network switch
F	LAN5	1G mirror	CAT6 RJ45 Ethernet cable	(Optional) Network switch
G	LAN6	1G mirror	CAT6 RJ45 Ethernet cable*	(Optional) Network switch
H	LAN7	1G mirror	CAT6 RJ45 Ethernet cable*	(Optional) Network switch
I	Reset	-	-	-
J	Power LED	-	-	-
K	HDD activity LED	-	-	-
L	Status LED	-	-	-
M	USB 3.0 port (1 of 2)	-	-	-
N	Port 2: LAN2	10G mirror	-	-
O	Port 4: LAN3	10G mirror	-	-
P	Console port (mini USB)	-	-	-
Q	LAN8	1G mirror	CAT6 RJ45 Ethernet cable*	(Optional) Network switch
R	LAN9	1G mirror	CAT6 RJ45 Ethernet cable*	(Optional) Network switch
S	LAN10	1G mirror	CAT6 RJ45 Ethernet cable*	(Optional) Network switch
T	LAN11	1G mirror	CAT6 RJ45 Ethernet cable*	(Optional) Network switch
U	LAN12	40G mirror	If 40G Twinax, passive 40G Twinax DAC cable with a QSFP+ transceiver installed on each end If 40G fiber long range, LC-LC single-mode fiber cable If 40G fiber short range, MPO OM3 multi-mode fiber cable	Network switch
V	LAN13	40G mirror	If 40G Twinax, passive 40G Twinax DAC cable with a QSFP+ transceiver installed on each end If 40G fiber long range, LC-LC single-mode fiber cable If 40G fiber short range, MPO OM3 multi-mode fiber cable	(Optional) Network switch
W	ESD jack	-	-	-
X	Grounding post	-	-	-
Y	Alarm mute button	-	-	-
Z	Power switch	-	-	-
AA	Power connector	-	AC30 US power cord	Power source
AB	Power connector	-	AC30 US power cord	Power source

*This cable is not provided by Arctic Wolf.