AWN101 Sensor - Mirroring Deployment
Updated Nov 10, 2023Deploy an AWN101 Sensor with port mirroring
You can deploy an AWN101 Sensor with port mirroring.
The AWN101 Sensor is an external network device that allows you to monitor network traffic. When the sensor is deployed with port mirroring, a switch sends a copy of all network packets that are seen on one port to another port.
This image provides a simplified network map of a sensor with mirroring deployment:
| Callout | Description |
|---|---|
| A | AWN101 Sensor with mirroring deployment |
| B | Management port network connection |
| C | Network switch |
| D | Firewall |
| E | Internet |
Before you begin
-
Verify that these items are in the box from Arctic Wolf®:
-
An AWN101 Sensor
Note: Your sensor has a tamper-evident asset ID: AWN-12XXXXXX. Contact your Concierge Security® Team at security@arcticwolf.com if the asset ID is missing or was tampered with.
-
Three CAT6 RJ45 Ethernet cables, 2m
-
A crossover RJ45 Ethernet cable (red), 2m - Use only if needed
-
A mini USB to USB 2.0 adapter cable, 0.5m
-
An AC30 US power cord, 2m
-
A power supply
-
A set of rack ears - Use only if needed
-
-
Add all necessary IP addresses, ports, and services to your allowlist for full AWN101 Sensor functionality.
Tip: To see the complete list of IP addresses that you must allowlist, go to the Arctic Wolf Unified Portal, and then click Help > Allowlist Requirements. The IP addresses that must be allowlisted are listed under Sensors.
-
If you rate-limit the AWN101 Sensor with Quality of Service (QoS), remove this for best performance.
-
If your firewall provides SSL/TLS inspection, do not perform this inspection on the AWN101 Sensor management IP address.
-
If you are using an application proxy or layer 7 filter on your firewall, allow outbound traffic over OpenVPN for the AWN101 Sensor management IP address.
Steps
- Set up a customer-configured appliance.
- Install the hardware.
- Connect the sensor for mirroring deployment.
Step 1: Set up a customer-configured appliance
Note: This step only applies if you selected customer-configured appliance on your onboarding form.
See Set up a customer-configured appliance for more information.
Step 2: Install the hardware
-
Install the sensor in the applicable rack location.
If needed, use the provided rack ears.
-
Using a CAT6 RJ45 Ethernet cable, connect the management port (port 4) on the sensor to the outbound connection on your network switch.
-
Connect the AC30 US power cord to the power supply.
-
Thread one end of the power supply to the AC-adapter connector on the sensor, and then plug the other end into a power source.
-
Turn on the sensor power.
The power LED is green when the sensor power is on.
-
Ping the management IP address that you provided to Arctic Wolf to check network connectivity.
-
Wait 15 minutes, and then make sure the status LED is green. This shows that the sensor is connected to the Arctic Wolf monitoring service.
-
If you cannot successfully complete these steps, contact your CST at security@arcticwolf.com.
Step 3: Connect the sensor for mirroring deployment
-
Configure up to three 1G ports on your network switch as mirror ports.
See the configuration instructions provided by your network switch manufacturer for more information:
-
Create a 1G mirror connection, using a CAT6 RJ45 Ethernet cable to connect port 3 (LAN2) on the sensor to a mirror port on your network switch.
-
(Optional) Create an additional 1G mirror connection, using a CAT6 RJ45 Ethernet cable to connect one of these sensor ports to a mirror port on your network switch:
- Port 1 (LAN0)
- Port 2 (LAN1)
Note: When connecting multiple RJ45 mirroring interfaces from the same switch to a sensor, make sure that the mirroring interfaces do not connect to the same bridge pair.
The bridge pairs for this sensor are port 1 and port 2.
-
If you are configuring optional layer 3 mirroring, contact your CST at security@arcticwolf.com. Include this information:
LAN<ID>, IP address, and netmask of the optional LAN interface.- TCP/IP port, if the default port (4789) is not used for a VXLAN environment.
- Confirmation that the management IP address and
LAN<ID>IP address are not on the same subnet.
-
Contact your CST at security@arcticwolf.com to confirm that Arctic Wolf is seeing your network traffic.
Configure optional layer 3 mirroring
You can configure optional layer 3 mirroring on the sensor to receive network traffic from a remote IP address to the AWN Sensor through LAN 1. This configuration allows a sensor to be deployed anywhere that supports Encapsulated Remote Switched Port Analyzer (ERSPAN).
Note: For physical sensors, the management port IP address and lan<ID> IP address cannot be on the same subnet.
This optional configuration requires assigning a static IP address to lan<ID> for a physical sensor or lan0 for a virtual sensor. The sensor does not support DHCP or DHCP reservation for the LAN IP address. Contact your CST at security@arcticwolf.com to configure this option.
AWN101 Sensor components
Use these diagrams to identify the components of the AWN101 Sensor:
Tip: Orange callouts show mandatory connections.
Front of sensor
Back of sensor
| Callout | Sensor component | Port configuration | Cable used | Connected to |
|---|---|---|---|---|
| A | Console port | - | Mini USB to USB 2.0 adapter cable | Computer. Only connect when sensor configuration changes are necessary. See the Serial Console User Guide for more information. |
| B | USB 3.0 port (1 of 2) | - | - | - |
| C | Port 4: Management | - | CAT6 RJ45 Ethernet cable | Network switch |
| D | Port 3: LAN2 | 1G mirror | CAT6 RJ45 Ethernet cable* | (Optional) Network switch |
| E | Port 2: LAN1 | 1G mirror | CAT6 RJ45 Ethernet cable | (Optional) Network switch |
| F | Port 1: LAN0 | 1G mirror | CAT6 RJ45 Ethernet cable | Network switch |
| G | HDD activity LED | - | - | - |
| H | Power LED | - | - | - |
| I | Status LED | - | - | - |
| J | Power button | - | - | - |
| K | AC-adapter connector | - | Power supply, and AC30 US power cord | Power source |
*This cable is not provided by Arctic Wolf.