AWN301 Sensor Mirroring Deployment
Deploy an AWN301 Sensor with port mirroring Direct link to this section
The AWN301 Sensor is an external network device that allows you to monitor network traffic. When the sensor is deployed with port mirroring, a switch sends a copy of all network packets that are seen on one port to another port.
This image provides a simplified network map of a sensor with mirroring deployment:
Callout | Description |
---|---|
A | AWN301 Sensor with mirroring deployment |
B | Management port network connection |
C | Network switch |
D | Firewall |
E | Internet |
Before you begin Direct link to this section
-
Verify that you received the following items from Arctic Wolf:
-
AWN301 Sensor
Note: Your sensor has a tamper-evident asset ID: AWN-12XXXXXX. Contact security@arcticwolf.com if the asset ID is missing or was tampered with.
-
Two CAT6 RJ45 Ethernet cables, 2m
-
Two AC30 US power cords, 2m
-
Set of rack rails
-
-
For best performance, do not rate-limit the sensor with Quality of Service (QoS).
-
If your firewall does SSL/TLS inspection, AllowList the sensor management IP address, and then check that your firewall allows outbound access from that IP address over port 443 to the necessary IP addresses.
To see the complete list of IP addresses that you must allowlist, go to the Arctic Wolf Portal, and then click Account > Arctic Wolf IP Addresses. The IP addresses that must be allowlisted are listed under If you are a Managed Detection and Response (MDR) customer.
Steps Direct link to this section
- Set up a customer-configured appliance.
- Install the hardware.
- Connect the sensor for mirroring deployment.
Step 1: Set up a customer-configured appliance Direct link to this section
Note: This step only applies if you selected customer-configured appliance on your onboarding form.
See Set up a customer-configured appliance for additional information.
Step 2: Install the hardware Direct link to this section
-
Install the sensor in the applicable rack location.
If necessary, use the provided rails.
-
Using a CAT6 RJ45 Ethernet cable, connect the management port on the sensor to the outbound connection on your network switch.
-
Using the two AC30 US power cords, connect the power connectors on the sensor to a power source.
-
Turn on the sensor power.
The system health and ID indicator is blue when the sensor power is on.
-
Ping the management IP address that you provided to Arctic Wolf to check network connectivity.
-
Wait 15 minutes, and then make sure the Status LED is green. This shows that the sensor is connected to the Arctic Wolf monitoring service.
-
If you cannot successfully complete these steps, email security@arcticwolf.com.
Step 3: Connect the sensor for mirroring deployment Direct link to this section
-
Configure up to five 1G ports on your network switch as mirror ports.
See the setup instructions provided by your network switch manufacturer for more information:
-
Create a 1G mirror connection. Using a CAT6 RJ45 Ethernet cable, connect LAN0 on the sensor to a mirror port on your network switch.
-
(Optional) Create additional 1G mirror port connections. Repeat the previous step with any of the following ports:
- LAN1
- LAN2
- LAN3
- LAN4
-
If you are configuring optional layer 3 mirroring, email security@arcticwolf.com with the following information:
LAN<ID>
, IP address, and netmask of the optional LAN interface.- TCP/IP port, if the default port (4789) is not used for a VXLAN environment.
- Confirmation that the management IP address and
LAN<ID>
IP address are not on the same subnet.
See Configure optional layer 3 mirroring for more information.
-
Email security@arcticwolf.com to confirm that Arctic Wolf is seeing your network traffic.
Configure optional layer 3 mirroring Direct link to this section
You can configure optional layer 3 mirroring on the sensor to receive network traffic from a remote IP address to the AWN Sensor through LAN 1. This configuration allows a sensor to be deployed anywhere that supports Encapsulated Remote Switched Port Analyzer (ERSPAN).
Note: For physical sensors, the management port IP address and lan<ID>
IP address cannot be on the same subnet.
This optional configuration requires assigning a static IP address to lan<ID>
for a physical sensor or lan0
for a virtual sensor. The sensor does not support DHCP or DHCP reservation for the LAN IP address. Contact your Concierge Security Team® (CST) or security@arcticwolf.com to configure this option.
AWN301 Sensor components Direct link to this section
Use these diagrams to identify the components of the AWN301 Sensor:
Tip: Orange callouts show mandatory connections.
Front of sensor
Back of sensor
Callout | Sensor component | Port configuration | Cable used | Connected to |
---|---|---|---|---|
A | System health and ID indicator | - | - | - |
B | Lock | - | - | - |
C | LCD display and navigation buttons | - | - | - |
D | Power button | - | - | - |
E | USB port | - | - | - |
F | iDRAC direct Micro USB port | - | - | - |
G | Console port | - | - | - |
H | Management port | - | CAT6 RJ45 Ethernet cable | Network switch |
I | LAN4 | 1G mirror | CAT6 RJ45 Ethernet cable* | (Optional) Network switch |
J | LAN0 | 1G mirror | CAT6 RJ45 Ethernet cable | Network switch |
K | LAN1 | 1G mirror | CAT6 RJ45 Ethernet cable* | (Optional) Network switch |
L | LAN2 | 1G mirror | CAT6 RJ45 Ethernet cable* | (Optional) Network switch |
M | LAN3 | 1G mirror | CAT6 RJ45 Ethernet cable* | (Optional) Network switch |
N | Power connector | - | AC30 US power cord | Power source |
O | Power connector | - | AC30 US power cord | Power source |
P | DB-15 VGA port | - | - | - |
Q | iDRAC9 dedicated network port | - | - | - |
R | USB 3.0 port | - | - | - |
S | USB 3.0 port | - | - | - |
T | System identification connector | - | - | - |
U | System identification button | - | - | - |
*This cable is not provided by Arctic Wolf.