
vSensor Installation in an AWS Environment

Updated Apr 4, 2024

Install a vSensor in an AWS environment

Notes:

  • vSensor does not support auto-scaling in AWS.

  • An Amazon EC2 instance supports 10 mirror sessions for each vSensor. If you require more than 10 mirror sessions for each vSensor, contact your Concierge Security® Team at security@arcticwolf.com to discuss the implementation of an AWS Network Load Balancer.

    See Traffic Mirroring limitations and quotas for more information.

You can install an Arctic Wolf® Virtual Sensor (vSensor) using the Amazon Web Services (AWS)® web console.

Before you begin

Steps

  1. Provide your AWS account IDs to Arctic Wolf.
  2. Create a vSensor instance.
  3. Configure network settings for the vSensor instance.
  4. Configure security group rules for the vSensor instance.
  5. Configure a second network interface for the vSensor instance.
  6. Launch and verify the EC2 instance.
  7. Configure the vSensor.
  8. Activate the vSensor.
  9. Obtain the Elastic Network Interface ID.
  10. Create a target group for the network load balancer.
  11. Deploy a network load balancer.
  12. Add a vSensor to a network load balancer.
  13. Create the traffic mirror target.
  14. Create the traffic mirror filter.
  15. Create the traffic mirror session.

Step 1: Provide your AWS account IDs to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.

  2. Click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, in the Account Type list, select Cloud Detection and Response.

  5. In the Search Services field, enter appliance.

  6. Click vSensor AMI.

  7. On the Add Account page, configure these settings:

    • Account Name — Enter a unique and descriptive name for the account.
    • Account ID — Enter the AWS account number.
  8. Click Test and Submit Credentials.

Note: It can take up to 24 hours for the vSensor AMI to become visible.

Step 2: Create a vSensor instance

  1. Sign in to the AWS console.

  2. In the Amazon Machine Images (AMI) section, click Arctic Wolf Appliance-<version>.

  3. Click Launch Instance from AMI.

  4. In the Name and tags section, enter a name for the instance.

  5. In the Application and OS Images (Amazon Machine Image) section, keep the default settings.

  6. In the Key pair (login) section, click Proceed without a key pair.

  7. In the Configure storage section, keep the default settings, unless you require more storage.

  8. In the Advanced details section, for Termination Protection, select the Enable checkbox.

  9. Click Save.

  10. In the Instance Type section, based on the type of vSensor you are installing, configure the appropriate value:

    • AWNv100 sensor — r5.large
    • AWNv200 sensor — c5n.2xlarge
    • AWNv1000 sensor — c5n.9xlarge

Step 3: Configure network settings for the vSensor instance

  1. In the AWS console, in the Network settings section, click Edit.
  2. Configure these settings:
    • VPC — The VPC to deploy the instance in.

    • Subnet — The subnet to deploy the instance in.

      Notes:

      • The private or public subnet option depends on your network. Arctic Wolf recommends that you use a private subnet.
      • Do not select No preference.
    • Auto-assign public IP — Select one of these options:

      • Enable
      • Disable — If you use a private subnet or if your environment requires you to enter a specific IP address.

Step 4: Configure security group rules for the vSensor instance

Note: vSensor does not support deployments that receive mirrored traffic from other VPCs, for example, deployments that use a Gateway Load Balancer. See the official AWS documentation for more information.

  1. Find the Firewall (security groups) section.

  2. Do one of these actions:

    • To use an existing security group — Select Select an existing security group, select the appropriate security group, and then continue to Configure a second network interface for the vSensor instance.

      Tip: Arctic Wolf recommends that you create a new security group to avoid granting more permissions than necessary. However, you can use an existing security group if it has the required rules configured.

    • To create a new security group — Select Create a new security group, and then continue to the next step.

  3. Remove default security rules.

  4. In the Security group name section, enter a name for the security group.

  5. In the Description section, enter a description for the security group.

  6. Add rules to enable:

    • All outgoing traffic

      Note: There could be a rule allowing all outgoing traffic by default.

    • Incoming traffic from the addresses or subnets of the log sources to be ingested by the vSensor on these network ports, as applicable for the environment:

      • UDP port 514 for plaintext syslogs over UDP
      • TCP port 514 for plaintext syslogs over TCP
      • TCP port 6514 for TLS-encrypted syslogs
      • TCP port 9081 for logs in the Bluecoat SG format
    • Incoming traffic on UDP port 4789 for the VXLAN protocol, used by these traffic mirror targets:

      • EC2 network interface
      • AWS Network Load Balancer
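The rule list above is short, so it is easy to check a group against it mechanically before launching. The following is an added example, not Arctic Wolf's tooling: it audits a security group dict shaped like the EC2 API's describe-security-groups output (IpPermissions / IpPermissionsEgress) against the Step 4 rules, flagging missing listeners, required listeners left open to 0.0.0.0/0 instead of the log-source ranges, surplus rules such as a leftover SSH entry, and a missing all-outbound rule. The sample groups, the 10.20.0.0/16 log-source subnet and the sg-EXAMPLE ids are constructed.

```python
"""Audit an EC2 security group against the inbound and outbound rules the
procedure above asks for. Added example, not Arctic Wolf's tooling: the rule
list is taken from the page, the input dict mimics the shape of the EC2 API's
describe-security-groups output (IpPermissions / IpPermissionsEgress), and the
sample groups below are constructed for illustration."""
from dataclasses import dataclass

# (protocol, port) -> purpose, exactly as listed in Step 4.
REQUIRED_INBOUND = {
    ("udp", 514): "plaintext syslog over UDP",
    ("tcp", 514): "plaintext syslog over TCP",
    ("tcp", 6514): "TLS-encrypted syslog",
    ("tcp", 9081): "Bluecoat SG format logs",
    ("udp", 4789): "VXLAN from the traffic mirror target",
}
WIDE_OPEN = {"0.0.0.0/0", "::/0"}


@dataclass
class Finding:
    severity: str   # "missing" | "wide_open" | "unexpected" | "egress"
    detail: str


def _rows(perm):
    """Flatten one IpPermission into (protocol, from_port, to_port, cidr) rows.
    IpProtocol "-1" means all protocols; AWS then omits the port fields."""
    proto = perm.get("IpProtocol")
    lo = perm.get("FromPort", 0 if proto == "-1" else -1)
    hi = perm.get("ToPort", 65535 if proto == "-1" else -1)
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [(proto, lo, hi, c) for c in cidrs]


def _covers(row, proto, port):
    rproto, lo, hi, _ = row
    return rproto in (proto, "-1") and lo <= port <= hi


def audit_vsensor_security_group(sg):
    """Return a list of Findings; an empty list means the group matches Step 4."""
    rows = [r for p in sg.get("IpPermissions", []) for r in _rows(p)]
    findings = []

    # 1. Every required listener must be reachable, and only from the log-source
    #    ranges, not from the whole internet.
    for (proto, port), purpose in REQUIRED_INBOUND.items():
        matches = [r for r in rows if _covers(r, proto, port)]
        if not matches:
            findings.append(Finding("missing", f"no inbound rule for {proto}/{port} ({purpose})"))
        for r in matches:
            if r[3] in WIDE_OPEN:
                findings.append(Finding("wide_open",
                    f"{proto}/{port} ({purpose}) is open to {r[3]}; restrict it to log-source addresses"))

    # 2. Anything that is not exactly one of the required single-port rules is
    #    surplus permission (leftover SSH rules, broad port ranges, all-traffic).
    for proto, lo, hi, cidr in rows:
        if not (lo == hi and (proto, lo) in REQUIRED_INBOUND):
            findings.append(Finding("unexpected",
                f"inbound {proto} {lo}-{hi} from {cidr} is not in the vSensor rule list"))

    # 3. The procedure requires all outgoing traffic to be allowed.
    egress_all = any(p.get("IpProtocol") == "-1" and "0.0.0.0/0" in [r[3] for r in _rows(p)]
                     for p in sg.get("IpPermissionsEgress", []))
    if not egress_all:
        findings.append(Finding("egress", "no rule allowing all outbound traffic"))
    return findings


def _perm(proto, port, cidr):
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port, "IpRanges": [{"CidrIp": cidr}]}


LOG_SOURCES = "10.20.0.0/16"   # constructed: the subnet the log sources live in
EGRESS_ALL = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]

# Constructed sample: TLS syslog rule forgotten, TCP syslog left open to the
# world, and a leftover SSH rule that vSensor does not need.
SAMPLE_SG = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        _perm("udp", 514, LOG_SOURCES),
        _perm("tcp", 514, "0.0.0.0/0"),
        _perm("tcp", 9081, LOG_SOURCES),
        _perm("udp", 4789, LOG_SOURCES),
        _perm("tcp", 22, "0.0.0.0/0"),
    ],
    "IpPermissionsEgress": EGRESS_ALL,
}

# Constructed sample that follows Step 4 exactly.
COMPLIANT_SG = {
    "GroupId": "sg-EXAMPLE2",
    "IpPermissions": [_perm(p, port, LOG_SOURCES) for (p, port) in REQUIRED_INBOUND],
    "IpPermissionsEgress": EGRESS_ALL,
}

if __name__ == "__main__":
    for f in audit_vsensor_security_group(SAMPLE_SG):
        print(f"[{f.severity}] {f.detail}")
```

Run against SAMPLE_SG the audit reports the missing TCP 6514 rule, the TCP 514 rule open to 0.0.0.0/0, and the surplus SSH rule; COMPLIANT_SG produces no findings. The port-range check is deliberately strict (single-port rules only) because the procedure lists exact ports, so a broad range such as TCP 0-65535 is reported as surplus even though it technically covers the required listeners.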

Step 5: Configure a second network interface for the vSensor instance

To receive mirrored traffic, you must configure your vSensor with a second network interface. Based on your network, the subnet of the second network interface can be the same as or different from that of the primary network interface.

  1. Click Network Settings > Advanced network configuration.

    Note: The Advanced network configuration section might not appear unless you choose a non-default VPC and subnet.

  2. Click Add network interface.
  3. Enter a name for the new network interface. For example, Mirroring.
  4. Keep all other settings as the default.

Step 6: Launch and verify the EC2 instance

  1. Click Launch Instance.

  2. Click the instance ID, where the ID value is i-<hexadecimals>.

  3. Click the instance ID to view details.

    Note: If the instance ID does not appear, refresh the page.

  4. Verify that the Instance state is Running.

Step 7: Configure the vSensor

Tip: During this procedure, see the Serial Console User Guide for more information.

  1. If you have not used the serial console before, complete these steps to configure serial console access:

    1. Click Actions > Account Attributes.
    2. In the Account Attributes section, select EC2 Serial Console.
    3. In the EC2 Serial Console section, select the Allow checkbox.
    4. Click Update.
  2. In the EC2 management console, select Instances, and then enter the vSensor instance ID.

  3. Click Actions > Monitor and Troubleshoot > EC2 Serial Console > Connect.

  4. When prompted, or if the screen is blank, press the Enter key three times.

    Note: If you selected an unsupported EC2 instance type, an error message displays. To continue, terminate the vSensor and create a new one with a supported EC2 instance type.

  5. Click Next.

    A series of connectivity checks begins.

  6. If a connectivity check fails, edit the VPC, subnet, or security group as needed, and then complete the connectivity checks again.

  7. When the connectivity check passes, click Next.

  8. In the Shorthand section, enter a name for the vSensor in the MDR Dashboard.

  9. Select the Mirroring deployment type.

  10. Click Next.

  11. When prompted, do one of these actions to connect the virtual appliance to the Arctic Wolf Platform:

    • On a mobile device — Scan the QR code displayed in the console window, and then follow the on-screen prompts.

      Note: QR codes expire after 15 minutes. A new code appears in the console if the QR code expires.

    • In a web browser — Enter the displayed URL into the URL field, and then follow the on-screen prompts.

    After the virtual appliance successfully connects to the Arctic Wolf Platform, a prompt replaces the QR code, asking you to sign in to the MDR Dashboard, and then click Accounts > Arctic Wolf Appliance Management.

Step 8: Activate the vSensor

Note: Only the user who completed Configure the vSensor can activate the vSensor.

  1. Sign in to the MDR Dashboard.

  2. Click Account > Arctic Wolf Appliance Management.

  3. Find the appliance that you want to activate.

  4. In the Actions column, click Activate <appliance>, and then click Activate <appliance> when prompted.

    The console displays Appliance activation in progress, please wait.

  5. When prompted, press Enter three times to activate the console.

Step 9: Obtain the Elastic Network Interface ID

  1. In the Amazon EC2 console, click the Networking tab for the interface that you created in Configure a second network interface for the vSensor instance.
  2. Copy the Elastic Network Interface (ENI) ID, and then save it in a safe, encrypted location. You will provide it to Arctic Wolf later.

See Get started with Traffic Mirroring for more information.

Step 10: Create a target group for the network load balancer

Note: If you have more than 10 mirror sessions, you must add a network load balancer.

  1. Sign in to the EC2 management console.
  2. In the Load Balancing section, click Target Groups.
  3. Click Create target group.
  4. In the Basic configuration section, configure these settings:
    • Choose a target type — Select IP addresses.
    • Target group name — Enter the name of your vSensor EC2 instance. For example, Mirroring.
    • Protocol — Select UDP.
    • Port — Enter 4789.
    • IP address type — Select IPv4.
    • VPC — Select the VPC your vSensor is deployed in.
    • Health check protocol — Select TCP.
  5. In the Advanced health check settings section, configure these settings:
    • Health check port — Select Override, and then enter 514.
    • Healthy threshold — Enter 2.
    • Keep the rest of the settings as default.
  6. Click Next.
  7. In the IP addresses section, configure these settings:
    • Network — Select the VPC that the vSensor is deployed in.
    • IPv4 — Enter the IP address of the mirroring ENI on the vSensor that you want to mirror traffic to.
    • Ports — Enter 4789.
  8. Select Include as pending below.
  9. Verify that the information you entered is correct, and then click Create target group.

Step 11: Deploy a network load balancer

  1. Sign in to the EC2 management console.
  2. In the Load Balancing section, click Load Balancers.
  3. Click Create load balancer.
  4. In the Network Load Balancer section, click Create.
  5. In the Basic configuration section, configure these settings:
    • Load balancer name — Enter a name for the load balancer.
    • Scheme — Select Internal.
    • IP address type — Select IPv4.
  6. In the Network mapping section, configure these settings:
    • VPC — Select the VPC that the vSensor is deployed to.
    • Mappings — Select the availability zones of the networks you want to mirror.
  7. In the Listeners and routing section, configure these settings:
    • Protocol — Select UDP.
    • Port — Enter 4789.
    • Default action — Select the target created in Create a target group for the network load balancer.
    • Attributes — (Optional) If you have subnets in different zones, enable Cross-zone load balancing.
    • Keep the remaining fields as default.
  8. Click Create load balancer.

Step 12: Add a vSensor to a network load balancer

  1. Sign in to the EC2 management console.
  2. In the Load Balancing section, click Target Groups.
  3. Select the checkbox beside the target group.
  4. Click the Targets tab.
  5. Click Register Targets, and then configure these settings:
    • Network — Select the VPC that your vSensor is in.
    • IPv4 address — Enter the IP address of the mirrored interface of the vSensor.
  6. Click Include as pending below.
  7. Click Register pending targets.

Step 13: Create the traffic mirror target

  1. Sign in to the Amazon VPC console.
  2. In the Region section, select the AWS region that you used when you created the VPCs.
  3. In the navigation menu, click Traffic Mirroring > Mirror targets.
  4. Click Create traffic mirror target.
  5. In the Name tag field, enter a name for the traffic mirror target. For example, AWN vSensor.
  6. (Optional) In the Description field, enter a description for the traffic mirror target.
  7. If you created a load balancer in Deploy a network load balancer, configure these settings:
    • Target type — Select load balancer.
    • Target — Select the load balancer you created.
  8. If you did not create a load balancer in Deploy a network load balancer:
    • Target type — Select Network Interface.
    • Target — Enter the ENI of the mirroring interface.
  9. (Optional) For each tag that you want to add, click Add new tag, and then enter the tag key and tag value.
  10. Click Create.

Step 14: Create the traffic mirror filter

  1. In the navigation menu, click Traffic Mirroring > Mirror filters.
  2. Click Create traffic mirror filter.
  3. In the Name tag field, enter a name for the traffic mirror filter.
  4. (Optional) In the Description field, enter a description for the traffic mirror filter.
  5. (Optional) If you are using Route 53 or have DNS requests routed through a local Amazon resolver, select the Network services checkbox for amazon-dns.
  6. (Optional) For each inbound rule, click Inbound rules > Add rule, and then configure these settings:
    • Number — Enter a priority to assign to the rule.
    • Rule action — Select Accept.
    • Protocol — Select All Protocols.
    • Source port range — (Optional) Enter the source port range.
    • Destination port range — (Optional) Enter the destination port range.
    • Source CIDR block — Enter 0.0.0.0/0.
    • Destination CIDR block — Enter 0.0.0.0/0.
    • Description — Enter a description for the rule.
  7. (Optional) For each outbound rule, click Outbound rules > Add rule, and then configure these settings:
    • Number — Enter a priority to assign to the rule.
    • Rule action — Select Accept.
    • Protocol — Select All Protocols.
    • Source port range — (Optional) Enter the source port range.
    • Destination port range — (Optional) Enter the destination port range.
    • Source CIDR block — Enter 0.0.0.0/0.
    • Destination CIDR block — Enter 0.0.0.0/0.
    • Description — Enter a description for the rule.
  8. (Optional) For each tag that you want to add, click Add new tag, and then enter the tag key and tag value.
  9. Click Create.

Step 15: Create the traffic mirror session

For each EC2 instance that you want to collect traffic from, complete these steps:

  1. In the navigation menu, click Traffic Mirroring > Mirror sessions.
  2. Click Create traffic mirror session, and then configure these settings:
    • Name tag — (Optional) Enter a name for the traffic mirror session.
    • Description — (Optional) Enter a description for the traffic mirror session.
    • Mirror source — Select the network interface of the instance that you want to monitor.
    • Mirror target — Select the traffic mirror target that you created in Create the traffic mirror target.
    • Session number — Enter the session number. The valid values are 1 to 32,766, where 1 is the highest priority.

      Note: The session number determines the order that traffic mirror sessions are evaluated when:

      • An interface is used by multiple sessions.
      • An interface is used by different traffic mirror targets and traffic mirror filters. Traffic is only mirrored one time, during the first session with a matching filter.
    • VNI — Keep this field empty. AWS assigns a random unused number.
    • Packet Length — Keep this field empty.
    • Filter — Select the traffic mirror filter that you created in Create the traffic mirror filter.
  3. (Optional) For each tag that you want to add, click Add new tag, and then enter the tag key and tag value.
  4. Click Create.
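The session-number note above (lowest number is evaluated first, and traffic is mirrored only once, by the first session whose filter accepts it) together with the 10-sessions-per-ENI-target limit from the note at the top of the page is easy to get wrong once several sessions share a source interface. The following added example, which is not AWS or Arctic Wolf code, models that evaluation: sessions, filters and packets are constructed dicts rather than API output, the filter semantics are a simplified model in which the lowest-numbered matching rule decides and no match means not mirrored, and the eni-/tmt- identifiers are placeholders.

```python
"""Model of how traffic mirror sessions on one source ENI are evaluated:
sessions are tried in ascending session number (1 = highest priority) and a
packet is mirrored once, by the first session whose filter accepts it. Also
checks the 10-sessions-per-ENI-target limit from the note at the top of the
page. Added example, not AWS or Arctic Wolf code: session, filter and packet
dicts are constructed (not API output) and the filter semantics are a
simplified model in which the lowest-numbered matching rule decides."""
import ipaddress

MAX_SESSION_NUMBER = 32766           # valid session numbers are 1..32766
MAX_SESSIONS_PER_ENI_TARGET = 10     # beyond this the page calls for an NLB target


def session_number_is_valid(n):
    return 1 <= n <= MAX_SESSION_NUMBER


def _in_cidr(ip, cidr):
    # A mixed IPv4/IPv6 comparison simply evaluates to False here.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _in_range(port, rng):
    """rng is None (any port, the console's empty port-range field) or (low, high)."""
    return rng is None or rng[0] <= port <= rng[1]


def rule_matches(rule, pkt):
    return (rule["direction"] == pkt["direction"]
            and rule["protocol"] in ("all", pkt["protocol"])
            and _in_range(pkt["src_port"], rule.get("src_ports"))
            and _in_range(pkt["dst_port"], rule.get("dst_ports"))
            and _in_cidr(pkt["src_ip"], rule["src_cidr"])
            and _in_cidr(pkt["dst_ip"], rule["dst_cidr"]))


def filter_accepts(rules, pkt):
    """Lowest-numbered matching rule decides; no matching rule means not mirrored."""
    for rule in sorted(rules, key=lambda r: r["number"]):
        if rule_matches(rule, pkt):
            return rule["action"] == "accept"
    return False


def select_mirror_session(sessions, pkt):
    """Name of the session that mirrors pkt from its source ENI, or None.
    Because traffic is mirrored only once, the first accepting session wins."""
    on_eni = [s for s in sessions if s["source_eni"] == pkt["source_eni"]]
    for s in sorted(on_eni, key=lambda s: s["session_number"]):
        if not session_number_is_valid(s["session_number"]):
            raise ValueError(f"session {s['name']}: number {s['session_number']} out of range")
        if filter_accepts(s["filter"], pkt):
            return s["name"]
    return None


def eni_targets_over_quota(sessions):
    """ENI-type mirror targets carrying more than 10 sessions."""
    counts = {}
    for s in sessions:
        if s["target_type"] == "eni":
            counts[s["target"]] = counts.get(s["target"], 0) + 1
    return sorted(t for t, c in counts.items() if c > MAX_SESSIONS_PER_ENI_TARGET)


# --- constructed sample data ---------------------------------------------
def _rule(number, direction, action, protocol, src_cidr, dst_cidr, dst_ports=None):
    return {"number": number, "direction": direction, "action": action, "protocol": protocol,
            "src_cidr": src_cidr, "dst_cidr": dst_cidr, "dst_ports": dst_ports}

# The permissive filter from Step 14: accept everything in both directions.
ACCEPT_ALL = [_rule(100, "inbound", "accept", "all", "0.0.0.0/0", "0.0.0.0/0"),
              _rule(100, "outbound", "accept", "all", "0.0.0.0/0", "0.0.0.0/0")]
# A narrower filter: only outbound syslog (UDP 514) into the log-collection subnet.
SYSLOG_ONLY = [_rule(10, "outbound", "accept", "udp", "0.0.0.0/0", "10.20.0.0/16", (514, 514))]

SESSIONS = [
    {"name": "catch-all", "source_eni": "eni-aaaa0001", "session_number": 10,
     "target": "tmt-vsensor", "target_type": "eni", "filter": ACCEPT_ALL},
    {"name": "syslog-only", "source_eni": "eni-aaaa0001", "session_number": 5,
     "target": "tmt-vsensor", "target_type": "eni", "filter": SYSLOG_ONLY},
]

def _pkt(eni, proto, src_ip, dst_ip, dst_port, direction="outbound", src_port=40000):
    return {"source_eni": eni, "direction": direction, "protocol": proto, "src_ip": src_ip,
            "dst_ip": dst_ip, "src_port": src_port, "dst_port": dst_port}

PKT_SYSLOG = _pkt("eni-aaaa0001", "udp", "10.20.1.5", "10.20.0.10", 514)
PKT_HTTPS = _pkt("eni-aaaa0001", "tcp", "10.20.1.5", "203.0.113.9", 443)
PKT_OTHER_ENI = _pkt("eni-bbbb0002", "tcp", "10.20.2.7", "10.20.0.10", 443)

# Eleven sessions from different source ENIs all pointed at one ENI target.
QUOTA_CHECK_SESSIONS = [
    {"name": f"s{i}", "source_eni": f"eni-{i:08x}", "session_number": 1,
     "target": "tmt-vsensor", "target_type": "eni", "filter": ACCEPT_ALL}
    for i in range(11)
]

if __name__ == "__main__":
    for p in (PKT_SYSLOG, PKT_HTTPS, PKT_OTHER_ENI):
        print(p["source_eni"], p["protocol"], p["dst_port"], "->", select_mirror_session(SESSIONS, p))
    print("ENI targets over quota:", eni_targets_over_quota(QUOTA_CHECK_SESSIONS))
```

The two sessions in SESSIONS share a source ENI: the syslog-only session (number 5) wins for UDP 514 traffic, the catch-all session (number 10) picks up everything else, and a packet from an ENI with no sessions is not mirrored at all. A session whose number is outside 1 to 32,766 is rejected, and eni_targets_over_quota lists any ENI target that more than 10 sessions point at, which is the condition under which the page requires a Network Load Balancer target instead.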
