Virtual Sensor Installation in a VMware vSphere Environment
Updated Sep 13, 2023
Install a vSensor using VMware vSphere
The Arctic Wolf® Virtual Sensor (vSensor) is a virtual appliance that performs passive network inspection and collects security-relevant data for analysis. Arctic Wolf Managed Detection and Response (MDR) uses one or more sensor deployments to monitor events in your network and identify potential threats.
Each vSensor virtual machine (VM) supports one network interface. If you need additional network interfaces, you must deploy additional vSensor VMs.
If you are deploying multiple vSensor instances, we recommend reusing the OVA file. However, you must repeat the installation and activation process for each vSensor.
Cloning a vSensor instance is not supported, because this method introduces operational errors in both the original vSensor and the cloned instance.
Requirements
- vSphere with vCenter 6.5 or newer
- The appropriate Arctic Wolf permissions to complete the virtual scanner deployment. Contact your Concierge Security® Team (CST) to confirm who in your organization has these permissions.
- The following resource requirements:
  Note: Reducing or limiting resource allocations below the specified requirements impacts vSensor performance.

  | Model | Number of vCPUs | RAM | Storage |
  |---|---|---|---|
  | AWNv100 | 2 | 8 GB | 40 GB |
  | AWNv200 | 8 | 16 GB | 40 GB |
  | AWNv1000 | 24 | 48 GB | 40 GB |
Before you begin
- Make sure you have the appropriate Arctic Wolf permissions to complete the vSensor deployment. Contact your Concierge Security® Team (CST) to confirm who in your organization has these permissions.
- Add all necessary IP addresses, ports, and services to your allowlist for full vSensor functionality.
Tip: To see the complete list of IP addresses that you must allowlist, go to the Arctic Wolf Unified Portal, and then click Help > Allowlist Requirements. The IP addresses that must be allowlisted are listed under Sensors.
- If you rate-limit the vSensor with Quality of Service (QoS), remove this for best performance.
- If your firewall provides SSL/TLS inspection, do not perform this inspection on the vSensor management IP address.
- If you are using an application proxy or layer 7 filter on your firewall, allow outbound traffic over OpenVPN for the vSensor management IP address.
Steps
- Download the vSensor image.
- Deploy the vSensor.
- Verify that the vSensor deployed correctly.
- Configure the vSensor.
- Activate the vSensor.
Step 1: Download the vSensor image
Note: The virtual appliance image file must be downloaded on or after June 14, 2023. For appliance images downloaded prior to June 14, 2023, see Legacy vSensor Installation.
- Sign in to the Arctic Wolf Portal.
- Click Account > Downloads.
- In the Virtual Network Appliances section, click Download Virtual Network Appliance to start the OVA file download.
Tip: If your browser downloads the OVA file in .ovf format, rename the file to change the file extension to .ova.
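An added example (not Arctic Wolf code): before uploading the file in Step 2, confirm that the download is a complete OVA rather than a bare .ovf descriptor or a damaged transfer. An OVA is a tar archive whose first member is the .ovf descriptor; this Python check verifies that and compares each file against the digests in the archive's .mf manifest. It assumes the image carries a manifest (the function reports when it does not); check_ova and build_sample_ova are hypothetical names, and the sample archive is constructed.

```python
import hashlib
import io
import re
import tarfile

# OVF manifest line format: "SHA256(disk1.vmdk)= <hex digest>"
MF_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\s*\((.+)\)\s*=\s*([0-9a-fA-F]+)\s*$")

def check_ova(path):
    """Return a list of problems found in the OVA at path (empty list means OK)."""
    if not tarfile.is_tarfile(path):
        return ["not a tar archive (a bare .ovf descriptor is XML, not an OVA)"]
    problems, digests, manifest = [], {}, None
    with tarfile.open(path) as tar:
        files = [m for m in tar.getmembers() if m.isfile()]
        if not files or not files[0].name.lower().endswith(".ovf"):
            problems.append("first member is not the .ovf descriptor")
        for m in files:
            data = tar.extractfile(m)
            if m.name.lower().endswith(".mf"):
                manifest = data.read().decode("utf-8", "replace")
            elif not m.name.lower().endswith(".cert"):  # .cert signs the manifest
                hs = {a: hashlib.new(a) for a in ("sha1", "sha256", "sha512")}
                for chunk in iter(lambda: data.read(1 << 20), b""):  # stream big disks
                    for h in hs.values():
                        h.update(chunk)
                digests[m.name] = {a: h.hexdigest() for a, h in hs.items()}
    if manifest is None:
        return problems + ["no .mf manifest, so file digests cannot be checked"]
    hits = [h.groups() for h in map(MF_LINE.match, manifest.splitlines()) if h]
    for algo, name, want in hits:
        if name not in digests:
            problems.append(f"{name}: listed in manifest but missing from archive")
        elif digests[name][algo.lower()] != want.lower():
            problems.append(f"{name}: {algo.lower()} digest mismatch")
    listed = {name for _, name, _ in hits}
    return problems + [f"{n}: not covered by manifest" for n in digests if n not in listed]

def build_sample_ova(path, corrupt=False):
    """Write a tiny constructed OVA (not a real vSensor image) to exercise check_ova."""
    parts = {"sample.ovf": b"<Envelope/>", "sample-disk1.vmdk": b"\0" * 4096}
    mf = "".join(f"SHA256({n})= {hashlib.sha256(d).hexdigest()}\n" for n, d in parts.items())
    if corrupt:  # change the disk after the manifest was computed
        parts["sample-disk1.vmdk"] = b"\1" * 4096
    parts["sample.mf"] = mf.encode()
    with tarfile.open(path, "w") as tar:
        for name, data in parts.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
```

An empty result shows the archive is internally consistent, which catches truncated or corrupted downloads; it does not authenticate the publisher of the image.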
Step 2: Deploy the vSensor
- Sign in to your vSphere client.
- Right-click your resource pool, and then click Deploy OVF Template.
- On the Select an OVF template page:
  - Select Local file.
  - Click UPLOAD FILES.
  - Select the downloaded OVA file, and then click Open.
  - Click Next.
- On the Select a name and folder page:
  - In the Virtual machine name field, enter a name for the vSensor.
  - Select the location for the virtual machine, and then click Next.
  - Click Next.
- On the Select a compute resource page:
  - Select a destination compute resource.
  - Click Next.
- On the Review details page, click Next.
- On the Configuration page, select one of the following:
  - AWNv100 Virtual Sensor
  - AWNv200 Virtual Sensor
  - AWNv1000 Virtual Sensor
  Note: You can view your available vSensor models in the Arctic Wolf Portal under Arctic Wolf Appliance Management.
- On the Select storage page:
  - (Optional) Select Encrypt this virtual machine. See the VMware vSphere product documentation for steps to encrypt an existing virtual machine or virtual disk.
    Tip: While optional, Arctic Wolf strongly recommends that you encrypt the vSensor to ensure that all data stored and flowing through the appliance has an additional layer of protection.
  - Select the storage location for the configuration and disk files, and then click Next.
- On the Select networks page:
  - Select the appropriate Destination Network.
    Log traffic is sent to the vSensor over this network.
  - Click Next.
- On the Ready to complete page, click Finish.
Note: The OVA image may take some time to upload. In the vSphere Client, you can check the progress of the upload on the Recent Tasks tab.
Step 3: Verify that the vSensor deployed correctly
- If the vSensor power is off, right-click your virtual machine in the vSphere Client, and then click Power > Power On.
- Check if the vSensor VM power is on.
- Verify that the VM IP address is reported in the VM summary.
Step 4: Configure the vSensor
- In the vSphere web UI, right-click your virtual machine, and then click Power > Power On.
- Right-click your virtual machine, and then click Console > Open Console.
- When prompted, press Enter three times to initiate the serial console session.
- At the Select an option to configure your management interface with prompt, select DHCP or enter a static IP address for the vSensor management interface.
  Note: If you select DHCP, you must use a DHCP reservation to prevent log collection and connection errors.
- Click Next.
- At the Use a proxy? prompt, do one of these actions:
  - If your vSensor traffic needs to go through a proxy server, select Yes, and then configure these fields:
    - Server IP address — Enter the proxy server IP address for your appliance.
    - Server port — Enter the proxy server port.
  - If your vSensor traffic does not need to go through a proxy server, select No.
- Click Next.
- At the Do you want to verify your network connection? prompt, select one of these options:
  - Yes
    A series of connectivity tests run.
  - No
- Click Next.
- At the Tell us about the application you are configuring prompt, configure these settings:
  - In the Shorthand field, enter the shorthand name for the vSensor.
  - Select Mirroring.
- Click Next.
- When prompted, do one of these actions to connect the vSensor to the Arctic Wolf Platform:
  - Using a mobile device — Scan the QR code displayed in the console window, and then follow the on-screen prompts.
  - Using a web browser — Enter the displayed URL into a web browser, and then follow the on-screen prompts.
  Note: QR codes expire after 15 minutes. A new code appears in the console if the QR code expires.
After the vSensor successfully connects to the Arctic Wolf Platform, a prompt replaces the QR code, asking you to go to the Arctic Wolf Appliance Management.
Step 5: Activate the vSensor
Note: Only the user who performed the steps to activate the vSensor can activate the vSensor.
- In the Arctic Wolf Portal, click Account > Arctic Wolf Appliance Management.
- Locate the name or the serial number of the vSensor you want to activate.
- In the Actions column, click Activate virtual appliance, and then click Activate Virtual Network Appliance when prompted.
  The console displays Appliance activation in progress, please wait.
- When prompted, press Enter three times to activate the console.
Configure vSensor in a mirroring deployment
To configure vSensor in a mirroring deployment, follow the instructions to create a port mirroring session in the VMware documentation.
Optional layer 3 mirroring configuration
Reconfigure a vSensor using VMware vSphere
- In the vSphere web UI, right-click your virtual machine, and then click Console > Open Console.
- When prompted, press Enter three times to initiate the serial console session.
- Change the required settings.
Uninstall a vSensor using VMware vSphere
- Decommission the vSensor:
  - Sign in to the Arctic Wolf Portal.
  - Click Account > Arctic Wolf Appliance Management.
    A list of deployed virtual appliances appears on the Arctic Wolf Appliance Management page.
  - Locate the short name or serial number of the vSensor that you want to decommission.
  - Under Actions, click Decommission Virtual Appliance, and then select Decommission Virtual Appliance when prompted.
- Turn off the vSensor VM power.
- In the vSphere Client, select the vSensor, and then click Delete from Disk.