AlienVault® USM Anywhere™

Configuring VMware ESX Virtual Switches for Port Monitoring

For USM Anywhere to monitor traffic from your physical network, you need to allocate a spare NIC (Network Interface Card) on your VMware server to pass the SPAN port traffic to the virtual network. (A SPAN port is a method of monitoring network traffic where you mirror or tap into the ports used by another network device and monitor and analyze a copy of the network traffic sent over those ports.) AlienVault recommends that you SPAN your internal firewall ports, connect the SPAN port to the spare NIC, and then associate the spare NIC with a vSwitch.

Important: USM Anywhere provides multiple network interfaces to monitor your network. You should not connect them all to the same vSwitch. Instead, you can connect each interface to a different vSwitch that mirrors a different subnet within your network.

Note: The following procedure is based on the ESXi 6.5 Web Client. If you are using a different client or an earlier version of VMware products, please consult the vendor documentation accordingly.

To monitor network traffic through a vSwitch

  1. Direct traffic from your physical network to the virtual network.

    1. Enable port mirroring on the network you want USM Anywhere to monitor.
    2. Allocate a spare NIC on your VMware server to receive the mirrored traffic.
    3. Associate your spare NIC with the vSwitch.
  2. In the ESXi 6.5 Web Client, click Networking in the Navigator and select the Port groups tab.

    Note: In VMware terminology, a port group acts like a network hub, making the network traffic passing through the vSwitch visible to all interfaces connected to this port group.

  3. Click Add port group.

    Add a new port group in a vSwitch

    1. Enter a name for the port group.
    2. In VLAN ID, select 4095 for the VGT (Virtual Guest Tagging) mode.

      See VLAN Configuration in the VMware documentation for more information about VLAN tagging modes.

    3. In Virtual switch, select the vSwitch associated with the spare NIC configured in Step 1.
    4. Expand the Security section and set Promiscuous mode to Accept.

      This setting ensures that any virtual interface connected to this port group can enter promiscuous mode and capture traffic from any other virtual interface connected to the vSwitch.

  4. Click Add to create the port group.
  5. Next, you need to make sure that the USM Anywhere Sensor is connected to one or more interfaces in the port group.

    See Configuring Network Interfaces for On-Premises Sensors for more information about network interface configuration.

Repeat the steps for every vSwitch you want to monitor.
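To confirm the result of the procedure from the ESXi command line instead of the Web Client, the following added example (not part of the AlienVault or VMware documentation) audits monitoring port groups for VLAN ID 4095, promiscuous mode set to Accept, and one monitored vSwitch per port group. The port group and vSwitch names are hypothetical, and both inputs are constructed samples shaped like `esxcli` output rather than captures from a real host.

```python
import re

# Constructed samples (hypothetical names) shaped like the output of:
#   esxcli network vswitch standard portgroup list
#   esxcli network vswitch standard portgroup policy security get -p <name>
PORTGROUP_LIST = """\
Name                Virtual Switch  Active Clients  VLAN ID
------------------  --------------  --------------  -------
Management Network  vSwitch0                     1        0
USM Monitor A       vSwitch1                     1     4095
USM Monitor B       vSwitch1                     1      100
"""
SECURITY = {
    "USM Monitor A": "   Allow Promiscuous: true\n   Allow Forged Transmits: false\n",
    "USM Monitor B": "   Allow Promiscuous: false\n   Allow Forged Transmits: false\n",
}

def parse_portgroups(text):
    """Slice rows on the dashed ruler's column spans; port group names may contain spaces."""
    lines = [l for l in text.splitlines() if l.strip()]
    spans = [m.span() for m in re.finditer(r"-+", lines[1])]  # column extents from the ruler
    keys = ("name", "vswitch", "clients", "vlan")
    return [dict(zip(keys, (l[a:b].strip() for a, b in spans))) for l in lines[2:]]

def audit(list_text, security, monitor_groups):
    """Check each named monitoring port group against the settings in the procedure."""
    findings, seen = [], {}
    rows = {r["name"]: r for r in parse_portgroups(list_text)}
    for name in monitor_groups:
        row = rows.get(name)
        if row is None:
            findings.append((name, "port group not found"))
            continue
        if row["vlan"] != "4095":
            findings.append((name, f"VLAN ID is {row['vlan']}, expected 4095 (VGT)"))
        policy = dict(l.strip().split(": ", 1)
                      for l in security.get(name, "").splitlines() if ": " in l)
        if policy.get("Allow Promiscuous") != "true":
            findings.append((name, "promiscuous mode is not set to Accept"))
        if row["vswitch"] in seen:  # each sensor interface should watch a different vSwitch
            findings.append((name, f"shares {row['vswitch']} with {seen[row['vswitch']]}"))
        seen.setdefault(row["vswitch"], name)
    return findings

if __name__ == "__main__":
    for name, problem in audit(PORTGROUP_LIST, SECURITY, ["USM Monitor A", "USM Monitor B"]):
        print(f"{name}: {problem}")
```

On a real host, replace the two sample inputs with the captured output of the commands named in the comment.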
