AlienVault® USM Anywhere™

Configuring Network Interfaces for On-Premises Sensors

A USM Anywhere Sensor deployed on VMware or Hyper-V uses five network interfaces. These network interfaces have a predefined role that cannot be changed. The USM Anywhere Management Interface is required for many essential functions, including the following:

This interface needs an IP address with permissions to access:

The other interfaces passively monitor network traffic in promiscuous modeMode in which network IDS monitoring operates in passive listening mode, checking all IP packet traffic passing through it for threats.; the system does allow the configuration of an IP address on them. These interfaces should be plugged into a port in the switch where port mirroring is configured.

Network Interfaces
Interface Name Network Configuration Required
Management Interface

Internet connectivity and IP address routed to provide the access to USM Anywhere

This IP address also allows connections to assets in a monitored network for log collection and asset scans.

Network Monitoring Interface 1

Interface connected to a mirrored port in the network switch 1
Network Monitoring Interface 2 Interface connected to a mirrored port in the network switch 2
Network Monitoring Interface 3 Interface connected to a mirrored port in the network switch 3
Network Monitoring Interface 4 Interface connected to a mirrored port in the network switch 4

Warning: The VMware Sensor and Hyper-V Sensor require all five Network Interface Cards (NICs) to be enabled. The USM Anywhere update will fail if not all five NICs are associated to some network (active or inactive).

You should connect each of the additional NICs to any additional network you want to monitor, or to a dead or inactive network. Do not configure the additional NICs to the same Switched Port Analyzer (SPAN) port, because this causes duplicated events.

Use the functions provided by the sensor console to configure the management interface and DNS.