A USM Anywhere Sensor deployed on VMware or Hyper-V uses five network interfaces. These network interfaces have a predefined role that cannot be changed. The USM Anywhere Management Interface is required for many essential functions:
- Connection to USM Anywhere
- Updates to the system
- Log collection within the monitored network
- Vulnerability scans
- Asset discovery
This interface needs an IP address with permissions to access:
- Inbound packets containing syslog data sent from other hosts on that network
- Outbound connections made to perform authenticated scans
The other interfaces passively monitor network traffic in promiscuous mode; the system does allow the configuration of an IP address on them. These interfaces should be plugged into a port in the switch where port mirroring is configured.
|Interface Name|Network Configuration Required|
|---|---|
|USM Anywhere Management Interface|Internet connectivity and IP address routed to provide access to USM Anywhere. This IP address also allows connections to assets in a monitored network for log collection and asset scans.|
|Network Monitoring Interface 1|Interface connected to a mirrored port in the network switch|
|Network Monitoring Interface 2|Interface connected to a mirrored port in the network switch|
|Network Monitoring Interface 3|Interface connected to a mirrored port in the network switch|
|Network Monitoring Interface 4|Interface connected to a mirrored port in the network switch|
Important: The VMware sensor and Hyper-V sensor require all five NICs to be enabled.
Use the functions provided by the sensor console to configure the management interface and DNS.
By default, USM Anywhere has DHCP and Log Collection enabled.
Configuring the Interface Automatically Using DHCP
During the installation, your system sets an IP address assigned by a DHCP Server.
Note: Check your settings on Network Configuration > View Network Configuration.
Configuring the Interface Manually
- Connect to the USM Anywhere Sensor console.
- Navigate to the Network Configuration > Configure Management Interface > Set a Static Management IP Address option.
- Enter the IP Address.
- Press Enter (<OK>).
The DNS nameserver is part of the Domain Name System (DNS) that maintains a directory of domain names and translates them to IP addresses.
Important: If you specify two servers for DNS resolution, USM Anywhere determines their priority by their order. Configure your local DNS in the first position to have DNS name resolution in your internal network.
To define the DNS Nameservers
- Connect to the USM Anywhere Sensor console.
- Navigate to Network Configuration > Configure DNS.
- Enter the primary DNS and press Enter (<OK>).
  A confirmation screen appears to apply changes.
- Select Yes.
- Optionally, you can provide the secondary DNS and press Enter (<OK>).
  When the confirmation screen appears to apply changes, select Yes.
USM Anywhere is hosted as a cloud service with an IP address that is not statically assigned and may change periodically. For this reason, you must set up a firewall rule that uses the DNS of the cloud service to allow incoming / outgoing traffic between the USM Sensor and the cloud service.
In this example, the DNS for the USM Anywhere instance is displayed within the green box.
You can verify your network settings in the USM Anywhere Sensor Setup wizard or through the sensor console.
Sensor Configuration Tools
To verify the network settings in the USM Anywhere web UI
Select DATA SOURCES > SENSORS and click the sensor name. At the bottom of the sensor page, click the Network IDS tab, where you can view the traffic in your network over various interfaces. You can configure a new interface as well as port mirroring here. See Device Port Mirroring Configuration for more information.
The Network IDS tab also allows you to configure your CIDR blocks by clicking the Configure CIDR Blocks button. Your CIDR blocks are automatically populated by the setup wizard during the initial sensor deployment. By default, the system will scan all internal IPv4 addresses and assign their names based on those designated in your asset groups. If you want to remove a block or change the subnet range of the block, click the x button next to the CIDR block to remove it, and click Add Another CIDR Block to input a new CIDR block with the desired subnet range. Be aware, however, that removing part of a subnet range or deleting a block completely will result in the sensor no longer monitoring that portion of your internal network.
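To see which addresses a CIDR block change would remove from monitoring before you apply it, the following added example (not part of USM Anywhere or its documentation) compares the old and new block lists and flags known assets that fall into the gap. The block lists and the asset inventory are constructed sample values, and the script handles IPv4 only.

```python
import ipaddress

def collapse(blocks):
    """Parse CIDR strings and merge overlapping or adjacent ranges."""
    nets = [ipaddress.ip_network(b, strict=False) for b in blocks]
    return list(ipaddress.collapse_addresses(nets))

def dropped_ranges(before, after):
    """Networks covered by `before` that `after` no longer covers."""
    remaining = collapse(before)
    for cut in collapse(after):
        kept = []
        for net in remaining:
            if not net.overlaps(cut):
                kept.append(net)            # untouched by this block
            elif net.subnet_of(cut):
                continue                    # still fully monitored
            else:
                # `cut` sits strictly inside `net`: keep the remainder
                kept.extend(net.address_exclude(cut))
        remaining = kept
    return list(ipaddress.collapse_addresses(remaining))

def unmonitored_assets(assets, dropped):
    """Assets (name -> IP) whose address lies in a dropped range."""
    return {name: ip for name, ip in assets.items()
            if any(ipaddress.ip_address(ip) in net for net in dropped)}

# Constructed sample data: block lists before and after an edit.
BEFORE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
AFTER = ["10.0.0.0/9", "172.16.0.0/12", "192.168.10.0/24"]
# Constructed asset inventory (hypothetical host names).
ASSETS = {
    "db01": "10.200.4.17",
    "web01": "10.20.1.5",
    "printer": "192.168.1.40",
    "hv-host": "192.168.10.12",
}

if __name__ == "__main__":
    gap = dropped_ranges(BEFORE, AFTER)
    total = sum(n.num_addresses for n in gap)
    print(f"{len(gap)} ranges ({total} addresses) leave monitoring:")
    for net in gap:
        print("  ", net)
    for name, ip in unmonitored_assets(ASSETS, gap).items():
        print(f"asset no longer monitored: {name} ({ip})")
```
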
To verify the network settings in the USM Anywhere Sensor console
- Connect to the sensor console.
- Navigate to the option Network Configuration > View Network Configuration.