AlienVault® USM Anywhere™

Configuring Network Interfaces for On-Premises Sensors

A USM Anywhere Sensor deployed on VMware or Hyper-V uses five network interfaces. These network interfaces have a predefined role that cannot be changed. The USM Anywhere Management Interface is required for many essential functions, including the following:

This interface needs an IP address with permissions to access:

The other interfaces passively monitor network traffic in promiscuous mode (a mode in which network IDS monitoring operates in passive listening mode, checking all IP packet traffic passing through it for threats); the system does allow the configuration of an IP address on them. These interfaces should be plugged into a port in the switch where port mirroring is configured.

Network Interfaces

| Interface Name | Network Configuration Required |
| --- | --- |
| Management Interface | Internet connectivity and IP address routed to provide the access to USM Anywhere. This IP address also allows connections to assets in a monitored network for log collection and asset scans. |
| Network Monitoring Interface 1 | Interface connected to a mirrored port in the network switch 1 |
| Network Monitoring Interface 2 | Interface connected to a mirrored port in the network switch 2 |
| Network Monitoring Interface 3 | Interface connected to a mirrored port in the network switch 3 |
| Network Monitoring Interface 4 | Interface connected to a mirrored port in the network switch 4 |

Important: The VMware sensor and Hyper-V sensor require all five NICs to be enabled.

You should connect each of the additional NICs to any additional network you want to monitor, or to a dead/inactive network. All five NICs must be associated with some network (active or inactive) for sensor updates to succeed. Do not connect more than one of the additional NICs to the same SPAN port, because this will cause duplicated events.
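The rules above can be checked against a deployment plan before the virtual machine is built. The following is an added example, not part of the AlienVault documentation or product; the plan format, field names and sample values are constructed assumptions.

```python
# Added example: validate a planned NIC-to-network mapping for an on-premises sensor.
from collections import defaultdict

REQUIRED_NICS = 5  # one management interface plus four monitoring interfaces


def check_nic_plan(plan):
    """Return a list of findings for a planned sensor NIC layout.

    plan: list of dicts with keys 'name', 'role' ('management' or 'monitoring'),
    'network' (virtual network name, or None if unassigned) and 'span_port'
    (mirrored switch port feeding the NIC, or None for a dead/inactive network).
    These field names are assumptions of this example.
    """
    findings = []
    if len(plan) != REQUIRED_NICS:
        findings.append(f"expected {REQUIRED_NICS} NICs, plan has {len(plan)}")
    if sum(1 for nic in plan if nic["role"] == "management") != 1:
        findings.append("exactly one NIC must be the management interface")
    by_span = defaultdict(list)
    for nic in plan:
        # Every NIC needs some network, active or inactive.
        if not nic.get("network"):
            findings.append(f"{nic['name']}: not associated with any network")
        span = nic.get("span_port")
        if nic["role"] == "monitoring" and span:
            # Normalize so 'SW1/Gi0/24' and 'sw1/gi0/24' count as one port.
            by_span[span.strip().lower()].append(nic["name"])
    for span, names in sorted(by_span.items()):
        if len(names) > 1:
            findings.append(f"SPAN port {span} feeds {', '.join(names)}: duplicated events")
    return findings


# Constructed sample plan: nic1/nic2 share a SPAN port, nic4 is unassigned.
SAMPLE_PLAN = [
    {"name": "nic0", "role": "management", "network": "mgmt-net", "span_port": None},
    {"name": "nic1", "role": "monitoring", "network": "mirror-a", "span_port": "sw1/Gi0/24"},
    {"name": "nic2", "role": "monitoring", "network": "mirror-b", "span_port": "SW1/Gi0/24"},
    {"name": "nic3", "role": "monitoring", "network": "dead-net", "span_port": None},
    {"name": "nic4", "role": "monitoring", "network": None, "span_port": None},
]

if __name__ == "__main__":
    for finding in check_nic_plan(SAMPLE_PLAN):
        print("FINDING:", finding)
```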

Use the functions provided by the sensor console to configure the management interface and DNS.