AlienVault® USM Anywhere™

Getting Traffic from Your Physical Network to the Virtual USM Anywhere Network

This topic describes how to move traffic from your VMware Sensor and other physical network artifacts to the USM Anywhere virtual network.

This procedure assumes that you have:

  • Allocated a spare NIC on your VMware host to pass the SPAN port traffic from the physical network to the virtual network
  • Plugged the spare NIC into a SPAN (mirror) port on your switch

Important: We recommend that you SPAN all internal and DMZ firewall ports. This includes all switch ports to which the firewall internal interfaces connect and the port used by the NIC, to which the VMware host connects.

To configure your virtual network and USM Anywhere

  1. Configure a new standard vSwitch specifically for the Switched Port Analyzer (SPAN) target:

  2. Configure the vSwitch to allow promiscuous modeMode in which network IDS monitoring operates in passive listening mode, checking all IP packet traffic passing through it for threats.:

    • Click Properties, located next to the new vSwitch.
    • Select the vSwitch and click Edit.
    • Set Promiscuous Mode to Accept,and click OK.
    • Select the SPAN Target port group and make sure that the default security policy permits promiscuous mode there as well.

  3. Select the Network Adapters tab and make sure that your spare NIC is associated with the vSwitch.

  4. Click Close in the dialog box.
  5. Edit the USM Anywhere Sensor virtual machine and add a new Ethernet adapter.
  6. Associate the adapter with the SPAN Target network and save your changes.
  7. Connect to the USM Anywhere Sensor VM to open the console.
  8. Select Restart from the system menu.

  9. Press Enter.