Deploy additional AutoDiscovery sensors
The AutoDiscovery server contains a sensor that captures data from across your network.
You may need to add additional sensors if you want to capture traffic from other networks or to separate your AutoDiscovery server and sensor machines.
For more details about traffic collection using remote sensors, see Traffic collection options.
This topic describes how to deploy additional sensors as needed, directly on a customer-owned Windows or Linux machine, or on a repurposed ASMS machine.
Sensor installation options
The following table describes the supported configurations for installing additional sensors, and the high-level steps required for each configuration:
Configuration | High-level steps
ESX with port mirroring | Do the following:
Physical server with port mirroring | Do the following:
Local mode with direct capture | Install a sensor on any server from which you want to capture traffic.
For more details, see Deploy remote AutoDiscovery sensors on this page.
Note: To configure statistical traffic collection with NetFlow/sFlow, we recommend using the sensor installed together with the AutoDiscovery server. For more details, see Deploy AutoDiscovery.
AutoDiscovery sensor system requirements
Additional AutoDiscovery sensors must be installed on a Linux or Windows server with the following minimum specifications:
Requirement | Minimum specification
CPU | Standard: 4-core CPU, if the expected traffic load is at most 2 Gbps. Large: 8-core CPU, if the expected traffic load is 2 - 4 Gbps.
Memory | Standard: 4 GB. Large: 8 GB.
Disk space | 1 GB free disk space
Network adapters | At least 2 network adapters:
Software (Windows only) | When deploying a Windows sensor, make sure you have the following software installed on the AutoDiscovery sensor machine:
Note: You can adjust the traffic load on a sensor by setting the NetFlow frequency filter.
When deploying on a virtual machine, the network cards must be physically connected to the switch / router.
Deploy remote AutoDiscovery sensors
This procedure describes how to deploy additional AutoDiscovery sensors.
Note: If you are deploying additional sensors, each additional sensor must be deployed on its own machine. Use different machines than the ones you are using for the AutoDiscovery server and the ASMS installation.
Do the following to deploy a Windows sensor:
- Verify that your AutoDiscovery sensor machine complies with the system requirements. For details, see AutoDiscovery sensor system requirements on this page.
- Go to the AutoDiscovery Welcome page.
- Click to download the required installation file for Windows Remote Sensor. A .msi file is downloaded for your Windows sensor deployment.
- Run the extracted AutoDiscoverySensor-Windows-x64.msi file.
- Click Next to start the wizard. Accept the EULA, and continue through the wizard as instructed.
- The installation notifies you that a reboot will be required after the installation is complete. Verify that all other files are saved and that your system can be rebooted safely when ready, and click OK.
The wizard confirms when the installation is complete. Your sensor is installed and ready to use with AutoDiscovery.
Do the following to deploy a Linux sensor:
- Verify that your AutoDiscovery sensor machine complies with the system requirements. For details, see AutoDiscovery sensor system requirements on this page.
- Go to the AutoDiscovery Welcome page.
- Click to download the required installation file for Linux Remote Sensor. A .run file is downloaded for your Linux sensor installation.
  Note: This option does not install the local sensor that is installed on your AutoDiscovery server.
  Tip: You can download the file directly to the Linux remote sensor by running the following command:
  wget --no-check-certificate https://<server IP>/AutoDiscovery/WebServices/api/v1/webGui/sensorInstallationFileDownload?fileType=Linux
  The --no-check-certificate option disables TLS certificate validation for this download; omit it if the sensor already trusts the AutoDiscovery server's certificate.
- Deploy the downloaded file on your sensor machine. Make the file executable and run the installer:
  chmod +x AutoDiscovery-Linux-x64.run
  ./AutoDiscovery-Linux-x64.run
- After installation is completed, exit by pressing CTRL+C.
Your sensor is deployed and ready to use with AutoDiscovery.
This procedure describes how to repurpose an ASMS machine to run as an AutoDiscovery sensor.
Important: When you repurpose an ASMS machine to be an AutoDiscovery sensor, the process is irreversible:
- The machine cannot be used for other purposes in the future.
- The algosec_conf menu will not be accessible.
- Security updates (appliance build upgrades) must be applied manually.
Do the following:
- Deploy a new ASMS machine.
- Run this script (note: the operation is irreversible!):
  /usr/share/algosec_toolbox/convert-to-network-sensor-machine.sh
- After installation is completed, exit by pressing CTRL+C.
Your sensor is installed and ready to use with AutoDiscovery.
This procedure describes how to deploy an AutoDiscovery sensor on a VMware machine.
Do the following:
- Navigate to https://portal.algosec.com/en/downloads/software?get=autodiscovery&switch=sensor to install the OVF via the portal.
- Choose VMware and A32.20 from the New Installation dropdowns. Then click Next.
- Click Download to save the installation software to your computer.
- Install the OVF.
- If you need to change the IP address, you must use ifconfig (see Change IP address using ifconfig).
  Important: algosec_conf must not be used to change the IP address.
Change IP address using ifconfig
Do the following:
- Open the terminal application.
- List the current IP addresses for all network interfaces with the command:
  ifconfig -a
- Take the network interface down with the command:
  ifconfig <interface> down
- Change the IP address with the command:
  ifconfig <interface> <ip address> netmask <netmask>
- Press Enter to run the command.
- Verify that the new IP address is correct with the command:
  ifconfig -a
- Bring the interface up with the command:
  ifconfig <interface> up
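The steps above, wrapped in a script that validates the address and netmask, refuses to touch an interface that does not exist, and checks that the address was actually applied before finishing. This is an added example, not AlgoSec's own tooling; the interface name eth1 and the addresses in the comments are constructed, and DRY_RUN=1 prints the ifconfig commands instead of running them.

```shell
#!/bin/sh
# Added example, not AlgoSec's own tooling: change a sensor interface address with
# ifconfig only after validating the inputs and checking that the interface exists.
# Set DRY_RUN=1 to print the ifconfig commands instead of running them.

# Return 0 if $1 is a dotted-quad IPv4 address or netmask (four octets, each 0-255).
valid_ipv4() {
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Run a command, or only echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# set_sensor_ip <interface> <ip address> <netmask>
# Mirrors the manual procedure: interface down, assign the address, interface up, verify.
set_sensor_ip() {
    iface=$1 ip=$2 mask=$3
    valid_ipv4 "$ip"   || { echo "invalid IP address: $ip" >&2; return 1; }
    valid_ipv4 "$mask" || { echo "invalid netmask: $mask" >&2; return 1; }
    if [ "${DRY_RUN:-0}" != 1 ]; then
        # A typo in the interface name would otherwise leave the sensor unreachable.
        ifconfig "$iface" >/dev/null 2>&1 || { echo "no such interface: $iface" >&2; return 1; }
    fi
    run ifconfig "$iface" down
    run ifconfig "$iface" "$ip" netmask "$mask"
    run ifconfig "$iface" up
    if [ "${DRY_RUN:-0}" != 1 ]; then
        # Confirm the address was applied before trusting the interface again.
        ifconfig "$iface" | grep -q "$ip" || { echo "address $ip not applied on $iface" >&2; return 1; }
    fi
    return 0
}

# Usage (constructed values): DRY_RUN=1 set_sensor_ip eth1 10.0.0.5 255.255.255.0
```

Run it first with DRY_RUN=1 from a console session rather than over SSH, since the interface is brought down before the new address is assigned.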
Upgrade remote AutoDiscovery sensors
For Windows and Linux machines
Important: For security updates for a VMware machine, reinstall OVF manually.
Do the following:
- On the AutoDiscovery web console, go to the Sensors tab.
- Select the checkboxes of the sensors you want to upgrade from the list.
- Click Upgrade.
Additional AutoDiscovery requirements based on network traffic collection method
Note: The number of sensors to install and where to install them depends on your network's load and topology.
For example, if you have packet brokers or standalone sniffers already collecting traffic on your network, you can send the traffic they collect to a single sensor. This avoids the need to thoroughly cover your network with sensors.
Configure one of the following:
Configure full capture by connecting an AutoDiscovery sensor to a mirrored switch port or a TAP device.
In both cases, the output rate must match the AlgoSec appliance collector rate and interface.
System requirements for full capture include the following:
Collection rates | Supported collection rates are 250,000 packets/s for an AlgoSec 2062 appliance-based collector and 1,000,000 packets/s for an AlgoSec 2322 appliance. These are recommended collection rates, since AlgoSec AutoDiscovery is statistical in nature and the loss of a few packets has no adverse effect.
ESX infrastructure | To enable port mirroring for a sensor installed on an ESX server, the server must be configured in promiscuous mode and the traffic must be mirrored to a port group. Adding a sensor to that port group enables the sensor to capture all of the traffic.
Log formats | From version 2.4.3, the sensor can optionally receive traffic in the following log formats:
Port mirroring hardware requirements | When installed in port mirroring mode, memory and CPU requirements depend on the amount of traffic monitored. Estimated minimum requirements include:
Note: For information on how to configure mirroring for a port, see your Switch/Router/Firewall documentation.
TCPReplay enables full traffic capture by replaying the traffic in previously collected PCAP files and sending that traffic to the AutoDiscovery sensor.
For example, PCAP files can be collected in the following ways and then replayed with TCPReplay:
- By packet brokers, such as VSS or Fluke
- By open source tools, such as Ethereal or TCPdump
Tip: Multiple PCAP files can be merged and played back simultaneously. This requires timing synchronization of better than 1 ms when collecting data.
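The replay pipeline described above, as an added example that is not part of AlgoSec's documentation or tooling: it merges the collected PCAP files with mergecap (from Wireshark) and replays them with tcpreplay, capping the packet rate at the collector rate this page gives for the 2062 and 2322 appliances so the replay never exceeds what the sensor's collector is rated for. The interface name eth1 and the file names in the usage line are constructed, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not AlgoSec's own tooling: merge collected PCAP files and replay them
# to the sensor capture interface with tcpreplay, capped at the appliance collector rate.
# Requires the mergecap (Wireshark) and tcpreplay packages; DRY_RUN=1 only prints.

# Collector rate in packets per second for the appliance models listed on this page.
collector_pps() {
    case "$1" in
        2062) echo 250000 ;;
        2322) echo 1000000 ;;
        *) echo "unknown appliance model: $1" >&2; return 1 ;;
    esac
}

# The lower of the requested rate and the appliance rate.
capped_pps() {
    limit=$(collector_pps "$1") || return 1
    if [ "$2" -gt "$limit" ]; then echo "$limit"; else echo "$2"; fi
}

# Run a command, or only echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# replay_pcaps <appliance model> <requested pps> <sensor interface> <pcap>...
replay_pcaps() {
    model=$1 want=$2 iface=$3
    shift 3
    [ $# -ge 1 ] || { echo "no PCAP files given" >&2; return 1; }
    for f in "$@"; do
        [ "${DRY_RUN:-0}" = 1 ] || [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    pps=$(capped_pps "$model" "$want") || return 1
    merged=${TMPDIR:-/tmp}/merged-$$.pcap
    # mergecap orders packets by timestamp across files, which is why the sources
    # need clock synchronisation better than 1 ms (see the tip above).
    run mergecap -w "$merged" "$@" || return 1
    run tcpreplay --intf1="$iface" --pps="$pps" "$merged" || return 1
    [ "${DRY_RUN:-0}" = 1 ] || rm -f "$merged"
    return 0
}

# Usage (constructed file names): DRY_RUN=1 replay_pcaps 2062 400000 eth1 broker.pcap tap.pcap
```

With a 2062 collector the example above replays at 250,000 packets/s even though 400,000 was requested; with a 2322 the requested rate is used unchanged.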