The AutoDiscovery server contains a sensor that captures data from across your network.
You may need to add additional sensors if you want to capture traffic from other networks or to separate your AutoDiscovery server and sensor machines.
This topic describes how to deploy additional sensors as needed, directly on a customer-owned Windows or Linux machine, or on a repurposed ASMS machine.
The following table describes the supported configurations for installing additional sensors, and the high-level steps required for each configuration:

| Configuration | High-level steps |
| --- | --- |
| ESX with port mirroring | 1. Deploy an AutoDiscovery sensor to each ESX server. 2. Configure each sensor to view traffic in promiscuous mode. |
| Physical server with port mirroring | 1. Prepare a separate server for the AutoDiscovery sensor. The server can be physical or virtual, and Windows or Linux. 2. Direct mirrored traffic to the sensor. |
| Local mode with direct capture | Install a sensor on any server from which you want to capture traffic. |

This procedure describes how to deploy additional AutoDiscovery sensors.
Note: If you are deploying additional sensors, each additional sensor must be deployed on its own machine. Use different machines than the ones you are using for the AutoDiscovery server and the ASMS installation.
Important: For security updates for a VMware machine, reinstall the OVF manually.
Do the following:
On the AutoDiscovery web console, go to the Sensors tab.
Select the checkboxes of the sensors you want to install from the list.
Click Upgrade.
Additional AutoDiscovery requirements based on network traffic collection method
Note: The number of sensors to install and where to install them depends on your network's load and topology.
For example, if you have packet brokers or standalone sniffers already collecting traffic on your network, you can send the traffic they collect to a single sensor. This avoids the need to thoroughly cover your network with sensors.
Configure full capture by connecting an AutoDiscovery sensor to a mirrored switch port or a TAP device.
In both cases, the output rate must match the AlgoSec appliance collector rate and interface.
System requirements for full capture include the following:
Collection rates
Supported collection rates are 250,000 packets/s for an AlgoSec 2062 appliance-based collector and 1,000,000 packets/s for an AlgoSec 2322 appliance.
These are recommended collection rates, since AlgoSec AutoDiscovery is statistical in nature and a loss of a few packets has no adverse effect.
ESX infrastructure
To enable port mirroring for a Sensor installed on an ESX server, the server must be configured in promiscuous mode and the traffic must be mirrored to a port group.
Adding a Sensor to that port group will enable the Sensor to capture all of the traffic.
Log formats
From version 2.4.3, the Sensor can optionally receive traffic in the following log formats:
ERSPAN (type 2 and 3)
GRE (IP 800 and Transparent Ethernet Bridging 6558)
Encapsulated Remote Mirroring in VMware environments (on VDS from vSphere 7 and up)
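
To check that mirrored traffic arriving at a sensor uses one of the encapsulations listed above, the GRE header of each received packet can be classified by its protocol type. This is an added example, not AlgoSec code: the function names, result labels and sample packets are constructed for illustration, and it assumes an IPv4 outer header.

```python
import struct

# GRE protocol-type values for the encapsulations listed above.
GRE_IP, GRE_TEB, GRE_ERSPAN2, GRE_ERSPAN3 = 0x0800, 0x6558, 0x88BE, 0x22EB

def classify_mirror(ip_packet: bytes) -> str:
    """Label the encapsulation of one IPv4 packet seen on the capture interface."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return "not IPv4"
    if ip_packet[9] != 47:                       # IP protocol 47 = GRE
        return "not GRE"
    gre = ip_packet[(ip_packet[0] & 0x0F) * 4:]  # skip IPv4 header (IHL words)
    if len(gre) < 4:
        return "truncated GRE header"
    flags, proto = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:                           # only GRE version 0 is parsed
        return "not listed: GRE version != 0"
    # Optional checksum (C), key (K) and sequence (S) fields are 4 bytes each.
    inner = gre[4 + 4 * sum(bool(flags & b) for b in (0x8000, 0x2000, 0x1000)):]
    if proto == GRE_IP:
        return "GRE (IP)"
    if proto == GRE_TEB:
        return "GRE (Transparent Ethernet Bridging)"
    if proto in (GRE_ERSPAN2, GRE_ERSPAN3):
        if proto == GRE_ERSPAN2 and not flags & 0x1000:
            return "not listed: ERSPAN type 1"   # no sequence, no ERSPAN header
        version = inner[0] >> 4 if inner else -1 # 1 = type 2, 2 = type 3
        if version != (1 if proto == GRE_ERSPAN2 else 2):
            return "not listed: malformed ERSPAN header"
        return f"ERSPAN type {version + 1}"
    return f"not listed: GRE protocol 0x{proto:04x}"

def sample(flags: int, proto: int, body: bytes) -> bytes:
    """Constructed test packet: IPv4 header (192.0.2.x, protocol 47) + GRE."""
    gre = struct.pack("!HH", flags, proto) + body
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0, 0, 64, 47, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + gre

SAMPLES = {  # all constructed, not captured; bytes(4) is the GRE sequence field
    "erspan2": sample(0x1000, GRE_ERSPAN2, bytes(4) + b"\x10" + bytes(7)),
    "erspan3": sample(0x1000, GRE_ERSPAN3, bytes(4) + b"\x20" + bytes(11)),
    "teb":     sample(0x0000, GRE_TEB, bytes(14)),
    "erspan1": sample(0x0000, GRE_ERSPAN2, bytes(14)),
    "ipv6":    sample(0x0000, 0x86DD, bytes(40)),
}

if __name__ == "__main__":
    print({name: classify_mirror(p) for name, p in SAMPLES.items()})
```

A steady stream of "not listed" results on the capture interface points to a mirror session configured with an encapsulation outside the list above, which is worth correcting at the switch or VDS rather than at the sensor.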
Port mirroring hardware requirements
When installed in port mirroring mode, memory and CPU requirements depend on the amount of traffic monitored.
Estimated minimum requirements include:
Dual CPU/dual core
2GB RAM
10MB free disk space
2 Network Adapters - one connected to the mirror port, the other connected to the LAN.
Note: For information on how to configure mirroring for a port, see your Switch/Router/Firewall documentation.