Booting and Pairing Hyper-V Virtual Sensors (vSensors)

About Virtual Sensor Hyper-V Images

Vectra Brain appliances may be paired both with physical Sensors and with vSensors - virtual Sensors.  The appliances make a Hyper-V VHD image (in a .zip archive) available for download and subsequent use for provisioning vSensors.

Vectra appliances typically operate with updates enabled.  Regular updates ensure that the appliances are running the very latest version.  Deployed Sensors and vSensors also update regularly.  

When a Brain updates, the VHD that it makes available for download and use on vSensors is updated as well.  As such, it is recommended that you download and use the latest available VHD from your Brain any time you deploy a new vSensor.

Once a vSensor has been deployed, it will update itself as needed, staying current with its Brain.


Hyper-V vSensor Requirements and Throughput

Hyper-V Version Supported: Windows Server 2016 w/ HW v8 or higher
Cores Required: 2 (500 Mbps) or 4 (1 Gbps)
RAM Required: 8 GB
Disk Space Required: 100 GB (500 Mbps) or 150 GB (1 Gbps)
Virtual Switch Type Supported: External
Capture Interfaces Supported: 1
Management Interface: 1 (can be shared with capture interface)
Traffic that can be captured: Physical or Virtual

Please note that Hyper-V vSensors do not support dynamic configuration adjustment.  Once deployed, if you wish to change the configuration you should un-pair/delete the vSensor from the Brain, shut it down, remove it from Hyper-V and redeploy with the new configuration.

Vectra may add additional configuration options and capture interface support in the future.  Please check release notes or this article for future updates to supported configurations.

Downloading the latest Virtual Sensor Hyper-V VHD image

The current vSensor image (VHD) for use on new vSensors can be downloaded from the Brain by clicking the blue button “Download Virtual Image” from the UI: Manage - Sensors page and then selecting the Hyper-V vSensor (VHD) image. 



Deploying the VHD

  • Once downloaded, the VHD image will need to be unzipped.  Use the archive utility of your choice to unzip the image.
  • Launch PowerShell as an administrator


  • As a ONE-TIME SETUP step, run "Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope CurrentUser" to allow the installer to run


  • CD to your directory, which should contain "Vectra vSensor.ps1"
  • You can use the PowerShell get-help command to see current options for the script
    • "get-help '.\Vectra vSensor.ps1'"
  • PLEASE NOTE
    • To specify the storage path for the VM you must use the "-path" option, or your installation will occur in the current directory
    • Remote hosts are also supported. For guidance in specifying remote paths, refer to the "get-help" option
    • The "-setupmirror" option will set up port mirroring on the capture switch and should be used unless mirroring is already enabled on the switch you intend to use for capture traffic
      • This will cause all traffic passing on the external network NIC of the capture switch to be mirrored to any VM whose port monitoring mode has been set to "Destination"
  • Execute the PowerShell script to begin the installation
    • "& '.\Vectra vSensor.ps1' -setupmirror"
    • You will need to specify the management switch, capture switch, and configuration
    • The script will then create the vSensor and start it up


  • Once the script has finished you can rename your VM in the Hyper-V manager if desired


  • Important guidance regarding physical network capture, virtual guest network capture, and VLAN tagging
    • Only 1 interface can be set for capture
    • This can be the same as the management switch if your server does not have a dedicated capture switch
    • If you have physical network traffic directed at a switch that is not being used by your guests running on the server, you will need to deploy two vSensors to the same physical host to capture both types of traffic
    • Capturing Physical Network Traffic coming into the Hyper-V server
      • The -setupmirror option specified above will enable MonitorMode 2 which is essentially the same as source mode for port mirroring on the capture switch
        • MonitorMode 2 = Source, MonitorMode 1 = Destination, MonitorMode 0 = None
      • You will still need to ensure that the virtual network adapter being used for the capture switch has its port mirroring set to "Destination"
        • This can be done via PowerShell or via the GUI
        • Set the vSensor port as the destination, where MyVM is the VM name and xxxxxxxx is the MAC address of the port:
        • Get-VMNetworkAdapter -VMName MyVM | Where-Object MacAddress -eq 'xxxxxxxx' | Set-VMNetworkAdapter -PortMirroring Destination
        • Note that this screenshot is an example, you will likely need to do this on the 2nd interface if using a separate management and capture interface


    • Capturing virtual network traffic from other guests
      • Set the ports on the VMs you wish to mirror as Source
      • This can be done in the GUI by going to each host or in a similar fashion from the PowerShell by getting the relevant VM name and MAC address for the source ports and setting as "Source" instead of "Destination"
      • Get-VMNetworkAdapter -VMName MyOtherVM | Where-Object MacAddress -eq 'xxxxxxxx' | Set-VMNetworkAdapter -PortMirroring Source
    • Capturing traffic that is over multiple VLANs will require the Destination host (vSensor in this case) to allow all relevant VLANs and be set for Trunking
      • Set-VMNetworkAdapterVlan -VMName MyVM -VMNetworkAdapterName "mirror" -Trunk -AllowedVlanIdList <VLAN-ID-Range> -NativeVlanId <VLAN-ID>
      • Here are a couple of examples that show the syntax
        • The NativeVlanId parameter tells Hyper-V to treat a packet with no VLAN specified as if it came from that VLAN: VLAN 0 in the first example below and VLAN 10 in the second
        • Set-VMNetworkAdapterVlan -VMName MyVM -Trunk -AllowedVlanIdList "100,101" -NativeVlanId 0
        • Set-VMNetworkAdapterVlan -VMName MyVM -Trunk -AllowedVlanIdList 1-100 -NativeVlanId 10
  • Additional guidance for virtual switch options in Hyper-V
    • Microsoft NDIS Capture must be enabled on the Capture Switch
    • This can be set per the screenshot below in your Virtual Switch Extensions for the capture switch if it is not already enabled


    • Other virtual switch hardware acceleration or advanced features can be set as desired and should not impact vSensor function
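
A read-only check of the mirroring setup described above, as an added example that is not part of the original article or of Vectra's installer script: it lists the mirroring mode of every VM port on the capture switch, warns about any Destination port other than the vSensor, and confirms Microsoft NDIS Capture and the vSensor VLAN mode. The VM name MyVM and the switch name CaptureSwitch are assumptions; substitute your own.

```powershell
# Added example: audit port mirroring on a Hyper-V host (run in an elevated PowerShell).
# Assumptions: 'MyVM' is the vSensor VM and 'CaptureSwitch' is the capture switch name.
$SensorVm      = 'MyVM'
$CaptureSwitch = 'CaptureSwitch'

# 1. Mirroring mode of every VM port attached to the capture switch.
$ports = Get-VMNetworkAdapter -VMName * |
    Where-Object SwitchName -eq $CaptureSwitch |
    Select-Object VMName, Name, MacAddress, PortMirroringMode
$ports | Format-Table -AutoSize

# 2. The vSensor needs a port set to Destination on that switch.
$sensorDest = $ports |
    Where-Object { $_.VMName -eq $SensorVm -and $_.PortMirroringMode -eq 'Destination' }
if (-not $sensorDest) {
    Write-Warning "$SensorVm has no port set to Destination on $CaptureSwitch"
}

# 3. Any other Destination port also receives the mirrored traffic.
$ports |
    Where-Object { $_.VMName -ne $SensorVm -and $_.PortMirroringMode -eq 'Destination' } |
    ForEach-Object { Write-Warning "Unexpected mirror destination: $($_.VMName) [$($_.MacAddress)]" }

# 4. Microsoft NDIS Capture must be enabled on the capture switch.
$ndis = Get-VMSwitchExtension -VMSwitchName $CaptureSwitch -Name 'Microsoft NDIS Capture'
if (-not $ndis.Enabled) {
    Write-Warning "Microsoft NDIS Capture is disabled on $CaptureSwitch"
}

# 5. VLAN mode of the vSensor ports (Trunk is needed for multi-VLAN capture).
Get-VMNetworkAdapterVlan -VMName $SensorVm |
    Select-Object ParentAdapter, OperationMode, AllowedVlanIdList, NativeVlanId |
    Format-Table -AutoSize
```

The script only reads configuration, so it can be re-run after each change to the mirroring or VLAN settings.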

Initial Configuration of the vSensor at the Console

  • Connect to your vSensor console using the "Connect..." button (two above the "Start" button in the above graphic), then change the password and set the IP configuration for the management interface
    • Login using the "vectra" user with an initial password of "changethispassword"
    • Use the "set password" function to set a new password
    • Use the "set interface" command to configure the management interface
      • Please note that because Hyper-V does not have interfaces on the PCI bus we cannot rename them.  Normally in physical or VMware vSensors this command would be using mgt1 as an interface name



Pairing the vSensor

  • vSensors do not have a distinct web UI, however they do have a CLI interface available via ssh as the "vectra" user after initial configuration in the console is done
  • Once the interface configuration is set, the vSensor will announce itself to the Brain
    • This can take a couple of minutes
  • If the announce is successful, the vSensor will appear in the UI at the "Manage > Sensors" page
  • If Auto Pairing is enabled, the Pairing process will also begin
  • Navigate to the Brain GUI and the Manage > Sensors page to see the process
    • Initially you will see the Status on the right as "Pairing" once the vSensor has announced itself to the Brain (which can take a couple of minutes)
    • Finally the Status will change to Forwarding once either Auto Pairing or Manual Pairing has completed
  • Please note
    • vSensors, like physical Sensors, will update themselves at boot if needed, to stay current with their Brain.  vSensor CLI functions and traffic functions will become available only after the vSensor has ensured it is up-to-date.  Depending on the specific version of the vSensor, you may see errors or warnings when running CLI functions during the period of time when the vSensor is still updating.


  • The vSensor can be renamed as desired by clicking on the pencil icon on the right


  • Check to see that traffic is being seen at the capture interface
    • You can see this immediately at the command line using the "show traffic stats" command
      • Execute the command a few times to see increasing packet counts
    • After a few minutes, you can also see interface graphs appear in the UI (if traffic is above 1 Mbps)
      • Navigate to Network Stats > Ingested Traffic



Auto Pairing and Other Pairing Guidance

Auto Pairing is configurable in the UI: Settings – System – Sensors page.  

If Auto Pairing is enabled, the vSensor will automatically complete the Pairing process.
If Auto Pairing is disabled, the vSensor will appear in UI: Settings – System – Sensors page, but must be manually Paired by clicking on the vSensor name and clicking the “Pair” button.

Notes about Pairing with new or changed Brains:

  • If you have a backup of your Brain and restore it to a new Brain with the same configuration (IP or hostname), previously paired Sensors (including vSensors) will connect to the new Brain automatically as the Sensor state is saved in the backup.
  • If the Brain IP has changed but otherwise remains the same, the vSensors may be updated to the new IP address using the "set brain" command.
  • Existing tunnels have to terminate to re-establish connection to a new Brain.  This can be accomplished a few different ways.
    • Naturally because the original Brain is no longer reachable due to firewall change, hardware or software failure, etc.
    • Using the "del brain" command on the vSensor you wish to Pair to the new Brain.
    • Unpairing from the original Brain and having the vSensor attempt communication to the original Brain.

Notes about vSensors and Pairing by Hostname vs IP

  • The vSensor VHD downloaded from the Brain will use, by default, the Brain’s IP address for Pairing.
  • You will need to set the “Settings > General > Sensors > Pair using DNS name” option to generate the VHD that points at a hostname. 
    • When this setting is changed, it does not affect any previously Paired (either by IP or Hostname) vSensors.