Configure Network Interfaces for On-Premises Sensors

A USM Anywhere Sensor deployed on VMware or Hyper-V uses five network interfaces. These network interfaces have a predefined role that cannot be changed. The USM Anywhere management interface is required for many essential functions, including the following:

The management interface needs an IP address with permissions to access the following:

The other interfaces passively monitor network traffic in promiscuous mode Mode in which network IDS monitoring operates in passive listening mode, checking all IP packet traffic passing through it for threats.; the system does allow the configuration of an IP address on them. These interfaces should be plugged into a port in the switch where port mirroring is configured. The following table summarizes each interface's usage.

Network Interfaces Available in On-Premises Sensors
Interface Name Network Configuration Required
Management Interface

Internet connectivity and IP address routed to provide the access to USM Anywhere.

This IP address also allows connections to assets in a monitored network for log collection and asset scans.

Network Monitoring Interface 1

 Interface connected to a mirrored port in the network switch 1.
Network Monitoring Interface 2 Interface connected to a mirrored port in the network switch 2.
Network Monitoring Interface 3 Interface connected to a mirrored port in the network switch 3.
Network Monitoring Interface 4 Interface connected to a mirrored port in the network switch 4.

Warning: The VMware Sensor and Hyper-V Sensor require all five network interface cards (NICs) to be enabled; otherwise, the USM Anywhere update will fail. The NICs can remain disconnected.

You should only connect the other NICs to any additional network you want to monitor. Don't connect the NICs to the same Switched Port Analyzer (SPAN) port because it'll produce duplicate events in USM Anywhere.

Use the functions provided by the sensor console to configure the management interface and your Domain Name System (DNS).

By default, USM Anywhere has Dynamic Host Configuration Protocol (DHCP Network protocol used to dynamically distribute network configuration parameters, such as IP addresses, for interfaces and services.) and log collection enabled.

To configure the management interface automatically using DHCP

During the installation, your system sets an IP address assigned by a DHCP server. You can check the IP address afterwards:

  1. Connect to the USM Anywhere Sensor console.
  2. Go to Network Configuration > View Network Configuration.

To manually configure the management interface

  1. Connect to the USM Anywhere Sensor console.

  2. Go to Network Configuration > Configure Management Interface > Set a Static Management IP Address.

    Note: The Configure Management Interface option is only available on VMware and Hyper-V Sensors.

  3. Enter the IP address.
  4. Press Enter.

The DNS nameserver is part of the DNS that maintains a directory of domain names and translates them to IP addresses.

Important: If you specify two servers for DNS resolution, USM Anywhere determines their priority by their order. Configure your local DNS in the first position to have DNS name resolution in your internal network.

To define the DNS Nameservers

  1. Connect to the USM Anywhere Sensor console.

  2. Go to Network Configuration > Configure DNS.

    Note: The Configure DNS option is only available on VMware and Hyper-V Sensors.

  3. Enter the primary DNS, and then press Enter.

    A confirmation screen opens to apply changes.

  4. Select Yes.

  5. (Optional.) You can provide the secondary DNS, and then press Enter.

    When the confirmation screen appears to apply changes, select Yes.

USM Anywhere is hosted as a cloud service with an IP address that is not statically assigned and may change periodically. For this reason, you must set up a firewall rule that uses the URL of the cloud service to allow incoming and outgoing traffic between the USM Anywhere Sensor and the cloud service.

In this example, the URL for the USM Anywhere instance is displayed within the green box.

You can verify your network settings in the USM Anywhere Sensor Setup wizard or through the sensor console.

To verify the network settings in the USM Anywhere web user interface (UI)

  1. Go to Data Sources > Sensors, and then click the USM Anywhere Sensor name.

    At the bottom of the USM Anywhere Sensor page, click the Network IDS tab. Here you can view the traffic in your network over various interfaces.

    Important: The interface will only show as receiving data if it is receiving more than 1000 packets over a 30-second period.

    You can configure a new interface as well as port mirroring here. See the following documentation for more information:

The Network IDS tab also allows you to configure your Classless Inter-Domain Routing (CIDR Classless Inter-Domain Routing, which provides a method for allocating IP addresses, routing Internet protocol packets, and subdividing networks. CIDR notation provides a syntax for specifying a range of IP addresses.) blocks by clicking the Configure CIDR Blocks button. Your CIDR blocks are automatically populated by the setup wizard during the initial USM Anywhere Sensor deployment. By default, the system will scan all internal IPv4 addresses and assign their names based on those designated in your asset groups Asset groups are administratively created objects that group similar assets for specific purposes..

If you want to remove a block or change the subnet range of the block, click the x button next to the CIDR block to remove it, and then click Add Another CIDR Block to input a new CIDR block with the desired subnet range. Be aware, however, that removing part of a subnet range or deleting a block completely will result in the sensor no longer monitoring that portion of your internal network.

To verify the network settings in the USM Anywhere Sensor console

  1. Connect to the USM Anywhere Sensor console.
  2. Go to Network Configuration > View Network Configuration.