USM Anywhere™

Requirements for VMware Sensor Deployment

Review the following prerequisites to ensure an efficient setup and configuration of the USM Anywhere Sensor on VMware.

Minimum Requirements

These are the minimum requirements needed to set up and configure the USM Anywhere Sensor on VMware:

  • Access to VMware ESXi 5.1 or later

    Important: If you are using VMware ESXi 5.1 through 6.0, the VMware vSphere Desktop Client is required for deployment of the USM Anywhere Sensor OVF. You cannot use the VMware vSphere Web Client interface for the sensor deployment.

    If you are using VMware ESX 6.5, you must have build 7388607 or later. Earlier builds have an issue with the OVF tools that will cause the sensor OVF deployment to fail.

    If the OVF package is invalid and can't be deployed, and you get a SHA256 Error message, see The OVF Package Is Invalid and Cannot Be Deployed - SHA256 Error for more information.

  • Dedicated 4 CPUs and 12 GB of reserved memory
  • Dedicated 150 GB of disk space (100 GB data device and 50 GB root device)
  • Internet connectivity to the network where you plan to install the VMware Sensor

Important: Because the needs of a sensor differ based on the varying demands of different deployment environments and the complexity of events being processed, the number of events per second (EPS) throughput a sensor can process will vary.

Depending on your environment, you may need to deploy additional sensors to ensure that all events are processed.

Recommended Requirements

These are the minimum requirements needed to set up and configure the USM Anywhere Sensor on VMware:

  • A vSphere or vCenter user account to use for USM Anywhere Sensor configuration with an assigned role that has permissions equivalent to the read only default role.

    Note: The read only role allows a user limited read access to the system without any other privileges. Credentials with this assigned role allow the deployed USM Anywhere Sensor to collect vCenter and vSphere events and run asset discovery.

  • Installed VMware Tools for hosts in your vSphere or vCenter environment.

    With configured vSphere or vCenter credentials, the VMware Sensor uses the VMware APIs to run asset discovery. For hosts that do not have VMware Tools installed, the asset does not have an assigned IP address and this can result in the asset being missed from asset discovery or in duplicate assets created during subsequent discoveries. These tools also enable the sensor to collect more detailed information about the asset.

  • If DHCPNetwork protocol used to dynamically distribute network configuration parameters, such as IP addresses, for interfaces and services. is not available, a configured static IP for the management interface and local DNS information.

    Important: AT&T Cybersecurity strongly recommends assigning a static IP to deploy the USM Anywhere Sensor. If DHCP changes the IP address of the sensor, you must update all the IP addresses on all the devices that are forwarding logs to the sensor through syslog.

  • Port mirroringMethod of network monitoring in which a system passively collects network traffic on the same ports as other network devices. set up for network monitoring (see Direct Traffic from Your Physical Network to the VMware Sensor).
  • Administrative credentials for devices that require configuration to forward logs to the VMware Sensor.
  • Administrative credentials for remote hosts to support authenticated asset scans.
  • Configuration on firewall or other security device to send UDP or TCP syslog (if it is capable of exporting security logs through UDP or TCP syslog).
  • Network topology information to run asset discovery.
  • To access NIDS functionality on the sensor, an ethernet port on the host must be available to receive data from a SPAN or TAP port.

Sensor Ports and Connectivity

Before you deploy a USM Anywhere Sensor, you must configure your firewallVirtual or physical device designed to defend against unauthorized access to data, resources, or a private network. A firewall’s primary purpose is to create segregation between two or more network resources, blocking undesirable traffic between them. permissions to enable the required connectivity for the new sensor. Initial deployment of a sensor requires that you open egress and outbound ports and protocols in the firewall for communication with USM Anywhere and AT&T Cybersecurity Secure Cloud resources. The sensor receives no inbound connections from outside the firewall.

Note: To launch the USM Anywhere Sensor web user interface (UI) during the initial setup, you need to allow inbound traffic to the sensor IP address through TCP port 80. You can remove access to this port after the sensor successfully connects to USM Anywhere. You do not need to allow inbound traffic to this port from the Internet.

The table below includes the outbound ports.

Sensor Ports and Connectivity (Outbound Ports)
Type Ports Endpoints Purpose
TCP 443 update.alienvault.cloud Communication with AT&T Cybersecurity for initial setup and future updates of the sensor.
TCP 443 reputation.alienvault.com Ongoing communication with Open Threat Exchange® (OTX™).
TCP 443 otx.alienvault.com Ongoing communication with OTX to retrieve vulnerability scores. Connecting to otx.alienvault.com is not required but highly recommended.
TCP 443 your USM Anywhere subdomain
.alienvault.cloud
Ongoing communication with USM Anywhere.
TCP 9443 vCenter Server Authenticate sensor to VMware ESXi.
SSL / TCP 7100 your USM Anywhere subdomain
.alienvault.cloud
Ongoing communication with USM Anywhere.
UDP 53 DNS Servers (Google Default) Ongoing communication with USM Anywhere.
UDP 123

0.amazon.pool.ntp.org

1.amazon.pool.ntp.org

2.amazon.pool.ntp.org

3.amazon.pool.ntp.org

Sync with network time protocol (NTP) services in the AT&T Cybersecurity Secure Cloud.
TCP 22 and 443 prod-usm-saas-tractorbeam.alienvault.cloud

SSHProgram to securely log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another through Secure Copy (SCP). communications with the USM Anywhere remote support server.

See Troubleshooting and Remote Sensor Support for more information about remote technical support through the USM Anywhere Sensor console.

The table below includes the inbound ports.

Sensor Ports and Connectivity (Inbound Ports)
Type Ports Purpose
SSH 22 Inbound method for secure remote login from a computer to USM Anywhere.
HTTP 80 Inbound communication for HTTP traffic.
UDP (RFC 3164) 514 USM Anywhere collects data through syslog over UDP on port 514 by default.
TCP (RFC 3164) 601 Inbound communication for reliable syslog service. USM Anywhere collects data through syslog over TCP on port 601 by default.
TCP (RFC 5424) 602 USM Anywhere collects data through syslog over TCP on port 602 by default.
Traffic Mirroring 4789 Inbound communication for virtual extensible local area network (VXLAN).
TLS/TCP (RFC 3164) 6514 USM Anywhere collects Transport Layer Security (TLS)-encrypted data through syslog over TCP on port 6514 by default.
TLS (RFC 5424) 6515 USM Anywhere collects data through syslog over TLS on port 6515 by default.
GrayLog 12201 Inbound communication for Graylog Extended Log Format (GELF).

Next...

See Creating the VMware Virtual Machine