Install AutoDiscovery sensors
By default, each AutoDiscovery server installation comes pre-installed with a single sensor, used to capture data from across your network.
You may need additional sensors if you want to use direct traffic collection, full traffic capture, or if you want to separate your AutoDiscovery server and sensor machines. For more details, see Traffic collection options.
This topic describes how to install additional sensors as needed, either directly on a Windows or Linux machine, or as a VMWare OVF.
Sensor installation options
The following table describes the supported configurations for installing additional sensors, and the high-level steps required for each configuration:
Configuration | High-level steps
ESX with port mirroring | Do the following:
Physical server with port mirroring | Do the following:
Local mode with direct capture | Install a sensor on any server from which you want to capture traffic.
For more details, see Install additional AutoDiscovery sensors.
Note: To configure statistical traffic collection with NetFlow/SFlow, we recommend using the sensor installed together with the AutoDiscovery server.
For more details, see Install AutoDiscovery.
AutoDiscovery sensor system requirements
Additional AutoDiscovery sensors must be installed on a Linux or Windows server with the following minimum specifications:
CPU | 4-core CPU if the expected traffic load is at most 2 Gbps; 8-core CPU if the expected traffic load is more than 2 Gbps
Memory | 8 GB
Disk space | 1 GB free disk space
Network adapters | At least 2 network adapters:
Software (Windows only) | When installing a Windows sensor, make sure you have the following software installed on the AutoDiscovery sensor machine:
When deploying on a virtual machine, network cards must be physically connected to the switch / router.
Install additional AutoDiscovery sensors
This procedure describes how to install additional AutoDiscovery sensors.
Do the following:
- Verify that your AutoDiscovery sensor machine complies with the system requirements. For details, see AutoDiscovery sensor system requirements.
Note: If you are installing additional sensors, you must do so using different machines than the ones you are using for the AutoDiscovery server and the ASMS installation. Each additional sensor must be installed on its own machine.
- On the AlgoSec portal, navigate to Downloads > Software > AlgoSec AutoDiscovery.
- Do one of the following:
New installation: Select New Installation > Select Deployment Type, and then:
  - Select your installation type, either a VMWare OVF, or a Windows or Linux installation file.
  - Select A30.10 to install the AutoDiscovery sensor version relevant for AutoDiscovery Server A30.10.
  - Click Next, and then click the Download button next to the AutoDiscovery Sensor option for the selected installation type.
  A .zip file is downloaded for your installation.
Upgrade: Select Upgrade (All Deployments), and then:
  - Select A30.10 to upgrade to AutoDiscovery A30.10.
  - Click Next, and then click the Download button next to one of the following options:
  AutoDiscovery Upgrade for Sensor for Windows x64: Upgrades your separate Windows sensor installation.
  AutoDiscovery Upgrade for Linux Sensor: Upgrades your separate Linux sensor installation.
  Note: This option does not upgrade the local sensor installed on your AutoDiscovery server.
  A .zip file is downloaded for your upgrade.
- Deploy the downloaded file on your sensor machine, depending on your OS type. For example:
Run an AutoDiscovery sensor installation on VMWare
Deploy your downloaded OVF file to a virtual machine with the required specifications.
Run an AutoDiscovery sensor installation on Linux
This procedure describes how to run an AutoDiscovery sensor installation on Linux.
Do the following:
- Extract the contents of the AutoDiscoverySensor-3000.10.0-40-Linux.zip file.
- Run the installation:
./AutoDiscovery-Linux-x64.run
- Create a directory for the AAD sensor service files. Run:
mkdir /opt/autodiscovery
Note: If the /opt/autodiscovery directory already exists, delete only its networksensor sub-directory. Run:
rm -rf /opt/autodiscovery/networksensor
- If the /var/log/autodiscovery directory does not yet exist, create it for the network sensor logs. Run:
mkdir /var/log/autodiscovery
- Place the AAD sensor files in the correct directory. Run:
mv AutoDiscovery-Linux-x64/networksensor /opt/autodiscovery
- Enable the AAD sensor service. Run:
systemctl enable /opt/autodiscovery/networksensor/networksensor.service
If an error occurs, run:
systemctl link /opt/autodiscovery/networksensor/networksensor.service
- Stop the firewalld service to open the sensor up to NetFlow, sFlow and AAD server communication. Run:
systemctl stop firewalld
- Start the networksensor service. Run:
systemctl start networksensor
- Verify that the networksensor is alive by tailing its log and checking that new lines are added. Run:
tail -f /var/log/autodiscovery/networksensor.log
- Exit by pressing CTRL+C.
Your sensor is installed and ready to use with AutoDiscovery.
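The file-staging steps of the Linux procedure above (create the service directory, replace only the old networksensor sub-directory, create the log directory, move the files in, enable and start the unit) can be wrapped in a small POSIX shell script so that the directory operations are checked before anything is removed. The script below is an added example, not AlgoSec's installer or any file from the sensor package. It assumes the .run file has already extracted the package into a directory (AutoDiscovery-Linux-x64 by default) that contains networksensor/networksensor.service; the function names, the AAD_SENSOR_INSTALL guard variable and the test fixture paths are all inventions of this example. The firewall step of the procedure is left to be run by hand exactly as the page describes.

```shell
#!/bin/sh
# Added example, not part of the AutoDiscovery sensor package.
# Stages the Linux sensor files in the layout the procedure describes,
# with checks before any destructive step.

# stage_sensor_files SRC_DIR BASE_DIR LOG_DIR
# SRC_DIR  : directory produced by the .run extractor (contains networksensor/)
# BASE_DIR : service directory, /opt/autodiscovery on a real sensor
# LOG_DIR  : log directory, /var/log/autodiscovery on a real sensor
# Returns 0 on success, 1 if the extracted payload does not look right.
stage_sensor_files() {
    src="$1"; base="$2"; logdir="$3"

    # Refuse to touch anything unless the unit file is where we expect it.
    if [ ! -f "$src/networksensor/networksensor.service" ]; then
        echo "stage_sensor_files: $src/networksensor/networksensor.service not found" >&2
        return 1
    fi

    # Both directories may already exist; -p makes this idempotent.
    mkdir -p "$base" "$logdir"

    # Remove only the previous sensor sub-directory, never BASE_DIR itself.
    # The single quoted path matters: a stray space ("/opt/autodiscovery /networksensor")
    # would turn this into deletion of the whole base directory.
    rm -rf "$base/networksensor"

    # Move the freshly extracted sensor files into place.
    mv "$src/networksensor" "$base/networksensor"
}

# sensor_layout_ok BASE_DIR LOG_DIR
# Post-condition check used before enabling the service: unit file present,
# log directory present.
sensor_layout_ok() {
    [ -f "$1/networksensor/networksensor.service" ] && [ -d "$2" ]
}

# The real installation path, run only when explicitly requested as root,
# so that sourcing this file for testing never touches the system.
if [ "${AAD_SENSOR_INSTALL:-0}" = "1" ]; then
    stage_sensor_files "./AutoDiscovery-Linux-x64" /opt/autodiscovery /var/log/autodiscovery || exit 1
    sensor_layout_ok /opt/autodiscovery /var/log/autodiscovery || exit 1
    # Same enable-or-link fallback as the manual procedure.
    systemctl enable /opt/autodiscovery/networksensor/networksensor.service \
        || systemctl link /opt/autodiscovery/networksensor/networksensor.service
    systemctl start networksensor
    echo "sensor staged; verify with: tail -f /var/log/autodiscovery/networksensor.log"
fi
```

Run it on the sensor machine as `AAD_SENSOR_INSTALL=1 sh stage_sensor.sh` from the directory that holds the extracted package; without the variable the script only defines the two functions, which is what makes the staging logic testable against a scratch directory.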
Run an AutoDiscovery sensor installation on Windows
Do the following:
- Extract the contents of the downloaded AutoDiscoverySensor-3000.10.0-40-Windows-x64.zip file.
- Run the extracted AutoDiscoverySensor-Windows-x64.msi file.
- Click Next to start the wizard, accept the EULA, and continue through the wizard as instructed.
- The installation notifies you that a reboot will be required after the installation is complete. Verify that all other files are saved and that your system can be rebooted safely when ready, and click OK.
The wizard confirms when the installation is complete.
Your sensor is installed and ready to use with AutoDiscovery.
AutoDiscovery sensor system requirements
This section describes system requirements for AutoDiscovery sensors installed in addition to the one provided by the AutoDiscovery installation. Additional sensors are most often configured for full traffic capture.
Note: The number of sensors to install and where to install them depends on your network's load and topology.
For example, if you have packet brokers or standalone sniffers already collecting traffic on your network, you can send the traffic they collect to a single sensor. This avoids the need to thoroughly cover your network with sensors.
Configure one of the following:
Configure full capture by connecting an AutoDiscovery sensor to a mirrored switch port or a TAP device.
In both cases, the output rate must match the AlgoSec appliance collector rate and interface.
System requirements for full capture include the following:
Collection rates | Supported collection rates are 250,000 packets/s for an AlgoSec 2062 appliance-based collector and 1,000,000 packets/s for an AlgoSec 2322 appliance. These are recommended collection rates, since AlgoSec AutoDiscovery is statistical in nature and a loss of a few packets has no adverse effect.
ESX infrastructure | To enable port mirroring for a Sensor installed on an ESX server, the server must be configured in promiscuous mode and the traffic must be mirrored to a port group. Adding a Sensor to that port group enables the Sensor to capture all of the traffic.
Log formats | From version 2.4.3, the Sensor can optionally receive traffic in the following log formats:
Port mirroring hardware requirements | When installed in port mirroring mode, memory and CPU requirements depend on the amount of traffic monitored. Estimated minimum requirements include:
Note: For information on how to configure mirroring for a port, see your Switch/Router/Firewall documentation.
TCPReplay enables full traffic capture by replaying the traffic recorded in previously collected PCAP files and sending it to the AutoDiscovery sensor.
For example, PCAP files for TCPReplay can be collected as follows:
- By Packet Brokers, such as VSS or Fluke
- By open source tools, such as Ethereal or TCPdump
Tip: Multiple PCAP files can be merged and played back simultaneously. This requires timing synchronization of better than 1 ms when collecting data.