Deploy appliances

On your ESXi host, do as follows:

1. Select Virtual Machines.

2. Click Create/Register VM.

   

3. In Select creation type, select Deploy a virtual machine from an OVF or OVA file. Click Next.

   

4. In Select OVF and VMDK files, do as follows:

   1. Enter the VM name.
   2. Click the page to select files. Select the OVA file you've downloaded.
   3. Click Next.

   

5. In Select storage, select Standard storage. Then select the datastore where you want to put your VM. Click Next.

   

6. In Deployment options, enter settings as follows.

   1. SPAN1 and SPAN2. You don't need these for integrations. Select any port group as a placeholder and disconnect it in the VM settings later.
   2. In SYSLOG, select the port that will receive syslog data from your third-party product.

   3. In MGMT, select the management interface for the appliance. This interface lets the appliance send data to the Sophos Data Lake.

      You set up this interface earlier in Sophos Central in Internet-facing network port settings.

      If you selected DHCP during setup, make sure the VM can get an IP address via DHCP.

   4. In Disk Provisioning, make sure Thin is selected.

   5. Make sure Power on automatically is selected.
   6. Click Next.

   

7. Skip the Additional settings step.

8. Click Finish. Wait for the new VM to appear in the VMs list. This can take a few minutes.

   

9. Power on the VM and wait for installation to complete.

   The VM boots for the first time and checks that it can connect to the correct port groups and to the internet. Then it reboots. This can take up to 10 minutes.

10. In Sophos Central, go to Threat Analysis Center > Integrations > Configured.

11. Select the Integration Appliances tab and find the appliance on the VM you just deployed. The status icon shows Connected.

    

Now configure your third-party product to send data to the appliance. Go back to the integration instructions for that product to see how.

The Zip file you downloaded in Sophos Central contains the files you need to deploy your VM: virtual drives, seed.iso, and a Powershell script.

To deploy the VM, do as follows:

1. Extract the Zip file to a folder on your hard drive.
2. Go to the folder, right-click the ndr-sensor.ps1 file, and select Run with PowerShell.

3. If you see a Security Warning message, click Open to allow the file to run.

   You're prompted to answer a series of questions.

4. Give the VM a name.

5. The script shows the folder where the VM files will be stored. This is a new folder in your default installation location for virtual drives. Enter C to allow the script to create it.
6. Enter the number of processors (CPUs) to use for the VM.
7. Enter the amount of memory to use in GB.

8. The script shows a numbered list of all your current vSwitches.

   Select the vSwitch you want to attach the management interface to and enter its number. This interface lets the appliance send data to the Sophos Data Lake.

   You set up this interface earlier in Sophos Central in Internet-facing network port settings.

   If you selected DHCP during setup, make sure the VM can get an IP address via DHCP.

   

9. Enter the vSwitch you want to attach to the syslog interface.

   This is the vSwitch that will receive syslog data from your third-party product.

10. You don't need to specify vSwitches for capturing network traffic. These settings are only relevant if you have Sophos NDR. Select any vSwitch as a placeholder and disconnect it in the VM settings later.

    The PowerShell script sets up the VM in Hyper-V. You'll see an Installation Completed Successfully message.

11. Use any key to exit.

12. Open the Hyper-V Manager to see the VM added to the list of virtual machines. If you need to change any settings, you can. Then power it on.

    The VM boots for the first time and checks that it can connect to the correct vSwitches and the internet. Then it reboots. This can take up to 10 minutes.

13. In Sophos Central, go to Threat Analysis Center > Integrations > Configured.

14. Select the Integration Appliances tab and find the appliance on the VM you just deployed. The status icon shows Connected.

    

Now configure your third-party product to send data to the appliance. Go back to the integration instructions for that product to see how.

Upload image files

To upload the disk image files and seed ISO to the Nutanix system, do as follows:

1. From a web browser, sign in to the Nutanix web console on port 9440.

2. Go to Home > Settings.

   

3. Select Image Configuration.

   

Upload root image file

1. Click Upload Image
2. Enter a name. We recommend that you include the word "root" in the name.
3. (Optional) Add an Annotation.

4. Select Upload a file, click Browse, and select your file.

   When you select your file, Image type is automatically selected.

   

5. Click Save.

   The file upload starts. Wait for the upload to finish before you continue the setup.

Upload seed ISO image file

1. Click Upload Image.
2. Enter a name. We recommend that you include the word "ISO" in the name.
3. (Optional) Add an Annotation.

4. Select Upload a file, click Browse, and select your file.

   When you select your file, Image type is automatically selected.

5. Click Save.

   The file upload starts. Wait for the upload to finish before you continue the setup.

The three uploaded files will appear in the Image Configuration page.

Upload the installation script

A script named ndr-sensor.sh is also included in the zip file. To upload to the Nutanix AHV VM controller, use secure file transfer protocol (SCP), as follows:

1. For Windows, open a command prompt, or on MacOS or Linux, open a terminal.
2. Change to the directory where the unzipped files are located.

3. Run the following command: scp ndr-sensor.sh admin@<ip-address>:~/.

   

4. Enter the admin password.

Run the installation script

1. Open the Nutanix AHV VM.
2. Use the following command to sign in and connect via SSH: ssh admin@<ip-address>.
3. To run the installation script, run the following command: bash ndr-sensor.sh.

4. Enter a name for the appliance VM. The default name is ndr-sensor.

   

   Note

   For items that list a default value, you can press Enter to accept the default value.

5. Enter the number of CPU cores to assign to the VM. The default is 4.

6. Enter the amount of memory to assign to the VM. The default is 16(GB).

You'll see the following message: Created vm <name> UUID <UUID>.

Select the VM disk image files

To select the VM disk image files, do as follows:

1. Enter the image name for the seed ISO you uploaded.

   

2. Enter the image name for the root disk image file you uploaded.

3. Enter the image name for the data disk image file you uploaded.

Network Configuration

The script creates the following network interfaces for the VM:

• Management network
• Syslog network
• ERSPAN for tunneled capture data
• SPAN for mirrored network to receive capture data from other VM on this VM server

The script will list the available virtual subnets that can be used by the management, syslog, and tunneled Remote Switched Port Analyzer (RSPAN) capture data.

A single subnet can be used for all three networks.

To assign subnets to the networks, do as follows:

1. Enter the number corresponding to the subnet to use for the management network.

   

2. Enter the number corresponding to the virtual subnet to use for the syslog reception network.

3. The configuration for the SPAN network is automatically created using the configuration parameters. It's set as type=kSpanDestinationNic.
4. Enter the number corresponding to the virtual subnet to use for the tunneled RSPAN capture network.

When the script has completed, it provides some example acli commands to enable a Nutanix SPAN session. The MAC address listed in the example commands is the MAC address of the SPAN interface created by the script.

The example commands can be used for the following types of SPAN session:

• SPAN data from all VMs on the VM host.
• SPAN data from a single VM on the VM host.

For more information, see Traffic Mirroring on AHV Hosts.

Start the VM

After completing the script, return to the Nutanix web console and go to the VM page, then power your VM on.

In Sophos Central, go to the Integrations page for the product you're integrating and refresh it. The VM's status is now Connected.