
Sophos NDR on Nutanix

You must have the Sophos Network Detection and Response integration license pack to use this feature.

You can set up Sophos NDR on Nutanix so that NDR can detect malicious behavior on your network.

Note

The instructions below apply to Nutanix version 6.8. If you're on an earlier or later version, there may be some differences.

Setup video

Watch the setup video to guide you through the setup process:

Set up NDR sensor in Nutanix AHV

Requirements

The VM that runs the appliance has system and network access requirements. For details, see Appliance requirements.

For details about the required CPU microarchitecture and CPU flags, see CPU requirements.

Note

If you use both SPAN interfaces, your virtual machine must have 8 CPU cores.

For information about resizing the VM for the best performance, see Sophos NDR appliance size guide.

Create an NDR appliance image

  1. In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.
  2. Find and click Sophos Network Detection and Response (NDR).
  3. On the NDR page, in Data Ingest (Security Alerts), click Add Configuration.

    The integration setup steps appear.

  4. In Step 1, enter a name and description for the integration.


  5. In Step 2, click Create new appliance.

  6. To create the new appliance, do as follows:

    1. Enter the appliance name and description.
    2. In Virtual platform, select Nutanix.
    3. Specify the internet-facing network ports.

      • Select DHCP to assign the IP address automatically.

        Note

        If you select DHCP, reserve the appliance's IP address on your DHCP server so that it doesn't change after deployment.

      • Select Manual to specify network settings. For example:

        • IP address: 10.0.252.5
        • Subnet mask: 255.255.255.0
        • Gateway address: 10.0.252.1
        • DNS 1: 8.8.8.8
        • DNS 2: 8.8.4.4
  7. In Step 3, exclude specific domains and protocols from checking. For example, you might do this if you have a domain that causes false positives.

    You can set up your exclusions later, but you must enter an exclusion list name now.

    1. Enter a name in Exclusion list name.
    2. To exclude a domain, click Domain exclusions. Enter the domain name, for example, sophos.com, and click Add.
    3. To exclude a protocol, click Protocol exclusions.

      You can enter information in either or both of the fields, as follows:

      • In the first field, enter a top-level protocol. For example, TCP or UDP.
      • In the second field, enter a sub-protocol (website). For example, Facebook.

      If you enter information in both fields, we assemble them into one string with a single dot separator, for example TCP.Facebook.

      We don't recommend excluding a top-level protocol completely. Only do this if a high-traffic protocol that isn't usually risky, like a routing protocol, generates too much data.


    4. Click Add.

    You can export your exclusions as a JSON file. You can also upload a JSON file that you exported previously to add its exclusions to the list.

  8. Go to the top of the page, and click Save.

    You see your Appliance Credentials. Copy them, and store them securely.

    Note

    They're only shown once.

  9. Click OK.

    Your Nutanix installer is generated. This may take a few minutes.

On the NDR page, under Configured NDR integrations, you see the new integration. If it doesn't show, click the Refresh icon.

Download the VM image

Now, you download the NDR image you need to deploy and power on the new VM.

  1. Next to the new integration, click the three dots icon in the Actions column, and select Download image.

    The Nutanix deployment file is a zip file that contains the disk image files, a seed ISO containing the authorization key that enrolls the appliance with Sophos Central, and an installation script. Because the seed ISO carries that key, restrict access to the zip file and its extracted contents as you would to the appliance credentials.

  2. Unzip the file so the contents can be used.

  3. (Optional) If you hover over the icon to the left of the integration name, the status shows "Waiting for deployment".

Upload image files

To upload the disk image files and seed ISO to the Nutanix system, do as follows:

  1. From a web browser, sign in to the Nutanix web console on port 9440.
  2. Go to Home > Settings.


  3. Select Image Configuration.


Upload root image file

  1. Click Upload Image.
  2. Enter a name. We recommend that you include the word "root" in the name.
  3. (Optional) You can add an Annotation.
  4. For Image type, select DISK.
  5. Select Upload a file, click Browse, and select and open the ndr-root.qcow2 file.
  6. Click Save.


    The file upload starts. This may take a few minutes. Wait for the upload to finish before you continue the setup.

Upload data image file

  1. Click Upload Image.
  2. Enter a name. We recommend that you include the word "data" in the name.
  3. (Optional) You can add an Annotation.
  4. For Image type, select DISK.
  5. Select Upload a file, click Browse, and select and open the ndr-data.qcow2 file.
  6. Click Save.

    The file upload starts. This may take a few minutes. Wait for the upload to finish before you continue the setup.

Upload seed ISO image file

  1. Click Upload Image.
  2. Enter a name. We recommend that you include the word "ISO" in the name.
  3. (Optional) You can add an Annotation.
  4. For Image type, select ISO.
  5. Select Upload a file, click Browse, and select and open the seed.iso file.
  6. Click Save.

    The file upload starts. This may take a few minutes. Wait for the upload to finish before you continue the setup.

The three uploaded files appear on the Image Configuration page.


Upload the installation script

A script named ndr-sensor.sh is also included in the zip file. To upload the script to the Nutanix Controller VM (CVM), use Secure Copy Protocol (SCP), as follows:

  1. For Windows, open a command prompt. For macOS or Linux, open a terminal.
  2. Change to the directory where the unzipped files are located.
  3. Run the following command: scp ndr-sensor.sh admin@<ip-address>:~/.


    Note

    If you're using an earlier version of Nutanix, you may need to add the -O flag, which makes scp use the legacy SCP protocol instead of SFTP (the default in OpenSSH 9.0 and later), as follows: scp -O ndr-sensor.sh admin@<ip-address>:~/

  4. Enter the admin password.

    The script is securely copied to the admin user's home folder on the Nutanix CVM.
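The upload step above, as an added shell example that is not part of the Sophos or Nutanix documentation. It copies ndr-sensor.sh to the CVM, falls back to the legacy -O flag if the first scp attempt is rejected, and then compares the SHA-256 digest of the remote copy against the local file before you run anything on the CVM. It assumes the CVM accepts SSH as admin (as on the page) and has sha256sum on its PATH; the CVM address in the usage comment is a placeholder.

```shell
# Added example (not Sophos's or Nutanix's own code): copy ndr-sensor.sh to
# the CVM and confirm the copy is byte-identical before running it there.
# Assumptions: SSH access as "admin" (as on the page) and sha256sum on the CVM.
set -eu

# Print the SHA-256 digest of a local file, using sha256sum where available
# and falling back to shasum (macOS).
local_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Extract the digest field from a "<hash>  <file>" line (sha256sum output).
digest_of_line() {
    printf '%s\n' "$1" | awk '{print $1}'
}

# Return 0 only when both digests are non-empty and equal.
digests_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Copy the installer to admin's home on the CVM. Newer OpenSSH clients use
# SFTP for scp; if the CVM rejects that, retry with -O (legacy SCP protocol),
# as the page notes for older Nutanix versions.
upload_installer() {
    local cvm="$1" script="${2:-ndr-sensor.sh}"
    scp "$script" "admin@${cvm}:~/" || scp -O "$script" "admin@${cvm}:~/"
}

# Upload, then verify the remote digest against the local one before
# anything is executed on the CVM.
upload_and_verify() {
    local cvm="$1" script="${2:-ndr-sensor.sh}"
    local want have
    want="$(local_sha256 "$script")"
    upload_installer "$cvm" "$script"
    have="$(digest_of_line "$(ssh "admin@${cvm}" "sha256sum ~/$(basename "$script")")")"
    if digests_match "$want" "$have"; then
        echo "ok: $script on $cvm matches local copy ($want)"
    else
        echo "MISMATCH: local $want, remote $have; do not run the script" >&2
        return 1
    fi
}

# Usage (interactive; prompts for the admin password for scp and ssh).
# 10.0.252.20 is an assumed CVM address, not one from the page:
#   . ./upload_check.sh && upload_and_verify 10.0.252.20
```

Source the file rather than executing it so that the functions are available in your shell, then run upload_and_verify with your CVM address. Only continue to "Run the installation script" when it reports ok.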

Run the installation script

  1. Use the following command to sign in and connect to the Nutanix CVM via SSH: ssh admin@<ip-address>.
  2. Enter the admin password.
  3. To run the installation script, run the following command: bash ndr-sensor.sh.
  4. Enter a name for the appliance VM. The default name is ndr-sensor.


  5. Enter the number of CPU cores and the amount of memory to use.

    For items that list a default value, you can press Enter to accept the default value.

    1. Enter the number of CPU cores to assign to the VM. The default is 4.
    2. Enter the amount of memory (in GB) to assign to the VM. The default is 16.

You'll see the following message: Created vm <name> UUID <UUID>.

Select the VM disk image files

Note

For all the disk selection steps, you can enter 'L' to list the images stored on the system.

To select the VM disk image files, do as follows:

  1. Enter the image name for the seed ISO you uploaded.


  2. Enter the image name for the root disk image file you uploaded.

  3. Enter the image name for the data disk image file you uploaded.

Network Configuration

The script creates the following network interfaces for the VM:

  • Management network
  • Syslog network
  • ERSPAN for tunneled capture data
  • SPAN for the mirrored network, which receives capture data from other VMs on the same AHV host

The script lists the available virtual subnets that can be used for the management, syslog, and tunneled Encapsulated Remote Switched Port Analyzer (ERSPAN) capture networks.

A single subnet can be used for all three networks.

To assign subnets to the networks, do as follows:

  1. Enter the number corresponding to the subnet to use for the management network.


  2. Enter the number corresponding to the virtual subnet to use for the syslog reception network.

  3. The configuration for the SPAN network is automatically created using the configuration parameters. The type is set as type=kSpanDestinationNic.
  4. Enter the number corresponding to the virtual subnet to use for the tunneled ERSPAN capture network.

    When the script has completed, it provides some example acli commands to enable a Nutanix SPAN session. The MAC address listed in the example commands is the MAC address of the SPAN interface created by the script.

    The traffic mirroring examples shown are for the following scenarios:

    • To enable traffic mirroring for all VMs located on a host
    • To enable traffic mirroring for one NIC on a specific VM


  5. Copy the example commands. You'll need them later.

For more information, see Traffic Mirroring on AHV Hosts.

Edit example command

  1. Use the following command to list your host UUIDs: acli host.list.
  2. Copy your host UUID.
  3. Replace the host UUID placeholder in the "Enable traffic mirror for all VMs located on a host" command with your host UUID.

    The identifier is the network interface that will be monitored. In the example command, it's br0-up, the uplink bond of the br0 bridge, which groups the host's physical interfaces in an active-active or active-passive configuration.

  4. (Optional) If needed, replace the identifier with a different network interface, such as eth0.

Enable CPU passthrough

These steps are only needed for Nutanix version 6.8 and later.

  1. Check whether cpu-passthrough is enabled, as follows:

    1. Use the acli vm.list command to list your VMs.
    2. Copy the UUID for the VM you created.
    3. Enter acli vm.get <UUID> to see information about the VM.
    4. Scroll up, and check whether cpu-passthrough is shown as True or False.
  2. If cpu-passthrough is False, do as follows:

    1. Run the following command: acli vm.update <UUID> cpu-passthrough=true.
    2. Enter acli vm.get <UUID> to see information about the VM.
    3. Scroll up, and check whether cpu-passthrough is now shown as True.
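The check-and-enable procedure above, as an added shell example that is not Nutanix's or Sophos's own code. It uses only the acli commands on this page (vm.list, vm.get, vm.update) and wraps them in a function you can run from the CVM shell so that the flag is verified after the update rather than read by eye. It assumes the VM name is unique on the cluster, that acli vm.list prints a header line followed by "name uuid" rows, and that acli vm.get prints the flag as a "cpu_passthrough: True" style line (the page writes it as cpu-passthrough; the parser accepts either spelling). The sample acli output in the usage comment and the UUID are constructed.

```shell
# Added example (not Nutanix's or Sophos's own code): check and, if needed,
# enable CPU passthrough for the sensor VM from the CVM shell, using only the
# acli commands shown on the page.
# Assumptions: unique VM name; "acli vm.list" prints a header then
# "<name> <uuid>" rows; "acli vm.get" prints a "cpu_passthrough: True/False"
# style line (either "cpu_passthrough" or "cpu-passthrough" is accepted).
set -eu

# Read "acli vm.get" output on stdin and print True or False for the
# passthrough flag, or "unknown" if no such line is present.
parse_cpu_passthrough() {
    awk '
        tolower($1) ~ /^cpu[-_]passthrough:?$/ { found = $2 }
        END { if (found == "") found = "unknown"; print found }
    '
}

# Read "acli vm.list" output on stdin and print the UUID of the named VM.
# The first line is the column header and is skipped.
parse_vm_uuid() {
    awk -v name="$1" 'NR > 1 && $1 == name { print $2; exit }'
}

# Enable cpu-passthrough on the named VM unless it is already True, and
# fail loudly if the flag does not read True afterwards.
ensure_cpu_passthrough() {
    local vm_name="$1" uuid state
    uuid="$(acli vm.list | parse_vm_uuid "$vm_name")"
    [ -n "$uuid" ] || { echo "VM $vm_name not found" >&2; return 1; }
    state="$(acli vm.get "$uuid" | parse_cpu_passthrough)"
    if [ "$state" = "True" ]; then
        echo "cpu-passthrough already enabled on $vm_name ($uuid)"
        return 0
    fi
    acli vm.update "$uuid" cpu-passthrough=true
    state="$(acli vm.get "$uuid" | parse_cpu_passthrough)"
    [ "$state" = "True" ] || { echo "failed to enable cpu-passthrough (now: $state)" >&2; return 1; }
    echo "cpu-passthrough enabled on $vm_name ($uuid)"
}

# Usage on the CVM, after sourcing this file (ndr-sensor is the script's
# default VM name from the page):
#   . ./cpu_passthrough.sh && ensure_cpu_passthrough ndr-sensor
```

Run it before powering the VM on; the parser returns "unknown" rather than False when the line is missing, so a changed acli output format fails the check instead of silently issuing an update.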

Start the VM

  1. On the Nutanix web console, click Settings, then click VM.
  2. Right-click the VM name, then click Power on.


  3. Right-click the VM name, then click Launch Console.

    You can monitor the progress of the first boot process.

    Note

    This process can take up to ten minutes.

  4. In Sophos Central, click Threat Analysis Center, and under Integrations, go to Configured > Integration Appliances.

    The VM's status is now Connected.

Enable traffic mirror for all VMs located on a host

  1. Go back to the SSH session on the Nutanix CVM, and paste and run the acli command you edited earlier.

    The SPAN session is created.

Test the traffic flow

  1. Open an SSH session in an SSH client, such as PuTTY.
  2. Connect to the IP address of the NDR appliance, and log in as the zadmin user with the password you saved earlier from Sophos Central. See Create an NDR appliance image.
  3. Run the following command: sudo kubectl logs -f deploy/dragonfly.
  4. Enter the zadmin password.

    In the log output, check that packets are being counted for the SPAN interface.

  5. Press Ctrl+C to stop following the log, then type exit.

Set up ERSPAN

To monitor traffic from the rest of the network outside of the Nutanix environment, you must use ERSPAN.

To set up ERSPAN, see the "Encapsulated Remote SPAN traffic section" in Sophos Appliance Manager for MDR and NDR: SPAN.

When the changes are applied, the VM will restart, and you're signed out of the appliance manager. You can monitor the progress from the console.

Note

Make sure that ERSPAN is set up on the network device from which you're sending the traffic, and that you're using the same settings you configured in the appliance manager.

Test the traffic flow

  1. Open an SSH session in an SSH client, such as PuTTY.
  2. Connect to the IP address of the NDR appliance, and log in as the zadmin user with the password you saved earlier from Sophos Central. See Create an NDR appliance image.
  3. Run the following command: sudo kubectl logs -f deploy/dragonfly.
  4. In the log output, check that packets are being counted for the SPAN and ERSPAN interfaces.
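Both "Test the traffic flow" procedures above (after creating the SPAN session and after setting up ERSPAN) rely on reading the dragonfly log. The following added shell example, which is not part of the Sophos appliance, gives a second check that does not depend on the log format: on the appliance, it finds the NIC whose MAC address matches the SPAN interface MAC printed by ndr-sensor.sh, then confirms that the NIC's receive counter climbs during a short window. The same check works for the ERSPAN NIC, since encapsulated packets still count as received frames. It assumes the appliance is Linux with the standard /sys/class/net tree; the MAC addresses in the usage comment are placeholders.

```shell
# Added example (not part of the Sophos appliance): locate the SPAN or
# ERSPAN NIC by MAC address and verify it is actually receiving frames.
# Assumptions: Linux sysfs at /sys/class/net; MAC given in hex with ":" or
# "-" separators in either case.
set -eu

# Normalise a MAC to lower-case colon-separated form.
norm_mac() {
    printf '%s\n' "$1" | tr 'ABCDEF-' 'abcdef:'
}

# Print the interface name under sysfs root $1 whose address equals $2.
# Returns 1 if no interface has that MAC.
iface_by_mac() {
    local root="$1" want dev addr
    want="$(norm_mac "$2")"
    for dev in "$root"/*; do
        [ -r "$dev/address" ] || continue
        addr="$(cat "$dev/address")"
        if [ "$addr" = "$want" ]; then
            basename "$dev"
            return 0
        fi
    done
    return 1
}

# Print the rx_packets counter for interface $2 under sysfs root $1.
rx_packets() {
    cat "$1/$2/statistics/rx_packets"
}

# Print how many packets interface $2 under root $1 received in $3 seconds.
rx_delta() {
    local root="$1" dev="$2" secs="$3" before after
    before="$(rx_packets "$root" "$dev")"
    sleep "$secs"
    after="$(rx_packets "$root" "$dev")"
    echo $((after - before))
}

# Exit 0 if the NIC with MAC $1 received anything in a $2-second window
# (default 5 s). $3 overrides the sysfs root, which the test uses.
check_span() {
    local mac="$1" secs="${2:-5}" root="${3:-/sys/class/net}" dev n
    dev="$(iface_by_mac "$root" "$mac")" || { echo "no NIC with MAC $mac" >&2; return 1; }
    n="$(rx_delta "$root" "$dev" "$secs")"
    if [ "$n" -gt 0 ]; then
        echo "$dev ($mac): $n packets in ${secs}s, mirror session is delivering"
    else
        echo "$dev ($mac): 0 packets in ${secs}s, check the SPAN session or ERSPAN source" >&2
        return 1
    fi
}

# Usage on the appliance (no root needed to read sysfs counters), with the
# placeholder MAC replaced by the one ndr-sensor.sh printed:
#   . ./span_check.sh && check_span 50:6b:8d:aa:bb:cc 10
```

A zero delta with the SPAN session in place usually means the mirror is attached to the wrong host or uplink, or the destination MAC in the acli command does not match the VM's SPAN NIC; for ERSPAN, it usually means the sending device is not configured with the same settings you entered in the appliance manager.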

View appliance details

  1. In Sophos Central, go back to Integration Appliances, and expand the arrow on the left of your appliance name. In the example below, the appliance is connected and healthy.


  2. Click the three dots icon on the right-hand side of your appliance information, and click Open Appliance Manager.

  3. Click Open.
  4. The appliance manager uses a self-signed certificate, so your browser shows a warning. Accept the warning to continue.
  5. Sign in with the zadmin username and password.

    In the example below, you can see that traffic is received on each interface.
