Skip to content

Sophos NDR

You must join the EAP to use this feature.

Sophos Network Detection and Response (NDR) detects malicious behavior on your network.

You can integrate Sophos NDR with Sophos Central so that its detections are available for investigation in the Threat Analysis Center.

To integrate NDR, you set up an NDR virtual appliance that connects to Sophos Central and sends data to it. The main steps are as follows:

  • Add an integration.
  • Configure your switches so NDR can see traffic.
  • Download the NDR VM image.
  • Deploy the new VM.

Add an integration

To add the integration, do as follows:

  1. Sign in to Sophos Central.
  2. Go to Threat Analysis Center > Integrations.
  3. Click Sophos Network Detection and Response (NDR).

  4. In Integrations, click Add instance.

    NDR integrations

  5. In Integration steps, in Step 1 enter the Alias name and Alias description.

    Integration steps

  6. In Step 2, select the VM that will run the NDR appliance.

    If you need a new VM, click Create new VM.

    If you want to use an existing VM, select it from the drop-down list and skip to step 8.

    Integration step 2

  7. To create a new VM, do as follows:

    1. Enter VM name.

    2. Enter VM description.

    3. Select the virtual platform. (Currently we only support VMware).

    4. Specify the internet-facing network ports.

      • Select DHCP to assign the IP address automatically.

      • Select Manual to specify the IP address settings and optionally internal DNS server settings yourself. For example:

        • IP address:
        • Subnet mask:
        • Gateway address:
        • DNS 1:
        • DNS 2:

    Integration step 2 VM settings

  8. In Step 3, exclude traffic from specific domains, as follows:

    1. Enter Exclusion list name.

    2. Enter the Domain, for example, and click Add.

    Integration step 3 Exclusions

  9. Click Save.

In the Integrations page, you see the new integration.

Next configure your switches so that the NDR appliance will be able to monitor your network traffic.

Configure your switches

Before you download and deploy the Sophos NDR VM, you must set up port mirroring, also known as Switched Port Analyzer (SPAN). This forwards a copy of incoming and outgoing traffic from a switch's ports or VLANs to another switch port for analysis.

You must configure port mirroring for both virtual internal and physical external network traffic.

When you deploy your NDR VM appliance later, you’ll be able to connect it to your SPAN ports so that NDR can monitor network traffic.

To set up port mirroring, do as follows:

  1. In ESXi, go to Networking. On the Virtual switches tab, select a switch to use for port mirroring.

    If you don’t already have a switch to use, click Add standard virtual switch to add a new one and add port groups to it.

    Virtual switches

  2. On the Port groups tab, click Add port group.

    New port group

  3. In the settings for the new port group, do as follows:

    1. Enter a name.
    2. Set the VLAN ID to 4095. This allows all other port groups already on the switch to forward traffic to the new port group.
    3. Click Security and set Promiscuous mode to Accept.
    4. Click Add.

    You've set up forwarding for your virtual internal network traffic. Next do the same for physical external traffic, as described in the steps that follow.

  4. In ESXi, select or create another virtual switch that will handle physical external traffic sent to it by a physical switch on your network.

  5. Configure the switch as follows:

    1. Go to Port groups and click Add port group.
    2. Enter a name.
    3. Set VLAN ID to 4095.
    4. Click Security and set Promiscuous mode to Accept.

    Next you connect your virtual switch to your physical network so that it can receive external traffic.

  6. In the ESXi left menu, go to Networking and select the switch you want to use for external traffic.

    vSwitch selected

  7. In the switch details, look for vSwitch topology. You can see “No physical adapters”.

    vSwitch topology

  8. Click Add uplink.

    Add uplink button

  9. In Uplink 1, select a NIC (Network Interface Card) that's available. This connects the virtual switch to a port on your ESXi server.

    Uplink 1

  10. In Network topology, check that you can see a physical adapter connected.

    Physical adapter

  11. Go to your physical switch and use a cable to connect directly to the port on your ESXi server.

    The way you do this depends on your physical switch type and configuration.

You've set up forwarding of virtual internal and physical external traffic to SPAN ports. Later you'll configure Sophos NDR to monitor it.

Next you download the NDR VM image.

Download the VM image

Now you download the NDR image (the OVA file) you need to deploy and boot the new VM.

  1. Next to the new integration, click Three dots icon in the Actions column, and select Download OVA file.

    You see the download start.

    Download menu

  2. Hover over the icon to the left of the integration name. You now see "Waiting for deployment".

    Integration status

You're ready to deploy the VM.

Deploy the VM

  1. Go into your ESXi host.

  2. Select Virtual Machines and click Create/Register VM.

    Create/Register VM tab

  3. In Select creation type, select Deploy a virtual machine from an OVF or OVA file. Click Next.

    Select creation type

  4. In Select OVF and VMDK files, enter a VM name.

    Click the page to select files. Select the OVA file ndr-sensor.ova. Click Next.

    Select OVA file

  5. In Select storage, select Standard. Click Next.

    Select storage

  6. In Deployment options, select the Network mappings. In our example, all are set to SPAN (the ports you're forwarding traffic to), except MGMT, which is set to VM Network. Click Next.

    Deployment options

  7. Skip the Additional settings step.

  8. Click Finish. Wait for the new VM to appear in the VMs list. This can take a few minutes.

    Ready to complete

  9. Power on the VM and wait for the installation process to complete. This can take up to 10 minutes.


    Don't interrupt this process.

  10. In Sophos Central, go to the NDR Integrations page and refresh it. The VM's status is now Connected.

    Integration status