Configure your Virtual Network Sensor instance to receive mirrored traffic.

For more information about traffic mirroring in AWS, see https://docs.aws.amazon.com/vpc/latest/mirroring/what-is-traffic-mirroring.html.
If you are deploying your Virtual Network Sensor behind a network load balancer (NLB), you must create the load balancer before setting up traffic mirroring.
Note
The steps contained in these instructions are valid as of January 2024.

Procedure

  1. Sign in to the AWS Management Console.
  2. Find the Interface ID for the mirror source and the Virtual Network Sensor data port.
    Note
    If you are deploying a Virtual Network Sensor behind a network load balancer, the network load balancer you created is the mirror source. You do not need to locate the Interface ID for the network load balancer.
    1. Access the EC2 dashboard.
    2. Go to Instances > Instances.
    3. Locate the instance you want to use as the mirror source and click the instance ID.
    4. Go to Networking.
    5. On the Network Interfaces list, copy the Interface ID for the network interface you want to use as the mirror source.
    6. Go to Instances > Instances.
    7. Locate the Virtual Network Sensor instance you created and click the Instance ID.
    8. Go to Networking.
    9. On the Network Interfaces list, copy the Interface ID for the Virtual Network Sensor data port (eth0).
      Tip
      If you provided a description when setting up the instance, you can use the description instead of the Interface ID to locate the network interface.
  3. Access the VPC dashboard.
  4. In the top navigation bar, select the Region in which the VPC your instance is deployed to is located.
  5. Go to Traffic Mirroring > Mirror filters.
  6. Click Create traffic mirror filter.
  7. Configure the Filter settings.
    • Name tag: Specify a unique name for the filter.
      Use a name that is descriptive and easy to find, such as VirtualNetworkSensor-TrafficMirrorFilter.
    • Description: Specify a description for the filter.
      Use a description that clearly explains the purpose of the filter, such as Virtual Network Sensor Traffic Mirror Filter.
    • Network services: Select amazon-dns.
  8. In the Inbound rules section, click Add rule.
  9. Configure the new rule.
    Trend Micro recommends using the permissive rule set detailed below. Adding rules that limit traffic might reduce the visibility of the Virtual Network Sensor into your environment.

    Inbound rules for Data Port traffic mirror filter

    • Number: 100
      The rule priority. Lower rule numbers have priority and are applied first.
    • Rule action: accept
      The action to take when the rule matches.
    • Protocol: All protocols
      The protocol the rule applies to.
    • Source CIDR block: 0.0.0.0/0
      The source IP address range, in CIDR format, the rule applies to.
    • Destination CIDR block: 0.0.0.0/0
      The destination IP address range, in CIDR format, the rule applies to.
    • Description: Mirror all inbound traffic.
      A description of what the rule does.
  10. In the Outbound rules section, click Add rule.
  11. Configure the new rule.
    Trend Micro recommends using the permissive rule set detailed below. Adding rules that limit traffic might reduce the visibility of the Virtual Network Sensor into your environment.

    Outbound rules for Data Port traffic mirror filter

    • Number: 100
      The rule priority. Lower rule numbers have priority and are applied first.
    • Rule action: accept
      The action to take when the rule matches.
    • Protocol: All protocols
      The protocol the rule applies to.
    • Source CIDR block: 0.0.0.0/0
      The source IP address range, in CIDR format, the rule applies to.
    • Destination CIDR block: 0.0.0.0/0
      The destination IP address range, in CIDR format, the rule applies to.
    • Description: Mirror all outbound traffic.
      A description of what the rule does.
  12. Click Create.
    Creating the mirror filter takes a moment to complete. Once finished, click Close.
  13. Go to Traffic Mirroring > Mirror targets.
  14. Click Create traffic mirror target.
  15. Configure Target settings.
    • Name tag: Specify a unique name for the target settings.
      Use a name that is descriptive and easy to find, such as VirtualNetworkSensor-TrafficMirrorTarget.
    • Description: Specify a description for the target.
      Use a description that clearly explains the purpose of the target, such as Virtual Network Sensor Traffic Mirror Target.
  16. Configure Choose target.
    • For normal deployments, use the following configurations:
      1. For Target type, select Network Interface.
      2. For Target, specify the data port Interface ID or search by the network interface description.
    • For deploying behind a Network Load Balancer, use the following configurations:
      1. For Target type, select Network Load Balancer.
      2. For Target, specify the network load balancer you created.
  17. Click Create.
    Creating the mirror target takes a moment to complete. Once finished, click Close.
  18. Go to Traffic Mirroring > Mirror sessions.
  19. Click Create traffic mirror session.
  20. Configure Session settings.
    • Name tag: Specify a unique name for the mirror session.
      Use a name that is descriptive and easy to find, such as VirtualNetworkSensor-TrafficMirrorSession.
    • Description: Specify a description for the mirror session.
      Use a description that clearly explains the purpose of the session, such as Virtual Network Sensor Traffic Mirror Session.
    • Mirror source: Specify the mirror source Interface ID.
    • Mirror target: Specify the name of the mirror target you created.
  21. Configure Additional settings.
    For best results, Trend Micro recommends using the following settings. You can adjust these settings to best fit the needs of your security environment.

    Additional settings for traffic mirror session

    • Session number: 1
      The session priority. The session number determines the order in which traffic mirror sessions are evaluated in the following situations:
      • When an interface is used by multiple sessions
      • When an interface is used by different traffic mirror targets and traffic mirror filters
      Traffic is only mirrored once, so use the recommended setting to give this session the highest priority.
    • VNI: Leave blank
      The unique VXLAN network identifier. Leave blank to allow AWS to assign a random number. If you prefer to designate the VNI manually, see https://tools.ietf.org/html/rfc7348.
    • Packet length: Leave blank
      The number of bytes in each packet to mirror. Leave blank to mirror the entire packet. Specifying a number limits the mirrored data to that many bytes. For example, setting it to 100 only transfers the first 100 bytes of each packet after the VXLAN header.
    • Filter: Select the traffic mirror filter you created
      The traffic mirror filter to use for the mirror session.
  22. Click Create.
    Creating the mirror session takes a moment to complete. Once finished, the Virtual Network Sensor starts monitoring the mirrored traffic.
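The following Python script is an added example, not part of the original instructions or of the Virtual Network Sensor product. It audits a traffic mirror filter and session, in the JSON shape returned by `aws ec2 describe-traffic-mirror-filters` and `describe-traffic-mirror-sessions`, against the permissive settings recommended in steps 9, 11 and 21, so you can confirm after the fact that nothing narrows what the sensor sees. The `tmf-EXAMPLE` and `tms-EXAMPLE` ids and all sample records are constructed placeholders.

```python
"""Audit an AWS traffic mirror filter and session against the permissive
settings this procedure recommends: accept, all protocols, 0.0.0.0/0 in both
directions, amazon-dns mirrored, session number 1 and no packet truncation.
Input dicts use the shape returned by `aws ec2 describe-traffic-mirror-filters`
and `describe-traffic-mirror-sessions`; the samples below are constructed."""

def _is_permissive(rule):
    # AWS omits the Protocol key when a rule applies to all protocols.
    return (rule.get("RuleAction") == "accept" and "Protocol" not in rule
            and rule.get("SourceCidrBlock") == "0.0.0.0/0"
            and rule.get("DestinationCidrBlock") == "0.0.0.0/0")

def audit_filter(mirror_filter):
    """Return findings that reduce sensor visibility; empty means the filter matches."""
    findings = []
    for direction, key in (("inbound", "IngressFilterRules"), ("outbound", "EgressFilterRules")):
        rules = sorted(mirror_filter.get(key, []), key=lambda r: r["RuleNumber"])
        if not any(_is_permissive(r) for r in rules):
            findings.append(f"{direction}: no accept-all rule")
        # Lower rule numbers win, so any narrower rule ahead of the accept-all
        # rule silently drops traffic the sensor would otherwise inspect.
        findings += [f"{direction}: rule {r['RuleNumber']} narrows mirrored traffic"
                     for r in rules if not _is_permissive(r)]
    if "amazon-dns" not in mirror_filter.get("NetworkServices", []):
        findings.append("amazon-dns network service not mirrored")
    return findings

def audit_session(session):
    """Flag session settings that differ from the recommended additional settings."""
    findings = []
    if session.get("SessionNumber") != 1:
        findings.append(f"session number {session.get('SessionNumber')}: traffic is mirrored once, a lower-numbered session wins")
    if "PacketLength" in session:  # absent means the entire packet is mirrored
        findings.append(f"packet length truncated to {session['PacketLength']} bytes")
    return findings

# Constructed sample: the filter exactly as this procedure recommends ("tmf-EXAMPLE" is a placeholder id).
ACCEPT_ALL = {"RuleNumber": 100, "RuleAction": "accept",
              "SourceCidrBlock": "0.0.0.0/0", "DestinationCidrBlock": "0.0.0.0/0"}
GOOD_FILTER = {"TrafficMirrorFilterId": "tmf-EXAMPLE", "NetworkServices": ["amazon-dns"],
               "IngressFilterRules": [ACCEPT_ALL], "EgressFilterRules": [ACCEPT_ALL]}
# Constructed sample: a TCP (protocol 6) reject rule placed ahead of the accept-all rule, no amazon-dns.
NARROW_FILTER = {"IngressFilterRules": [{"RuleNumber": 50, "RuleAction": "reject", "Protocol": 6,
                 "SourceCidrBlock": "10.0.0.0/8", "DestinationCidrBlock": "0.0.0.0/0"}, ACCEPT_ALL],
                 "EgressFilterRules": [ACCEPT_ALL]}
GOOD_SESSION = {"TrafficMirrorSessionId": "tms-EXAMPLE", "SessionNumber": 1}

if __name__ == "__main__":
    for name, result in (("good filter", audit_filter(GOOD_FILTER)), ("narrow filter", audit_filter(NARROW_FILTER))):
        print(name, result or "OK")
```

To audit a live account, feed the script the `TrafficMirrorFilters` and `TrafficMirrorSessions` entries from the two describe commands named in the lead-in.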