Preparing for sensor and agent deployment

A. We will need a span port set up on the same switch as the firewall. The source port of the span will be the LAN interface of the firewall so we see internet traffic in and out of the building. The destination port of the span session is an empty port on the switch. The empty port will get plugged in directly to the extra NIC on the VMware/HyperV server. This allows the sensor to get a copy of all the internet traffic for analysis. The Span port should span both directions of traffic TX and RX

Follow the cable from the LAN port of the firewall to the switch and make a note of the port number, this will be the source of our data for the NIDS.
Pick an empty port on your switch, make a note of it (this is the destination of the span) and run a cable from this port into the dedicated currently unused physical NIC in your physical VMware/Hyper V host

Login to your switch and create the span port

The span port configuration on your switch should be as follows:

Example for a Cisco switch.

#Check for existing span port
Switch(config)# show monitor session 1

#After review, clear the existing configuration
Switch(config)# no monitor session 1

#Tell the switch what physical switch port to use for the source of the span
Switch(config)# monitor session 1 source interface fastEthernet0/1 **USE the port where your LAN interface of the firewall is plugged in**

#Tell the switch which physical switch port to send the now copied data to for analysis by the USM system
Switch(config)# monitor session 1 destination interface fastEthernet0/10 **USE the port where the sniff interface on the sensor is plugged into

#Review the configuration
Switch(config)# show monitor session 1

Session 1
Type : Local Session
Source Ports :
Both : Fa0/1
Destination Ports : Fa0/10
Encapsulation : Native
Ingress : Disabled

Switch(config)# end

Your span port should now be configured.

Do not forget to save the config

B. The VMware/HyperV server needs a new virtual switch and port group with only the extra NIC in it. The switch should allow promiscuous mode configured via the security tab.

We need to assign the added physical NIC to a new virtual switch in VMWare and then add the new virtual switch to a new port group.

Also, open the properties of the newly created virtual switch and go to the security tab. Allow Promiscuous mode and click save

C. Create new windows service account for us to use to connect to resources and scan them. This should be an admin account.

D. Turn on windows remote management on all machines in the domain and Open the Windows firewall port for Windows RM using the following instructions

Note: These instructions are written for Windows Server 2012 R2. If you’re using an older version of Windows Server, your steps and the labels you see may vary.

First, we need to create a Group Policy object for your domain.

  1. From the start menu, open Control Panel.
  2. Select Administrative Tools.
  3. Select Group Policy Management.
  4. From the menu tree, click Domains> [your domain’s name].
  5. Right-click and select Create a GPO in this domain and Link it here.
  6. Input Enable WinRM.
  7. Click OK.

Next, edit the new Group Policy object you just created. When you’re done, there will be three WinRM service settings enabled:

  • Allow remote server management through WinRM
  1. Right-click on the new Enable WinRM Group Policy Object and select Edit.
  2. From the menu tree, click Computer ConfigurationPolicies Administrative Templates: Policy definitionsWindows Components > Windows Remote Management (WinRM) WinRM Service.
  3. Right-click on Allow remote server management through WinRM and click Edit.
  4. Select Enabled to allow remote server management through WinRM.
  5. Enter an asterisk (*) into each field.
  6. Click OK.

Now that Windows Remote Management has been enabled on the Group Policy, you need to enable the service that goes with it.

  1. From the Group Policy Management Editor window, click PreferencesControl Panel Settings > Services.
  2. Right-click on Services and select New > Service.
  3. Select Automatic as the startup.
  4. Enter WinRM as the service name.
  5. Select Start service as the service action.
  6. All remaining details can stay on the defaults. Click OK.

Now you must allow for inbound remote administration by updating the firewall rules. When you’re done, there will be two rules enabled:

  • Windows Firewall: Allow inbound remote administration exception
  • Windows Firewall: Allow ICMP exception
  1. Using the Group Policy Management Editor, from the menu tree, click Computer ConfigurationPolicies Administrative Templates: Policy definitions > Network > Network Connections > Windows Firewall > Domain Profile.
  2. Right-click on Windows Firewall: Allow inbound remote administration exception and click Edit.
  3. Select Enabled.
  4. Enter the IP address into the field called Allow unsolicited incoming messages from these IP addresses. To allow messages from any IP address, enter an asterisk (*) into each field. Enter a comma-separated list that contains a combination of IP addresses (, subnet descriptions (, or strings (localsubnet) for the set of devices that will have access for remote administration.
  5. Click OK.
  6. Right-click on Windows Firewall: Allow ICMP exception and click Edit.
  7. Select Enabled.
  8. Check Allow inbound echo request.
  9. Click OK.

Almost done! The final steps is to create a new inbound firewall rule and update the network list manager for unidentified networks.

  1. From the menu tree, click Computer Configuration> Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules.
  2. Right-click on Inbound Rules and click New Rule.
  3. Select Predefined.
  4. Select Windows Remote Management from the list of services.
  5. Click Next.
  6. Uncheck the Public Leave the Domain, Private rule checked.
  7. Click Next.
  8. Leaving the defaults, click Finish.
  9. Right-click on the new rule and click Properties.
  10. Click the Advanced
  11. Uncheck Private.
  12. Click OK.
  13. From the menu tree, click Computer ConfigurationPoliciesWindows Settings > Security Settings > Network List Manager Policies.
  14. Right-click Unidentified Networks and click Properties.
  15. Change the location type from Not configured to Private.
  16. Click OK.
  17. Close the Local Group Policy Editor window.

All the Windows machines on your network are now WMI-enabled

E. Push out the new policy with this command –  gpupdate /force


F.   Preparing machines for Agents

Start Windows PowerShell with the “Run as Administrator” option. Only members of the Administrators group on the computer can change the execution policy.

Type Get-ExecutionPolicy  to view how it is currently set

Enable running remote signed scripts by entering:    set-executionpolicy remotesigned

This setting allows the machine to download remote scripts that have been signed by Trusted Publisher.


Questions?   Give us a call, 800-463-7920 x2