Darktrace VSensors and Google Cloud Platform Packet Mirroring

This document discusses how to integrate Darktrace vSensors with Google Cloud Platform (GCP) packet mirroring. It provides steps to create a subnet and virtual machine (VM) for the vSensor in GCP, create an instance group, and configure firewall rules to allow communication between the vSensor and monitored instances. Requirements and considerations for using GCP packet mirroring with Darktrace vSensors are also outlined.


Darktrace vSensors and Google Cloud Platform

Packet Mirroring
vSensor v5.1

Last Updated: April 1 2021


DARKTRACE VSENSORS AND GOOGLE CLOUD PLATFORM PACKET MIRRORING 2

Integrating vSensors with GCP Packet Mirroring


The Darktrace vSensor is a lightweight virtual probe intended for deployment in cloud-based networks or environments
where it is not feasible to deploy a physical probe, such as virtualized networks. vSensors can be deployed as a
standalone virtual machine receiving packets from a virtual switch, in a public cloud VPC traffic-mirroring scenario, or by
collecting packets from osSensor agents deployed on VMs to be monitored.

Darktrace vSensors can integrate with Google Cloud Platform (GCP) packet mirroring to receive a copy of inter-cloud
traffic without the implementation of osSensors. The vSensor supports this functionality by ingesting network traffic on the
primary management interface - this setting is available in version 4.0.7 and above.

Considerations
• All services configured in Google Cloud Platform will incur additional costs including the elements required
for these processes such as network load balancers and virtual machines. These costs will be proportional
to the infrastructure and level of traffic mirrored.

• Google Cloud Platform restricts the protocols available for mirroring to TCP, UDP, and ICMP traffic.

• In VPC traffic mirroring scenarios, osSensors are required to take autonomous Antigena actions.

Requirements
• vSensors require an Update Key; this can be found on the “Product Updates and Documentation” page of the
Darktrace Customer Portal alongside the vSensor download. If you do not have access to the Customer
Portal, the Update Key can be supplied by your Darktrace representative or a member of Darktrace support.

• The vSensor instance must be able to contact the Darktrace master instance on port 443 inbound or
outbound, depending on the selected communication mode. It must also have access to
packages.darktrace.com to install the relevant software and for updates.

If you require further information about vSensor networking requirements, please refer to the vSensor guide.

• The following steps must be performed by a user with access to Google Cloud Platform and permission to
do the following:

◦ Create and Access Virtual Machine Instances


◦ Create and Modify Subnets within a VPC
◦ Create and Modify Healthchecks
◦ Create and Modify Network Load Balancers
◦ Assign a network tag to a new instance
◦ Add or remove network tags for existing instances
◦ Add, remove, or edit firewall rules
◦ Create and Modify Packet Mirroring Policies:
▪ compute.packetMirroringAdmin
▪ compute.packetMirroringUser

Creating the Subnet, VM and Group in GCP


Create a New Subnet
It is highly recommended that the vSensor instance be located in a separate subnet; however, this is not essential if a
suitable alternate subnet configuration is available.

1. Open Google Cloud Platform. Ensure you have selected the project that contains the instances for mirroring.

2. In the search bar, search for “VPC network” and select it from the dropdown.

A list of VPC networks and subnets should appear.

3. Select the VPC you wish to monitor by clicking the name of the VPC in the Name column.

4. The VPC network details should open, displaying a list of all subnets.

Click “Add Subnet”.

5. Name the subnet, for example: vsensor-subnet-1

6. Select the same region as subnets or devices to be mirrored.

7. Select an IP address range for the subnet.

8. Click Add.

Create the vSensor Instance


Example Instance Sizes

Example sizing for vSensor instances is as follows. Instance size depends on the type and volume of ingested
traffic.

                    e2-standard-2   e2-standard-4   e2-standard-8   e2-standard-16   n2-standard-32
CPUs                2               4               8               16               32
RAM                 8 GB            16 GB           32 GB           64 GB            128 GB
Hard Drive          50 GB           100 GB          200 GB          400 GB           800 GB
Estimated Devices   50              100             200             400              800
Traffic             100 Mbps        250 Mbps        500 Mbps        1000 Mbps        2000 Mbps

Configuration

1. Return to the Compute Engine and select VM instances from the left-hand menu.

2. Click Create instance.

3. Enter a name for the instance, for example vsensor-1

4. Locate the instance in the same Region as the instances intended for mirroring.

5. Select an appropriate instance for the vSensor - at a minimum, we suggest e2-standard-2.

6. In the Boot disk section, click Change. Modify the instance operating system from Debian (default) to Ubuntu
20.04 (for vSensor v4.0.8 and below, Ubuntu 16.04 LTS).

7. Click Save to confirm your boot disk options.



8. Expand the Management, security, disks… section. Select the Networking tab.

Under Network interface, set the Network to the same VPC as the instances intended for monitoring and
select the Subnetwork configured above for the vSensor.

Add a Network tag (for example, darktrace-vsensor) to simplify the implementation of firewall rules.

9. Click the Create button to create and start the instance.

Create the Instance Group


1. Remaining within the Compute Engine, select Instance groups from the left-hand menu.

2. Click “Create an instance group”

3. Click “New unmanaged instance group”.

4. Select a name for the group, for example - vsensor-group-1.

5. Select the same Region as the instances to be mirrored.

6. Select the same Network as the instances to be mirrored, then select the Subnet created above.

7. Under “VM instances”, select the vSensor instance.

8. Click Create to create the new group.



Allowing Communication at the Firewall


Network connectivity is required between the vSensor and the instances intended for monitoring, from the vSensor to
packages.darktrace.com and between the vSensor instance and the Darktrace master instance. The following firewall
rules are required, if not already covered by existing GCP firewall policies:

• Ingress rule allowing all subnets in the VPC intended for monitoring to send traffic to the vSensor (on all Ports
and Protocols).

• Ingress rule from the GCP Healthcheck probes to the vSensor instance for the Load Balancer Healthcheck.

• Egress rule allowing outbound 443/HTTPS access to packages.darktrace.com for software and updates.

• One of the following, depending on configuration mode:

◦ Egress rule allowing outbound 443/HTTPS access from the vSensor to the master instance when
intended for Push Token mode.
◦ Ingress rule allowing inbound 443/HTTPS access from the master instance to the vSensor when
intended for Pull mode.
• Inbound (ingress) 22/TCP access is required for administration from the public IP addresses (for example,
your office) expected to administer the vSensor instance over SSH.

Create the Firewall Rules


1. Remaining in the Google Cloud Platform console, search for “Firewall” in the search bar and select it from the
results.

2. Click Create Firewall Rule. A configuration page will appear.

3. First, create a rule with the following information to allow traffic from the instances intended for mirroring to
the vSensor instance:

◦ Name: “fw-packet-mirror-darktrace” (example)


◦ Network: The VPC the vSensor and instances are located within
◦ Direction of traffic: ingress
◦ Action on match: allow
◦ Targets: Network tag applied to vSensor instance during creation, e.g. darktrace-vsensor
◦ Source filter: IP ranges
◦ Source IP ranges: Subnets containing instances intended for monitoring in CIDR format
◦ Protocols and ports: Allow All

Click “Create” to finalize the rule creation.

4. Now, repeat the process (click Create Firewall Rule) to allow GCP Healthcheck probes to monitor the health
of the vSensor instance:

◦ Name: “fw-allow-health-check” (example)


◦ Network: The VPC the vSensor and instances are located within
◦ Direction of traffic: ingress
◦ Action on match: allow
◦ Targets: Network tag applied to vSensor instance during creation, e.g. darktrace-vsensor
◦ Source filter: IP ranges
◦ Source IP ranges: 130.211.0.0/22 and 35.191.0.0/16
◦ Protocols and ports: Allow All

Click “Create” to finalize the rule creation. More information on GCP Healthcheck probe IPs can be found
within the GCP documentation.

5. Again, repeat the process (click Create Firewall Rule) to allow the vSensor instance to download software
and updates from Darktrace:

◦ Name: “fw-packages-darktrace” (example)


◦ Network: The VPC the vSensor is located within
◦ Direction of traffic: egress
◦ Action on match: allow
◦ Targets: Network tag applied to vSensor instance during creation, e.g. darktrace-vsensor
◦ Destination filter: IP ranges
◦ Destination IP ranges: 52.48.65.69 (packages.darktrace.com)
◦ Protocols and ports: tcp:443

Click “Create” to finalize the rule creation.

6. Finally, configure a firewall rule allowing inbound 22/TCP to the vSensor instance from your organizational
public IP(s) for administration over SSH.

Allow Communication with the Darktrace Master instance

The most suitable mode of communication between the vSensor instance and your Darktrace instance is dependent on
the environment and availability of public IPs. Select the most appropriate mode for your environment and configure one
of the following rules accordingly.

Pull Mode

1. Click Create Firewall Rule and enter the following configuration:

◦ Name: “fw-darktrace-eis-inbound” (example)


◦ Network: The VPC the vSensor and instances are located within
◦ Direction of traffic: ingress
◦ Action on match: allow
◦ Targets: Network tag applied to vSensor instance during creation, e.g. darktrace-vsensor
◦ Source filter: IP ranges
◦ Source IP ranges: On-Prem-Master-IP/32
◦ Protocols and ports: tcp:443

2. Click “Create” to finalize the rule creation.

Push Token Mode

1. Click Create Firewall Rule and enter the following configuration:

◦ Name: “fw-darktrace-eis-outbound” (example)


◦ Network: The VPC the vSensor is located within
◦ Direction of traffic: egress
◦ Action on match: allow
◦ Targets: Network tag applied to vSensor instance during creation, e.g. darktrace-vsensor
◦ Destination filter: IP ranges
◦ Destination IP ranges: Appropriate range for the location of your virtualized master, for example
52.51.139.68/32 (Ireland)
◦ Protocols and ports: tcp:443

Please see Cloud Masters for a full list of regions and their associated IP addresses.

2. Click “Create” to finalize the rule creation.
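The console steps above create the same rules one by one. The following script is an added example, not Darktrace's or Google's own code: it renders the rule set for either communication mode as the equivalent gcloud firewall-rules commands and checks each rule before emitting it, rejecting malformed CIDRs and an SSH administration rule that would be open to the whole internet. The VPC name, monitored subnet ranges, admin range, on-prem master IP and the name fw-admin-ssh are constructed placeholders; the other rule names, the network tag and the Google and Darktrace ranges are the ones given in this section.

```python
"""Emit and sanity-check the GCP firewall rules listed in this section.

Added example, not Darktrace's or Google's own code. A small rule table is
turned into `gcloud compute firewall-rules create` commands, and two checks run
before anything is emitted: every range must be a well-formed CIDR, and the
SSH administration rule must never be opened to 0.0.0.0/0.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List

VSENSOR_TAG = "darktrace-vsensor"                 # network tag set when the VM was created
VPC = "my-vpc"                                    # placeholder VPC name
MONITORED_SUBNETS = ["10.10.1.0/24", "10.10.2.0/24"]   # constructed example ranges
GCP_HEALTH_CHECK_RANGES = ["130.211.0.0/22", "35.191.0.0/16"]   # from the document
PACKAGES_DARKTRACE = ["52.48.65.69/32"]           # packages.darktrace.com, from the document
ADMIN_RANGES = ["203.0.113.10/32"]                # constructed office IP (TEST-NET-3)
ON_PREM_MASTER_IP = "198.51.100.7"                # placeholder on-prem master IP (TEST-NET-2)
CLOUD_MASTER_RANGE = "52.51.139.68/32"            # Ireland cloud master range, from the document


@dataclass
class FirewallRule:
    name: str
    direction: str          # "ingress" or "egress"
    rules: str              # gcloud --rules value, e.g. "all" or "tcp:443"
    ranges: List[str]       # source ranges for ingress, destination ranges for egress
    network: str = VPC
    target_tag: str = VSENSOR_TAG

    def validate(self) -> None:
        if self.direction not in ("ingress", "egress"):
            raise ValueError(f"{self.name}: direction must be ingress or egress")
        for r in self.ranges:
            # strict=True rejects ranges with host bits set, e.g. 10.10.1.5/24
            ipaddress.ip_network(r, strict=True)
        # Administrative SSH must be limited to known public IPs, never the whole internet.
        if self.rules == "tcp:22" and any(ipaddress.ip_network(r).prefixlen == 0 for r in self.ranges):
            raise ValueError(f"{self.name}: SSH rule must not allow 0.0.0.0/0")

    def to_gcloud(self) -> str:
        self.validate()
        range_flag = "--source-ranges" if self.direction == "ingress" else "--destination-ranges"
        return shlex.join([
            "gcloud", "compute", "firewall-rules", "create", self.name,
            f"--network={self.network}",
            f"--direction={self.direction.upper()}",
            "--action=ALLOW",
            f"--rules={self.rules}",
            f"{range_flag}={','.join(self.ranges)}",
            f"--target-tags={self.target_tag}",
        ])


def build_rules(mode: str, master_range: str) -> List[FirewallRule]:
    """Rule set for one communication mode: 'pull' (master -> vSensor) or 'push' (vSensor -> master)."""
    rules = [
        FirewallRule("fw-packet-mirror-darktrace", "ingress", "all", MONITORED_SUBNETS),
        FirewallRule("fw-allow-health-check", "ingress", "all", GCP_HEALTH_CHECK_RANGES),
        FirewallRule("fw-packages-darktrace", "egress", "tcp:443", PACKAGES_DARKTRACE),
        FirewallRule("fw-admin-ssh", "ingress", "tcp:22", ADMIN_RANGES),   # rule name is an assumption
    ]
    if mode == "pull":
        rules.append(FirewallRule("fw-darktrace-eis-inbound", "ingress", "tcp:443", [master_range]))
    elif mode == "push":
        rules.append(FirewallRule("fw-darktrace-eis-outbound", "egress", "tcp:443", [master_range]))
    else:
        raise ValueError(f"unknown communication mode: {mode}")
    return rules


def render(mode: str, master_range: str) -> List[str]:
    """Validate every rule and return the gcloud commands in creation order."""
    return [r.to_gcloud() for r in build_rules(mode, master_range)]


if __name__ == "__main__":
    print("# Push Token mode against a cloud master")
    for cmd in render("push", CLOUD_MASTER_RANGE):
        print(cmd)
    print("# Pull mode against an on-prem master")
    for cmd in render("pull", f"{ON_PREM_MASTER_IP}/32"):
        print(cmd)
```

The health-check rule is emitted with the “Allow All” this section specifies; since the health check created later is HTTPS on port 443, narrowing its rules field to tcp:443 is a one-value change if your policy calls for it.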



Configuring the vSensor for GCP Packet Ingestion


Configure the vSensor
1. Navigate to the Compute Engine once again and select VM Instances from the left-hand menu.

2. Locate the vSensor instance and access it via SSH using your preferred client.

3. Run the install script from https://packages.darktrace.com/install.

bash -c "$(wget -O - https://packages.darktrace.com/install)"

You will be prompted to enter your Update Key.

This key can be found on the “Product Updates and Documentation” page of the Darktrace Customer Portal
alongside the vSensor download. If you do not have access to the Customer Portal, the Update Key can be
supplied by your Darktrace representative or a member of Darktrace support.

4. After the download and install have completed, reboot the instance.

5. If the vSensor detects that it is running in a GCP environment, it will automatically enable the SniffPrimary
setting which is required for packet mirroring. Where the vSensor does not automatically enable this setting,
it can be enabled via two methods:

◦ Interactive: Access the instance via SSH and run sudo confconsole to bring up the configuration
console. From the main menu, select “Setup” and then “SniffPrimary” from the available options.
Enable this mode to begin ingesting traffic on the primary interface.

◦ CLI: Access the instance via SSH and run set_sniff_primary_interface.sh 1.

Communication Mode

The vSensor must now be configured to communicate with the Master instance in an approved mode. Pull mode and Push
Token mode use an extra layer of symmetric encryption using a shared token and are appropriate for use over untrusted
networks such as the internet.

The following guide will configure Push Token Mode to a virtualized Enterprise Immune System deployment which has a
highly available public IP. Customers with on-premises Enterprise Immune System deployments may prefer to use Pull
mode as it does not require the Darktrace instance to have a public IP - alternative modes can be found in the
vSensor guide.

The mode selected must have been allowed at a firewall level during configuration in the previous section -
Allowing Communication at the Firewall.

Interactive

1. Log into the Darktrace Master instance UI and navigate to the System Config page from the main menu. Locate
the Push Probe Tokens section.

2. Enter a label for the vSensor and click Add - a token will generate in the form of [label:string]. This
token will be shown only once and must be entered into the vSensor. A unique token must be generated for
each vSensor.

The vSensor label is part of the token - to change the label, the token must be fully regenerated.

3. Return to the vSensor console and select the Master option from Setup sub menu. Choose Push Token
mode from the available options.

4. Enter the token in full, and enter the IP or hostname of the Darktrace Master instance. For cloud-hosted
master deployments, the hostname should be used.

5. The new vSensor IP should be listed in the probe section. Verify the IP is correct and confirm the new
vSensor.

CLI

Follow steps 1 and 2 of the interactive guide above to generate a push token.

SSH into the vSensor and run:

/usr/sbin/set_pushtoken.sh [push-token] [master-hostname] [proxy]

Where [push-token] is the token generated on the Darktrace Master instance, [master-hostname] is the hostname or
IP of the Darktrace Master instance (hostname required for Cloud Masters) and [proxy] is an optional parameter
available if a proxy is required for the vSensor to access the Master.

Configuring the GCP Network Load Balancer


Create the Health Check
1. Return to the Compute Engine and select Health Checks from the left-hand menu.

2. Click “Create Health Check”.

3. Name the health check - for example, vsensor-healthcheck.

4. Select “HTTPS” from the protocol dropdown. The port should automatically populate as 443.

5. Leave other settings as default and click “Create” to create the health check.

Create the Load Balancer


1. Remaining in the Google Cloud Platform console, search for “Network Services” in the search bar and select
it from the results.

Select Load Balancing from the left-hand menu.

2. Click “Create Load Balancer” and select TCP Load balancer from the available options.

3. For “Internet facing or internal only”, select “Only between my VMs”. “Multiple regions or single region”
should now be limited to “Single region only”. Click Continue.

4. Name the load balancer, for example - vsensor-loadbalancer.

5. Select Backend Configuration. A series of configuration fields should appear on the right.

From the dropdown, select the same Region as the vSensor and instances to be mirrored. For “Network”,
select the VPC the instances are located within.

6. Under Backends, in the “New Item” section choose the Instance group created for the vSensor.

7. For “Health Check”, select the health check created above.

8. Now select Frontend Configuration. A series of new configuration fields should appear on the right.

9. Optionally name the frontend configuration, for example vsensor-frontend

10. Under Subnetwork, select the subnet that contains the instances to be mirrored.

11. For Internal IP, select “Non-shared” and configure a static IP address for the load balancer.

12. Under “Ports”, select “All”.

13. Click “Advanced Configuration” to show an additional setting “Packet Mirroring”. Tick the box to enable the
load balancer for mirroring.

14. Select “Review and finalize” to confirm that all configuration settings are correct, then click “Create” to create
the load balancer.

Creating the GCP Packet Mirroring Policy


1. Still within the Google Cloud Platform console, in the search bar search for “VPC network” and select it from
the dropdown.

2. Select “Packet mirroring” from the left-hand menu.

Click “Create Policy”.

3. Name the policy, for example - vsensor-mirror-1.

4. From the dropdown, select the same Region as the instances to be mirrored. Leave additional settings as
default and click “Continue”.

5. Ensure that “Mirrored source and collector destination are in the same VPC network” is selected, then
choose the VPC network that the vSensor and instances are located within from the dropdown.

Click “Continue”.

6. Under Mirrored Source, choose “Select one or more subnetworks” - a dropdown will appear. From the
available options, select the subnet that contains the instances to be monitored.

Do not select the vSensor subnet.

Click “Continue”.

7. For the “Collector destination”, select the load balancer created during configuration. Click “Continue”.

8. On the final stage, select the traffic that you wish to be mirrored. Whether you wish to mirror all traffic or only
certain protocols is defined by your organizational policies and the desired coverage for the mirroring.

Select your desired option and click “Submit”.
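The load balancer and mirroring policy sections above are console steps; the script below is an added example, not Darktrace's or Google's own code, that captures the same choices in a small plan, checks them against the constraints this guide states (the vSensor subnet is never a mirrored source; GCP can only filter on tcp, udp and icmp) and renders the equivalent gcloud command sequence in dependency order. The region, zone, VPC, subnet names and the internal IP are constructed placeholders; the resource names are this guide's examples.

```python
"""Plan the internal TCP load balancer and packet-mirroring policy from this guide.

Added example, not Darktrace's or Google's own code. A MirroringPlan is validated
against the constraints stated in the guide and then rendered as the gcloud
commands for the health check, backend service, forwarding rule (with the
mirroring collector flag set) and the packet-mirroring policy.
"""
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

MIRRORABLE_PROTOCOLS = {"tcp", "udp", "icmp"}   # GCP restricts mirroring filters to these


@dataclass
class MirroringPlan:
    region: str
    zone: str                                 # zone of the unmanaged instance group (placeholder)
    network: str                              # VPC shared by vSensor and monitored instances
    vsensor_subnet: str                       # collector subnet, must stay out of the mirrored set
    mirrored_subnets: List[str]               # subnets containing the monitored instances
    frontend_ip: Optional[str] = None         # static internal IP for the load balancer, if chosen
    filter_protocols: List[str] = field(default_factory=list)   # empty = mirror all traffic
    instance_group: str = "vsensor-group-1"
    health_check: str = "vsensor-healthcheck"
    backend_service: str = "vsensor-loadbalancer"
    forwarding_rule: str = "vsensor-frontend"
    policy: str = "vsensor-mirror-1"

    def validate(self) -> None:
        if not self.mirrored_subnets:
            raise ValueError("at least one mirrored subnet is required")
        if self.vsensor_subnet in self.mirrored_subnets:
            raise ValueError("the vSensor subnet must not be selected as a mirrored source")
        unsupported = set(self.filter_protocols) - MIRRORABLE_PROTOCOLS
        if unsupported:
            raise ValueError(f"packet mirroring cannot filter on: {sorted(unsupported)}")
        if self.frontend_ip is not None:
            ipaddress.ip_address(self.frontend_ip)   # a single address, not a range


def plan_commands(p: MirroringPlan) -> List[str]:
    """Return the gcloud commands, in dependency order, that realise the plan."""
    p.validate()
    # The guide places the frontend in the subnet that holds the mirrored instances.
    frontend_subnet = p.mirrored_subnets[0]
    forwarding = [
        "gcloud", "compute", "forwarding-rules", "create", p.forwarding_rule,
        f"--region={p.region}", "--load-balancing-scheme=INTERNAL",
        f"--network={p.network}", f"--subnet={frontend_subnet}",
        "--ip-protocol=TCP", "--ports=ALL",
        f"--backend-service={p.backend_service}",
        "--is-mirroring-collector",            # the "Packet Mirroring" tick box in the console
    ]
    if p.frontend_ip:
        forwarding.append(f"--address={p.frontend_ip}")
    mirroring = [
        "gcloud", "compute", "packet-mirrorings", "create", p.policy,
        f"--region={p.region}", f"--network={p.network}",
        f"--mirrored-subnets={','.join(p.mirrored_subnets)}",
        f"--collector-ilb={p.forwarding_rule}",
    ]
    if p.filter_protocols:
        mirroring.append(f"--filter-protocols={','.join(p.filter_protocols)}")
    steps = [
        ["gcloud", "compute", "health-checks", "create", "https", p.health_check, "--port=443"],
        ["gcloud", "compute", "backend-services", "create", p.backend_service,
         f"--region={p.region}", "--load-balancing-scheme=INTERNAL", "--protocol=TCP",
         f"--health-checks={p.health_check}"],
        ["gcloud", "compute", "backend-services", "add-backend", p.backend_service,
         f"--region={p.region}", f"--instance-group={p.instance_group}",
         f"--instance-group-zone={p.zone}"],
        forwarding,
        mirroring,
    ]
    return [shlex.join(s) for s in steps]


if __name__ == "__main__":
    plan = MirroringPlan(
        region="europe-west1", zone="europe-west1-b", network="my-vpc",
        vsensor_subnet="vsensor-subnet-1", mirrored_subnets=["app-subnet-1", "db-subnet-1"],
        frontend_ip="10.10.1.250", filter_protocols=["tcp", "udp"],
    )
    for cmd in plan_commands(plan):
        print(cmd)
```

Leaving filter_protocols empty mirrors all traffic, which matches the “all traffic” choice in the final policy step; the validation rejects the one mistake the guide calls out explicitly, mirroring the collector's own subnet, before any resource is created.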

Traffic mirroring configuration is now complete. More information on troubleshooting vSensor communications can be
found in the vSensor configuration guide.
US:+1 415 229 9100 UK:+44 (0) 1223 394 100 LATAM:+55 11 4949 7696 APAC:+65 6804 5010 [email protected] darktrace.com
