Deployment verification

  1. Check the status of the Virtual Network Sensor.
    1. (CLI mode) Execute the commands in the Virtual Network Sensor.
      1. Connect to VMware ESXi (either directly or through SSH) or VMware vCenter and open the Virtual Network Sensor. To sign on with the default admin account, type “admin” for the username.
      2. Execute the “enable” and “connect” commands to test the connection to Trend Vision One. The expected results are:
        - Trend Vision One: good
        - Virtual Network Sensor: good
        - Network Analytics: good
    2. Check the status of the Virtual Network Sensor in Trend Vision One web console.
      1. Log on to the Trend Vision One console (https://portal.xdr.trendmicro.com) and go to NETWORK SECURITY OPERATIONS > Network Inventory > Virtual Network Sensor Appliances tab.
      2. Hover over the “Connection Status” of your Virtual Network Sensor. The expected results are:
        - Appliance (connection status to Network Inventory): green point
        - Network activity data (connection status to Trend Vision One, Network Analytics): green point

  2. If any of the verification steps above does not return the expected result, wait 15 minutes and check again.
  3. If only some of the verification steps above fail, check the firewall setting. Refer to Trend Vision One Online Help: Ports and URLs Used by Virtual Network Sensor and Firewall Exception Requirements for Trend Vision One.
  4. If all the results fail, check the network connectivity and configurations.
    1. (Connectivity) Execute the “ping trendmicro.com” command in the Virtual Network Sensor to check whether it can reach the outside network (you can change the target of the ping). If the ping fails, check the following:
      1. IP setting
        Execute the “exit” and “show network management” commands to check whether the network-related information is configured correctly. If any setting is incorrect, configure it again using the “configure network primary ipv4.static” command. For the detailed steps, refer to the Trend Vision One Online Help: Virtual Network Sensor CLI Commands.
      2. Firewall setting
        Refer to the Trend Vision One Online Help: Ports and URLs Used by Virtual Network Sensor and Firewall Exception Requirements for Trend Vision One to check if the necessary ports and URLs are allowed in the network.
    2. (Configurations) Check if the Company ID is registered correctly.
      1. Log on to the Trend Vision One console, click the account icon (upper right corner of the console) > Business Profile. Check the value of “Business ID:”.
      2. Execute the “show system” command in the Virtual Network Sensor (check the command prompt first; if it is "#", execute the "exit" command before running it).
      3. Make sure the value of “Business ID” in the Trend Vision One console and the value of “Company ID” in the Virtual Network Sensor are the same.
      4. If you cannot find the Company ID in the Virtual Network Sensor, contact Trend Micro Technical Support to get a registration token.
  5. After solving all other problems, register the Virtual Network Sensor.
    • Execute the “register” command (if your Company ID is not empty initially).
    • Execute the “register <registration token>” command (if your Company ID is empty initially).
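
The decision logic of steps 2 to 4 above, as an added example (not Trend Micro tooling): a shell script run on an admin workstation against a saved capture of the “connect” output. It assumes the results appear as “Name: status” lines as listed above and that any status other than “good” is a failure; the sample capture and its “unreachable” status are constructed.

```shell
#!/bin/sh
# Added example: classify saved output of the sensor's "connect" test.
# Assumptions: results appear as "Name: status" lines (names as listed above)
# and any status other than "good" is a failure.

# Reads the captured output on stdin; prints ok | partial | all_failed | incomplete.
triage_connect() {
    seen=0 good=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *"Trend Vision One:"*|*"Virtual Network Sensor:"*|*"Network Analytics:"*) ;;
            *) continue ;;   # banner, prompt or blank line
        esac
        # Keep the text after the last colon; drop spaces, tabs and CR; lowercase it.
        status=$(printf '%s' "${line##*:}" | tr -d ' \t\r' | tr 'A-Z' 'a-z')
        seen=$((seen + 1))
        if [ "$status" = good ]; then good=$((good + 1)); fi
    done
    if   [ "$seen" -lt 3 ];       then echo incomplete
    elif [ "$good" -eq "$seen" ]; then echo ok
    elif [ "$good" -eq 0 ];       then echo all_failed
    else                               echo partial
    fi
}

# Maps a verdict to the follow-up this page gives for it.
next_step() {
    case $1 in
        ok)         echo "All checks good: continue with traffic verification." ;;
        partial)    echo "Wait 15 minutes and recheck; if still partial, check the firewall setting." ;;
        all_failed) echo "Wait 15 minutes and recheck; if all still fail, check connectivity (ping) and the Company ID (show system)." ;;
        *)          echo "Fewer than three results captured: rerun enable and connect." ;;
    esac
}

# Constructed sample capture (not real sensor output).
sample='Trend Vision One: good
Virtual Network Sensor: good
Network Analytics: unreachable'
verdict=$(printf '%s\n' "$sample" | triage_connect)
echo "$verdict: $(next_step "$verdict")"
```
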

Traffic verification

Follow these steps to check whether the Virtual Network Sensor monitors your network and sends the data to Trend Vision One.

  1. After the deployment verification, execute the “show traffic” command.
    1. Expected result: you can see the average throughput monitored recently.
    2. If the average throughput is very low:
      1. Check whether the Virtual Network Sensor data port (second NIC) exists and monitors any device.
      2. Check whether the monitored devices are generating any network traffic.
      3. Check the network setting of traffic mirroring.
  2. Choose an endpoint monitored by the Virtual Network Sensor and, on that endpoint machine, go to http://wrs81.winshipway.com/ddi_detection_test using curl, Wget, or a browser.
  3. Wait a few minutes.
  4. On the Trend Vision One console, go to NETWORK SECURITY OPERATIONS > Network Inventory > Virtual Network Sensor tab, and make sure the connection status of your appliance is Healthy.
  5. Copy the value of the appliance’s GUID.
  6. Go to XDR THREAT INVESTIGATION > Search app and search for the following keywords:
    1. Detection log
      Select Detections in the Search Method column and enter the following query string:

      deviceGUID: AAAAAAAAAAAA-BBBBBBBB-CCCC-DDDD-EEEE AND wrs81

    2. Network Activity Data
      Select Network Activity Data in the Search Method column and enter the following query string:

      deviceGUID: AAAAAAAAAAAA-BBBBBBBB-CCCC-DDDD-EEEE AND wrs81

  7. If Trend Vision One and the Virtual Network Sensor are connected, the search results for the Detection log will return ruleId: 2246 and ruleName: DEMO RULE - HTTP (Request). You can see them by expanding the log entry that matches the query.
