# Introduction and general requirements

## Introduction

This guide is intended to help customers or partners deploy vSensors in KVM environments and pair them to your Vectra Brain. It will cover basic background information, connectivity requirements (firewall rules that may be needed in your environment), deployment of the vSensor in KVM, and pairing.

vSensors behave much in the same way that physical Sensors do. One advantage is that there is no cost to deploy a vSensor other than your own costs to provide and maintain the infrastructure they run in. vSensors also allow you to capture and analyze traffic that only exists in the virtual environment. You can even use vSensors in place of physical Sensors to capture physical network traffic.

KVM vSensors can be used in both Respond UX and Quadrant UX deployments. For more detail on Respond UX vs Quadrant UX please see [Vectra Analyst User Experiences (Respond vs Quadrant)](https://docs.vectra.ai/deployment/getting-started/analyst-ux-options-rux-vs-qux). One of the below guides should be the starting point for your overall Vectra deployment:

* [Vectra Respond UX Deployment Guide](https://docs.vectra.ai/deployment/getting-started/respond-ux-deployment-guide)
* [Vectra Quadrant UX Deployment Guide](https://docs.vectra.ai/deployment/getting-started/quadrant-ux-deployment)

## About KVM vSensor Images

The Brain makes an image available in QCOW2 format for download and subsequent use for deploying KVM vSensors. Vectra appliances typically operate with updates enabled. Regular updates ensure that the appliances are running the very latest version. Deployed Sensors and vSensors also update regularly from the Brain. Once a vSensor has been deployed, it will update itself as needed, staying current with its Brain.

{% hint style="info" %}
**Please Note:**

As your Vectra Brain is updated, the image for the Hyper-V vSensor is also updated.

* If you deploy additional Hyper-V vSensors in the future, always download a fresh copy of the image from an up-to-date Brain to ensure you are working with the latest code.
* vSensor images are retrieved from the Brain when using either the Respond UX and Quadrant UX.
  * The RUX UI is delivered from Vectra's cloud but the download link still retrieves the image from the Brain itself.
    {% endhint %}

## KVM vSensor Requirements and Throughput

Vectra supports KVM for customers deploying virtual Sensors (vSensors) to capture virtual traffic or physical traffic. Brain or mixed mode deployment is NOT supported in KVM.

**KVM vSensor Configurations:**

<table data-header-hidden><thead><tr><th width="273.140625" align="center"></th><th width="74.3046875" align="center"></th><th width="91.88671875" align="center"></th><th width="87.96875" align="center"></th><th width="146.1953125" align="center"></th></tr></thead><tbody><tr><td align="center"><strong>VM Type</strong></td><td align="center"><strong>Cores</strong></td><td align="center"><strong>Memory</strong></td><td align="center"><strong>Storage</strong></td><td align="center"><strong>Performance </strong><sup><strong>1</strong></sup></td></tr><tr><td align="center">Standard PC (Q35 + ICH9, 2009)</td><td align="center">2</td><td align="center">8 GB</td><td align="center">100 GB</td><td align="center">500 / 250 Mbps</td></tr><tr><td align="center">Standard PC (Q35 + ICH9, 2009)</td><td align="center">4</td><td align="center">8 GB</td><td align="center">150 GB</td><td align="center">1 / .5 Gbps</td></tr><tr><td align="center">Standard PC (Q35 + ICH9, 2009)</td><td align="center">8</td><td align="center">16GB</td><td align="center">150 GB</td><td align="center">2 / 1 Gbps</td></tr><tr><td align="center">Standard PC (Q35 + ICH9, 2009)</td><td align="center">16</td><td align="center">64 GB</td><td align="center">500 GB</td><td align="center">5 / 2.5 Gbps</td></tr></tbody></table>

<sup>1</sup> The first number represents NDR/Detect only performance while the second number represents performance with [Match](https://docs.vectra.ai/deployment/match/deployment) and/or [Suspect Protocol Activity Detections](https://docs.vectra.ai/operations/general/suspect-protocol-activity-detections-feature-overview) enabled.

KVM vSensors also require a management port that is separate from the capture port.

* All KVM vSensors support a single capure port.&#x20;

Vectra recommends that Sensors are configured to use storage local to the hypervisor and are not stored on a SAN. Vectra vSensors require extremely high throughput from their disk storage and this throughput cannot normally be sustained by SAN systems without impact to other SAN users.

## Connectivity Requirements

The [Vectra Respond UX Deployment Guide](https://docs.vectra.ai/deployment/getting-started/respond-ux-deployment-guide) or [Vectra Quadrant UX Deployment Guide](https://docs.vectra.ai/deployment/getting-started/quadrant-ux-deployment) detail basic connectivity requirements for initial platform deployment. It also gives guidance on firewall/proxy SSL inspection, Internet access to and from the Brain, and guidance for air-gapped environments. For full detail on all possible firewall rules that might be required in your environment, please see [Firewall Requirements](https://docs.vectra.ai/deployment/getting-started/firewall-requirements). KVM vSensor specific requirements are listed below:

**Connectivity Requirements for KVM vSensors**

| **Source**  | **Destination** | **Protocol/Port**                         | **Description**                                       |
| ----------- | --------------- | ----------------------------------------- | ----------------------------------------------------- |
| Admin Hosts | vSensors        | TCP/22 (SSH)                              | CLI access to vSensor                                 |
| Brain       | vSensors        | TCP/22 (SSH)                              | Remote management and troubleshooting                 |
| vSensors    | Brain           | <p>TCP/22 (SSH)</p><p>TCP/443 (HTTPS)</p> | Pairing, metadata transfer, and ongoing communication |

{% hint style="info" %}
**Please Note:**

* vSensors do not communicate with the Vectra Cloud.
  * All communication sessions with vSensors are initiated from the vSensor to the Brain.
  * Updates for vSensors are downloaded to the Vectra Brain, and the vSensor retrieves them from the Brain.
* Command Line (CLI) access can also be obtained via the console in your hypervisor if you wish to login to the vSensor CLI after deployment.  Please [SSH login process for CLI](https://docs.vectra.ai/deployment/appliance-operations/ssh-login-process-for-cli) for more details.
  {% endhint %}

## Preparing to Deploy KVM vSensors

Some information will need to be gathered or known prior to beginning deployment of a KVM vSensor.

* IP address and subnet mask for the Management interface of the vSensor.
* IP address or hostname of the Vectra Brain that you will be pairing with.
  * This will be built into the downloaded VM image and will point to the Brain that served the download.
  * Whether this points to the IP of the Brain or the hostname depends on what you have set in your UI under Configuration → COVERAGE → *Data Sources > Network > Sensors > Sensor Configuration > Sensor Pairing and Registration* for **Pair using the Detect Brain**.
    * Editing this area gives a radio button to choose **DNS Name** or **Management IP Address**.
* DNS server addresses.
* To configure your vSensor, you will need access to the vSensor Command Line Interface (CLI) either via the console in your hypervisor or via SSH.
  * DHCP is enabled by default upon vSensor initial boot.
  * You must know the IP that was assigned via DHCP to SSH to the CLI, otherwise you will need to use the hypervisor console.
* For production monitoring, ensure that the vSensor VM is kept running 24x7, and ensure that the hypervisor does not overcommit resources or otherwise misrepresent the resources it is providing to the vSensor.