Deploy the Virtual Network Sensor on your Google Cloud environment.
If your security environment uses a hybrid deployment, or you do not have VMware or
Microsoft Hyper-V in your environment, you can leverage your Google Cloud projects
to deploy a Virtual Network Sensor instance.
Note: The steps contained in these instructions are valid as of July 2024.
Before you begin, make sure you have completed the following tasks:
- Choose or create a VPC and subnet for the Virtual Network Sensor management port.
- Choose or create a VPC and subnet for the Virtual Network Sensor data port. Trend Micro recommends assigning the Virtual Network Sensor data port to a different VPC than the mirror source VM.

Important: The Virtual Network Sensor data port and management port must be on separate VPCs. Assigning the ports to the same VPC causes deployment to fail. Additionally, the subnets must have different IP ranges and CIDR addresses.
Procedure
- Sign in to Google Cloud.
- In a separate tab, access the Trend Vision One console and go to .
- Click Deploy Virtual Network Sensor. The Virtual Network Sensor Deployment panel appears.
- Select Google Cloud for the platform.
- Set the Admin password and confirm the password. The password must contain the following:
  - 12 to 32 characters
  - Both uppercase and lowercase characters
  - At least one number (0-9)
  - At least one special character: ~!`@#$%^&*()/_+=[]{}-\|<>',.?:;" or space

  Note: This step sets the default admin password used to access the Virtual Network Sensor command line interface after deployment.
- Select the Connection method.
  - Direct connection: the Virtual Network Sensor connects to Trend Vision One directly. Make sure the Virtual Network Sensor is able to connect to the internet when using this configuration.
  - Connect using a custom proxy: the Virtual Network Sensor connects to Trend Vision One through a third-party proxy. After choosing this method, configure the following fields:
    - Proxy address: Specify the IP address of the proxy.
    - Proxy port: Specify the connecting port of the proxy.
    - Proxy server requires authentication: (Optional) Select if the proxy requires authentication credentials.
      - User name: Specify the user name for the proxy credentials.
      - Password: Specify the password for the proxy credentials.
  - Connect using a Service Gateway as proxy: the Virtual Network Sensor connects to Trend Vision One through a Service Gateway. Select a Service Gateway to use for this method.

    Important: The Virtual Network Sensor must be able to connect to a Service Gateway with the Forward Proxy Service configured and enabled. For more information, see Managing services in Service Gateway.
- Click Generate Metadata Token. The metadata token contains important information for the Virtual Network Sensor, including the configured admin password and information that allows the Virtual Network Sensor to connect and on-board with Network Inventory automatically.
- Click the copy icon to copy the metadata token.

  Important: Trend Vision One does not save your password information or the metadata token. Once you close the deployment panel, the information is discarded and cannot be retrieved. If you lose the password or metadata token, you must generate a new one.
- Click Go to Google Cloud Marketplace. The Google Cloud Marketplace opens in a new tab with the Trend Vision One™ XDR for Networks page displayed. If the tab does not open, access the Google Cloud Marketplace from your Google Cloud account and search for Trend Vision One™ XDR for Networks.
- Click Launch. The deployment screen appears with the Terraform tab open.
- Specify a unique Deployment name.
- Select the Deployment Service Account.
- Choose whether you want to use an existing account or create a new account to deploy the Virtual Network Sensor.

  Important: The deployment service account must have the following roles:
  - roles/config.agent
  - roles/compute.admin
  - roles/iam.serviceAccountUser

  If you select Existing account, a list of available Service Accounts that have the required roles appears. Select the Service Account you want to use.
- Select Zonal or Regional.
- Select the Service Account Location.
  Important: The selected location for the Service Account must be the same as the selected Zone in the Machine Type settings.
- Configure the Machine Type. The following steps detail the configuration Trend Micro recommends. If you wish to use an alternative setup, review the system requirements to ensure adequate system performance.
- Select General purpose.
- For Series, select N2.
- Select the Machine type. The Virtual Network Sensor has been tested with the following recommended instance types. For more information, see Virtual Network Sensor system requirements.

Virtual Network Sensor Sizing Table for Google Cloud

| Throughput (Mbps) | Machine Type | Virtual Disk (GB) |
|---|---|---|
| 100 | n2-standard-2 | 50 |
| 500 | n2-standard-4 | 50 |
| 1000 | n2-standard-8 | 50 |
| 2000 | n2-standard-8 | 100 |
| 5000 | n2-standard-16 | 150 |
| 10000 | n2-standard-32 | 200 |

- Select the Zone to deploy the machine. This must be the same location you selected for the Service Account.
- Configure the Boot Disk.
- Select the Disk Size according to the sizing table in the previous step.
- For Disk Type, select SSD Persistent Disk.
- Configure the Networking settings.
  Important: The Virtual Network Sensor data port and management port must be on separate VPCs. Assigning the ports to the same VPC causes deployment to fail. Additionally, the subnets must have different IP ranges and CIDR addresses.
- Click the first Network interfaces field to edit settings for the data port.
- For Network, select the VPC you want to assign to the Virtual Network Sensor data port.
- Select the Subnetwork.
- Click Done.
- Click the second Network interfaces field to edit settings for the management port.
- For Network, select the VPC you want to assign to the Virtual Network Sensor management port.
- Select the Subnetwork.
- For External IP, choose whether you want the management port to have an external-facing IP address.

  Important: The Virtual Network Sensor uses the management port to connect to Trend Vision One. If you choose not to use an external IP address, you must set up Network Services/Cloud NAT to allow the management port to connect to the internet.
- Click Done.
- Paste the metadata token you copied into the Metadata field.
- Click Deploy. The Virtual Network Sensor begins the deployment process. Deployment may take a few minutes. After deployment successfully finishes, the Virtual Network Sensor automatically connects and registers to Trend Vision One. You can verify the connection by going to

After deployment successfully finishes, you must set up traffic mirroring in your Google Cloud environment. You can use your own mirroring solution, or, to follow the steps recommended by Trend Micro, see Configuring traffic mirroring on Google Cloud.
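
The constraints this procedure states (separate VPCs and distinct subnet ranges for the two ports, the three deployment service account roles, matching service account location and zone, Cloud NAT when the management port has no external IP, and the sizing table) can be checked against a planned configuration before clicking Deploy. The following is an added example, not Trend Micro code: the `preflight` function, the plan dictionary keys and the sample values are hypothetical, and it assumes that "different IP ranges" means non-overlapping CIDRs and that the smallest tested row covering the expected throughput applies.

```python
import ipaddress
# Sizing table from this page: (throughput Mbps, machine type, disk GB).
SIZING = [(100, "n2-standard-2", 50), (500, "n2-standard-4", 50),
          (1000, "n2-standard-8", 50), (2000, "n2-standard-8", 100),
          (5000, "n2-standard-16", 150), (10000, "n2-standard-32", 200)]
REQUIRED_ROLES = {"roles/config.agent", "roles/compute.admin",
                  "roles/iam.serviceAccountUser"}

def preflight(plan):
    """Return the problems found in a planned deployment (empty list = OK)."""
    problems = []
    data, mgmt = plan["data_port"], plan["mgmt_port"]
    # The data port and management port must be on separate VPCs.
    if data["vpc"] == mgmt["vpc"]:
        problems.append("data and management ports share VPC " + data["vpc"])
    # Assumption: "different IP ranges" is read as non-overlapping CIDRs.
    d_net = ipaddress.ip_network(data["cidr"])
    m_net = ipaddress.ip_network(mgmt["cidr"])
    if d_net.overlaps(m_net):
        problems.append(f"subnet ranges overlap: {d_net} and {m_net}")
    # Without an external IP, the management port needs Cloud NAT for egress.
    if not mgmt["external_ip"] and not mgmt["cloud_nat"]:
        problems.append("management port has no external IP and no Cloud NAT")
    missing = REQUIRED_ROLES - set(plan["service_account_roles"])
    if missing:
        problems.append("service account lacks " + ", ".join(sorted(missing)))
    if plan["service_account_location"] != plan["zone"]:
        problems.append("service account location differs from machine zone")
    # Assumption: use the smallest tested row that covers the throughput.
    row = next((r for r in SIZING if r[0] >= plan["throughput_mbps"]), None)
    if row is None:
        problems.append("throughput exceeds the largest tested size")
    elif (plan["machine_type"], plan["disk_gb"]) != row[1:]:
        problems.append(f"sizing table suggests {row[1]} with {row[2]} GB disk")
    return problems

# Constructed sample plan; every name and value here is illustrative.
SAMPLE_PLAN = {
    "data_port": {"vpc": "vns-data-vpc", "cidr": "10.10.0.0/24"},
    "mgmt_port": {"vpc": "vns-data-vpc", "cidr": "10.10.0.128/25",
                  "external_ip": False, "cloud_nat": False},
    "service_account_roles": ["roles/config.agent", "roles/compute.admin"],
    "service_account_location": "us-central1-a", "zone": "us-central1-a",
    "throughput_mbps": 1500, "machine_type": "n2-standard-8", "disk_gb": 50,
}

if __name__ == "__main__":
    for problem in preflight(SAMPLE_PLAN):
        print("FAIL:", problem)
```

The sample plan is deliberately wrong in five ways, so running the script prints one FAIL line per violated requirement.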