Introduction
This article walks through the appliance deployment process at a high level. We also have Configuration Guides with diagrams specific to each appliance. The following items from the contents of the shipped appliance are requirements for this process:
- Ethernet cables
- Appliance power cable
- 1 USB YubiKey (NOTE: this is not required or included for Compact series appliances)
Table of contents
- Deploying The Appliance
- Preparing the Traffic Connections
- Making the Traffic Connections
- Verifying Your Deployment
Deploying The Appliance
Preparing Your Network for the Appliance
You will need to set the following configurations within your network before you install the appliance.
- The appliance will need one IP address used for the Management IP connection.
- We recommend a standard Dynamic Host Configuration Protocol (DHCP) address for the simplest installation. The appliance also requires working DNS, which is normally provided by DHCP.
- The appliance will need to be able to communicate outbound with a cloud-based relay over UDP port 443.
- More information on that outbound domain is provided in a later step.
Installing the Hardware
The following instructions outline the process of installing your physical appliance into your organization's IT infrastructure.
- Physically install the appliance in your environment.
- This must be a location that allows for appropriate airflow, in an orientation that keeps the fans unobstructed for proper cooling.
- Using the provided GREEN ethernet cable, connect it to the GREEN port on the appliance and to a LAN port on your network switch.
- If your appliance shipped with a USB YubiKey, ensure it is securely plugged in to a USB port on the appliance.
- Connect the power cable and power on the appliance.
- Wait 15 minutes, then check the connectivity of your appliance by browsing to the appliance's local IP address and accessing the management interface at https://<local_ip_address>/appliance_status/status/.
- See Verifying Your Deployment below for more on connecting to an appliance's status page.
Preparing the Traffic Connections
The appliance monitors traffic passively and does not actively block or interfere with traffic. For optimum monitoring, all external internet nodes must be covered. So, the appliance should have access to all public<->private traffic that is inbound and outbound from your network (north-south traffic).
Choosing Your Traffic Monitoring Configuration
The appliance can be deployed in either a mirrored or inline configuration, outlined below. The monitoring configuration for appliances is determined during your organization's scoping phase with our Sales and Sales Engineering teams.
Port-Mirrored Configuration
This configuration is recommended if you have multiple internal networks subtended from your network switch, as there is typically no single point where the networks may be accessed inline before the NAT.
In a port-mirrored configuration, the appliance is connected, out-of-band, to one or more LAN interfaces off your network device. Your network device (firewall or switch) must be configured for port mirroring (also called port spanning), as this is the method used to copy and send traffic from your mirrored port(s) to a single destination port for monitoring.
The process to configure port mirroring varies by device manufacturer. Please refer to your device manufacturer's documentation for more information.
Inline Configuration
The inline configuration is not available for the Compact series appliances.
The appliance requires access to traffic before it is NATed; therefore, the appliance must be connected in your network behind the NAT device. The recommended connection is between the firewall (NAT device) and network switch.
With this configuration, the appliance is connected in between the firewall or ISP router and the internal switch. This placement allows the appliance to monitor all traffic traveling over the wire from the internal network to the internet, since it is inline on that connection.
To minimize risk of network outage in the inline configuration, the appliance's network card has a built-in mechanism that automatically reroutes traffic directly between the network ports, bypassing the appliance if it is reset or powered off. When using this configuration, the deployment of the appliance will require a network outage for the period of the installation.
Making the Traffic Connections
The following sections describe the cable connections for our appliances, based on your chosen monitoring configuration. Be sure that you have prepared your network for the appliance and made the necessary configurations for your deployment.
Mirrored Configuration
Before performing this procedure, you need to configure your switch or firewall to mirror north-south traffic ports to a destination port for monitoring.
- Ensure that you have configured a port mirror on your network device that replicates traffic from all LAN ports to a single mirror port destination.
- (Optional) To confirm that port mirroring is sending traffic, connect a laptop running Wireshark on the network device's destination port and verify that Wireshark captures the traffic being mirrored.
- Using the provided yellow or red ethernet cable, connect it to the appliance's yellow or red interface and then to your network device's port mirrored destination port.
- (Optional) Repeat steps 1-3 as many times as necessary by configuring mirror ports on your remaining switches/firewalls and connecting them to additional yellow appliance ports.
- Wait 15 minutes, then check the connectivity of your appliance by browsing to the appliance's local IP address and accessing the management interface at https://<local_ip_address>/appliance_status/status/.
- See Verifying Your Deployment below for more on connecting to an appliance's status page.
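An added example, not part of the vendor's documentation: one way to go beyond eyeballing the Wireshark capture in the optional step above is to check that the mirror carries both directions of north-south traffic and sits before the NAT. It assumes the capture's source and destination addresses were exported one pair per line (for example with tshark -r capture.pcap -T fields -e ip.src -e ip.dst) and that internal hosts use RFC 1918 addresses; the function names and sample lines are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumption: internal hosts use RFC 1918 space; adjust to your addressing plan.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(src, dst):
    """Label one packet by where its endpoints sit relative to the NAT."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)  # ValueError if not IPv4
    if d.is_multicast or dst == "255.255.255.255":
        return "local-noise"
    s_in = any(s in net for net in INTERNAL)
    d_in = any(d in net for net in INTERNAL)
    if s_in and d_in:
        return "east-west"
    if s_in:
        return "outbound"
    if d_in:
        return "inbound"
    return "post-nat"  # public to public: internal addresses already translated

def assess_mirror(lines):
    """Count packet classes and report gaps in north-south coverage."""
    counts = Counter()
    for line in lines:
        fields = line.split()
        if len(fields) != 2:
            continue  # non-IP frame or blank line
        try:
            counts[classify(*fields)] += 1
        except ValueError:
            continue  # IPv6 or multi-valued field (e.g. ICMP error payloads)
    findings = []
    if counts["outbound"] == 0:
        findings.append("no private-to-public traffic seen")
    if counts["inbound"] == 0:
        findings.append("no public-to-private traffic seen")
    if counts["post-nat"]:
        findings.append("public-to-public traffic seen; capture point may be outside the NAT")
    return counts, findings

# Constructed sample (documentation-range public addresses), not real capture data.
SAMPLE = ["192.168.10.25\t198.51.100.7", "198.51.100.7\t192.168.10.25",
          "192.168.10.25\t192.168.10.1", "10.1.4.9\t203.0.113.50",
          "192.168.10.25\t224.0.0.251", "fe80::1\tff02::fb", ""]

if __name__ == "__main__":
    counts, findings = assess_mirror(SAMPLE)
    print(dict(counts), findings or "north-south coverage looks complete")
```

An empty findings list only shows that both directions were present in the captured sample; it does not prove that every LAN port is included in the mirror.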
Inline Configuration
For ease of maintenance, we recommend replacing your preexisting network cables with our color-coded network cables.
This process will create a temporary network outage while deploying the appliance, so we recommend scheduling this procedure with your organization's IT team.
- Break the existing connection between your firewall or LAN interface and your switch's WAN interface.
- This action will cause a network outage, but it will be reconnected through connections running through the appliance.
- Using the provided blue ethernet cable, connect it to the appliance's blue interface and to your network switch's WAN interface.
- Using the provided yellow ethernet cable, connect it to the appliance's yellow interface and to your firewall's LAN/inside interface.
- (Optional) If your appliance is configured with additional yellow and blue interfaces, repeat steps 2 and 3 to connect the additional inline connection(s).
- Wait 15 minutes, then check the connectivity of your appliance by browsing to the appliance's local IP address and accessing the management interface at https://<local_ip_address>/appliance_status/status/.
- See Verifying Your Deployment below for more on connecting to an appliance's status page.
Verifying Your Deployment
You can check the status of your appliance deployment by browsing to the local IP address of the management interface at:
https://<appliance's local_ip_address>/appliance_status/status/
This page is hosted locally on each network appliance, which means it can only be accessed from within the network. When trying to access this page, make sure that your device is connected to the same network as the appliance.