Introduction
If your organization has a Hyper-V environment in place, you can deploy a virtual appliance on a machine in the environment. Once deployed, it will capture traffic within the environment for analysis by Field Effect MDR.
This procedure and its documentation are still in development and should be used for testing purposes only while we fine-tune the requirements and procedure for this deployment type.
Limitations
Single Host Limitations
Port mirroring operates within the boundaries of a single Hyper-V host. You can't mirror traffic across different physical machines in a cluster.
Migrations and Failovers
If a VM is migrated to a different host, or if a failover occurs, port mirroring on the original host won't automatically capture the traffic on the new host.
Procedure
To do this, you will need to perform the following tasks:
- Download the Virtual Appliance ISO from the MDR Portal
- Create a New Virtual Machine
- Add a disk for packet capture
- Disable Secure Boot
- Configure Management and Capture Interfaces
- Configure the CPU Count
- Open the Console and Install the OS
- Configure the Capture Port
- Virtual Switches and VLANs
This article uses the Hyper-V Manager and PowerShell to install our virtual appliance for Hyper-V. Some steps, such as renaming interfaces, are not supported in the Hyper-V Manager and require PowerShell. Your organization may manage your virtual environment with other tools (Windows Admin Center, etc.) that can install and configure virtual machines. If you prefer using tools outside of the scope of this document, use this as a reference guide when creating the virtual machine and installing the virtual appliance.
Download the Virtual Appliance ISO from the MDR Portal
If a virtualized appliance for Hyper-V was scoped by your Sales Engineer when onboarding Field Effect MDR, the ISO file for your virtual appliance will be located on the MDR Portal's Downloads page.
Download the installer and copy it to an accessible place on the virtual machine that will be hosting the virtual appliance.

Create a New Virtual Machine
Our virtual appliance needs to be installed on a virtual machine within your environment. The following sections outline the process of creating a virtual machine, using PowerShell or the Hyper-V Manager, that will host the appliance.
Using PowerShell
This process can be accomplished in PowerShell with the following commands:
New-VM -Name FE-MDR -Generation 2 -MemoryStartupBytes 32GB -SwitchName external-vswitch1 -Path "F:\Hyper-v"
New-VHD -Path "F:\Hyper-v\FE-MDR\Virtual Hard Disks\FE-MDR.vhdx" -SizeBytes 512GB -Dynamic
Add-VMHardDiskDrive -VMName FE-MDR -path "F:\hyper-v\FE-MDR\Virtual Hard Disks\FE-MDR.vhdx" -ControllerType SCSI -ControllerNumber 0 -ControllerLocation 0
Add-VMDvdDrive -VMName FE-MDR -ControllerNumber 0 -Controllerlocation 1 -Path "F:\20250522_2016-001-tb-may22.iso"
Using the Hyper-V Manager
Begin by clicking Virtual Machine in the Action Pane's New flyout menu.

The New Virtual Machine Wizard will open. Click Next to get started.

On the next step, give the virtual machine a memorable name signifying that this machine hosts the Field Effect MDR virtual appliance (example: FE-MDR).

On the next page, select Generation 2 and click Next.

Assign the virtual machine 32768 MB of startup memory and click Next.

Configure this virtual machine with a virtual switch and continue. This will be used later for the management and capture interfaces used to monitor traffic and communicate with Field Effect.

When connecting a virtual hard disk for this machine:
- Give it a memorable and easily identifiable name,
- Place it in a location that aligns with your organization's best practices,
- Suggestion: \Hyper-V\FE-MDR\Virtual Hard Disks
- Give it 512 GB storage
After you create your hard disk, click Next.

The final step of the wizard is to attach the virtual appliance .iso file that you downloaded earlier. Select Image File and browse to the location where you stored the ISO. Click Next.

The final page of the wizard will give you an opportunity to review your new machine. When ready, click Finish to create your new virtual machine.

Add a disk for packet capture
This virtual hard disk is used to store the traffic being sent to the appliance for analysis.
Using PowerShell
This process can be accomplished in PowerShell with the following commands:
New-VHD -Path "F:\Hyper-v\FE-MDR\Virtual Hard Disks\FE-MDR-CAPTURE.vhdx" -SizeBytes 1000GB -Dynamic
Add-VMHardDiskDrive -VMName FE-MDR -Path "F:\Hyper-v\FE-MDR\Virtual Hard Disks\FE-MDR-CAPTURE.vhdx" -ControllerType SCSI -ControllerNumber 0 -ControllerLocation 2
Using the Hyper-V Manager
Right click on the newly created FE-MDR virtual machine and select Settings. From the settings window, select SCSI controller in the lefthand hardware list. Select Hard Drive in the central pane and click Add.

A new hard drive will appear in the hardware list. Select it, and from the new drive's central pane, select Virtual hard disk and click New.

The New Virtual Hard Disk Wizard will open. Click Next to get started.

Select Dynamically expanding and click Next.

Give the drive a memorable and easily identifiable name (example: FE-MDR-CAPTURE) and set the location for the disk. Click Next to continue.

Select Create a new blank virtual hard disk and give it 1000 GB of storage. Click Next to continue.

The final page of the wizard gives you an opportunity to review your new disk. When ready, click Finish to create your new virtual hard disk.

Disable Secure Boot
To ensure that the virtual appliance can run efficiently, secure boot must be disabled.
Using PowerShell
This process can be accomplished in PowerShell with the following command:
Set-VMFirmware -VMName FE-MDR -EnableSecureBoot Off
Using the Hyper-V Manager
From the FE-MDR machine's settings pane (right click > Settings), select Security in the lefthand hardware list. Uncheck Enable Secure Boot and click OK.

Configure Management and Capture Interfaces
The virtual appliance communicates with Field Effect over the management network interface, and a separate capture network interface is used for collecting telemetry for analysis.
Creating the Management Interface
When creating the new virtual machine above, one network interface was created with it ("Network Adapter"). Rename this network interface "management" by using the following PowerShell command:
Rename-VMNetworkAdapter -VMName FE-MDR -Name "Network Adapter" -NewName "management"
The following steps outline how to create the second "capture" port.
Creating the Capture Interface
Using PowerShell
This process can be accomplished in PowerShell with the following command:
Add-VMNetworkAdapter -VMName FE-MDR -SwitchName external-vswitch1 -Name capture
Using the Hyper-V Manager
From the FE-MDR machine's settings pane (right click>settings), select the Add Hardware option in the lefthand hardware list. Select Network Adapter in the central pane and click Add.

The new adapter will be listed in the hardware list as Network Adapter.

Rename this network adapter to "capture" in PowerShell using the following command:
Rename-VMNetworkAdapter -VMName FE-MDR -Name "Network Adapter" -NewName "capture"
Configure the CPU Count
For this step, you will need to designate the appropriate amount of processing power required on the virtual machine to support the virtual appliance.
Using PowerShell
This process can be accomplished in PowerShell with the following command:
Set-VMProcessor -VMName FE-MDR -Count 4
Using the Hyper-V Manager
From the FE-MDR machine's settings pane (right click>settings), select Processor in the lefthand hardware list and set the number of virtual processors to 4. Click OK when complete.

Open the Console and Install the OS
Now that the virtual machine has been properly configured, open its console and install the virtual appliance from the ISO we attached to the virtual machine when configuring it.

Configure the Capture Port
The capture port created earlier needs to be configured as a port mirroring destination.
Using PowerShell
This process can be accomplished in PowerShell with the following command:
Set-VMNetworkAdapter -VMName FE-MDR -Name capture -PortMirroring Destination
Using the Hyper-V Manager
From the FE-MDR machine's settings pane (right click > Settings), expand the capture port in the lefthand hardware list and select Advanced Features. In the central pane's Port Mirroring section, select Destination in the dropdown. Click OK to confirm.

Virtual Switches and monitoring VLAN traffic
If your ‘capture’ interface is connected to a virtual switch using VLANs, and you want to capture this VLAN-tagged traffic, you will need to configure the interface to allow for this.
This cannot be done in the Hyper-V Manager, but can be accomplished with PowerShell.
The following example allows all VLANs on the ‘capture’ network adapter:
Set-VMNetworkAdapterVlan -VMName FE-MDR -VMNetworkAdapterName capture -Trunk -AllowedVlanIdList 1-4094 -NativeVlanId 0
Setting Source VMs
Now that your virtual appliance is set up to receive traffic, you can set up virtual machines to mirror their traffic to the virtual appliance.
Using PowerShell
This process can be accomplished in PowerShell with the following command.
Set-VMNetworkAdapter -VMName client -PortMirroring Source
Note that you will need to update "client" in the example above with the name of the virtual machine that you want as a traffic source for the virtual appliance.
Using the Hyper-V Manager
From the settings pane of the virtual machine you want to monitor, expand the capture port in the lefthand hardware list and select Advanced Features. In the central pane's Port Mirroring section, select source in the dropdown. Click Ok to confirm.
Now a copy of all of this virtual machine's traffic will be mirrored to the virtual appliance.
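To confirm the mirroring setup and catch the single-host limitation described under Limitations, the following added example (not Field Effect's own code) audits adapter settings on one host. The function name Test-MirrorConfig, its parameters, and the VM names web01 and db01 and switch internal-vswitch2 in the sample are hypothetical; the sample rows are constructed and use the property names returned by Get-VMNetworkAdapter.

```powershell
# Added example: audit port mirroring on one Hyper-V host. Test-MirrorConfig is a hypothetical helper.
function Test-MirrorConfig {
    param(
        [Parameter(Mandatory)] [object[]] $Adapters,   # Get-VMNetworkAdapter output, or sample rows
        [string]   $ApplianceVM     = 'FE-MDR',
        [string]   $CaptureName     = 'capture',
        [string[]] $ExpectedSources = @()              # VMs you intend to monitor
    )
    $findings = @()
    $capture = $Adapters | Where-Object { $_.VMName -eq $ApplianceVM -and $_.Name -eq $CaptureName }
    if (-not $capture) { return @("No '$CaptureName' adapter found on $ApplianceVM") }
    if ("$($capture.PortMirroringMode)" -ne 'Destination') {
        $findings += "'$CaptureName' is not a mirroring destination (mode: $($capture.PortMirroringMode))"
    }
    # Set-VMNetworkAdapter without -Name applies to every adapter on the VM,
    # so check that the management adapter was not made a destination too.
    $Adapters | Where-Object { $_.VMName -eq $ApplianceVM -and $_.Name -ne $CaptureName -and
                               "$($_.PortMirroringMode)" -ne 'None' } |
        ForEach-Object { $findings += "$ApplianceVM adapter '$($_.Name)' has mode $($_.PortMirroringMode)" }
    $sources = @($Adapters | Where-Object { "$($_.PortMirroringMode)" -eq 'Source' })
    # A source only reaches the appliance when it shares the capture port's virtual switch.
    foreach ($s in $sources | Where-Object { $_.SwitchName -ne $capture.SwitchName }) {
        $findings += "Source $($s.VMName) is on '$($s.SwitchName)', capture is on '$($capture.SwitchName)'"
    }
    # Expected VMs with no Source adapter here: never configured, or migrated/failed over to another host.
    foreach ($vm in $ExpectedSources | Where-Object { $_ -notin $sources.VMName }) {
        $findings += "Expected source '$vm' is not mirroring on this host"
    }
    return $findings
}

# Constructed sample rows (not real inventory) showing three misconfigurations.
$sample = @(
    [pscustomobject]@{ VMName='FE-MDR'; Name='management'; SwitchName='external-vswitch1'; PortMirroringMode='Destination' }
    [pscustomobject]@{ VMName='FE-MDR'; Name='capture'; SwitchName='external-vswitch1'; PortMirroringMode='Destination' }
    [pscustomobject]@{ VMName='client'; Name='Network Adapter'; SwitchName='external-vswitch1'; PortMirroringMode='Source' }
    [pscustomobject]@{ VMName='web01'; Name='Network Adapter'; SwitchName='internal-vswitch2'; PortMirroringMode='Source' }
)
Test-MirrorConfig -Adapters $sample -ExpectedSources client, web01, db01

# On the Hyper-V host itself:
# Test-MirrorConfig -Adapters (Get-VMNetworkAdapter -VMName *) -ExpectedSources client
```

Running the check on a schedule, or after any live migration or failover, shows when a monitored VM has left the host and its traffic is no longer reaching the appliance.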
