# VMware Brain Deployment Guide
Document version
Based on the Vectra AI deployment guide of October 7, 2025.
## Introduction
This guide is intended to help customers or partners deploy a virtual Brain appliance in VMware environments. A VMware Brain appliance can be used in Vectra AI Platform deployments that use either the Respond UX or the Quadrant UX. The Respond UX is served from Vectra's cloud and the Quadrant UX is served locally from the Brain appliance. For more detail on Respond UX vs Quadrant UX, see Vectra Analyst User Experiences (Respond vs Quadrant).
This guide covers basic background information, connectivity requirements (firewall rules that may be needed in your environment), licensing, deployment, and next steps. One of the below guides should be the starting point for your overall Vectra deployment:
- Vectra Respond UX Deployment Guide
- Vectra Quadrant UX Deployment Guide
Either of the above guides covers basic firewall rules needed for the deployment and initial platform settings. Virtual Sensor (VMware, Hyper-V, KVM, AWS, Amazon, and GCP) configuration and pairing are covered in their respective guides. Physical appliance pairing is covered in the Vectra Physical Appliance Pairing Guide. See the Vectra Product Documentation Index on the Vectra support site for additional documentation, including deployment guides for CDR for M365 / IDR for Azure AD and CDR for AWS.
## About VMware Brain Images
The .ova image used to deploy a Brain in VMware is available on the Vectra Customer Portal, which is part of Vectra Support. Vectra periodically updates the base image used for VMware Brain deployment. It is a best practice to always download the latest image from the Vectra Customer Portal before deploying a new VMware Brain.
Brains that are connected to Vectra are updated automatically according to the settings on that Brain. Offline updates are also possible for Quadrant UX deployments only. For more details, see the Vectra Quadrant UX Deployment Guide and the Offline Updates article on the Vectra Support site.
## VMware Brain Requirements and Throughput
### For Respond UX or Quadrant UX deployments
Sizing is driven by target aggregate throughput on the capture interfaces of paired Sensors.
| Resource | 2 Gbps | 4 Gbps | 10 Gbps |
|---|---|---|---|
| CPU | 8 cores | 16 cores | 32 cores (see 32 Core NUMA Configuration) |
| Memory | 64 GB RAM | 128 GB RAM | 256 GB RAM |
| Drive (OS, Data), requires ≥ 260 MB/s | 128 GB, 512 GB | 128 GB, 512 GB | 128 GB, 512 GB |
| Max paired Sensors | 15 | 25 | 100 |
| Max simultaneous tracked hosts | 50,000 | 50,000 | 150,000 |
Supported vSphere versions: 6.5 through 8. See notes below for supported VMware hardware versions.
### For Respond UX for Network deployments only
Applies only when using network Sensors with the Respond UX.
| Resource | 150 Mbps | 500 Mbps |
|---|---|---|
| CPU | 4 cores | 6 cores |
| Memory | 48 GB RAM | 48 GB RAM |
| Drive (OS, Data), requires ≥ 260 MB/s | 128 GB, 512 GB | 128 GB, 512 GB |
| Max paired Sensors | 5 | 10 |
| Max simultaneous tracked hosts | 25,000 | 37,500 |
Supported vSphere versions: 6.5 through 8.
### Supported VMware hardware versions and platform notes
Supported VMware hardware versions
Vectra supports only versions 11 and 15 of VMware hardware. Do not update the hardware version if offered during deployment or in any other situation. If you move to an unsupported hardware version, contact Vectra Support for guidance. Downgrades may be possible but are not officially supported - support will be best-effort.
- The virtual CPU must support the `pdpe1gb` CPU flag (1 GB Large Pages), a minimum SSE instruction level of 4.2, and the `POPCNT` (population count) instruction. This requires the hypervisor host to run one of the following processors or later:
  - Intel Nehalem (2008) and newer
  - AMD Bulldozer (2011) and newer
- Check VMware's Enhanced vMotion Compatibility (EVC Explained) article for details on EVC settings that may mask the underlying physical CPU's required flags. Change EVC settings if required.
- Vectra VMware-based Brains do not support Mixed Mode deployment. They can only be used in Brain mode.
- Vectra VMware-based Brains support running in FIPS mode. The underlying hardware must also be FIPS compliant (it must support the `RDRAND` CPU instruction).
- Vectra VMware-based Brains and Sensors do not support DirectPath or SR-IOV passthrough.
- Vectra VMware-based Brains and Sensors do not support emulated network adapters.
- Vectra VMware-based Brains and Sensors do support paravirtualized NICs; Vectra uses VMXNET3 adapters.
- Vectra recommends that Brains use storage local to the hypervisor rather than a SAN. Brains require extremely high throughput from their disk storage, which cannot normally be sustained by SAN systems without impacting other SAN users.
- See Virtual Sensor (vSensor) specifications for additional guidance around Storage/SANs, networking requirements, vMotion, Enhanced vMotion compatibility, and unsupported hypervisors. That article was written from the perspective of virtual Sensors, but the considerations also apply to VMware Brains.
- vMotion is compatible with VMware Brains, but new hardware or copying the VM can cause VMware to generate a new UUID, which invalidates the Brain license and requires relicensing.
- If VMware offers a choice, always pick "I moved it" or "Keep it" instead of copying to retain the UUID and avoid relicensing. See these VMware KBs for details: Changing or keeping a UUID for a moved virtual machine, Migrating VMs with vSphere vMotion.
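The CPU flags listed above (`pdpe1gb`, SSE 4.2, `POPCNT`, plus `RDRAND` for FIPS mode) are exactly what EVC masking can hide from a guest. The script below is an added example, not part of the Vectra guide: it reads `/proc/cpuinfo` from a Linux test VM placed on the same cluster and EVC mode the Brain will use (so it sees the same masked feature set) and reports any required flag that is absent. The function name and the optional `fips` argument are this example's own; the cpuinfo path defaults to the live one and can be pointed at a saved copy.

```shell
#!/bin/sh
# Added example (not from the Vectra guide): check a Linux guest's CPU feature
# flags against what a VMware Brain requires. Run it on a throwaway Linux VM on
# the target cluster/EVC mode, since that is the feature set the Brain will see.

# required_flags_missing [cpuinfo-file] [fips]
# Prints each missing flag on its own line. Returns 0 when every required flag
# is present, 1 when at least one is missing.
required_flags_missing() {
    local cpuinfo="${1:-/proc/cpuinfo}" mode="${2:-}"
    # pdpe1gb = 1 GB large pages, sse4_2 = SSE 4.2 level, popcnt = POPCNT.
    local required="pdpe1gb sse4_2 popcnt"
    # FIPS mode additionally needs the RDRAND hardware RNG instruction.
    [ "$mode" = "fips" ] && required="$required rdrand"

    # The first "flags" line lists every feature the (virtual) CPU exposes.
    local flags
    flags=$(grep '^flags' "$cpuinfo" 2>/dev/null | head -n 1 | cut -d: -f2-)

    local rc=0 f
    for f in $required; do
        # -w matches whole words so sse4_2 does not match sse4_1 or similar.
        if ! echo " $flags " | grep -qw -- "$f"; then
            echo "$f"
            rc=1
        fi
    done
    return $rc
}

# Report on the machine this script runs on (no exit on failure so the
# function can be sourced and reused).
if missing=$(required_flags_missing /proc/cpuinfo fips); then
    echo "All required CPU flags present (including rdrand for FIPS)."
else
    echo "Missing CPU flags (check the cluster EVC mode): $missing"
fi
```

If a flag is reported missing on a host whose physical CPU is Nehalem/Bulldozer or newer, the cluster EVC baseline is the usual cause; raise it and re-run before deploying the Brain.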
## Connectivity Requirements (Firewall Rules)
The Vectra AI Platform uses several TCP/UDP ports for different communication purposes. This document details basic requirements for initial setup and pairing. Many features and integrations are optional and not in scope. Additional connectivity guidance is in the Vectra Respond UX Deployment Guide or Vectra Quadrant UX Deployment Guide. For the full set of possible firewall rules, see Firewall requirements for Vectra appliances on the Vectra Support site.
### Vectra Cloud Connectivity
- In this document, the portions of the Vectra AI Platform that reside in Vectra's cloud are referred to as the Vectra cloud (this is not a specific service offering).
- Check each category below to see whether it applies to your deployment and whether rules are required in your environment to enable connectivity.
- For rule categories with multiple region options, you only need rules for the region your Vectra tenant is deployed in. The region is visible in the URL used to access the Respond UX - e.g. `[tenant_id].ew1.prod.vectra-svc.ai` is used for EU deployments (ew1).
- RUX for Network refers to a RUX deployment that has enabled network data sources (sensors). In this setup you have a Brain on-premises (data center or public cloud) paired with network Sensors (virtual or physical) that capture traffic and distil metadata for processing by the Brain appliance. See the Vectra Respond UX Deployment Guide for more details.
- The "For Brain or User's Host" column is interpreted as:
  - Brain - rules required for the Brain to reach the Vectra cloud.
  - User's Web Browser - rules required for the user's browser to reach the Vectra cloud.
| Rule Category | Required For | For Brain or User's Host |
|---|---|---|
| RUX for Network GUI Synchronization | RUX for Network Deployments | Brain |
| Auth Gateways | RUX for Network Deployments. Quadrant UX deployments of CDR for M365, IDR for Azure AD, and CDR for AWS. | Brain |
| RUX Metadata Forwarding | RUX for Network Deployments | Brain |
| RUX Research Metadata Forwarding | RUX for Network Deployments | Brain |
| RUX Analyst/Admin Access | All RUX Deployments | User's Web Browser |
| RUX Static Asset CDN | All RUX Deployments | User's Web Browser |
| RUX Customer File Upload | All RUX Deployments | User's Web Browser |
#### RUX for Network GUI Synchronization
- Required for: All RUX for Network deployments.
- Used to synchronise configurations between the Brain appliance and your Vectra tenant.
- Initiated from the Brain to the endpoint in your Vectra tenant's region.
- Protocol/ports: Websocket and HTTPS over TCP/443.
| FQDN | IP(s) | Region | Initiated From |
|---|---|---|---|
| main-cbi-tunnel-uw2.app.prod.vectra-svc.ai | Dynamic | US | Brain |
| main-cbi-tunnel-ew1.app.prod.vectra-svc.ai | Dynamic | EU | Brain |
| main-cbi-tunnel-ec2.app.prod.vectra-svc.ai | Dynamic | Switzerland | Brain |
| main-cbi-tunnel-cc1.app.prod.vectra-svc.ai | Dynamic | Canada | Brain |
| main-cbi-tunnel-as2.app.prod.vectra-svc.ai | Dynamic | Australia | Brain |
#### Auth Gateways
- Required for:
  - All Respond UX for Network deployments.
  - Quadrant UX deployments of CDR for M365, IDR for Azure AD, and CDR for AWS. Your Brain must be able to access the Vectra cloud over TCP/443 HTTPS to report detection events from these products to your UI.
- In Respond UX for Network deployments, the Brain forwards network detections, entities, host sessions, and any selective PCAPs (Vectra Packet Capture) to your Vectra tenant via this connection.
- Initiated from your Brain to the endpoint in your Vectra tenant's region.
| FQDN | IP(s) | Protocol / Ports | Region | Initiated From |
|---|---|---|---|---|
| authgateway.uw2.public.app.prod.vectra-svc.ai | 54.245.33.175, 52.42.70.176, 100.21.109.72, 52.26.91.157 | HTTPS - TCP/443 | US | Brain |
| authgateway.ew1.public.app.prod.vectra-svc.ai | 54.171.40.108, 54.246.213.148, 54.75.47.147 | HTTPS - TCP/443 | EU | Brain |
| authgateway.ec2.public.app.prod.vectra-svc.ai | 16.62.18.237, 16.62.142.98, 51.96.54.201 | HTTPS - TCP/443 | Switzerland | Brain |
| authgateway.cc1.public.app.prod.vectra-svc.ai | 3.96.112.208, 52.60.211.221, 15.222.69.161 | HTTPS - TCP/443 | Canada | Brain |
| authgateway.as2.public.app.prod.vectra-svc.ai | 13.54.11.66, 13.55.79.24, 13.55.106.102 | HTTPS - TCP/443 | Australia | Brain |
#### RUX Metadata Forwarding
- Required for: All Respond UX for Network deployments.
- Network metadata is forwarded to AWS S3 buckets and processed to power features such as Instant Investigation and Advanced Investigation in the Respond UX.
- Initiated from your Brain to the endpoint in your Vectra tenant's region.
- Protocol/ports: HTTPS over TCP/443.
| FQDN | IP(s) | Region | Initiated From |
|---|---|---|---|
| cbo-upload-network-metadata-forwarder-uswt2-371371611652.s3-accesspoint.us-west-2.amazonaws.com | Dynamic | US | Brain |
| cbo-upload-network-metadata-forwarder-euwt1-371371611652.s3-accesspoint.eu-west-1.amazonaws.com | Dynamic | EU | Brain |
| cbo-upload-network-metadata-forwarder-eucl2-371371611652.s3-accesspoint.eu-central-2.amazonaws.com | Dynamic | Switzerland | Brain |
| cbo-upload-network-metadata-forwarder-cacl1-371371611652.s3-accesspoint.ca-central-1.amazonaws.com | Dynamic | Canada | Brain |
| cbo-upload-network-metadata-forwarder-apse2-371371611652.s3-accesspoint.ap-southeast-2.amazonaws.com | Dynamic | Australia | Brain |
#### RUX Research Metadata Forwarding
- Optional but highly recommended for: All Respond UX for Network deployments.
- Research metadata from precursor algorithms is used to improve model quality and reduce detection noise.
- Initiated from your Brain to the endpoint in your Vectra tenant's region.
- Protocol/ports: HTTPS over TCP/443.
| FQDN | IP(s) | Region | Initiated From |
|---|---|---|---|
| cbo-upload-network-precursors-uswt2-371371611652.s3-accesspoint.us-west-2.amazonaws.com | Dynamic | US | Brain |
| cbo-upload-network-precursors-euwt1-371371611652.s3-accesspoint.eu-west-1.amazonaws.com | Dynamic | EU | Brain |
| cbo-upload-network-precursors-eucl2-371371611652.s3-accesspoint.eu-central-2.amazonaws.com | Dynamic | Switzerland | Brain |
| cbo-upload-network-precursors-cacl1-371371611652.s3-accesspoint.ca-central-1.amazonaws.com | Dynamic | Canada | Brain |
| cbo-upload-network-precursors-apse2-371371611652.s3-accesspoint.ap-southeast-2.amazonaws.com | Dynamic | Australia | Brain |
#### RUX Analyst/Admin Access
- Required for: All Respond UX deployments.
- Any analyst or admin that needs to access the Respond UX must be able to reach their Vectra tenant from their browser.
- Initiated from the user's host.
- Protocol/ports: HTTPS over TCP/443.
| FQDN | IP(s) | Region | Initiated From |
|---|---|---|---|
| [tenant_id].uw2.portal.vectra.ai | Dynamic | US | User's Web Browser |
| [tenant_id].ew1.portal.vectra.ai | Dynamic | EU | User's Web Browser |
| [tenant_id].ec2.portal.vectra.ai | Dynamic | Switzerland | User's Web Browser |
| [tenant_id].cc1.portal.vectra.ai | Dynamic | Canada | User's Web Browser |
| [tenant_id].as2.portal.vectra.ai | Dynamic | Australia | User's Web Browser |
#### RUX Static Asset CDN
- Required for: All Respond UX deployments.
- Certain static assets (HTML, CSS, JS) required by the Respond UX are hosted on a CDN.
- Initiated from the user's host.
| FQDN | Protocol / Ports | IP(s) | Region | Initiated From |
|---|---|---|---|---|
| dd6462tdmvp79.cloudfront.net, dpew7prsvwbf0.cloudfront.net | HTTPS - TCP/443 | Dynamic | All | User's Web Browser |
#### RUX Customer File Upload
- Required for: All Respond UX deployments.
- This channel is used for:
  - Vectra Match deployments (uploading rulesets).
  - PCAP download from the Vectra Cloud for Selective PCAP (Vectra Packet Capture).
  - Additional capabilities are planned for future releases - it's recommended to put rules in place even if you don't use Match or Selective PCAP.
- Initiated from the user's host.
| FQDN | Protocol / Ports | IP(s) | Region | Initiated From |
|---|---|---|---|---|
| prd-main-customerfiles-580786928539-uswt2.s3.amazonaws.com | HTTPS - TCP/443 | Dynamic | US | User's Web Browser |
| prd-main-customerfiles-580786928539-euwt1.s3.amazonaws.com | HTTPS - TCP/443 | Dynamic | EU | User's Web Browser |
| prd-main-customerfiles-580786928539-eucl2.s3.amazonaws.com | HTTPS - TCP/443 | Dynamic | Switzerland | User's Web Browser |
| prd-main-customerfiles-580786928539-cacl1.s3.amazonaws.com | HTTPS - TCP/443 | Dynamic | Canada | User's Web Browser |
| prd-main-customerfiles-580786928539-apse2.s3.amazonaws.com | HTTPS - TCP/443 | Dynamic | Australia | User's Web Browser |
### General Connectivity Requirements
| Source | Destination | Protocol/Port | Description | QUX-RUX-Both |
|---|---|---|---|---|
| Admin hosts | Brain / Sensors | TCP/22 (SSH) | CLI access for Brain and Sensors. | Both |
| Admin hosts | Brain | TCP/443 (HTTPS) | Web UI of Brain appliances (Quadrant UX). Redirect / status of Brain (Respond UX). | Both |
| Brain | update2.vectranetworks.com (54.200.156.238) | TCP/443 (HTTPS) | Automatic updates. Pairing keys for physical sensors. | Both |
| Brain | api.vectranetworks.com (54.200.5.9) | TCP/443 (HTTPS) | Health monitoring, algorithm support, reverse lookups for external IPs, Vectra Threat Intelligence, additional detection content. | Both |
| Brain | rp.vectranetworks.com (54.200.156.238) | TCP/443 (HTTPS) | Used only for Brains deployed in IaaS clouds. Authentication and verification (integrity check of the file system). | Both |
| Brain | rs.vectranetworks.com (74.201.86.229) | TCP/443 and UDP/9970 | Remote Support. OpenVPN type if using a firewall with App ID rules. | Both |
| Brain | DNS servers (as configured) | TCP/53, UDP/53 | Both TCP and UDP are required for normal operation. | Both |
| Brain | NTP servers (default ntp.ubuntu.com) | UDP/123 | Time synchronisation. | Both |
| Brain | SMTP servers (as configured) | TCP (as configured) | Email alerting (optional but suggested). | Quadrant UX |
| Sensors, Stream | Brain | TCP/22 (SSH), TCP/443 (HTTPS) | Pairing, metadata transfer, and ongoing communication. | Both |
| Brain | Sensors, Stream | TCP/22 (SSH) | Remote management and troubleshooting. | Both |
| Brain | Recall collector | TCP/443 (HTTPS) | Destinations provisioned after enabled. | Quadrant UX |
| Brain | metadata.vectra.ai (100.20.236.31, 44.229.57.246, 44.228.37.60, 44.228.101.87) | TCP/443 (HTTPS) | Optional anonymised metadata sharing to contribute to future algorithm development. | Quadrant UX |
Reserved IP ranges
The following IP ranges conflict with remote support capability: 192.168.72.0/21 and 192.168.80.0/21. For remote support outside of screen-sharing sessions, the management interface (MGT) of any appliance (Brain or Sensor) must be numbered outside these ranges, or remote support access will not function.
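Before a Brain is deployed, the firewall rules above and the reserved-range rule are easiest to validate from the management segment the Brain will sit on. The script below is an added example and not part of the Vectra guide: given a planned MGT address and a tenant region code, it flags an address inside 192.168.72.0/21 or 192.168.80.0/21, builds the list of Brain-initiated TCP/443 destinations from the tables above (GUI synchronisation tunnel, Auth Gateway, metadata and research forwarding access points, and the vectranetworks.com update, API, reverse-proxy and remote-support hosts), and probes each one. Assumptions: POSIX sh with `nc` available; the region-to-AWS mapping (uw2/uswt2/us-west-2, ew1/euwt1/eu-west-1, ec2/eucl2/eu-central-2, cc1/cacl1/ca-central-1, as2/apse2/ap-southeast-2) is read off the tables and is not something Vectra publishes as a rule; the function names are this example's own. DNS, NTP, SMTP, the UDP/9970 leg of remote support and the user-browser endpoints are not probed.

```shell
#!/bin/sh
# Added pre-flight check (not from the Vectra guide). Run from the Brain's
# management segment before raising firewall change requests. Assumes `nc`.

# Return 0 if the address lies in 192.168.72.0/21 or 192.168.80.0/21
# (192.168.72.0 - 192.168.87.255), which the guide says breaks remote support.
mgt_ip_in_reserved_range() {
    local ip="$1" a b c
    a=$(echo "$ip" | cut -d. -f1)
    b=$(echo "$ip" | cut -d. -f2)
    c=$(echo "$ip" | cut -d. -f3)
    [ "$a" = 192 ] && [ "$b" = 168 ] && [ "$c" -ge 72 ] 2>/dev/null && [ "$c" -le 87 ]
}

# Print, one per line, the Brain-initiated HTTPS endpoints for a region code
# (uw2, ew1, ec2, cc1, as2) followed by the region-independent Vectra hosts.
brain_endpoints() {
    local region="$1" s3short s3region
    case "$region" in
        uw2) s3short=uswt2; s3region=us-west-2 ;;
        ew1) s3short=euwt1; s3region=eu-west-1 ;;
        ec2) s3short=eucl2; s3region=eu-central-2 ;;
        cc1) s3short=cacl1; s3region=ca-central-1 ;;
        as2) s3short=apse2; s3region=ap-southeast-2 ;;
        *) echo "unknown region code: $region" >&2; return 1 ;;
    esac
    cat <<EOF
main-cbi-tunnel-$region.app.prod.vectra-svc.ai
authgateway.$region.public.app.prod.vectra-svc.ai
cbo-upload-network-metadata-forwarder-$s3short-371371611652.s3-accesspoint.$s3region.amazonaws.com
cbo-upload-network-precursors-$s3short-371371611652.s3-accesspoint.$s3region.amazonaws.com
update2.vectranetworks.com
api.vectranetworks.com
rp.vectranetworks.com
rs.vectranetworks.com
EOF
}

# TCP/443 connect probe: 0 if a connection can be opened within 5 seconds.
tcp443_reachable() {
    nc -z -w 5 "$1" 443 >/dev/null 2>&1
}

# preflight <mgt-ip> <region>: run both checks; returns 0 only if all pass.
preflight() {
    local mgt_ip="$1" region="$2" failures=0 host
    brain_endpoints "$region" >/dev/null || return 1
    if mgt_ip_in_reserved_range "$mgt_ip"; then
        echo "WARNING  MGT $mgt_ip is inside 192.168.72.0/21 or 192.168.80.0/21; remote support will not work"
        failures=$((failures + 1))
    fi
    for host in $(brain_endpoints "$region"); do
        if tcp443_reachable "$host"; then
            echo "ok       tcp/443 $host"
        else
            echo "BLOCKED  tcp/443 $host"
            failures=$((failures + 1))
        fi
    done
    echo "$failures problem(s) found"
    [ "$failures" -eq 0 ]
}

# Usage: sh preflight.sh <mgt-ip> <region>, e.g. sh preflight.sh 10.10.5.20 ew1
if [ $# -eq 2 ]; then
    preflight "$1" "$2"
fi
```

A `BLOCKED` row maps directly to a missing rule in the category tables above; `rs.vectranetworks.com` also needs UDP/9970, which a TCP probe cannot confirm, so verify that leg with your firewall team separately.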
## Licensing and Deployment Overview
Appliance code is encrypted to protect Vectra's intellectual property, and a license is required for successful decryption of the file system and deployment. The licensing for Vectra NDR (formerly Detect for Network) running on VMware Brains also governs the ability of the system to create detections. After deployment, if your Vectra NDR license expires, detection algorithms will stop operating until a valid license is applied. Recall and Stream operation are unaffected if your Vectra NDR license expires and your Recall and/or Stream license is valid.
Deployment of a Brain appliance in VMware environments can be done on both standalone ESXi servers using the embedded host client or in full vSphere environments using vCenter to manage your virtual infrastructure. If deploying on standalone ESXi servers using the embedded host client, configuring a static IP is not possible until after deployment is completed and you have access to the Brain CLI - DHCP is the only supported IP assignment method while using the embedded host client. Deployment using vCenter allows either static or DHCP IP assignment for the Management port.
### Licensing Enforcement
NDR (Detect for Network) versions 6.20 and higher support new licensing functionality regardless of deployment type (physical appliance, cloud IaaS, VMware). All versions can see license status and enable requests for and application of licenses. Enforcement of NDR licensing is only enabled on VMware Brains. Other Brain types do not currently have licensing for NDR enforced, although Vectra plans to add enforcement for them in the future. All customers should work with their account teams to ensure licensing is up to date.
| Product | Deployment Type | License Enforcement |
|---|---|---|
| NDR (Detect for Network) | VMware Brain | Algorithms stop producing detections when expired. |
| NDR (Detect for Network) | Physical or Cloud Brains | Not currently enforced. Planned for future (timing TBD). |
Other Vectra products such as Recall, Stream, or CDR for M365 and IDR for Azure AD are also licensed, but enforcement is a matter of contract compliance between sales teams and customers or partners.
### Deployment Overview
The main steps for the deployment are summarised below. For additional detail, see Brain Deployment in VMware.
- Download the `.OVA` Brain appliance image from https://support.vectra.ai/vectra/additional-resources.
  - You must be logged in to your Vectra support account to see the download option.
- Deploy the OVA in VMware and power on the appliance using one of the methods below:
  - Using the embedded host client on standalone ESXi requires DHCP to be available to the Brain appliance when booting so an IP can be assigned. After the system is licensed and the CLI is available for login, if a static IP is required, the initial DHCP setting can be switched to a static assignment using the CLI.
  - Using vCenter with a vSphere client for the deployment allows either a static or DHCP address assignment for the initial boot of the Brain appliance.
- Browse to the IP assigned to the Brain's management interface to see the initial boot status messages. The status screen will update, but a manual refresh is required to display new information.
- When the "System Setup and Provisioning" screen appears, enter proxy information if required and then continue to the "License configuration" screen.
- Copy the licensing request code from the Vectra UI.
- On the Vectra customer portal, paste the licensing request code into the Licensing Request form in the "Enter Authorization Code" box at https://support.vectra.ai/vectra/additional-resources.
- Copy the license once generated and paste it into the Vectra UI "Licensing Information" box.
- If your Brain deployment will not be online (connected to Vectra's provisioner/updater system - only supported for Quadrant UX deployments), check the Offline box to enable offline deployment. All licensing functions will then be performed manually offline.
  - If the Offline box is not checked prior to clicking Save, the deployment will fail and you will need to start over with a fresh deployment of the OVF template.
  - Offline updates mode is automatically enabled when selecting offline deployment mode.
  - VMware Brains deployed in offline mode can never be updated online.
- Click Save on the licensing configuration screen.
- After the license is validated, the file system is decrypted, a performance test is run, the Brain reboots, and the Brain reaches out to the Vectra provisioning server to complete provisioning (if online). Finally, a success message is presented with a button to redirect to the main UI login screen. Offline Brains follow a similar process but do not need to communicate with the provisioning server and can validate the license locally.
- For Respond UX deployments, follow the process in the Vectra Respond UX Deployment Guide. You should not log in and configure anything in the Quadrant UX (which is available at this point) if you are performing a Respond UX deployment.
- Initial UI credentials: `admin`/`changethispassword`. Initial SSH (CLI) credentials: `vectra`/`changethispassword`. You will be asked to change the password after the initial login.
- Complete configuration using the Vectra Respond UX Deployment Guide or Vectra Quadrant UX Deployment Guide.
## Brain Deployment in VMware
### Requirements
- IP address and subnet mask for the Management interface of the Brain.
- DNS server addresses.
- Current login to a fully approved Vectra Support Portal account.
  - Self-registered accounts that are not fully approved on the Vectra Support Portal will not have the license request option enabled.
- An open Proof of Value (Proof of Concept or Trial) in progress with Vectra or a Vectra partner, or a valid entitlement to Vectra NDR through purchase.
  - The licensing system cannot provide licenses for customers who are not currently entitled via a trial or purchase.
- Per VMware Brain Requirements and Throughput, 32-core Brains may need their NUMA settings adjusted before initial power-on. If deploying a 32-core Brain, see 32 Core NUMA Configuration.
### Downloading the latest VMware Brain OVA image
The current Brain OVA image can be downloaded from the Vectra Customer Support Portal after logging in: https://support.vectra.ai/vectra/additional-resources → Download tab → VMware Brain OVA File → Download File. A SHA256 hash is also provided so you can verify the download completed successfully. Always download a current copy when deploying a new VMware Brain - this will save time during deployment because fewer updates will need to be downloaded afterwards. Make the file available via a URL or local filesystem where the vSphere client runs.
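Comparing the portal's SHA256 against the file you actually hand to vSphere is the one step that catches a truncated or tampered download before it becomes a failed or untrusted deployment. The script below is an added example, not part of the Vectra guide: it hashes the file with `sha256sum` (falling back to `shasum -a 256` on macOS/BSD), compares case-insensitively with the value copied from the portal, and lists the `.ovf`/`.vmdk` members inside the OVA, which is a plain tar archive. Function names and the usage form are this example's own; the hash value is always the one from the portal page, never one embedded here.

```shell
#!/bin/sh
# Added example (not from the Vectra guide): verify a downloaded Brain OVA
# against the SHA256 shown on the Vectra Customer Support Portal.
# Assumes sha256sum (coreutils) or shasum (macOS/BSD) and tar are installed.

# Print the lower-case SHA256 hex digest of a file.
sha256_of() {
    local digest
    if command -v sha256sum >/dev/null 2>&1; then
        digest=$(sha256sum "$1" | cut -d' ' -f1)
    else
        digest=$(shasum -a 256 "$1" | cut -d' ' -f1)
    fi
    echo "$digest" | tr 'A-Z' 'a-z'
}

# verify_ova <file> <expected-sha256>
# Returns 0 on match, 1 on mismatch, 2 if the file does not exist.
verify_ova() {
    local file="$1" expected actual
    # Portals sometimes display upper-case hex; normalise before comparing.
    expected=$(echo "$2" | tr 'A-Z' 'a-z')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK        $file  sha256=$actual"
        return 0
    fi
    echo "MISMATCH  $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# List the members of the OVA (a tar archive): expect one .ovf, the .vmdk
# disk(s) and usually a manifest. These are the files vCenter accepts if you
# choose to deploy the unpacked OVA instead of the .ova itself.
ova_contents() {
    tar -tf "$1"
}

# Usage: sh verify-ova.sh <ova-file> <sha256-from-portal>
if [ $# -eq 2 ]; then
    verify_ova "$1" "$2" && ova_contents "$1"
fi
```

On a mismatch, re-download from the portal rather than deploying; a partial download frequently still unpacks but fails later during import or the encrypted-filesystem verification step.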
Choose one of the two deployment methods below
Either the vSphere Client / vCenter Server method or the embedded host client for ESXi method.
### Deploying the OVA (vSphere Client / vCenter Server)
- On the host where the Brain will be deployed, right-click and select "Deploy OVF Template…".
- Select the URL or Local file option depending on where the image was made available.
  - You can select the OVA itself, or if you decompressed the OVA, select the `.ovf` and associated `.vmdk` files.
- Configure a virtual machine name and location for the VM and click Next.
- Select a compute resource for the deployment and click Next.
- Review details and click Next.
- Choose a configuration and click Next.
  - Vectra may add additional configuration options in the future. See VMware Brain Requirements and Throughput for supported configurations.
  - When deploying a v8.1 or higher base image, new 4- and 6-core Respond UX specific configurations are available. Only choose these for Respond UX for Network deployments.
- Select storage.
  - Vectra recommends thick provisioning (lazy or eager zeroed). Thin provisioning may work in some situations such as lab systems that don't require high throughput.
  - Storage DRS is not supported and should be disabled for this VM.
  - During initial boot, Vectra runs a performance test against established baselines. Results can be retrieved from the CLI using the `performance-test` command while logged in as `vectra`. See Post Deployment Guidance.
- Select the network for the `mgt1` (Management) interface and click Next.
- On the Customize template screen, fill in the required details:
  - DHCP - check this box if you want the `mgt1` interface to boot with DHCP enabled. If this is chosen, the rest of the fields don't need to be filled in (DHCP will assign them).
  - Hostname, IP Address, Netmask, Gateway, and DNS Servers - fill in as required.
    - If a static IPv6 address is assigned during deployment, IPv6 support is automatically enabled. See IPv6 Management Support for Vectra Appliances.
  - RespondUX - choose this option for a Respond UX for Network deployment.
    - When selected, the Brain boots directly into a state ready to be linked to the Vectra Cloud for use with the Respond UX. No local Quadrant UX GUI will be served, as would normally be the case for a standard VMware Brain deployment before it is linked with Vectra. Vectra personnel still need to link your Brain to your Respond UX tenant to complete your deployment.
    - Pick this option for any Respond UX for Network deployment, even if you previously chose the `6CORE_RespondUX` configuration.
  - Click Next.
- On the Ready to complete screen, validate all details and click Finish.
  - The OVF package will be imported and deployed.
### Deploying the OVA (embedded host client for ESXi)
- Select "Create/Register VM" on your host. This opens a "New virtual machine" window.
- Select "Deploy a virtual machine from an OVF or OVA file" and click Next.
- Enter a name for the VM and select or drag/drop the downloaded `.ova` file.
  - Click Next. An error message about ignoring a disk can be safely ignored.
- Select the storage location for your VM and click Next.
- On the Deployment options screen, configure the following:
  - Network mappings - choose the vSwitch for the `mgt1` (Management) interface.
    - As noted in Licensing and Deployment Overview, DHCP is the only option supported by VMware when using the embedded host client for ESXi.
  - Deployment type - choose the configuration to deploy. See VMware Brain Requirements and Throughput.
    - When deploying a v8.1+ base image, new 4- and 6-core Respond UX specific configurations are available. Only choose these for Respond UX for Network deployments.
    - Unlike the vSphere Client / vCenter method, there is no option to deploy directly into a Respond UX enabled state when using the ESXi embedded client. Vectra personnel will still need to convert the Brain to a state ready to be linked to the Vectra Cloud for use with the Respond UX.
  - Disk provisioning - choose Thin or Thick. Vectra recommends thick provisioning (lazy or eager zeroed). Thin may work for lab systems that don't require high throughput.
    - During initial boot, Vectra runs a performance test against established baselines. Results can be retrieved from the CLI using `performance-test` while logged in as `vectra`. See Post Deployment Guidance for additional detail, including minimum required disk performance.
  - Choose whether to automatically power on the VM after deployment.
  - Click Next.
- On the Ready to complete screen, validate all details and click Finish.
  - The VM will be created quickly and then the disks will be uploaded.
### 32 Core NUMA Configuration
Applies only to the 32-core Brain
No changes are required for other Brain sizes.
VMware provides guidance for Using NUMA Systems with ESXi; Virtual NUMA Controls documents the parameters. The numa.vcpu.maxPerVirtualNode parameter controls NUMA configuration for Vectra VMware VMs. Vectra cannot set this parameter at the .ova level, and on some 32-core VMware Brains (depending on the underlying hardware platform) the parameter must be set by the customer after VM deployment, or errors will be seen during boot.
If the VM reboots frequently (every 3-4 minutes), and `show system-health` at the Brain CLI shows a message about NUMA, this is the issue. To avoid it, check and set the parameter before powering on the VM.
numa.autosize.vcpu.maxPerVirtualNode is an advanced parameter in VMware vSphere/ESXi that controls how many vCPUs ESXi can automatically assign to a NUMA node when handling wide VMs. By default, ESXi sets and manages this internally based on host NUMA topology, VM sizing, and hypervisor defaults. The value should be set to 16 so that each NUMA node gets an equal number of vCPUs.
To check the parameter and set it if required:
- Go to VM Options > Advanced and edit the configuration parameters. Find the `numa.autosize.vcpu.maxPerVirtualNode` parameter.
- If the setting is `16`, close the parameters/VM options.
- If the setting is not `16`, change it to `16` and save the configuration.
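The VM Options > Advanced editor stores these parameters as `key = "value"` lines in the VM's `.vmx` file, so the same check can be scripted when several 32-core Brains are being built or audited. The functions below are an added example, not part of the Vectra guide: they read the current value of `numa.autosize.vcpu.maxPerVirtualNode` from a `.vmx` and, if it is missing or not `16`, rewrite or append it. Assumptions: the VM is powered off, you are editing either an exported copy or the datastore file from the ESXi shell, and you re-register or reload the VM afterwards so the host reads the change; the function names are this example's own, and the UI route in the guide remains the documented method.

```shell
#!/bin/sh
# Added example (not from the Vectra guide): check/set the NUMA advanced
# parameter the guide requires on 32-core Brains, directly in a .vmx file.
# Only edit a .vmx while the VM is powered off, then reload/re-register it.

NUMA_KEY='numa.autosize.vcpu.maxPerVirtualNode'

# vmx_numa_value <vmx-file>
# Prints the current value (quotes stripped), or "unset" with return code 1.
vmx_numa_value() {
    local vmx="$1" line
    # Last matching line wins, as ESXi keeps the most recent assignment.
    line=$(grep -i "^$NUMA_KEY *=" "$vmx" 2>/dev/null | tail -n 1)
    if [ -z "$line" ]; then
        echo unset
        return 1
    fi
    # Strip everything up to "=", surrounding spaces and the quotes.
    echo "$line" | sed 's/^[^=]*= *//; s/"//g; s/ *$//'
}

# vmx_ensure_numa16 <vmx-file>
# Leaves a correct file untouched; rewrites a wrong value in place (keeping a
# .bak copy); appends the key when it is absent.
vmx_ensure_numa16() {
    local vmx="$1" current
    [ -f "$vmx" ] || { echo "missing file: $vmx" >&2; return 2; }
    current=$(vmx_numa_value "$vmx") || current=unset
    if [ "$current" = 16 ]; then
        echo "$vmx: $NUMA_KEY already 16"
        return 0
    fi
    if [ "$current" = unset ]; then
        printf '%s = "16"\n' "$NUMA_KEY" >> "$vmx"
    else
        sed -i.bak "s/^$NUMA_KEY *=.*/$NUMA_KEY = \"16\"/" "$vmx"
    fi
    echo "$vmx: $NUMA_KEY changed from $current to 16"
}

# Usage: sh numa-check.sh /vmfs/volumes/<datastore>/<brain>/<brain>.vmx
if [ $# -eq 1 ]; then
    vmx_ensure_numa16 "$1"
fi
```

Run the check again after the first power-on: if `show system-health` still reports NUMA and the value reads `16`, the host did not pick up the edited file, which is the case to take to Vectra Support rather than re-edit.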
### Initial boot up and licensing
After deploying the Brain VM, it must be licensed during its initial boot.
- Power on the Brain VM.
- Once the UI is available (a few minutes after power-on), use your browser to connect to the Brain VM (using the IP assigned statically, via DHCP, or via hostname if your Brain is in DNS). If you watch the console and press Esc when you see the Ubuntu boot screen, you'll see system messages. The following message indicates that the UI will soon be available for license configuration:
- Navigate to `http://<your_brain_IP_or_hostname>` - you'll see the System Setup and Provisioning screen.
- The initial boot process is paused until a valid license is entered. This process will not time out.
- If a proxy is required to communicate with Vectra for provisioning, enter the Proxy Configuration screen and enter your proxy information.
  - If this is not done now, it can be done after a license is saved, but the provisioning process will time out and some time will be wasted until a proxy is configured.
Proxy scope
This proxy configuration screen is only used to communicate with Vectra's provisioning server and must use an HTTPS proxy. HTTP-only proxies are not supported here. Other proxy configuration in the main Vectra UI (Data Sources > Network > Brain Setup > Proxy & Status) after deployment accepts HTTP proxies and is used by non-provisioning related items.
If you are doing a Respond UX deployment and require a proxy for non-provisioning-related services and integrations (including linking to Vectra's cloud for the Respond UX), configure that proxy at the Brain CLI after you progress through this initial configuration and reach the "Success!" message. See the Respond UX Deployment Guide, Deployment > Proxy Support.
- Click into the License Configuration screen after saving a proxy configuration (if required).
- Copy the license request information using the Copy button.
- In another browser tab, navigate to https://support.vectra.ai/vectra/additional-resources and the License tab.
  - If you are not authenticated, you will be redirected to authenticate to your Vectra support account.
  - If you do not have a Vectra support account, you can self-register at the login screen, but licensing will not be available until your account is validated as a Vectra customer or prospect involved in a trial.
- Paste the licensing request into the Enter Authorization Code section and click Generate License Key. You should see a "Success" message at the top and a key in the License Key box. Copy the license key using Copy License Key and return to your Brain tab.
- Paste the license key into the License Information box.
Do not click Save yet
You must first determine whether your Brain will be Online or Offline. If your Brain will be Offline (Quadrant UX only), you must click the Offline checkbox now before clicking Save, or your deployment will fail and you will need to redeploy a new Brain VM and start over.
- Offline Brains do not communicate with Vectra's provisioning service.
- Offline Brains are typically used in air-gapped environments where customers do not have internet access and cannot communicate with Vectra directly.
- For more on offline Brains:
  - Offline Updates (v8.9+)
  - Vectra Respond UX Deployment Guide or Vectra Quadrant UX Deployment Guide
- After determining whether your Brain will be online (typical for most customers) or offline, click Save. You may need to refresh the resulting page, which may still say there is no license in place. After the refresh, you should see the status messages.
- After the license is validated, the file system is decrypted, a performance test is run, the Brain reboots, and the Brain reaches out to the Vectra provisioning server to complete provisioning. A success message is presented with a button to redirect to the main UI login screen. Offline Brains follow a similar process but do not need to communicate with the provisioning server and can validate the license locally.
- Status messages update, but you must manually refresh the browser to see new messages. Examples:
  - Verification complete, decrypting file system. This may take up to 5 minutes.
  - Successfully reached provisioning server, provisioning. This may take up to 15 minutes.
  - Device is rebooting. This may take up to 10 minutes.
  - Device is provisioned.
  - Success! Your connection is all set. [Login]
- Once you see the success message and blue Login button, you are ready to log in to the main Vectra UI for a Quadrant UX deployment.
  - Click Login and enter the default credentials.
  - Initial UI credentials: admin/changethispassword. You will be asked to change the default password upon initial login.
  - SSH to the CLI is now available. Initial CLI credentials: vectra/changethispassword. You will be asked to change the default password upon initial login.
- For Respond UX deployments, follow the process in the Vectra Respond UX Deployment Guide. Do not log in to the Quadrant UX served from the Brain at this time.
Post Deployment Guidance¶
Setting a static IP and DNS after initial DHCP deployment¶
If you used DHCP for the initial deployment but would like to configure a static IP for production use, log in to the CLI of the Brain to set a static interface assignment. DNS for Brain VMs can be configured at the CLI or in the UI.
Log in via your hypervisor console or using SSH to the management port if it was preconfigured with DHCP.
- Connect to the Brain CLI via the hypervisor console, or with ssh vectra@<IP or Hostname> if you have DHCP and know the address/hostname.
- Once logged in, view the command syntax for set interface:
- Setting the IP address statically:
- In v8.5+ of Vectra software, IPv6 is supported on the MGT1 interface. For full details, including dual-stack support, see IPv6 Management Support for Vectra Appliances on the Vectra support portal. Below is how to enable IPv6 support (off by default) and the syntax for IPv4 and IPv6.
- Enable/disable IPv6 support:
- IPv4 and IPv6 syntax examples:
  IPv4 Syntax: set interface mgt1 static x.x.x.x y.y.y.y z.z.z.z
  Where:
  x.x.x.x is the desired interface IP address
  y.y.y.y is the desired interface network mask
  z.z.z.z is the desired gateway
  IPv6 Syntax: set interface mgt1 static [IPv6 IP] [Subnet Mask] [Gateway]
  Example: set interface mgt1 static 2001:0db8:0:f101::25 64 2001:0db8:0:f101::1
- To change back to DHCP (default):
- Configure DNS for the appliance. Syntax (up to 3 nameservers supported):
  Example:
- Verify DNS configuration:
- You can also set DNS in the UI at Data Sources > Network > Brain Setup > DNS Entries.
Example - setting a static IP and DNS at the CLI:
vscli > set interface mgt1 static 172.16.12.11 255.255.255.0 172.16.12.1
Interfaces updated successfully
vscli > set dns 10.50.10.101
DNS Set: success
vscli > show interface
mgt1:
Running:
Gateway: 172.16.12.1,
Ip: 172.16.12.11,
Link Speed: 10Gbps,
Link State: up,
Mac: 00:0c:29:89:ad:a6,
Mode: static,
Netmask: 255.255.255.0
vscli > show dns
Id|Server |Description
1 10.50.10.101 Configured DNS nameserver
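Because a mistyped static assignment on mgt1 can cost you the SSH session you are configuring from, it is worth checking the values before typing them at vscli. The following is an added example, not Vectra's own tooling: it validates the arguments for set interface mgt1 static (dotted netmask for IPv4 as in the syntax above, prefix length for IPv6, gateway inside the resulting subnet) and for set dns, and echoes the exact command lines. The space-separated multi-server form of set dns is an assumption, since the guide only shows a single server in its example.

```python
"""Pre-flight check for the values you are about to type at the Brain CLI.

Added example (not Vectra's own tooling): it validates the arguments for
`set interface mgt1 static` and `set dns` with the standard library and
echoes the exact command lines, so a typo is caught before the management
interface is reconfigured.
"""
import ipaddress
from typing import Tuple


def check_static_interface(address: str, mask_or_prefix: str, gateway: str,
                           iface: str = "mgt1") -> Tuple[bool, str]:
    """Return (True, command) when the values are consistent, else (False, reason).

    IPv4 takes a dotted netmask (as in the guide's syntax), IPv6 a prefix
    length; the gateway must lie inside the resulting subnet.
    """
    try:
        addr = ipaddress.ip_address(address)
        gw = ipaddress.ip_address(gateway)
        if addr.version != gw.version:
            return False, "address and gateway must be the same IP version"
        if addr.version == 4:
            # IPv4Address() rejects anything that is not dotted-quad; ip_network()
            # then rejects non-contiguous masks such as 255.255.0.255.
            mask = ipaddress.IPv4Address(mask_or_prefix)
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            if net.netmask != mask:
                return False, f"{mask} is not a valid netmask"
            if net.prefixlen < 31 and addr in (net.network_address, net.broadcast_address):
                return False, f"{addr} is the network or broadcast address of {net}"
        else:
            prefix = int(mask_or_prefix)
            if not 0 <= prefix <= 128:
                return False, "IPv6 prefix length must be between 0 and 128"
            net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        if gw not in net:
            return False, f"gateway {gw} is not inside {net}"
        if gw == addr:
            return False, "gateway must differ from the interface address"
    except ValueError as exc:  # malformed addresses, masks and prefix lengths
        return False, str(exc)
    # Echo the operator's own spelling of the values, not the normalised forms.
    return True, f"set interface {iface} static {address} {mask_or_prefix} {gateway}"


def check_dns(*servers: str) -> Tuple[bool, str]:
    """Validate 1 to 3 nameserver addresses and build the `set dns` line.

    The guide states up to 3 nameservers are supported; the space-separated
    multi-server form used here is an assumption (the guide's example shows
    only `set dns 10.50.10.101`), so confirm it against the CLI help.
    """
    if not 1 <= len(servers) <= 3:
        return False, "set dns accepts 1 to 3 nameservers"
    for s in servers:
        try:
            ipaddress.ip_address(s)
        except ValueError:
            return False, f"{s!r} is not an IP address"
    return True, "set dns " + " ".join(servers)


if __name__ == "__main__":
    # Values from the guide's own examples plus one deliberately wrong gateway.
    for args in (("172.16.12.11", "255.255.255.0", "172.16.12.1"),
                 ("2001:0db8:0:f101::25", "64", "2001:0db8:0:f101::1"),
                 ("172.16.12.11", "255.255.255.0", "172.16.13.1")):
        print(check_static_interface(*args))
    print(check_dns("10.50.10.101"))
```

Run it with the values you intend to use; only paste a command into vscli when the first element of the tuple is True.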
Required Sensor update package for offline mode (Quadrant UX only)¶
As mentioned earlier, offline licensing and offline updates are configured separately. A Brain that is offline for licensing will not communicate with Vectra for updates, so offline updates must be enabled. To be enabled for offline updates, you must enable manual updates for your deployment - this is typically done over a web meeting with screen sharing. See Offline Updates (v8.9+) on the Vectra support site.
Once enabled for offline updates, you must apply a Sensor update package so that virtual Sensors (cloud or customer hypervisor) become fully functional. Any future updates will also require this package to have been installed. Offline Updates (v8.9+) also provides details on how to perform offline updates.
Performance testing¶
A performance test is run during the initial boot process to test the Brain against Vectra baselines for the different configuration options.
Cached results from the initial performance test can be retrieved from the CLI while logged in as vectra. Additional performance tests can be run using the --force switch on the performance test command.
Intensive operation
Running the performance test is intensive and takes down most services on the Brain. Additional performance tests should only be run when your security team knows the Brain will be unavailable. Paired Sensors will buffer metadata that can't be sent to the Brain, so there should ultimately be no detection gap, although this can introduce a delay in detection publishing while the test runs.
- Baselines are set by Vectra for each Brain configuration.
- Warning is triggered at 10% below expectations. Critical is triggered at 20% or more below expectations.
- 260 MB/s is the minimum required throughput for all disks (OS and Data) and corresponds to a score of 10.0 on the disk category.
- Critical is considered a failure and performance is not expected to be satisfactory. Vectra engineering treats systems that fail the performance test as invalid configurations - customers should use more performant base hardware to ensure supportability, reliability, and performant operation.
Example:
vscli > performance-test --help
Usage: performance-test [OPTIONS]
Run a system performance test
Options:
--force Run all tests regardless of cached results.
-h, --help Show this message and exit.
vscli > performance-test
This may take up to five minutes. Most system services will be down for the duration of the test.
Test |Score |Result |Time
cpu 10.00 / 10.0 pass 30.04
cpu_steal 10.00 / 10.0 pass 0.06
disk 10.00 / 10.0 pass 47.94
memory 10.00 / 10.0 pass 0.00
memory_balloon 10.00 / 10.0 pass 0.05
overall 10.00 / 10.0 pass 78.09
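The appliance already prints a pass/fail column, but when you want the scores in a SIEM or a change ticket it helps to re-derive the status with the thresholds stated above (warning at 10% below baseline, critical at 20% or more below). The following is an added example, not part of the Vectra CLI: it parses the performance-test table, applies those thresholds, and lists the tests that need attention. The degraded sample output is constructed for illustration; treating exactly 10% below baseline as a warning is this example's reading of the guide.

```python
"""Parse `performance-test` output and apply the guide's thresholds.

Added example, not part of the Vectra CLI: the appliance already prints a
pass/fail column, but re-deriving the status lets you ship the scores to a
SIEM or a ticket with the warning/critical semantics the guide states.
"""
import re
from typing import Dict, List

# One row of the results table, e.g. "disk 10.00 / 10.0 pass 47.94".
ROW = re.compile(
    r"^(?P<test>\w+)\s+(?P<score>\d+(?:\.\d+)?)\s*/\s*(?P<expected>\d+(?:\.\d+)?)"
    r"\s+(?P<result>\w+)\s+(?P<seconds>\d+(?:\.\d+)?)$"
)
WARNING_SHORTFALL = 0.10   # "Warning is triggered at 10% below expectations."
CRITICAL_SHORTFALL = 0.20  # "Critical is triggered at 20% or more below expectations."


def classify(score: float, expected: float) -> str:
    """Map a score against its baseline to ok / warning / critical.

    Rounding keeps 9.0/10.0 from landing at 0.0999... and slipping under the
    warning threshold; treating exactly 10% below as a warning is this
    example's reading of the guide.
    """
    shortfall = round(1.0 - score / expected, 6)
    if shortfall >= CRITICAL_SHORTFALL:
        return "critical"
    if shortfall >= WARNING_SHORTFALL:
        return "warning"
    return "ok"


def parse_performance_test(output: str) -> Dict[str, dict]:
    """Return {test_name: {...}} for every table row; other lines are ignored."""
    results = {}
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # prompt line, the "This may take..." notice, table header
        score, expected = float(m["score"]), float(m["expected"])
        results[m["test"]] = {
            "score": score,
            "expected": expected,
            "reported": m["result"],   # what the appliance itself printed
            "status": classify(score, expected),
            "seconds": float(m["seconds"]),
        }
    return results


def needs_attention(results: Dict[str, dict]) -> List[str]:
    """Names of tests that are not 'ok', sorted so output is stable."""
    return sorted(name for name, r in results.items() if r["status"] != "ok")


# Output copied from the guide's example (all tests at baseline).
HEALTHY = """\
vscli > performance-test
This may take up to five minutes. Most system services will be down for the duration of the test.
Test |Score |Result |Time
cpu 10.00 / 10.0 pass 30.04
cpu_steal 10.00 / 10.0 pass 0.06
disk 10.00 / 10.0 pass 47.94
memory 10.00 / 10.0 pass 0.00
memory_balloon 10.00 / 10.0 pass 0.05
overall 10.00 / 10.0 pass 78.09
"""

# Constructed sample (not real appliance output): a slow datastore and a
# ballooning hypervisor, to exercise the warning and critical paths.
DEGRADED = """\
Test |Score |Result |Time
cpu 10.00 / 10.0 pass 30.10
cpu_steal 9.00 / 10.0 fail 0.07
disk 8.50 / 10.0 fail 61.20
memory 10.00 / 10.0 pass 0.00
memory_balloon 7.00 / 10.0 fail 0.05
overall 8.70 / 10.0 fail 91.42
"""

if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        parsed = parse_performance_test(text)
        print(label, {k: v["status"] for k, v in parsed.items()}, needs_attention(parsed))
```

A critical result on any category, and especially on disk, is the cue to revisit the datastore or host sizing before pairing Sensors; the guide treats a failed test as an unsupported configuration.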
Integrity checks¶
Vectra performs file system integrity checks to make sure core libraries have not been altered. If the system detects changes during boot, a system setup and provisioning dialog similar to the licensing screen will appear.
- Click Set File System Configuration.
- Copy the error code and send it to Vectra Support for decryption.
- Vectra has tooling to determine what has been changed and, if warranted, can provide a whitelist code to allow the system to continue booting.
- Whitelist codes work one time. If the system again fails a file system integrity check, a new whitelist code will be required. Work with Vectra Support to ensure compliance.
Configuration validation¶
During boot, the Brain determines which configuration it is running and sets parameters differently depending on resource availability per configuration. This is automatic and requires no user input. Vectra may choose to support additional configuration options in the future - work with your Vectra account team to provide feedback on additional configuration options that would be useful to your organisation.
The show system-health command can be run at the CLI as the vectra user to verify your configuration is a supported option. Look for [ OK ] VM Specifications. The specific checks shown may not match your system - Vectra occasionally updates the specific checks used.
Example:
vscli > show system-health
======== Ran 8 check(s). 8 Passed, 0 Failed, 0 No Result ========
vscli > show system-health --verbose
[ OK ] Available Virtual Storage Space
[ OK ] Disk Writable
[ OK ] NIC Detection
[ OK ] Vectra User Password
[ OK ] Sensor Connectivity
[ OK ] Sensor Link Utilization
[ OK ] Sensor Tunnel
[ OK ] VM Specifications
License checks and renewal¶
Once a Brain is up and running, it periodically checks its license status regardless of whether the Brain is online or offline (from Vectra's perspective). 30 days before expiration it begins sending syslog messages counting down to expiration. Once the license expires, a new syslog message is sent (Quadrant UX). Respond UX deployments write the message to the audit log, which is available for query via API. Examples:
"License Checker: Detect License Expires in {days_until_expiration} days."
"License Checker: Detected Invalid/Expired License, disabling services"
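A license that lapses unnoticed disables services, so the countdown messages above are worth turning into alerts rather than leaving in the syslog stream. The following is an added example, not Vectra code: it matches the two License Checker message formats quoted above, escalates severity as the countdown shortens, and picks the most urgent event from a batch of lines. The syslog framing of the sample lines and the severity ladder are this example's own constructed choices.

```python
"""Turn the Brain's License Checker syslog messages into SIEM-ready events.

Added example, not Vectra code: the two message formats are the ones quoted
in the guide; the syslog framing of the sample lines and the severity ladder
are this example's own (constructed) choices.
"""
import re
from typing import List, Optional

EXPIRING = re.compile(r"License Checker: Detect License Expires in (?P<days>\d+) days\.")
EXPIRED = re.compile(r"License Checker: Detected Invalid/Expired License, disabling services")


def severity_for(days_left: int) -> str:
    """Escalate as the countdown shortens (the thresholds are an assumption)."""
    if days_left <= 7:
        return "high"
    if days_left <= 14:
        return "medium"
    return "low"


def parse_license_event(line: str) -> Optional[dict]:
    """Return an event dict for a License Checker line, None for anything else."""
    m = EXPIRING.search(line)
    if m:
        days = int(m["days"])
        return {"event": "license_expiring", "days_left": days, "severity": severity_for(days)}
    if EXPIRED.search(line):
        # Services are disabled at this point, so detections stop being published.
        return {"event": "license_expired", "days_left": 0, "severity": "critical"}
    return None


def scan(lines: List[str]) -> List[dict]:
    """Parse a batch of syslog lines, keeping only License Checker events."""
    return [e for e in (parse_license_event(line) for line in lines) if e]


def most_urgent(events: List[dict]) -> Optional[dict]:
    """Pick the event with the fewest days left, or None if there are none."""
    return min(events, key=lambda e: e["days_left"], default=None)


# Constructed sample lines (the RFC 3164 style framing is illustrative only).
SAMPLE = [
    "<14>Oct  7 09:00:01 brain-01 vectra: License Checker: Detect License Expires in 30 days.",
    "<14>Oct 30 09:00:01 brain-01 vectra: License Checker: Detect License Expires in 7 days.",
    "<14>Oct 30 09:00:02 brain-01 sshd[1234]: Accepted publickey for vectra from 10.50.10.20 port 51422",
    "<11>Nov  6 09:00:01 brain-01 vectra: License Checker: Detected Invalid/Expired License, disabling services",
]

if __name__ == "__main__":
    for event in scan(SAMPLE):
        print(event)
    print("most urgent:", most_urgent(scan(SAMPLE)))
```

For Respond UX deployments the same message text lands in the audit log rather than syslog, so the parse functions apply unchanged to records pulled via the API.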
Your license status can be seen in:
- Manage > Licensing
- Discover > System Health > Deployments - if license status does not show, click Update Now at the bottom.
For Brains connected to Vectra, license renewal is automated - no user intervention required. When your sales contract is renewed and the expiration date is updated, Vectra's provisioning service will provide a new license key to your Brain.
If your Brain is offline (not connected to Vectra or air-gapped), to renew your Vectra license browse to Manage > Licensing, copy the authorisation code, provide it to Vectra (Support, sales team, etc.), and Vectra will provide a new license key for entry into the UI once your entitlement is verified.
About VMware vCenter Integration¶
vCenter integration from the Vectra Brain enables a number of features:
- Virtual Infrastructure view.
- vCenter host information artifacts help feed Vectra's automated Host ID.
- Additional VMware context is available for analysts on VMware hosts.
- vCenter alerts are possible as an additional notification type.
Virtual Infrastructure View¶
Enabling vCenter API query connectivity helps with VMware vSensor deployment planning by identifying the physical hosts, clusters, and data centres that currently have vSensor coverage and those that do not.
Enabling the vCenter connection also shows available resources on physical VMware hosts and exposes configuration errors that might affect packet capture. This view, at Network Stats > Virtual Infrastructure, helps the Vectra admin identify the exact requirements that need to be conveyed to VMware operational teams.
With this integration, the security team may not need to rely on the IT team to be notified of changes impacting them.
Once vCenter integration is configured, the Network Stats > Virtual Infrastructure Hosts page is enabled in the Vectra GUI.
The filter dropdown controls what is shown on the Virtual Infrastructure page:
- A red exclamation point means a physical hypervisor is NOT covered - either no vSensor is installed on the hypervisor or the installed vSensor cannot be detected.
- A yellow warning sign means there is a configuration issue with the installed vSensor.
- A green checkmark means the vSensor is configured and functioning properly.
vCenter Host ID artifacts¶
Vectra's automated Host ID is a key benefit for analysts. The goal is to provide human-readable names associated with known hosts.
Host names result from known information about the host. Each observed name is referred to as an artifact. Artifacts are typically added to a host record over time as more host activity is seen and better associations are made. Artifacts may be removed from a host depending on observed behaviours.
Hosts are tracked internally in a name-agnostic manner. When assessing host naming in your deployment, note that host names are decided at the time of viewing the web page - displayed host names will change over time to reflect the most human-readable name given the artifacts available at the time of page display.
The hostname obtained via vCenter/vSphere integration through an active query of the vCenter API is a key artifact when available. It is considered a best practice to enable vCenter integration even if you will not deploy VMware vSensors.
For additional information, see Understanding Vectra NDR Host Naming on the Vectra support portal.
Additional Host context for analysts¶
When an analyst views a host running VMware tools and reporting back to vCenter/vSphere with Vectra vCenter integration enabled, additional context is available. On the left-hand side of the host's page in the Vectra UI, look for summary info including the VM name and operating system as reported by the vCenter API. The Host Details view has a more complete view.
vCenter alerts¶
Once vCenter integration is configured, additional alerts are available for changes in the environment that may merit security consideration. To enable them, navigate to Settings > Notifications > Alert Emails, select the pencil / Edit icon, scroll to the bottom of Alert Emails settings, and enable the Send vCenter alerts toggle. Example scenarios where an alert will be sent:
- A new physical hypervisor where a vSensor may be needed has been added to the environment.
- A vSensor has been moved or powered down.
- A VM is moved from a host monitored by a vSensor to a host not monitored by a vSensor.
Enabling vCenter Integration¶
Prepare a vSphere account for Brain access¶
To connect the Brain to vSphere, a vSphere user account and password must be configured on the Brain. The user account must have at least global, read-only rights. The Brain will not attempt to write any data to your VMware environment.
To ensure the vSphere user/group the Brain will use has global, read-only access, use the following steps in the vSphere UI:
- From the vSphere Administration page, select Access > Global Permissions.
- Click the + to display the global permissions dialog.
- At the bottom of the left pane, click Add.
- Ensure the domain is set correctly, select the users or groups you intend to use in Vectra's configuration to connect to the vCenter API, and click OK.
- In the Assign Role section, select Read-Only from the drop-down list.
- Make sure Propagate to children is selected, and click OK.
Configure vCenter/vSphere integration¶
You will need the IP or hostname of your VMware vCenter server. You can configure multiple integrations if you have more than one server to connect to. You will also need the port number, username, and password.
Navigate to Settings > External Connectors > vCenter and edit the vCenter settings. Any previously configured vCenters are shown here.
Click + Add vCenter to add an additional vCenter, fill in the blanks, and click Save.
Resizing the Brain¶
In some environments, you may wish to start with a smaller Brain instance and later move to a larger one to handle additional load (metadata from paired Sensors or additional paired Sensors).
- See Resizing Virtual Sensors and Brains for details.
Next Steps¶
At this point your VMware Brain is fully deployed and you can move on to other tasks associated with your overall deployment.
It is recommended to follow the Vectra Respond UX Deployment Guide or Vectra Quadrant UX Deployment Guide for additional information regarding initial settings for your deployment. You may wish to deploy and pair network Sensors or configure other Vectra offerings such as Recall, Stream, CDR for M365, IDR for Azure AD, CDR for AWS, etc. Additional documentation can be found in the Vectra Product Documentation Index on the Vectra Support site.
Worldwide Support Contact Information¶
- Support portal: https://support.vectra.ai/
- Email: support@vectra.ai (preferred contact method)
- Additional information: https://www.vectra.ai/support
- Performance represents the aggregate bandwidth observed on the capture interfaces of any Sensors paired to the Brain. Guidance is for average traffic mixes. Traffic mixes that skew toward larger flows (like file transfers) will perform better than mixes that skew towards smaller flows (like DNS), which produce more metadata.
- Refers to how many hosts the Brain can track simultaneously (open host sessions). Brains retain and display data for larger numbers of hosts; this figure only covers how many the system can process metadata for simultaneously.
- See 32 Core NUMA Configuration for details on checking and setting the required parameter.