Virtual Deployment Overview

This document provides instructions on the installation and configuration of NetWitness hosts running in a virtual environment.

Virtual hosts have the same functionality as the NetWitness Azure, AWS, and hardware hosts. NetWitness recommends that you perform the following tasks when you set up your virtual environment.

Before you can deploy NetWitness in virtual environment, you need to:

IMPORTANT: Get familiar with the NetWitness Storage Guide to understand the types of drives and volumes needed to support NetWitness instances. For more information, see Storage Guide for NetWitness Platform 11.x.

  • Review the recommended compute and memory specifications needed for each NetWitness instance.

  • Make sure that you have a NetWitness Throughput license.
  • Review of the network architecture and port usage.


The components and topology of a NetWitness network can vary greatly between installations, and should be carefully planned before the process begins. Initial planning includes:

  • Consideration of site requirements and safety requirements.
  • Support of group aggregation on Archivers and Concentrators, and virtual hosts.

When updating hosts and services, follow recommended guidelines under the "Running in Mixed Mode" topic in the Host and Services Getting Started Guide.

You should also become familiar with Hosts, Host Types, and Services as they are used in the context of NetWitness also described in the Host and Services Getting Started Guide.

NetWitness High-Level Deployment Diagram

NetWitness is inherently modular. Whether organizations are looking to deploy on-premise or in the cloud, the NetWitness components are decoupled in a way which allows flexible deployment architectures to satisfy a variety of use cases.

The following figure is an example of a hybrid cloud deployment, where the base of the components are residing within the SecOps VPC. Centralizing these components make management easier while keeping network latency to a minimum.

Network, log and endpoint traffic could then be aggregated up to the SecOps VPC. The on-premise location would function just like a normal physical deployment and would be accessible for investigations and analytics.

Cloud SaaS visibility could be captured from a Log Decoder residing in either the cloud or on-premise locations.


For information on VMware concepts, refer to the VMware product documentation.

The virtual hosts are provided as an OVA. You need to deploy the OVA file as a virtual machine in your virtual infrastructure.

Installation Media

Installation media are in the form of OVA and VHDX packages, which are available for download and installation from Downloads ( As part of your order fulfillment, NetWitness gives you access to the OVA and VHDX.