Kaspersky Anti Targeted Attack Platform
7.0
English

Contents

Managing monitoring points

Kaspersky Anti Targeted Attack Platform uses

monitoring points
to receive and process mirrored SPAN traffic. Monitoring points can be added and removed for the Central Node and Sensor components.

Each monitoring point must be associated with a network interface that receives a copy of traffic from a certain network segment. To add monitoring points, you can use network interfaces that satisfy the following conditions:

  • Network interface type: Ethernet.
  • MAC address: not 00:00:00:00:00:00.
  • The network interface is designated for receiving a copy of network traffic and is not used for other purposes (for example, for connecting servers with installed application components).

Monitoring points can be enabled or disabled. You can disable a monitoring point to temporarily stop monitoring a network segment from which a copy of the traffic is received on the network interface. When you need to resume monitoring, you can re-enable the monitoring point.

After disabling or removing a monitoring point, the application may log events involving this monitoring point for some time. This is due to a possible lag in processing incoming traffic when the Central Node component is under high load.

Monitoring point details are displayed in the card of the network interface to which this monitoring point is linked. If necessary, you can rename the monitoring point.

In this section

Adding a monitoring point

Renaming a monitoring point

Enabling monitoring points

Disabling monitoring points

Deleting a monitoring point
Page top
[Topic 129425]

Adding a monitoring point

To receive and process traffic from the network on a network interface of a node, you need to add a monitoring point to that network interface.

To add a monitoring point to a network interface:

  1. Select the Sensor servers section in the window of the application web interface.
  2. In the card of the relevant network interface, click the Add monitoring point link.

    This opens the window for adding a monitoring point.

  3. In the Monitoring point name field, enter a name for the monitoring point.

    You can use uppercase and lowercase letters of the Latin alphabet, numbers, and _ and - characters.

    The name of the monitoring point must satisfy the following requirements:

    • Is unique (not assigned to any other monitoring point).
    • Contains 1 to 100 characters.
  4. Click Add monitoring point.

The monitoring point is added.

See also

Identifying the Ethernet port associated with a network interface

Managing technologies
Page top
[Topic 136490]

Renaming a monitoring point

You can rename the monitoring point associated with a network interface.

The new name of the monitoring point is reflected in the events logged after the renaming. Previously logged events keep the old name of the monitoring point.

To rename a monitoring point:

  1. Select the Sensor servers section in the window of the application web interface.
  2. Click the card of the relevant network interface.
  3. This opens a window with information about the network interface.
  4. Click Edit.
  5. In the Monitoring point name field, enter a new name.

    You can use uppercase and lowercase letters of the Latin alphabet, numbers, and _ and - characters.

    The name of the monitoring point must satisfy the following requirements:

    • Is unique (not assigned to any other monitoring point).
    • Contains 1 to 100 characters.
  6. Click Save.

The monitoring point is renamed.

Page top
[Topic 136491]

Enabling monitoring points

If a monitoring point is disabled, the application does not receive or process traffic arriving at its network interface. If you want to resume receiving and processing traffic, you must enable the monitoring point.

You can enable monitoring points individually or all at once, for one component or for all components.

Only users with the Administrator role can enable monitoring points.

To enable monitoring points:

  1. Select the Sensor servers section in the window of the application web interface.
  2. Do one of the following:
    • If you want to enable an individual monitoring point, in the card of the relevant component, click the Enable button. The button is available if the monitoring point is disabled.
    • If you want to enable all monitoring points, in the card of the relevant component, click the Enable all button. The button is available if the component has network interfaces with disabled monitoring points.
    • If you want to enable all monitoring points for all components, click the Enable on all nodes link in the toolbar.
  3. Wait for the changes to be applied.

The selected monitoring points are enabled.

Page top
[Topic 139258]

Disabling monitoring points

You can disable a monitoring point if you want to temporarily stop receiving and processing traffic on the network interface of that monitoring point.

You can disable monitoring points individually or all at the same time, for all components.

To disable monitoring points:

  1. Select the Sensor servers section in the window of the application web interface.
  2. Do one of the following:
    • If you want to disable an individual monitoring point, in the card of the relevant component, click the Disable button. The button is available if the monitoring point is enabled.
    • If you want to disable all monitoring points, in the card of the relevant component, click the Disable all button. The button is available if the component has network interfaces with enabled monitoring points.
    • If you want to disable all monitoring points for all components, click the Disable on all nodes link in the toolbar.
  3. Wait for the changes to be applied.

The selected monitoring points are disabled.

Page top
[Topic 136972]

Deleting a monitoring point

You can delete the monitoring point associated with a network interface. Deleting a monitoring point may be necessary if the network interface will no longer be used to receive traffic.

If you need to temporarily stop receiving traffic on the network interface of the monitoring point (for example, during maintenance and commissioning), you can disable the monitoring point without deleting it.

Traffic received from the monitoring point before it was deleted is not deleted from the database. Also, information about this monitoring point is kept in the table of logged events.

To delete a monitoring point:

  1. Select the Sensor servers section in the window of the application web interface.
  2. Click the card of the relevant network interface.
  3. This opens a window with information about the network interface.
  4. Click Delete.

    A window with a confirmation prompt opens. If the monitoring point is enabled, the application prompts you to disable the monitoring point.

  5. In the prompt window, confirm the deletion of the monitoring point.

The monitoring point is deleted.

Page top
[Topic 136492]