Kaspersky Anti Targeted Attack Platform

Preparing the IT infrastructure for installing application components

Before installing the application, prepare your corporate IT infrastructure for the installation of components of Kaspersky Anti Targeted Attack Platform:

  1. Ensure that the servers, the computer intended for working with the application web interface, and the computers on which the Endpoint Agent component will be installed all satisfy the hardware and software requirements.
  2. To protect the network from the objects being analyzed, deny the Sandbox server access to the local network on both the management network interface and the network interface used for internet access of processed objects.
  3. Prepare the corporate IT infrastructure in accordance with the table below:

    Ports for interaction between Kaspersky Anti Targeted Attack Platform components

    | Source | Direction | Port or protocol | Description |
    |---|---|---|---|
    | Central Node | Inbound | TCP 22 | Connecting to the server over SSH |
    | Central Node | Inbound | TCP 443 | Receiving data from the Endpoint Agent (KEDR) |
    | Central Node | Inbound | TCP 8085 | Receiving data from the Endpoint Agent (NDR) |
    | Central Node | Inbound | TCP 8443 | Access to the web interface of the application |
    | Central Node | Inbound | TCP 9081 | Receiving data from Sensors installed on standalone servers |
    | Central Node | Inbound | TCP 7423, 13520 | Communication with the Sensor server |
    | Central Node | Inbound | UDP 53 | |
    | Central Node | Outgoing | TCP 80, TCP 443, TCP 1443 | Communication with the KSN servers and Kaspersky update servers |
    | Central Node | Outgoing | TCP 443 | Sending objects to Sandbox for scanning |
    | Central Node | Outgoing | TCP 601 | Sending messages to the SIEM system |
    | Central Node | Outgoing | UDP 53 | Communication with the Sensor server |
    | Central Node | Inbound and outbound | ESP, AH, IKEv1, IKEv2 | For interaction between Central Node and Sensor over a secure link based on the IPSec protocol |
    | Sensor | Inbound | TCP 22 | Connecting to the server over SSH |
    | Sensor | Inbound | TCP 1344 | Receiving traffic from the proxy server |
    | Sensor | Inbound | TCP 25 | Receiving SMTP traffic from the mail server |
    | Sensor | Inbound | TCP 443 | When Sensor is used as a proxy server for communication between workstations with Endpoint Agent and Central Node |
    | Sensor | Inbound | TCP 8085 | Receiving data from the Endpoint Agent (NDR) |
    | Sensor | Inbound | TCP 9443 | Access to the web interface of the component |
    | Sensor | Inbound | UDP 53 | Communication with the Central Node server |
    | Sensor | Outgoing | TCP 80, TCP 443 | Communication with the KSN servers and Kaspersky update servers |
    | Sensor | Outgoing | TCP 995 | Integration with the mail server for secure connections |
    | Sensor | Outgoing | TCP 110 | Integration with the mail server for unsecured connections |
    | Sensor | Outgoing | TCP 7423, 13520 | Communication with the Central Node server |
    | Sensor | Outgoing | UDP 53 | |
    | Sensor | Inbound and outbound | ESP, AH, IKEv1, IKEv2 | For interaction between Central Node and Sensor over a secure link based on the IPSec protocol |
    | Sandbox | Inbound (management interface) | TCP 22 | Connecting to the server over SSH |
    | Sandbox | Inbound (management interface) | TCP 443 | Interaction with the Central Node |
    | Sandbox | Inbound (management interface) | TCP 8443 | Access to the web interface of the application |
    | Sandbox | Outbound (management interface) | TCP 80, TCP 443 | Communication with Kaspersky update servers |
    | Sandbox | Outbound and corresponding inbound (interface for access of processed objects) | Any | Access to the internet for analyzing the network behavior of processed objects. Deny access to the corporate LAN to protect the network from analyzed objects. |
    | SCN (when using the distributed solution mode) | Outgoing | TCP 8443, 8444 | For interaction between SCN and PCN over a secure link based on the IPSec protocol |
    | SCN (when using the distributed solution mode) | Inbound and outbound | TCP 443, 53, 11000:11006, UDP 53; ESP, AH, IKEv1 and IKEv2 | |
    | PCN (when using the distributed solution mode) | Inbound | TCP 8443, 8444 | |
    | PCN (when using the distributed solution mode) | Inbound and outbound | TCP 443, 53, 11000:11006, UDP 53; ESP, AH, IKEv1 and IKEv2 | |

If you install an additional network interface that receives only mirrored traffic in a VMware ESXi virtual environment, use the E1000 network adapter or disable the LRO (large receive offload) option on a VMXNET3 network adapter.
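
The inbound rows of the port table above can be used to audit what a component server is actually listening on. The script below is an added example, not part of the Kaspersky documentation or distribution kit; the component keys (cn, sensor, sandbox, scn, pcn), the function names, and the sample `ss` output are constructed for illustration, and the ESP, AH, IKEv1 and IKEv2 rows are left out because the table gives no port numbers for them.

```sh
#!/bin/sh
# Added example: compare listening sockets with the inbound rows of the
# port table. Component keys and function names are this example's own.

# Inbound TCP/UDP ports per component, transcribed from the table
# ("Inbound" and "Inbound and outbound" rows). lo:hi is a port range.
kata_inbound() {
    cat <<'EOF'
cn tcp 22 443 8085 8443 9081 7423 13520
cn udp 53
sensor tcp 22 1344 25 443 8085 9443
sensor udp 53
sandbox tcp 22 443 8443
pcn tcp 8443 8444 443 53 11000:11006
pcn udp 53
scn tcp 443 53 11000:11006
scn udp 53
EOF
}

# kata_allowed COMPONENT PROTO PORT
# Exit status 0 if the table lists PORT as inbound for COMPONENT.
kata_allowed() {
    kata_inbound | awk -v c="$1" -v p="$2" -v port="$3" '
        $1 == c && $2 == p && port ~ /^[0-9]+$/ {
            for (i = 3; i <= NF; i++) {
                n = split($i, r, ":")
                lo = r[1] + 0
                hi = (n == 2 ? r[2] : r[1]) + 0
                if (port + 0 >= lo && port + 0 <= hi) found = 1
            }
        }
        END { exit(found ? 0 : 1) }'
}

# audit_listeners COMPONENT
# Reads `ss -H -tuln` output on stdin and prints "proto port" for every
# non-loopback listener that the table does not list for COMPONENT.
audit_listeners() {
    comp=$1
    awk '
        $5 ~ /^127\./ || $5 ~ /^\[::1\]/ { next }   # loopback only: not exposed
        { n = split($5, a, ":"); print $1, a[n] }   # port follows the last ":"
    ' | LC_ALL=C sort -u |
    while read -r proto port; do
        kata_allowed "$comp" "$proto" "$port" || echo "$proto $port"
    done
}

# Constructed sample of `ss -H -tuln` output (not taken from a real server).
SAMPLE_SS='tcp  LISTEN 0  128     0.0.0.0:22     0.0.0.0:*
tcp  LISTEN 0  128        [::]:22        [::]:*
tcp  LISTEN 0  511           *:8443         *:*
tcp  LISTEN 0  244   127.0.0.1:5432   0.0.0.0:*
tcp  LISTEN 0  4096    0.0.0.0:9200   0.0.0.0:*
udp  UNCONN 0  0       0.0.0.0:161    0.0.0.0:*'

# Listeners in the sample that the Central Node rows do not account for.
printf '%s\n' "$SAMPLE_SS" | audit_listeners cn
```

On a live server, feed it real data with `ss -H -tuln | audit_listeners cn`.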

Preparing the IT infrastructure for integration with a mail server used for receiving messages via POP3

If you are using a Microsoft Exchange mail server as your mail server and an email sender configured a request for read receipt notification, you must disable read receipt notifications. Otherwise, read receipt notifications will be sent from the email address that you have configured as the email address used for receiving messages of Kaspersky Anti Targeted Attack Platform. You must also disable automatic processing of meeting requests to prevent filling of the mailbox used for receiving messages of Kaspersky Anti Targeted Attack Platform.

To disable sending read receipt notifications from the email address used for receiving messages of Kaspersky Anti Targeted Attack Platform:

  1. On the Microsoft Exchange server, check whether or not notifications are enabled. To do so, execute the command:

    Get-MailboxMessageConfiguration -Identity <email address for receiving messages by Kaspersky Anti Targeted Attack Platform> | fl

  2. If notifications are enabled, run the following command:

    Set-MailboxMessageConfiguration -Identity <email address for receiving messages by Kaspersky Anti Targeted Attack Platform> -ReadReceiptResponse NeverSend

This will disable read receipt notifications from the email address used for receiving messages of Kaspersky Anti Targeted Attack Platform.

To disable automatic processing of meeting requests:

  1. On the Microsoft Exchange server, check whether automatic processing of meeting requests is enabled. To do so, execute the command:

    Get-CalendarProcessing -Identity <email address for receiving messages by Kaspersky Anti Targeted Attack Platform> | fl

  2. If automatic processing of meeting requests is enabled, run the following command:

    Set-CalendarProcessing -Identity <email address for receiving messages by Kaspersky Anti Targeted Attack Platform> -AutomateProcessing:None

Automatic processing of meeting requests will be disabled.

Preparing the IT infrastructure for integration with a mail server used for receiving messages via SMTP

To prepare your corporate IT infrastructure for Kaspersky Anti Targeted Attack Platform integration with a mail server over the SMTP protocol:

  1. On the external mail server, configure rules for forwarding copies of the messages that you want to send for scanning by Kaspersky Anti Targeted Attack Platform to the addresses specified in Kaspersky Anti Targeted Attack Platform.
  2. Specify the route for forwarding email messages to the Sensor server.

    We recommend specifying a static route: the IP address of the Sensor server.

  3. Configure the firewall of your organization to allow inbound connections to port 25 of the Sensor server from mail servers that are forwarding copies of email messages.

You can also improve the security of Kaspersky Anti Targeted Attack Platform integration with a mail server over the SMTP protocol.

To improve the security of Kaspersky Anti Targeted Attack Platform integration with a mail server over the SMTP protocol:

  1. Configure authentication of the Kaspersky Anti Targeted Attack Platform server on the side of the mail servers forwarding email messages for Kaspersky Anti Targeted Attack Platform.
  2. Configure mandatory encryption of traffic on mail servers that are forwarding email messages for Kaspersky Anti Targeted Attack Platform.
  3. Configure authentication of mail servers forwarding email messages for Kaspersky Anti Targeted Attack Platform on the Kaspersky Anti Targeted Attack Platform side.

Preparing the virtual machine for installing the Sandbox component

To prepare the virtual machine for installing the Sandbox component:

  1. Run the VMware ESXi hypervisor.
  2. Open the virtual machine management console.
  3. In the context menu of the virtual machine on which you want to install the Sandbox component, choose Edit Settings.

    This opens the virtual machine properties window.

  4. On the Virtual Hardware tab, expand the CPU settings group and select the Expose hardware-assisted virtualization to guest OS check box.
  5. On the VM Options tab in the Latency Sensitivity drop-down list, select High.
  6. Click Ok.

The virtual machine is ready for installing the Sandbox component.

Preparing an installation disk image with the Central Node, Sensor, and Sandbox components

Before installing the application, you must prepare an iso image of the installation disk with the Central Node, Sensor, and Sandbox components based on the Astra Linux operating system.

Minimum hardware requirements for a device that can be used to create the iso image:

  • CPU: 4 cores, clock rate 2500 MHz or more.
  • RAM: 8 GB.
  • Available disk space: 100 GB.

Software requirements:

  • Operating system based on an up-to-date Linux kernel.
  • Docker 20 or later.
  • An ISO image of Astra Linux Special Edition 1.7.5.

    Kaspersky Anti Targeted Attack Platform does not support other versions of the Astra Linux operating system.

To build an ISO image with the Central Node and Sensor components or with the Sandbox component, based on the Astra Linux operating system:

  1. From the distribution kit, download the Central Node and Sensor component distribution kit (kata-cn-distribution-7.0.3.520-x86_64_en-ru-zh.tar.gz), the Sandbox component distribution kit (kata-sb-distribution-7.0.3.520-x86_64_en-ru.tar.gz), and the file named iso-builder-7.0.3.520-x86_64_en-ru.tar.
  2. Create an iso_builder.sh file with the following content:

    #!/bin/sh
    # $1 - absolute source_iso_host_path
    # $2 - absolute distribution_host_path
    # $3 - absolute iso_builder_image_host_path
    # $4 - absolute build_host_path
    # $5 - absolute target_iso_name
    set -eu   # stop if an argument is missing or the image fails to load

    docker load -i "$3"
    docker run -v "$1:$1" -v "$2:$2" -v "$4:/build" \
        kaspersky/kata/deployment/iso_builder:6.0 \
        --source-iso-uri "file://$1" --kata-distribution-uri "file://$2" \
        --target-iso-name "$5"

  3. Run the mkdir /var/kata_builder command.
  4. Put the files listed in step 1 in the newly created /var/kata_builder directory. Make sure that the Astra Linux Special Edition 1.7.5 iso image is named installation-1.7.5.16-06.02.24_14.21.iso. If the name of the iso image is different, please rename it.
  5. Run the following command:
    • If you are preparing a disk image with the Central Node and Sensor components:

        sudo ./iso_builder.sh /var/kata_builder/installation-1.7.5.16-06.02.24_14.21.iso /var/kata_builder/kata-cn-distribution-7.0.3.520-x86_64_en-ru-zh.tar.gz /var/kata_builder/iso-builder-7.0.3.520-x86_64_en-ru.tar /var/kata_builder buildCNSensorAstra.iso

    • If you are preparing a disk image with the Sandbox component:

        sudo ./iso_builder.sh /var/kata_builder/installation-1.7.5.16-06.02.24_14.21.iso /var/kata_builder/kata-sb-distribution-7.0.3.520-x86_64_en-ru.tar.gz /var/kata_builder/iso-builder-7.0.3.520-x86_64_en-ru.tar /var/kata_builder buildSandboxAstra.iso

After running the commands, the installation disk images with the Central Node and Sensor components and with the Sandbox component, named buildCNSensorAstra.iso and buildSandboxAstra.iso respectively, are located in the /var/kata_builder directory.

If you use other directories for storing files, you can run the command as follows: sudo ./iso_builder.sh <source_iso_host_path> <distribution_host_path> <iso_builder_image_host_path> <build_host_path> <target_iso_name>, where:

  • source_iso_host_path is the path to the distribution kit of the Astra Linux Special Edition 1.7.5.
  • distribution_host_path is the path to the distribution kit: kata-cn-distribution-7.0.3.520-x86_64_en-ru-zh.tar.gz or kata-sb-distribution-7.0.3.520-x86_64_en-ru.tar.gz.
  • iso_builder_image_host_path is the path to the iso-builder-7.0.3.520-x86_64_en-ru.tar file.
  • build_host_path is the path where the built ISO image must be located, without specifying the name being assigned to the ISO image.
  • target_iso_name is the name that is being assigned to the ISO image.
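
A pre-flight check for the five iso_builder.sh arguments, as an added example that is not part of the Kaspersky distribution kit. It tests the requirements stated in this section (absolute paths, the required Astra Linux ISO file name, Docker 20 or later, 100 GB of free space); the function names are this example's own, and both the bare-file-name check on the target and measuring free space on the build directory's filesystem are assumptions.

```sh
#!/bin/sh
# Added example: pre-flight checks before running iso_builder.sh.
# Function names and messages belong to this example, not to the kit.

EXPECTED_ISO=installation-1.7.5.16-06.02.24_14.21.iso  # file name from step 4
MIN_DOCKER_MAJOR=20                                     # "Docker 20 or later"
MIN_FREE_KB=$((100 * 1024 * 1024))                      # 100 GB, in KiB

# docker_major "Docker version 24.0.7, build afdd53b"  ->  24
# Prints nothing if the string is not `docker --version` output.
docker_major() {
    printf '%s\n' "$1" | sed -n 's/^Docker version \([0-9][0-9]*\)\..*/\1/p'
}

# Free space (KiB) on the filesystem that holds directory $1.
free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

fail() {
    echo "FAIL: $*"
    problems=$((problems + 1))
}

# preflight SRC_ISO DISTRIBUTION BUILDER_TAR BUILD_DIR TARGET_NAME DOCKER_VERSION
# Prints one FAIL line per problem; returns 0 only when there are none.
preflight() {
    problems=0

    # $1 and $2 are reused as the container-side mount path and inside the
    # file:// URI, so they must be absolute; the script header asks the
    # same of $3 and $4.
    for p in "$1" "$2" "$3" "$4"; do
        case $p in
            /*) ;;
            *)  fail "not an absolute path: $p" ;;
        esac
    done

    [ -f "$1" ] || fail "source ISO not found: $1"
    [ "${1##*/}" = "$EXPECTED_ISO" ] ||
        fail "source ISO must be named $EXPECTED_ISO"
    [ -f "$2" ] || fail "distribution archive not found: $2"
    [ -f "$3" ] || fail "iso-builder image archive not found: $3"

    # Assumption: the target is a bare file name, as in the step 5 commands.
    case $5 in
        ''|*/*) fail "target ISO name must be a file name without a path: $5" ;;
    esac

    major=$(docker_major "$6")
    if [ -z "$major" ] || [ "$major" -lt "$MIN_DOCKER_MAJOR" ]; then
        fail "Docker $MIN_DOCKER_MAJOR or later required, found: ${6:-nothing}"
    fi

    # Assumption: the 100 GB requirement is measured on the build directory.
    if [ -d "$4" ]; then
        kb=$(free_kb "$4")
        [ "${kb:-0}" -ge "$MIN_FREE_KB" ] ||
            fail "less than 100 GB free on the filesystem of $4"
    else
        fail "build directory not found: $4"
    fi

    [ "$problems" -eq 0 ]
}

# Stand-alone use: sh preflight.sh <the same five arguments as iso_builder.sh>
if [ "$#" -eq 5 ]; then
    preflight "$@" "$(docker --version 2>/dev/null)" || exit 1
fi
```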

Procedure for installing and configuring application components

Installing and configuring the application involves the following steps:

  1. Installing the disk image containing the Sandbox component
  2. Configuring the Sandbox component through the Sandbox web interface
  3. Installing the disk images of Microsoft Windows operating systems and applications for the Sandbox component
  4. Installing the Central Node and Sensor components

    You can install the Central Node and Sensor components in one of the following configurations:

    If there are multiple Central Node components, you can use the application in distributed solution mode.

  5. Installing the Sensor component

    If there are multiple Sensor components, you can install and configure the Sensor component on the necessary number of servers.

  6. Configuring the Central Node and Sensor components
  7. Installing the Endpoint Agent component on computers of the corporate IT infrastructure.

    As the Endpoint Agent component, you may use the following applications: Kaspersky Endpoint Agent for Windows, Kaspersky Endpoint Security for Windows, Kaspersky Endpoint Security for Linux, Kaspersky Endpoint Security for Mac.

    Information about the compatibility of versions of applications that represent the Endpoint Agent component with versions of Kaspersky Anti Targeted Attack Platform is provided in the following Help sections: Kaspersky Endpoint Agent for Windows, Kaspersky Endpoint Security for Windows, Kaspersky Endpoint Security for Linux, Kaspersky Endpoint Security for Mac.

The Kaspersky Endpoint Agent application can be used in the following configurations:

  • Without integration with the EPP application.

    In this case, you only need to install Kaspersky Endpoint Agent for Windows.

  • With integration with the EPP application.

    In this case, Kaspersky Endpoint Agent also sends information about threats detected by the EPP application and results of threat processing by this application to the Central Node server.

Kaspersky Endpoint Agent for Windows can integrate with the following EPP applications:

  • Kaspersky Endpoint Security for Windows

    Integration of Kaspersky Endpoint Agent for Windows with Kaspersky Endpoint Security for Windows

    To integrate these applications, you must install Kaspersky Endpoint Agent as part of Kaspersky Endpoint Security. Integrating separately installed applications is not supported.

    To install Kaspersky Endpoint Agent as part of Kaspersky Endpoint Security:

    1. Start the installation of the Kaspersky Endpoint Security application, which includes Kaspersky Endpoint Agent in its distribution kit.

      For more details about installing Kaspersky Endpoint Security, see Kaspersky Endpoint Security for Windows Help.

    2. During installation, select the Endpoint Agent component.

    After the application with the Endpoint Agent component is installed, the list of installed applications includes Kaspersky Endpoint Security and Kaspersky Endpoint Agent.

    If necessary, you can upgrade the Kaspersky Endpoint Agent application that is already installed as part of Kaspersky Endpoint Security. Integration between compatible versions of the applications is maintained both when the Kaspersky Endpoint Agent application is upgraded and when the Kaspersky Endpoint Security application is upgraded. Upgrading from a previous version is supported for Kaspersky Endpoint Agent version 3.7 or newer.

  • Kaspersky Security for Windows Server.

    Integration of Kaspersky Endpoint Agent for Windows with Kaspersky Security for Windows Server

    To integrate these applications, you must install Kaspersky Endpoint Agent as part of Kaspersky Security for Windows Server. Integrating separately installed applications is not supported.

    To install Kaspersky Endpoint Agent as part of Kaspersky Security for Windows Server:

    1. Start the installation of the Kaspersky Security for Windows Server application, which includes Kaspersky Endpoint Agent in its distribution kit.

      For more details about installing Kaspersky Security for Windows Server, see Kaspersky Security for Windows Server Help.

    2. During installation, select the Kaspersky Endpoint Agent component.

    After the application with the Kaspersky Endpoint Agent component is installed, the list of installed applications includes Kaspersky Security for Windows and Kaspersky Endpoint Agent.

    If necessary, you can upgrade the Kaspersky Endpoint Agent application that is already installed as part of Kaspersky Security for Windows Server. Integration between compatible versions of the applications is maintained both when Kaspersky Endpoint Agent is upgraded and when Kaspersky Security for Windows Server is upgraded.

  • Kaspersky Security for Virtualization Light Agent for Windows.

    Integration of Kaspersky Endpoint Agent for Windows with Kaspersky Security for Virtualization Light Agent

    Kaspersky Endpoint Agent and Kaspersky Security for Virtualization Light Agent are installed separately. Kaspersky Endpoint Agent cannot be installed as part of Kaspersky Security for Virtualization Light Agent.

    To enable the integration of Kaspersky Endpoint Agent with Kaspersky Security for Virtualization Light Agent:

    1. Install Kaspersky Security for Virtualization Light Agent if it has not been installed yet.
    2. Enable the integration with Kaspersky Endpoint Agent.

      You can enable the integration with Kaspersky Endpoint Agent during installation or upgrade of Light Agent. You can also enable the integration with Kaspersky Endpoint Agent using the procedure for modifying the set of installed components of Light Agent.

      For more details about installing, enabling integration, and upgrading the application, as well as the procedure for modifying the set of installed application components, see Kaspersky Security for Virtualization Light Agent Online Help.

    3. Install the Kaspersky Endpoint Agent application on the virtual machine with Light Agent, if it has not been installed yet.

    For integration with Kaspersky Security for Virtualization Light Agent 5.2, we recommend using Kaspersky Endpoint Agent 3.14. If necessary, you can upgrade the Kaspersky Endpoint Agent application and Kaspersky Security for Virtualization Light Agent. When you upgrade the applications, integration between compatible versions is maintained.

  • Kaspersky Industrial CyberSecurity for Nodes.

    Integration of Kaspersky Endpoint Agent for Windows with Kaspersky Industrial CyberSecurity for Nodes

    To enable integration of Kaspersky Endpoint Agent with Kaspersky Industrial CyberSecurity for Nodes:

    1. Install Kaspersky Industrial CyberSecurity for Nodes if the application has not been installed yet.

      For more details on installation, see Kaspersky Industrial CyberSecurity for Nodes Help.

    2. Install the Kaspersky Endpoint Agent application on the same device if it has not been installed yet.

    The applications are integrated automatically.

    To integrate with Kaspersky Industrial CyberSecurity for Nodes, the corresponding license key must be installed in the Kaspersky Endpoint Agent.

    For detailed information, you can contact your account manager.

Information about compatibility of Kaspersky Endpoint Agent for Windows versions with EPP applications is provided in the Compatibility of Kaspersky Endpoint Agent for Windows versions with EPP applications section.

For details about installing Kaspersky Endpoint Security, see the Online Help of the application:

If your hosts have earlier versions of applications installed, you can upgrade them. For details, see the following sections.

Step 1. Viewing the End User License Agreement and Privacy Policy

To continue installation, please read the End User License Agreement (EULA) and accept its terms and conditions. Installation will not continue until you accept the terms of the End User License Agreement.

You must also read the Privacy Policy and accept its terms and conditions. If the Privacy Policy is not accepted, the installation cannot proceed.

To accept the terms and conditions of the End User License Agreement and the Privacy Policy when installing the Sandbox component based on the Ubuntu Server operating system:

  1. Select the language for viewing the End User License Agreement and Privacy Policy in the list and press Enter.

    This opens a window showing the End User License Agreement text.

  2. Please read the End User License Agreement.
  3. If you accept the terms of the End User License Agreement, click I accept.

    This opens a window displaying the text of the Privacy Policy.

  4. Please carefully read the Privacy Policy.
  5. If you accept the terms of the Privacy Policy, click I accept.

The Setup Wizard proceeds to the next step.

To accept the terms and conditions of the End User License Agreement and the Privacy Policy when installing the Sandbox component based on the Astra Linux operating system:

  1. If you are installing using BIOS, select the language for viewing the End User License Agreement for Astra Linux operating systems from the list by pressing the F1 key and press Enter.

    This opens a window with the text of the Astra Linux End User License Agreement.

  2. Read the End User License Agreement of the Astra Linux operating systems.

    To move up and down, you can use the keys: ↑, ↓, PageUp, and PageDown.

  3. If you accept the terms and conditions of the End User License Agreement of Astra Linux operating systems, select Yes and press Enter.

    This opens a window in which you can select the language for viewing the AO Kaspersky Lab End User License Agreement and Privacy Policy.

  4. Read the AO Kaspersky Lab End User License Agreement.

    To move up and down, you can use the keys: ↑, ↓, PageUp, and PageDown.

  5. If you accept the terms and conditions of the AO Kaspersky Lab End User License Agreement, select the I accept button and press Enter.

    This opens a window with the text of the AO Kaspersky Lab Privacy Policy.

  6. Read the AO Kaspersky Lab Privacy Policy.
  7. If you accept the terms and conditions of the AO Kaspersky Lab Privacy Policy, select the I accept button and press Enter.

The Setup Wizard proceeds to the next step.

Step 2. Selecting a disk for installing the Sandbox component

Select a physical disk for installing the Sandbox component.

To select a disk for installing the Sandbox component:

  1. In the Select device window, in the list of disks, select the disk on which you want to install the Sandbox component and press ENTER.

    If the disk is not empty, a window is displayed asking you to confirm that you want to format the disk and install the application.

  2. Click Install.

    The archive with the installation files will be unpacked to the disk. The server is restarted.

The Setup Wizard proceeds to the next step.

Step 3. Assigning the host name

Assign a server host name to be used by DNS servers.

To assign the host name for a server:

  1. Enter the full domain name of the server into the Hostname field.

    Specify the server name in FQDN format (for example: host.domain.com or host.domain.subdomain.com).

  2. Click Ok.

The Setup Wizard proceeds to the next step.

Step 4. Selecting the controlling network interface in the list

To ensure proper functioning of the Sandbox component, you must connect at least two network cards and configure the following network interfaces:

  • Management network interface. This interface is intended for providing SSH access to the Sandbox server; the Sandbox server also uses this interface to receive objects from the Central Node.
  • Network interface used for Internet access of processed objects. Objects that are processed by Sandbox can use this interface to attempt activities on the Internet, and Sandbox can analyze their behavior. If you block Internet access, Sandbox cannot analyze the behavior of objects on the Internet, and will therefore only analyze the behavior of objects without internet access.

    The network interface used for Internet access of processed objects must be isolated from the local network of your organization.

Select the network interface that you want to use as the controlling interface.

To select the management network interface:

  1. In the list of network interfaces, select the network interface that you want to use as the controlling interface.
  2. Press ENTER.

The Setup Wizard proceeds to the next step.

Step 5. Assigning the address and network mask of the controlling interface

To assign the IP address and network mask of the management network interface:

  1. In the Address field, enter the IP address that you want to assign to this network interface.
  2. In the Netmask field, enter the network mask in which you want to use this network interface.
  3. Click Ok.

The Setup Wizard proceeds to the next step.

Step 6. Adding DNS server addresses

To add DNS server addresses:

  1. In the DNS servers window, select New and press ENTER.

    This opens the DNS server address entry window.

  2. In the DNS server text box, enter the IP address of the primary DNS server in IPv4 format.
  3. Click Ok.

    The DNS server address entry window is closed.

  4. If you want to add the IP address of an additional DNS server, repeat the steps in the DNS servers window.
  5. When you are done adding DNS servers, in the DNS servers window, select Continue and press ENTER.

The Setup Wizard proceeds to the next step.

Step 7. Configuring a static network route

To configure a static network route:

  1. In the IPv4 Routes window, select New and press ENTER.

    This opens the IPv4 Static Route window.

  2. In the Address/Mask field, enter the IP address and mask of the subnet for which you want to configure the network route.
  3. If you want to use the default network route, enter 0.0.0.0/0.
  4. In the Gateway field, enter the IP address of the gateway.
  5. Click Ok.
  6. If you want to add other network routes, repeat the steps in the IPv4 Static Route window.
  7. If you are done adding network routes, click Continue.

The Setup Wizard proceeds to the next step.

Step 8. Configuring the minimum password length for the Sandbox administrator password

To set the minimum length of the administrator password for the Sandbox component:

  1. In the Minimal length field, enter the length in characters. Passwords 12 or more characters long are recommended.
  2. Click Ok.

The Setup Wizard proceeds to the next step.


Step 9. Creating the Sandbox administrator account

Create an administrator account for working in the Sandbox web interface, in the administrator menu, and in the management console of the server with the Sandbox component.

To create a Sandbox administrator account:

  1. In the Username field, enter the name of the administrator account. The 'admin' account is used by default.
  2. In the password field, enter the password for the administrator account.

    The password must satisfy the following requirements:

    • Must contain at least 8 characters.
    • Must contain at least three types of characters:
      • Uppercase character (A-Z).
      • Lowercase character (a-z).
      • Number.
      • Special character.
    • Must not be completely or substantially the same as the user name.
  3. Enter the password again in the Confirm password field.
  4. Click Ok.

    This opens a window with the IP address of the Sandbox server. You can enter this address in your web browser to open the Sandbox web interface. To log in, use the Sandbox administrator account that you have created.

    The Sandbox server will restart.

Proceed to configuration of the Sandbox component through the web interface.


Deploying the Central Node component with Embedded Sensor as a cluster

A cluster must include at least 4 servers: 2 storage servers and 2 processing servers. You can use the Sizing Guide to determine the right number of servers for your organization.

Deployment of the Central Node component with Embedded Sensor in the form of a cluster includes the following steps:

  1. Deploying the first storage server

    The first step is to deploy the storage server. After the storage server is deployed, you can add additional storage and processing servers to the cluster.

  2. Deploying processing servers and additional storage servers

    You can deploy the servers in any order.

  3. Configuring the sizing settings of the application

    At the final stage of cluster deployment, you need to configure the scaling settings of the application: specify the planned volume of SPAN traffic, email traffic, the number of hosts with the Endpoint Agent component, as well as the size of the Storage and event database.

The Central Node component is always installed together with the Sensor component. If you need to use the Central Node component separately, when deploying the processing server, turn off receipt of mirrored traffic from SPAN ports at step 10.

If you have a cluster deployed on physical servers and want to add more hard drives to these servers or replace some of the existing drives and then reinstall the cluster, you must purge the drives previously allocated for the OSD (Object Storage Daemon) on the storage servers before installing components. Otherwise, the application is not guaranteed to work correctly. If you want to completely disconnect the drives and no longer plan to reconnect them to the server, purging the drives is not necessary.

In this section

Deploying a storage server

Deploying the processing server

Purging hard drives on storage servers


Deploying a storage server

To deploy a data storage server, you need to run a disk image with the Central Node and Sensor components.

If an error occurred while performing the steps of the Setup Wizard, contact Technical Support.


Step 1. Viewing the End User License Agreement and Privacy Policy

To continue the installation, you must read the End User License Agreement and Privacy Policy and accept their terms and conditions. Installation will not continue until you accept the terms of the End User License Agreement and Privacy Policy.

To accept the terms and conditions of the End User License Agreement and the Privacy Policy when installing the components based on the Ubuntu operating system:

  1. Select the language for viewing the AO Kaspersky Lab End User License Agreement and Privacy Policy in the list and press Enter.

    This opens a window with the text of the AO Kaspersky Lab End User License Agreement.

  2. Read the AO Kaspersky Lab End User License Agreement.

    To move up and down, you can use the keys: ↑, ↓, PageUp, and PageDown.

  3. If you accept the AO Kaspersky Lab End User License Agreement, select the I accept button and press Enter.

    This opens a window with the text of the AO Kaspersky Lab Privacy Policy.

  4. Read the AO Kaspersky Lab Privacy Policy.
  5. If you accept the terms and conditions of the AO Kaspersky Lab Privacy Policy, select the I accept button and press Enter.

The Setup Wizard proceeds to the next step.

To accept the terms and conditions of the End User License Agreement and the Privacy Policy when installing the components based on the Astra Linux operating system:

  1. Select the language for viewing the End User License Agreement for Astra Linux operating systems from the list by pressing the F1 key and press Enter.

    This opens a window with the text of the Astra Linux End User License Agreement.

  2. Read the End User License Agreement of the Astra Linux operating systems.

    To move up and down, you can use the keys: ↑, ↓, PageUp, and PageDown.

  3. If you accept the terms and conditions of the End User License Agreement of Astra Linux operating systems, select Yes and press Enter.

    This opens a window in which you can select the language for viewing the AO Kaspersky Lab End User License Agreement and Privacy Policy.

  4. Select the language for viewing the AO Kaspersky Lab End User License Agreement and Privacy Policy in the list and press Enter.

    This opens a window with the text of the AO Kaspersky Lab End User License Agreement.

  5. Read the AO Kaspersky Lab End User License Agreement.

    To move up and down, you can use the keys: ↑, ↓, PageUp, and PageDown.

  6. If you accept the terms and conditions of the AO Kaspersky Lab End User License Agreement, select the I accept button and press Enter.

    This opens a window with the text of the AO Kaspersky Lab Privacy Policy.

  7. Read the AO Kaspersky Lab Privacy Policy.
  8. If you accept the terms and conditions of the AO Kaspersky Lab Privacy Policy, select the I accept button and press Enter.

The Setup Wizard proceeds to the next step.


Step 2. Selecting a server role

To select a server role:

  1. Select one of the following options:
    • storage.

      This role is for installing a storage server for deploying the Central Node component as a cluster.

    • processing.

      This role is for installing a processing server for deploying the Central Node component as a cluster.

      The role also includes the installation and configuration of the Sensor component.

    • single.

      This role is for installing the Central Node and Sensor components on the same server.

    • sensor.

      This role is for installing the Sensor component on a standalone server.

  2. Press Enter.

The Setup Wizard proceeds to the next step.


Step 3. Selecting the deployment mode

To select a deployment mode:

  1. Select one of the following options:
    • First node installation.

      Select this value when deploying the first server in the cluster.

    • Add extra node to the cluster.

      Select this value when deploying a server that will be added to an existing cluster.

  2. Press Enter.

The Setup Wizard proceeds to the next step.


Step 4. Selecting a disk for installing the component

You need at least 150 GB of disk space. If less than 150 GB of disk space is available, installation finishes with an error.

To select a disk for installing the component:

  1. Select one of the suggested drives for installing the component and press Enter.

    The confirmation window is displayed.

  2. Select Yes and press Enter.

The Setup Wizard proceeds to the next step.


Step 5. Selecting a network mask for server addressing

We recommend using the default value.

The netmask must not match any netmask used in the organization's infrastructure.

To specify the network mask for server addressing:

  • If you want to use the predefined value for the network mask, select the Ok button and press Enter.

    Default value: 198.18.0.0/16.

  • If you want to specify a different network mask, in the Subnet field, enter your value, select the Ok button, and press Enter.

    The mask must match the template: x.x.0.0/16.

The Setup Wizard proceeds to the next step.


Step 6. Selecting a network mask for addressing of application components

We recommend using the default value.

The network for application component addressing must not overlap with the network for cluster server addressing.

To specify the network mask for addressing the main components of the application:

  • If you want to use the predefined value for the network mask, select the Ok button and press Enter.

    Default value: 198.19.0.0/16.

  • If you want to specify a different network mask, in the Bridge/overlay subnets field, enter your value, select the Ok button, and press Enter.

    The mask must match the template: x.x.0.0/16.

The Setup Wizard proceeds to the next step.


Step 7. Selecting the cluster network interface

The cluster network interface is used for communication between cluster servers.

To select the cluster network interface:

  1. Select the row containing the network interface that is used for the internal network.

    To select a row, you can use the ↑, ↓, PageUp, and PageDown keys. The selected row is highlighted in red.

  2. Press Enter.

The Setup Wizard proceeds to the next step.


Step 8. Selecting the external network interface

The external network interface is used for SSH access to the server, managing the web interface of Kaspersky Anti Targeted Attack Platform, and other external connections.

To select the external network interface:

  1. Select the row containing the network interface that is used for the external network.

    To select a row, you can use the ↑, ↓, PageUp, and PageDown keys. The selected row is highlighted in red.

  2. Press Enter.

The Setup Wizard proceeds to the next step.


Step 9. Selecting the method of obtaining IP addresses for network interfaces

To select a method for obtaining an IP address for network interfaces:

  1. Select the row containing Configuration type: and press Enter.

    To select a row, you can use the ↑, ↓, PageUp, and PageDown keys. The selected row is highlighted in red.

  2. In the opened window, select one of the following options:
    • dhcp.
    • static.
  3. If you selected static:
    1. Select the row containing the parameter and press the Enter key.
    2. In the opened window, enter the required data and press Enter twice.

      You need to specify a value for each parameter.

  4. Select the row containing Save.
  5. Press Enter.

The Setup Wizard proceeds to the next step.


Step 10. Creating an administrator account and authenticating the server in the cluster

During this step, you need to do one of the following:


Creating the administrator account

An administrator account is only required when deploying the first server in the cluster. If you are deploying an additional storage server, instead of opening a window that prompts you to create an administrator account, the application prompts you to authenticate the server in the cluster.

When deploying the first server in the cluster, you need to create an administrator account. This user account is used for managing the web interface of the application, the administrator menu of the application, and for managing the application in Technical Support Mode.

By default, the user name of the administrator account is admin. You must enter a password for that user account.

To enter a password for the administrator user account:

  1. In the window that opens, in the min length field, enter the minimum password length. You must enter a value of 8 or greater.
  2. Select Ok and press Enter.

    This opens the password creation window.

  3. In the password field, enter the password for the administrator account.

    To select a row, you can use the ↑, ↓, PageUp, and PageDown keys. The selected row is highlighted in red.

  4. In the confirm field, enter the password again.
  5. Select Ok and press Enter.

The Setup Wizard proceeds to the next step.


Authenticating the server in the cluster

Authenticating a server in the cluster is only required when deploying additional storage servers. If you are deploying the first server in the cluster, the application prompts you to create an administrator account instead of authenticating the server.

To authenticate a server in the cluster, you need to enter the admin account password that was set when the first server in the cluster was deployed.

To authenticate a server in the cluster:

  1. In the password field, enter the password for the administrator account.
  2. Select Ok and press Enter.

    To select a button, you can use the ↑, ↓, PageUp, and PageDown keys.

The server in the cluster will be authenticated. The Setup Wizard proceeds to the next step.


Step 11. Adding DNS server addresses

This step is available if you are deploying the first server in the cluster.

Configure the DNS settings for the operation of servers with application components.

To add DNS server addresses:

  1. Select the Add field and press Enter.
  2. Enter the IP address of the DNS server in the IPv4 format.
  3. If you want to add the IP address of an additional DNS server, select the Add field, press Enter and enter the address of the server.
  4. Having added all DNS servers, select the Continue field and press Enter.

The Setup Wizard proceeds to the next step.


Step 12. Configuring time synchronization with an NTP server

This step is available if you are deploying the first server in the cluster.

Configure synchronization of the server time with the NTP server.

  1. Select the Add field and press Enter.
  2. Enter the IP address or name of the NTP server.
  3. If you want to add the IP address or name of an additional NTP server, select the Add field, press Enter, and enter the IP address or name of the NTP server.
  4. Having added all NTP servers, select the Continue field and press Enter.

The Setup Wizard proceeds to the next step.

For the cluster to function, time must be synchronized on servers of the cluster. Make sure that the NTP server that you are adding is working correctly and can assure time synchronization among the cluster servers.


Step 13. Selecting disks for the Ceph storage

Select the disks for the Ceph storage. The number of disks is determined in accordance with the sizing guide.

To select disks for the Ceph storage:

  1. Select the row containing the required drive.

    To select a row, you can use the ↑, ↓, PageUp, and PageDown keys. The selected row is highlighted in red.

  2. Press Enter.
  3. If you want to select multiple drives, repeat steps 1 and 2 for each additional drive.
  4. Select the Apply and finish field and press Enter.

    The confirmation window is displayed.

  5. Select Yes and press Enter.

The configuration may take some time. Then the installation is complete. You can proceed to configure the servers of the cluster.

Deploying the processing server

Step 1. Viewing the End User License Agreement and Privacy Policy

To continue the installation, you must read the End User License Agreement and Privacy Policy and accept their terms and conditions. Installation will not continue until you accept the terms of the End User License Agreement and Privacy Policy.

To accept the terms and conditions of the End User License Agreement and the Privacy Policy when installing the components based on the Ubuntu operating system:

  1. Select the language for viewing the AO Kaspersky Lab End User License Agreement and Privacy Policy in the list and press Enter.

    This opens a window with the text of the AO Kaspersky Lab End User License Agreement.

  2. Read the AO Kaspersky Lab End User License Agreement.

    To move up and down, you can use the keys: ↑, ↓, PageUp, and PageDown.

  3. If you accept the AO Kaspersky Lab End User License Agreement, select the I accept button and press Enter.

    This opens a window with the text of the AO Kaspersky Lab Privacy Policy.

  4. Read the AO Kaspersky Lab Privacy Policy.
  5. If you accept the terms and conditions of the AO Kaspersky Lab Privacy Policy, select the I accept button and press Enter.

The Setup Wizard proceeds to the next step.

To accept the terms and conditions of the End User License Agreement and the Privacy Policy when installing the components based on the Astra Linux operating system:

  1. Select the language for viewing the End User License Agreement for Astra Linux operating systems from the list by pressing the F1 key and press Enter.

    This opens a window with the text of the Astra Linux End User License Agreement.

  2. Read the End User License Agreement of the Astra Linux operating systems.

    To move up and down, you can use the keys: ↑, ↓, PageUp, and PageDown.

  3. If you accept the terms and conditions of the End User License Agreement of Astra Linux operating systems, select Yes and press Enter.

    This opens a window in which you can select the language for viewing the AO Kaspersky Lab End User License Agreement and Privacy Policy.

  4. Select the language for viewing the AO Kaspersky Lab End User License Agreement and Privacy Policy in the list and press Enter.

    This opens a window with the text of the AO Kaspersky Lab End User License Agreement.

  5. Read the AO Kaspersky Lab End User License Agreement.

    To move up and down, you can use the keys: ↑, ↓, PageUp, and PageDown.

  6. If you accept the terms and conditions of the AO Kaspersky Lab End User License Agreement, select the I accept button and press Enter.

    This opens a window with the text of the AO Kaspersky Lab Privacy Policy.

  7. Read the AO Kaspersky Lab Privacy Policy.
  8. If you accept the terms and conditions of the AO Kaspersky Lab Privacy Policy, select the I accept button and press Enter.

The Setup Wizard proceeds to the next step.


Step 2. Selecting a server role

To select a server role:

  1. Select one of the following options:
    • storage.

      This role is for installing a storage server for deploying the Central Node component as a cluster.

    • processing.

      This role is for installing a processing server for deploying the Central Node component as a cluster.

      The role also includes the installation and configuration of the Sensor component.

    • single.

      This role is for installing the Central Node and Sensor components on the same server.

    • sensor.

      This role is for installing the Sensor component on a standalone server.

  2. Press Enter.

The Setup Wizard proceeds to the next step.


Step 3. Selecting a disk for installing the component

You need at least 150 GB of disk space. If less than 150 GB of disk space is available, installation finishes with an error.

To select a disk for installing the component:

  1. Select one of the suggested drives for installing the component and press Enter.

    The confirmation window is displayed.

  2. Select Yes and press Enter.

The Setup Wizard proceeds to the next step.


Step 4. Selecting a network mask for cluster server addressing

We recommend using the default value.

The netmask must not match any netmask used in the organization's infrastructure.

To specify the network mask for cluster server addressing:

  • If you want to use the predefined value for the network mask, select the Ok button and press Enter.

    Default value: 198.18.0.0/16.

  • If you want to specify a different network mask, in the Subnet field, enter your value, select the Ok button, and press Enter.

    The mask must match the template: x.x.0.0/16.

The Setup Wizard proceeds to the next step.


Step 5. Selecting a network mask for addressing of application components

We recommend using the default value.

The network for application component addressing must not overlap with the network for cluster server addressing.

To specify the network mask for addressing the main components of the application:

  • If you want to use the predefined value for the network mask, select the Ok button and press Enter.

    Default value: 198.19.0.0/16.

  • If you want to specify a different network mask, in the Bridge/overlay subnets field, enter your value, select the Ok button, and press Enter.

    The mask must match the template: x.x.0.0/16.

The Setup Wizard proceeds to the next step.
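
The two network-mask steps, both in the storage server procedure and in the processing server procedure, share the same constraints: the x.x.0.0/16 template, no overlap between the two networks, and no clash with the organization's own addressing. The following shell sketch is an added example, not part of the Kaspersky documentation; it checks a planned pair of values before they are entered in the wizard. The function names and the organization subnets are constructed, and it reads the note about the organization's netmasks as a no-overlap requirement, which is an assumption.

```sh
#!/bin/sh
# Pre-flight check for the two /16 networks the Setup Wizard asks for.
# Function names and organization subnets are constructed for this example.

# ip_to_int A.B.C.D: print the address as an integer; fail on malformed input.
ip_to_int() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            0?*|????*) return 1 ;;   # no leading zeros, at most 3 digits
        esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# matches_template CIDR: succeed only for the wizard's x.x.0.0/16 form.
matches_template() {
    case "$1" in
        */16) ;;
        *) return 1 ;;
    esac
    value=$(ip_to_int "${1%/16}") || return 1
    [ $(( value & 65535 )) -eq 0 ]
}

# cidrs_overlap CIDR1 CIDR2: 0 = networks share addresses, 1 = disjoint,
# 2 = one of the arguments could not be parsed.
cidrs_overlap() {
    a=$(ip_to_int "${1%/*}") || return 2
    b=$(ip_to_int "${2%/*}") || return 2
    p=${1#*/}
    q=${2#*/}
    for len in "$p" "$q"; do
        case "$len" in
            ''|*[!0-9]*|0?*|???*) return 2 ;;
        esac
        [ "$len" -le 32 ] || return 2
    done
    # Two networks overlap when they agree on the shorter of the two prefixes.
    if [ "$p" -lt "$q" ]; then m=$p; else m=$q; fi
    mask=$(( (4294967295 << (32 - m)) & 4294967295 ))
    [ $(( a & mask )) -eq $(( b & mask )) ]
}

# check_plan SERVERS_NET COMPONENTS_NET [ORG_SUBNET...]
# Print every problem found; succeed only if there is none.
check_plan() {
    servers_net=$1
    components_net=$2
    shift 2
    problems=0
    for net in "$servers_net" "$components_net"; do
        if ! matches_template "$net"; then
            echo "FAIL: $net does not match the template x.x.0.0/16"
            problems=$((problems + 1))
        fi
    done
    if cidrs_overlap "$servers_net" "$components_net"; then
        echo "FAIL: component network $components_net overlaps server network $servers_net"
        problems=$((problems + 1))
    fi
    for org in "$@"; do
        for net in "$servers_net" "$components_net"; do
            rc=0
            cidrs_overlap "$net" "$org" || rc=$?
            case "$rc" in
                0) echo "FAIL: $net overlaps organization subnet $org"
                   problems=$((problems + 1)) ;;
                1) ;;
                *) echo "FAIL: cannot parse $net or $org"
                   problems=$((problems + 1)) ;;
            esac
        done
    done
    [ "$problems" -eq 0 ] && echo "OK: $servers_net and $components_net can be entered"
}

# Wizard defaults from the page, checked against constructed organization subnets.
check_plan 198.18.0.0/16 198.19.0.0/16 10.0.0.0/8 192.168.0.0/16
```
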


Step 6. Selecting the cluster network interface

The cluster network interface is used for communication between cluster servers.

To select the cluster network interface:

  1. Select the row containing the network interface that is used for the internal network.

    To select a row, you can use the ↑, ↓, PageUp, and PageDown keys. The selected row is highlighted in red.

  2. Press Enter.

The Setup Wizard proceeds to the next step.


Step 7. Selecting the external network interface

The external network interface is used for SSH access to the server, managing the web interface of Kaspersky Anti Targeted Attack Platform, and other external connections.

To select the external network interface:

  1. Select the row containing the network interface that is used for the external network.

    To select a row, you can use the ↑, ↓, PageUp, and PageDown keys. The selected row is highlighted in red.

  2. Press Enter.

The Setup Wizard proceeds to the next step.


Step 8. Selecting the method of obtaining IP addresses for network interfaces

To select a method for obtaining an IP address for network interfaces:

  1. Select the row containing Configuration type: and press Enter.

    To select a row, you can use the ↑, ↓, PageUp, and PageDown keys. The selected row is highlighted in red.

  2. In the opened window, select one of the following options:
    • dhcp.
    • static.
  3. If you selected static:
    1. Select the row containing the parameter and press the Enter key.
    2. In the opened window, enter the required data and press Enter twice.

      You need to specify a value for each parameter.

  4. Select the row containing Save.
  5. Press Enter.

The Setup Wizard proceeds to the next step.


Step 9. Authenticating the server in the cluster

To authenticate a server in the cluster, you need to enter the admin account password that was set when the first server in the cluster was deployed.

To authenticate a server in the cluster:

  1. In the password field, enter the password for the administrator account.
  2. Select Ok and press Enter.

    To select a button, you can use the ↑, ↓, PageUp, and PageDown keys.

The server in the cluster will be authenticated. The Setup Wizard proceeds to the next step.


Step 10. Selecting the localization language for the NDR functionality and configuring the receipt of mirrored traffic from SPAN ports

If you are deploying the first worker server of the cluster, at this step, you must complete the steps of the Setup Wizard in the following order:

  1. Select the localization language for the NDR functionality.
  2. Configure the receipt of mirrored traffic from SPAN ports.

If you are deploying an additional worker server, the NDR localization selection step is omitted. After authenticating the server in the cluster, the Setup Wizard proceeds to the step at which you configure the receipt of mirrored traffic from SPAN ports.


Selecting the localization language for the NDR functionality

The selected language is used to display the parts of the application that have to do with the NDR functionality.

To select the localization language for the NDR functionality:

Select it in the list and press Enter.

The localization language of the NDR functionality is selected. The Setup Wizard proceeds to the step at which you configure the receipt of mirrored traffic from SPAN ports.


Configuring receipt of mirrored traffic from SPAN ports

To turn on receipt of mirrored traffic from SPAN ports:

  1. In the window that opens, select Yes and press Enter.
  2. In the displayed list, select the network interfaces from which you want to capture network traffic.
  3. Select the line containing Apply and finish and press Enter.

The configuration may take some time. Then the installation is complete. For the application to work correctly, you must configure the server.

To turn off the receipt of mirrored traffic from SPAN ports:

In the opened window, select No and press Enter.

The configuration may take some time. Then the installation is complete. For the application to work correctly, you must configure the server.


Purging hard disks on storage servers

If you have a cluster deployed on servers and want to add more hard drives to these servers or replace some of the existing drives and then reinstall the cluster, you must purge the drives previously allocated for the OSD (Object Storage Daemon) on the storage servers before installing components. Otherwise, the application is not guaranteed to work correctly.

To purge the disks allocated for OSD on a live storage server:

  1. Sign in to the management console of the server where you want to purge the disks over SSH or through the terminal.
  2. Stop the OSD starter service by running sudo systemctl stop kata-osd-starter.service.
  3. Stop OSD containers by running sudo docker ps --filter name=osd -q | xargs docker stop.
  4. Get a list of OSD disks by running sudo ceph-volume --cluster ceph lvm list | grep devices.
  5. Purge these disks by running sudo ceph-volume lvm zap --destroy /dev/<disk name>.

    You must run this command for each drive that you got at step 4. For example: sudo ceph-volume lvm zap --destroy /dev/sda.

The OSD daemon is removed from the disks.
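
Steps 4 and 5 above, as an added dry-run sketch that is not part of the Kaspersky documentation: it extracts the disk paths from the listing and prints one zap command per disk without running anything, refusing any disk the operator marks as protected. The listing is a constructed sample, the function names are hypothetical, and the comma-separated form of a multi-disk devices line is an assumption.

```sh
#!/bin/sh
# Dry run for steps 4 and 5: list the OSD disks, then print (never execute)
# the zap command for each one. Function names are hypothetical.

# Constructed sample of `sudo ceph-volume --cluster ceph lvm list` output.
sample_listing() {
    cat <<'EOF'
====== osd.0 =======

  [block]       /dev/ceph-aaaa/osd-block-1111

      block device              /dev/ceph-aaaa/osd-block-1111
      osd id                    0
      type                      block
      devices                   /dev/sdb

====== osd.1 =======

  [block]       /dev/ceph-bbbb/osd-block-2222

      block device              /dev/ceph-bbbb/osd-block-2222
      osd id                    1
      type                      block
      devices                   /dev/sdc,/dev/sdd

  [db]          /dev/ceph-cccc/osd-db-3333

      db device                 /dev/ceph-cccc/osd-db-3333
      osd id                    1
      type                      db
      devices                   /dev/sdb
EOF
}

# osd_devices: read a listing on stdin and print each backing disk once.
# Assumption: several disks behind one volume appear comma-separated.
osd_devices() {
    awk '$1 == "devices" {
             n = split($2, disk, ",")
             for (i = 1; i <= n; i++) print disk[i]
         }' | sort -u
}

# zap_plan [PROTECTED_DISK...]: read disk paths on stdin and print the zap
# command for each. A protected or malformed path is refused and makes the
# function fail, so the plan is reviewed before anything is wiped.
zap_plan() {
    rc=0
    while IFS= read -r dev; do
        case "$dev" in
            /dev/|/dev/*[!A-Za-z0-9/_-]*)
                echo "# REFUSED: unexpected path '$dev'"; rc=1; continue ;;
            /dev/*) ;;
            *)
                echo "# REFUSED: '$dev' is not under /dev"; rc=1; continue ;;
        esac
        protected=0
        for keep in "$@"; do
            if [ "$dev" = "$keep" ]; then protected=1; fi
        done
        if [ "$protected" -eq 1 ]; then
            echo "# REFUSED: $dev is marked as protected"
            rc=1
        else
            echo "sudo ceph-volume lvm zap --destroy $dev"
        fi
    done
    return "$rc"
}

# Example run: /dev/sda stands for a system disk the operator wants to keep.
sample_listing | osd_devices | zap_plan /dev/sda
```

On a live storage server, replace `sample_listing` with the command from step 4 and review the printed plan before running any line of it.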

If the server is not live, you must delete the information about volume groups from each disk allocated for the OSD.

To delete the information about volume groups from each disk allocated for the OSD on a non-live server:

  1. Start the server with the alternative operating system.
  2. Get group IDs for each disk allocated for the OSD using the sudo pvs command.

    This command outputs a table where PV are physical volumes, VG indicates logical group membership, Fmt indicates the volume format, and Size indicates the physical volume size.

  3. Remove the relevant volume groups by running sudo vgremove <volume group ID>.

Information about volume groups on disks allocated for OSD is deleted.


Installing the Central Node component with Embedded Sensor on a server

Deploying the Central Node component with Embedded Sensor on a server involves the following steps:

  1. Installing the Central Node component with Embedded Sensor

    To install the component on the physical server, you need to boot from a disk image with the Central Node and Sensor components.

    To install the component on a virtual server, you need to connect the disk image with the Central Node and Sensor components to the selected virtual machine and boot the virtual machine. The installation starts immediately after the virtual machine is turned on. You can manage the installation process using the console of the virtual machine.

  2. Configuring the sizing settings of the application

    At the final stage of cluster deployment, you need to configure the scaling settings of the application: specify the planned volume of SPAN traffic, email traffic, the number of hosts with the Endpoint Agent component, as well as the size of the Storage and event database.

The Central Node component is always installed together with the Sensor component. If you need to use the Central Node component separately, turn off receipt of mirrored traffic from SPAN ports in step 10.

If an error occurred while performing the steps of the Setup Wizard, contact Technical Support.

In this section

Step 1. Viewing the End User License Agreement and Privacy Policy

Step 2. Selecting a server role

Step 3. Selecting a disk for installing the component

Step 4. Allocating the disk for the Targeted Attack Analyzer component's database

Step 5. Selecting a network mask for server addressing

Step 6. Selecting a network mask for addressing of application components

Step 7. Selecting the external network interface

Step 8. Selecting the method of obtaining IP addresses for network interfaces

Step 9. Creating the administrator account

Step 10. Selecting the localization language for the NDR functionality

Step 11. Adding DNS server addresses

Step 12. Configuring time synchronization with an NTP server

Step 13. Configuring receipt of mirrored traffic from SPAN ports


Step 1. Viewing the End User License Agreement and Privacy Policy

To continue the installation, you must read the End User License Agreement and Privacy Policy and accept their terms and conditions. Installation will not continue until you accept the terms of the End User License Agreement and Privacy Policy.

To accept the terms and conditions of the End User License Agreement and the Privacy Policy when installing the components based on the Ubuntu operating system:

  1. Select the language for viewing the AO Kaspersky Lab End User License Agreement and Privacy Policy in the list and press Enter.

    This opens a window with the text of the AO Kaspersky Lab End User License Agreement.

  2. Read the AO Kaspersky Lab End User License Agreement.

    To move up and down, you can use the keys: ↑, ↓, PageUp, and PageDown.

  3. If you accept the AO Kaspersky Lab End User License Agreement, select the I accept button and press Enter.

    This opens a window with the text of the AO Kaspersky Lab Privacy Policy.

  4. Read the AO Kaspersky Lab Privacy Policy.
  5. If you accept the terms and conditions of the AO Kaspersky Lab Privacy Policy, select the I accept button and press Enter.

The Setup Wizard proceeds to the next step.

To accept the terms and conditions of the End User License Agreement and the Privacy Policy when installing the components based on the Astra Linux operating system:

  1. Select the language for viewing the End User License Agreement for Astra Linux operating systems from the list by pressing the F1 key and press Enter.

    This opens a window with the text of the Astra Linux End User License Agreement.

  2. Read the End User License Agreement of the Astra Linux operating systems.

    To move up and down, you can use the keys: ↑, ↓, PageUp, and PageDown.

  3. If you accept the terms and conditions of the End User License Agreement of Astra Linux operating systems, select Yes and press Enter.

    This opens a window in which you can select the language for viewing the AO Kaspersky Lab End User License Agreement and Privacy Policy.

  4. Select the language for viewing the AO Kaspersky Lab End User License Agreement and Privacy Policy in the list and press Enter.

    This opens a window with the text of the AO Kaspersky Lab End User License Agreement.

  5. Read the AO Kaspersky Lab End User License Agreement.

    To move up and down, you can use the keys: ↑, ↓, PageUp, and PageDown.

  6. If you accept the terms and conditions of the AO Kaspersky Lab End User License Agreement, select the I accept button and press Enter.

    This opens a window with the text of the AO Kaspersky Lab Privacy Policy.

  7. Read the AO Kaspersky Lab Privacy Policy.
  8. If you accept the terms and conditions of the AO Kaspersky Lab Privacy Policy, select the I accept button and press Enter.

The Setup Wizard proceeds to the next step.


Step 2. Selecting a server role

To select a server role:

  1. Select one of the following options:
    • storage.

      This role is for installing a storage server for deploying the Central Node component as a cluster.

    • processing.

      This role is for installing a processing server for deploying the Central Node component as a cluster.

      The role also includes the installation and configuration of the Sensor component.

    • single.

      This role is for installing the Central Node and Sensor components on the same server.

    • sensor.

      This role is for installing the Sensor component on a standalone server.

  2. Press Enter.

The Setup Wizard proceeds to the next step.


Step 3. Selecting a disk for installing the component

You need at least 150 GB of disk space. If less than 150 GB of disk space is available, installation finishes with an error.

To select a disk for installing the component:

  1. Select one of the suggested drives for installing the component and press Enter.

    The confirmation window is displayed.

  2. Select Yes and press Enter.

The Setup Wizard proceeds to the next step.


Step 4. Allocating the disk for the Targeted Attack Analyzer component's database

For optimal performance of the Targeted Attack Analyzer component, it is advised that you allocate on the server a physical disk of at least 1 TB for the component's database.

In this step, you can allocate a physical disk for the Targeted Attack Analyzer component's database or decline allocating a physical disk.

To allocate the disk for the Targeted Attack Analyzer component's database:

  1. Select one of the suggested drives for the Targeted Attack Analyzer component database.

    If you do not need the database of the Targeted Attack Analyzer component, select the Do not allocate a separate disk for TAA line.

    The confirmation window is displayed.

  2. Select Yes and press Enter.

The Setup Wizard proceeds to the next step.


Step 5. Selecting a network mask for server addressing

We recommend using the default value.

The netmask must not match the netmasks used in the organization's infrastructure.

To specify the network mask for server addressing:

  • If you want to use the predefined value for the network mask, select the Ok button and press Enter.

    Default value: 198.18.0.0/16.

  • If you want to specify a different network mask, in the Subnet field, enter your value, select the Ok button, and press Enter.

    The mask must match the template: x.x.0.0/16.

The Setup Wizard proceeds to the next step.


Step 6. Selecting a network mask for addressing of application components

We recommend using the default value.

The network for application component addressing must not overlap with the network for server addressing.

To specify the network mask for addressing the main components of the application:

  • If you want to use the predefined value for the network mask, select the Ok button and press Enter.

    Default value: 198.19.0.0/16.

  • If you want to specify a different network mask, in the Bridge/overlay subnets field, enter your value, select the Ok button, and press Enter.

    The mask must match the template: x.x.0.0/16.

The Setup Wizard proceeds to the next step.


Step 7. Selecting the external network interface

The external network interface is used for SSH access to the server, managing the web interface of Kaspersky Anti Targeted Attack Platform, and other external connections.

To select the external network interface:

  1. Select the row containing the network interface that is used for the external network.

    To select a row, you can use the ↑, ↓, PageUp, and PageDown keys. The selected row is highlighted in red.

  2. Press Enter.

The Setup Wizard proceeds to the next step.


Step 8. Selecting the method of obtaining IP addresses for network interfaces

To select a method for obtaining an IP address for network interfaces:

  1. Select the row containing Configuration type: and press Enter.

    To select a row, you can use the ↑, ↓, PageUp, and PageDown keys. The selected row is highlighted in red.

  2. In the opened window, select one of the following options:
    • dhcp.
    • static.
  3. If you selected static:
    1. Select the row containing the parameter and press the Enter key.
    2. In the opened window, enter the required data and press Enter twice.

      You need to specify a value for each parameter.

  4. Select the row containing Save.
  5. Press Enter.

The Setup Wizard proceeds to the next step.


Step 9. Creating the administrator account

The administrator account is used for managing the web interface of the application, the administrator menu of the application, and for managing the application in Technical Support Mode.

By default, the user name of the administrator account is admin. You must enter a password for that user account.

To enter a password for the administrator user account:

  1. In the window that opens, in the min length field, enter the minimum password length. You must enter a value of 8 or greater.
  2. Select Ok and press Enter.

    This opens the password creation window.

  3. In the window that opens, in the password field, enter the password for the administrator account.

    To select a row, you can use the ↑, ↓, PageUp, and PageDown keys. The selected row is highlighted in red.

  4. In the confirm field, enter the password again.
  5. Select Ok and press Enter.

The Setup Wizard proceeds to the next step.


Step 10. Selecting the localization language for the NDR functionality

The selected language is used to display the parts of the application that have to do with the NDR functionality.

To select the localization language for the NDR functionality:

Select the language in the list and press Enter.


Step 11. Adding DNS server addresses

Configure the DNS settings for the operation of servers with application components.

To add DNS server addresses:

  1. Select the Add field and press Enter.
  2. Enter the IP address of the DNS server in the IPv4 format.
  3. If you want to add the IP address of an additional DNS server, select the Add field, press Enter and enter the address of the server.
  4. Having added all DNS servers, select the Continue field and press Enter.

The Setup Wizard proceeds to the next step.


Step 12. Configuring time synchronization with an NTP server

Configure synchronization of the server time with the NTP server.

  1. Select the Add field and press Enter.
  2. Enter the IP address or name of the NTP server.
  3. If you want to add the IP address or name of an additional NTP server, select the Add field, press Enter, and enter the IP address or name of the NTP server.
  4. Having added all NTP servers, select the Continue field and press Enter.

The Setup Wizard proceeds to the next step.


Step 13. Configuring receipt of mirrored traffic from SPAN ports

To turn on receipt of mirrored traffic from SPAN ports:

  1. In the window that opens, select Yes and press Enter.
  2. In the displayed list, select the network interfaces from which you want to capture network traffic.
  3. Select the line containing Apply and finish and press Enter.

The configuration may take some time. Then the installation is complete. For the application to work correctly, you must configure the server.

To turn off the receipt of mirrored traffic from SPAN ports:

In the opened window, select No and press Enter.

The configuration may take some time. Then the installation is complete. For the application to work correctly, you must configure the server.


Installing the Sensor component on a standalone server

To install the Sensor component on a physical server, you need to run a disk image with the Central Node and Sensor components.

To install the Sensor component on a virtual server, you need to connect the disk image with the Central Node and Sensor components to the selected virtual machine and run it. The installation starts immediately after the virtual machine is turned on. You can manage the installation process using the console of the virtual machine.

In this section:

Step 1. Viewing the End User License Agreement and Privacy Policy

Step 2. Selecting a server role

Step 3. Selecting a disk for installing the component

Step 4. Selecting a network mask for server addressing

Step 5. Selecting a network mask for addressing of application components

Step 6. Selecting the external network interface

Step 7. Selecting the method of obtaining IP addresses for network interfaces

Step 8. Creating the administrator account

Step 9. Adding DNS server addresses

Step 10. Configuring time synchronization with an NTP server

Step 11. Configuring receipt of mirrored traffic from SPAN ports


Step 1. Viewing the End User License Agreement and Privacy Policy

To continue the installation, you must read the End User License Agreement and Privacy Policy and accept their terms and conditions. Installation will not continue until you accept the terms of the End User License Agreement and Privacy Policy.

To accept the terms and conditions of the End User License Agreement and the Privacy Policy when installing the components based on the Ubuntu operating system:

  1. Select the language for viewing the AO Kaspersky Lab End User License Agreement and Privacy Policy in the list and press Enter.

    This opens a window with the text of the AO Kaspersky Lab End User License Agreement.

  2. Read the AO Kaspersky Lab End User License Agreement.

    To move up and down, you can use the keys: ↑, ↓, PageUp, and PageDown.

  3. If you accept the AO Kaspersky Lab End User License Agreement, select the I accept button and press Enter.

    This opens a window with the text of the AO Kaspersky Lab Privacy Policy.

  4. Read the AO Kaspersky Lab Privacy Policy.
  5. If you accept the terms and conditions of the AO Kaspersky Lab Privacy Policy, select the I accept button and press Enter.

The Setup Wizard proceeds to the next step.

To accept the terms and conditions of the End User License Agreement and the Privacy Policy when installing the components based on the Astra Linux operating system:

  1. Select the language for viewing the End User License Agreement for Astra Linux operating systems from the list by pressing the F1 key and press Enter.

    This opens a window with the text of the Astra Linux End User License Agreement.

  2. Read the End User License Agreement of the Astra Linux operating systems.

    To move up and down, you can use the keys: ↑, ↓, PageUp, and PageDown.

  3. If you accept the terms and conditions of the End User License Agreement of Astra Linux operating systems, select Yes and press Enter.

    This opens a window in which you can select the language for viewing the AO Kaspersky Lab End User License Agreement and Privacy Policy.

  4. Select the language for viewing the AO Kaspersky Lab End User License Agreement and Privacy Policy in the list and press Enter.

    This opens a window with the text of the AO Kaspersky Lab End User License Agreement.

  5. Read the AO Kaspersky Lab End User License Agreement.

    To move up and down, you can use the keys: ↑, ↓, PageUp, and PageDown.

  6. If you accept the terms and conditions of the AO Kaspersky Lab End User License Agreement, select the I accept button and press Enter.

    This opens a window with the text of the AO Kaspersky Lab Privacy Policy.

  7. Read the AO Kaspersky Lab Privacy Policy.
  8. If you accept the terms and conditions of the AO Kaspersky Lab Privacy Policy, select the I accept button and press Enter.

The Setup Wizard proceeds to the next step.


Step 2. Selecting a server role

To select a server role:

  1. Select one of the following options:
    • storage.

      This role is for installing a storage server for deploying the Central Node component as a cluster.

    • processing.

      This role is for installing a processing server for deploying the Central Node component as a cluster.

      The role also includes the installation and configuration of the Sensor component.

    • single.

      This role is for installing the Central Node and Sensor components on the same server.

    • sensor.

      This role is for installing the Sensor component on a standalone server.

  2. Press Enter.

The Setup Wizard proceeds to the next step.


Step 3. Selecting a disk for installing the component

You need at least 150 GB of disk space. If less than 150 GB of disk space is available, installation finishes with an error.

To select a disk for installing the component:

  1. Select one of the suggested drives for installing the component and press Enter.

    The confirmation window is displayed.

  2. Select Yes and press Enter.

The Setup Wizard proceeds to the next step.


Step 4. Selecting a network mask for server addressing

We recommend using the default value.

The netmask must not match the netmasks used in the organization's infrastructure.

To specify the network mask for server addressing:

  • If you want to use the predefined value for the network mask, select the Ok button and press Enter.

    Default value: 198.18.0.0/16.

  • If you want to specify a different network mask, in the Subnet field, enter your value, select the Ok button, and press Enter.

    The mask must match the template: x.x.0.0/16.

The Setup Wizard proceeds to the next step.


Step 5. Selecting a network mask for addressing of application components

We recommend using the default value.

The network for application component addressing must not overlap with the network for server addressing.

To specify the network mask for addressing the main components of the application:

  • If you want to use the predefined value for the network mask, select the Ok button and press Enter.

    Default value: 198.19.0.0/16.

  • If you want to specify a different network mask, in the Bridge/overlay subnets field, enter your value, select the Ok button, and press Enter.

    The mask must match the template: x.x.0.0/16.

The Setup Wizard proceeds to the next step.
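The rules stated in the two network mask steps of both installation procedures (the x.x.0.0/16 template and no overlap between the server network and the application component network) can be checked before the values are typed into the wizard. The script below is an added example, not part of the Kaspersky documentation; the function names and the sample organization networks are assumptions, and it reads the note about netmasks used in the organization's infrastructure as a no-overlap requirement.

```shell
#!/bin/sh
# Pre-check for the two internal networks requested by the Setup Wizard.
# Added example: function names and sample networks are assumptions.

# ip_to_int A.B.C.D: print the address as an integer, fail on malformed input.
ip_to_int() (
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|"") exit 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || exit 1
    for o in "$@"; do
        case "$o" in 0?*) exit 1 ;; esac          # no leading zeros (octal trap)
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || exit 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)

# cidr_range NET/PREFIX: print "first last", the integer bounds of the network.
cidr_range() (
    case "$1" in */*) ;; *) exit 1 ;; esac
    addr=${1%/*}; prefix=${1#*/}
    case "$prefix" in ""|*[!0-9]*|0?*|???*) exit 1 ;; esac
    [ "$prefix" -le 32 ] || exit 1
    ip=$(ip_to_int "$addr") || exit 1
    size=$(( 1 << (32 - prefix) ))
    first=$(( ip - ip % size ))
    echo "$first $(( first + size - 1 ))"
)

# cidrs_overlap A B: exit 0 when the two networks share at least one address.
cidrs_overlap() (
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ "$#" -eq 4 ] || exit 2
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
)

# matches_wizard_template NET: exit 0 when NET has the form x.x.0.0/16.
matches_wizard_template() (
    case "$1" in *.0.0/16) ;; *) exit 1 ;; esac
    ip_to_int "${1%/16}" >/dev/null
)

# check_wizard_subnets SERVER_NET COMPONENT_NET [ORG_NET...]
# Prints one line per problem; exit status 0 means both values are usable.
check_wizard_subnets() (
    server=$1; components=$2; shift 2
    rc=0
    for n in "$server" "$components"; do
        matches_wizard_template "$n" || { echo "template: $n is not x.x.0.0/16"; rc=1; }
    done
    [ "$rc" -eq 0 ] || exit 1
    if cidrs_overlap "$server" "$components"; then
        echo "overlap: $server and $components"; rc=1
    fi
    for org in "$@"; do
        for n in "$server" "$components"; do
            if cidrs_overlap "$n" "$org"; then
                echo "conflict: $n overlaps organization network $org"; rc=1
            fi
        done
    done
    exit "$rc"
)

# Wizard defaults checked against constructed organization networks.
check_wizard_subnets 198.18.0.0/16 198.19.0.0/16 10.0.0.0/8 192.168.0.0/16 || true
```
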


Step 6. Selecting the external network interface

The external network interface is used for SSH access to the server, managing the web interface of Kaspersky Anti Targeted Attack Platform, and other external connections.

To select the external network interface:

  1. Select the row containing the network interface that is used for the external network.

    To select a row, you can use the ↑, ↓, PageUp, and PageDown keys. The selected row is highlighted in red.

  2. Press Enter.

The Setup Wizard proceeds to the next step.


Step 7. Selecting the method of obtaining IP addresses for network interfaces

To select a method for obtaining an IP address for network interfaces:

  1. Select the row containing Configuration type: and press Enter.

    To select a row, you can use the ↑, ↓, PageUp, and PageDown keys. The selected row is highlighted in red.

  2. In the opened window, select one of the following options:
    • dhcp.
    • static.
  3. If you selected static:
    1. Select the row containing the parameter and press the Enter key.
    2. In the opened window, enter the required data and press Enter twice.

      You need to specify a value for each parameter.

  4. Select the row containing Save.
  5. Press Enter.

The Setup Wizard proceeds to the next step.


Step 8. Creating the administrator account

The administrator account is used for managing the web interface of the application, the administrator menu of the application, and for managing the application in Technical Support Mode.

By default, the user name of the administrator account is admin. You must enter a password for that user account.

To enter a password for the administrator user account:

  1. In the window that opens, in the min length field, enter the minimum password length. You must enter a value of 8 or greater.
  2. Select Ok and press Enter.

    This opens the password creation window.

  3. In the window that opens, in the password field, enter the password for the administrator account.

    To select a row, you can use the ↑, ↓, PageUp, and PageDown keys. The selected row is highlighted in red.

  4. In the confirm field, enter the password again.
  5. Select Ok and press Enter.

The Setup Wizard proceeds to the next step.


Step 9. Adding DNS server addresses

Configure the DNS settings for the operation of servers with application components.

To add DNS server addresses:

  1. Select the Add field and press Enter.
  2. Enter the IP address of the DNS server in the IPv4 format.
  3. If you want to add the IP address of an additional DNS server, select the Add field, press Enter and enter the address of the server.
  4. Having added all DNS servers, select the Continue field and press Enter.

The Setup Wizard proceeds to the next step.


Step 10. Configuring time synchronization with an NTP server

Configure synchronization of the server time with the NTP server.

  1. Select the Add field and press Enter.
  2. Enter the IP address or name of the NTP server.
  3. If you want to add the IP address or name of an additional NTP server, select the Add field, press Enter, and enter the IP address or name of the NTP server.
  4. Having added all NTP servers, select the Continue field and press Enter.

The Setup Wizard proceeds to the next step.


Step 11. Configuring receipt of mirrored traffic from SPAN ports

To turn on receipt of mirrored traffic from SPAN ports:

  1. In the displayed list, select the network interfaces from which you want to capture network traffic.
  2. Select the line containing Apply and finish and press Enter.

The configuration may take some time. Then the installation is complete.


Optimization of network interface settings for the Sensor component

Follow these instructions if the application encounters network packet loss or performance issues when processing network traffic.

To reduce network packet loss and incomplete extraction of files from traffic:

  1. Specify the maximum number of RSS queues:
    • If the data transfer rate on your network is less than 1 Gbps, set the number to 1.
    • If the data transfer rate on your network is greater than 1 Gbps, set the number to 16.

    If your network interface does not allow setting the maximum number of RSS queues to 16, set it to the maximum supported number.

  2. Configure symmetric RSS hashing for the network interface. For details on configuring RSS hashing, refer to the vendor documentation of your network adapter.
  3. Create an interrupts.sh file with the following content.

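    #!/usr/bin/env bash
    # Distribute the interrupts of a network interface across a range of CPU cores.
    # Usage: interrupts.sh <dev> <min_cpu> <max_cpu> <step>

    set -e

    dev=$1
    min_cpu=$2
    max_cpu=$3
    step=$4

    # IRQ numbers of every /proc/interrupts line that mentions the interface.
    irs=($(grep "$dev" /proc/interrupts | awk '{split($1,a,":"); print a[1]}'))

    cpu=$min_cpu
    for ir in "${irs[@]}"; do
        # Pin the IRQ to the current core.
        echo "$cpu" > "/proc/irq/$ir/smp_affinity_list"
        # Advance by <step>, wrapping inside the <min_cpu>..<max_cpu> range.
        cpu=$(( min_cpu + (cpu - min_cpu + step) % (max_cpu - min_cpu + 1) ))
        # Print the affinity that was applied.
        cat "/proc/irq/$ir/smp_affinity_list"
    done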

  4. Run the following command:

    sudo bash interrupts.sh <dev> <min_cpu> <max_cpu> <step>

    where:

    • <dev> is the network interface whose interrupts you want to distribute among cores.
    • <min_cpu> is the first core in the range for network adapter interrupt distribution.
    • <max_cpu> is the last core in the range for network adapter interrupt distribution.
    • <step> is the increment for picking the next core to assign to interrupts.

      Example:

      sudo bash interrupts.sh ens192 2 11 1

  5. If you are using NVIDIA Mellanox network adapters (mlx4), configure the number of RSS queues and RSS hashing by running the following commands:

    ethtool -L $dev rx 16

    ethtool -X $dev equal 16

    ethtool -X $dev hfunc xor

  6. If you are using Intel network adapters (i40e), configure the number of RSS queues and RSS hashing:

    rmmod i40e && modprobe i40e

    ifconfig $dev down

    ethtool -L $dev combined 16

    ethtool -K $dev rxhash on

    ethtool -K $dev ntuple on

    ifconfig $dev up

    ethtool -X $dev hkey 6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:

    5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A:6D:5A equal 16

    ethtool -A $dev rx off

    ethtool -C $dev adaptive-rx off adaptive-tx off rx-usecs 125

    ethtool -G $dev rx 1024

    ethtool -N $dev rx-flow-hash tcp4 sdfn

    ethtool -N $dev rx-flow-hash tcp6 sdfn

    ethtool -N $dev rx-flow-hash udp4 sdfn

    ethtool -N $dev rx-flow-hash udp6 sdfn

The network interfaces are configured.

After restarting the application, you must reconfigure the network interfaces following the instructions.
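Because the interrupt distribution has to be reapplied after every restart of the application, it helps to see which core each IRQ should be pinned to and whether the current state still matches. The script below is an added example, not part of the Kaspersky documentation: it only reads files and never writes to /proc, its function names and the sample /proc/interrupts content are constructed, and it assumes <min_cpu> and <max_cpu> bound an inclusive range, as the parameter descriptions state.

```shell
#!/bin/sh
# Added example: plan and audit IRQ pinning for one interface (read-only).

# plan_irq_affinity INTERRUPTS_FILE DEV MIN_CPU MAX_CPU STEP
# Prints "irq cpu" pairs: the core each of DEV's IRQs is expected to be pinned
# to when cores are handed out round-robin inside MIN_CPU..MAX_CPU.
plan_irq_affinity() {
    awk -v dev="$2" -v min="$3" -v max="$4" -v step="$5" '
        BEGIN { cpu = min + 0; span = max - min + 1 }
        $1 ~ /^[0-9]+:$/ && index($0, dev) {
            irq = $1; sub(/:/, "", irq)
            print irq, cpu
            cpu = min + (cpu - min + step) % span
        }' "$1"
}

# audit_irq_affinity INTERRUPTS_FILE IRQ_ROOT DEV MIN_CPU MAX_CPU STEP
# Compares the plan with IRQ_ROOT/<irq>/smp_affinity_list and prints every IRQ
# that drifted; exit status 1 means the distribution must be applied again.
audit_irq_affinity() {
    plan_irq_affinity "$1" "$3" "$4" "$5" "$6" | (
        drift=0
        while read -r irq want; do
            have=$(cat "$2/$irq/smp_affinity_list" 2>/dev/null || echo missing)
            if [ "$have" != "$want" ]; then
                echo "irq $irq: expected cpu $want, found $have"
                drift=1
            fi
        done
        exit "$drift"
    )
}

# Constructed sample data (not captured from a real Sensor server).
demo=$(mktemp -d)
cat > "$demo/interrupts" <<'EOF'
           CPU0       CPU1       CPU2       CPU3
  24:          0          0        311          0   PCI-MSI 1572864-edge      ens192-rxtx-0
  25:          0          0          0        120   PCI-MSI 1572865-edge      ens192-rxtx-1
  26:          0          0         98          0   PCI-MSI 1572866-edge      ens192-rxtx-2
  27:         77          4          9         12   PCI-MSI 1572867-edge      ens192-rxtx-3
  30:          5          0          0          0   PCI-MSI 524288-edge       ahci[0000:02:01.0]
 NMI:          0          0          0          0   Non-maskable interrupts
EOF
# IRQ 27 is back on the default "all cores" list, as after a restart.
for pair in 24:2 25:3 26:2 27:0-3; do
    mkdir -p "$demo/irq/${pair%%:*}"
    echo "${pair#*:}" > "$demo/irq/${pair%%:*}/smp_affinity_list"
done

plan_irq_affinity "$demo/interrupts" ens192 2 3 1
audit_irq_affinity "$demo/interrupts" "$demo/irq" ens192 2 3 1 \
    || echo "drift found: run interrupts.sh again"
```

On a real server the same audit is `audit_irq_affinity /proc/interrupts /proc/irq <dev> <min_cpu> <max_cpu> <step>` with the values that were passed to interrupts.sh.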


Connecting and configuring external storage for the Sensor component

Kaspersky Anti Targeted Attack Platform saves traffic received from network interfaces as network traffic dump files. If you want to ensure long-term storage of network traffic dump files, you can connect and configure external storage. You can use network traffic dump files in external storage to download network traffic as PCAP files. We recommend using SSD drives as external storage.

To connect and configure external storage for network traffic dump files on a server with the Sensor and Central Node components installed:

  1. Connect a disk of at least 100 GB that you want to use as external storage.
  2. Enter Technical Support Mode.
  3. Run the following commands:

    sudo -i

    fdisk -l

    Make sure that the disk that you connected for external storage is displayed in the console.

  4. Run the following commands:

    mke2fs -t ext4 -L DATA -m 0 /dev/<name of the connected disk>

    sudo nano /etc/fstab

    This opens the fstab file in a text editor.

  5. Add the following line at the end of the file:

    /dev/<name of the connected disk> /data/volumes/dumps/ ext4 defaults 0 0

  6. Close the text editor.
  7. Run the following commands:

    mount

    rm -r /data/volumes/dumps/*

    These commands delete all data from the connected disk.

    The connected disk will be configured for use as external storage.

  8. Run the following commands:

    chown kluser:klusers /data/volumes/dumps/

    ls -lah /data/volumes/dumps/

    lsblk

    Make sure that in the MOUNTPOINTS column, /data/volumes/dumps is displayed next to the name of the connected disk.

  9. Run the following commands:

    docker stop $(docker ps | grep preprocessor_span | awk '{print $1}')

    docker ps | grep preprocessor_span

    Wait until Up 2 seconds appears in the console.

  10. Run the following commands:

    docker exec -it $(docker ps | grep preprocessor_span | awk '{print $1}') bash

    lsblk

    Make sure that in the MOUNTPOINTS column, the /mnt/kaspersky/nta/dumps value is displayed next to the name of the connected disk.

  11. Select the Sensor servers section in the window of the application web interface.
  12. Click the card of the relevant Sensor component.

    This opens a window with information about the component.

  13. Click Edit.
  14. Select the External storage tab and use the Connect external storage for traffic dump files switch to enable external storage mode.
  15. Set the space limit for storing the traffic dump files under Maximum size.

    You can select the unit of measure for the space limit: MB or GB.

  16. If necessary, in the Filtering using BPF section, enable filtering and enter an expression for filtering using the BPF (Berkeley Packet Filter) technology. The BPF filtering expression is written in the libpcap format. For more details about the syntax, please refer to the pcap-filter manual page.
  17. If necessary, in the Storage time limit section, enable a limit on the minimum storage time for the files and specify the relevant number of days.
  18. Click Save.

External storage for network traffic dump files on the server with Sensor and Central Node installed is connected and configured.

To connect and configure external storage for network traffic dump files on a standalone server with the Sensor component installed:

  1. Connect a disk of at least 100 GB that you want to use as external storage.
  2. Enter Technical Support Mode.
  3. Run the following commands:

    sudo -i

    fdisk -l

    Make sure that the disk that you connected for external storage is displayed in the console.

  4. Run the following commands:

    mke2fs -t ext4 -L DATA -m 0 /dev/<name of the connected disk>

    sudo nano /etc/fstab

    This opens the fstab file in a text editor.

  5. Add the following line at the end of the file:

    /dev/<name of the connected disk> /data/volumes/dumps/ ext4 defaults 0 0

  6. Close the text editor.
  7. Run the following command:

    rm -r /data/volumes/dumps/*

    This command deletes all data from the connected disk.

  8. Select the Sensor servers section in the window of the application web interface.
  9. Click the card of the relevant Sensor component.

    This opens a window with information about the component.

  10. Click Edit.
  11. Select the External storage tab and use the Connect external storage for traffic dump files switch to enable external storage mode.
  12. Set the space limit for storing the traffic dump files under Maximum size.

    You can select the unit of measure for the space limit: MB or GB.

  13. If necessary, in the Filtering using BPF section, enable filtering and enter an expression for filtering using the BPF (Berkeley Packet Filter) technology. The BPF filtering expression is written in the libpcap format. For more details about the syntax, please refer to the pcap-filter manual page.
  14. If necessary, in the Storage time limit section, enable a limit on the minimum storage time for the files and specify the relevant number of days.
  15. Click Save.

External storage for network traffic dump files on the standalone server with the Sensor component installed is connected and configured.
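Both procedures run rm -r /data/volumes/dumps/* after editing fstab, and that command empties whatever file system is behind the directory at that moment. The guard below is an added example, not part of the Kaspersky documentation: it confirms that the device named in fstab is the one actually mounted on /data/volumes/dumps as ext4 before anything is deleted. The function names are assumptions and /dev/sdb in the sample files is a constructed placeholder.

```shell
#!/bin/sh
# Added example: confirm the external disk is really mounted before deleting.
DUMPS=/data/volumes/dumps

# fstab_dumps_device FSTAB: device of the last non-comment entry whose mount
# point is $DUMPS (a trailing slash, as in the line added to fstab, is accepted).
fstab_dumps_device() {
    awk -v mp="$DUMPS" '
        $1 ~ /^#/ { next }
        { p = $2; sub(/\/+$/, "", p) }
        p == mp { dev = $1 }
        END { if (dev == "") exit 1; print dev }' "$1"
}

# mounted_dumps MOUNTS: "device fstype" of what is mounted on $DUMPS right now,
# read from a file in /proc/mounts format (the kernel prints no trailing slash).
mounted_dumps() {
    awk -v mp="$DUMPS" '
        $2 == mp { hit = $1 " " $3 }
        END { if (hit == "") exit 1; print hit }' "$1"
}

# dumps_ready FSTAB MOUNTS: exit 0 only when the fstab device is the one mounted
# on $DUMPS as ext4, so that deleting $DUMPS/* can only touch the connected disk.
dumps_ready() (
    want=$(fstab_dumps_device "$1") \
        || { echo "fstab: no entry for $DUMPS"; exit 1; }
    now=$(mounted_dumps "$2") \
        || { echo "mount: nothing mounted on $DUMPS ($want expected)"; exit 1; }
    dev=${now% *}; fs=${now#* }
    [ "$dev" = "$want" ] || { echo "mount: $dev is mounted, fstab names $want"; exit 1; }
    [ "$fs" = ext4 ] || { echo "mount: $dev is $fs, not ext4"; exit 1; }
    echo "ok: $dev ($fs) on $DUMPS"
)

# Constructed sample files: state before and after the disk is mounted.
c_dir=$(mktemp -d)
printf '%s\n' '# /etc/fstab' \
    '/dev/sda2 / ext4 errors=remount-ro 0 1' \
    '/dev/sdb /data/volumes/dumps/ ext4 defaults 0 0' > "$c_dir/fstab"
printf '%s\n' '/dev/sda2 / ext4 rw,relatime 0 0' > "$c_dir/mounts.before"
printf '%s\n' '/dev/sda2 / ext4 rw,relatime 0 0' \
    '/dev/sdb /data/volumes/dumps ext4 rw,relatime 0 0' > "$c_dir/mounts.after"

dumps_ready "$c_dir/fstab" "$c_dir/mounts.before" || true
dumps_ready "$c_dir/fstab" "$c_dir/mounts.after"
```

On the server itself the check is `dumps_ready /etc/fstab /proc/mounts`, run immediately before the rm step.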
