Symantec Endpoint Detection and Response 4.4 Installation Guide for Dell 8840 and 8880 appliances

Guide for Dell 8840 and 8880 appliances Symantec Endpoint … · 2020. 6. 8. · Symantec™ Endpoint Detection and Response 4.4 Installation Guide for Dell 8840 and 8880 appliances



Symantec™ Endpoint Detection and Response 4.4 Installation Guide for Dell 8840 and 8880 appliances


Table of Contents

Copyright statement ... 4
About Symantec Endpoint Detection and Response ... 5
  About Symantec Endpoint Detection and Response ... 5
System Requirements ... 7
  Symantec EDR version support for appliances ... 7
  Browser requirements for the EDR appliance console ... 7
  System requirements for Symantec Endpoint Protection integration ... 7
Planning for installation ... 9
  Pre-installation checklist for physical appliances ... 9
  Physical appliance installation worksheet ... 10
  About operating roles, operating modes, and network connections ... 13
  Supported connections for Dell appliances by appliance role ... 15
  About selecting a network scanner ... 16
  About network configurations and port connections ... 16
  Where to place the appliance in your network for best results ... 18
  Required firewall ports ... 22
  Proxy recommendations ... 26
  Symantec EDR platform support matrix ... 26
  Obtaining a Symantec EDR license file and installing it ... 28
Installing an appliance ... 29
  Dell appliance installation workflow ... 29
  Installing the 8840 appliance ... 30
  Installing the 8880 appliance ... 32
  Symantec Endpoint Detection and Response Dell appliance specifications ... 34
Configuring the iDRAC on a physical appliance ... 35
  About the iDRAC ... 35
  Configuring the iDRAC (8880 appliance only) ... 35
  Configuring the iDRAC using a monitor, keyboard, and optional mouse ... 36
Running bootstrap ... 38
  Running bootstrap to configure the appliance ... 38
  status_check command ... 39
Running the setup wizard ... 41
  Running the setup wizard ... 41
Post-installation tasks ... 43
  Completing setup tasks ... 43
  Testing Symantec EDR for successful monitoring or blocking ... 44
    Testing the appliance bypass mode ... 44
  Accessing the EDR appliance console ... 45
Data migration during upgrade to ATP v.3.1 ... 46
  Data migration during upgrade to Advanced Threat Protection v.3.1 ... 46
  About the data migration process ... 46
Appendix Materials ... 48
Appendix A: Ports, connectors, and indicators on the appliance ... 49
  About appliance ports, connectors, and indicators ... 49


Copyright statement

Copyright ©2020 Broadcom. All rights reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.

This documentation and any related computer software help programs (hereinafter referred to as the “Documentation”) are for your informational purposes only and are subject to change or withdrawal by Broadcom at any time. This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of Broadcom. This Documentation is confidential and proprietary information of Broadcom and may not be disclosed by you or used for any purpose other than as may be permitted in a separate confidentiality agreement between you and Broadcom.

Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation, you may print a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all Broadcom copyright notices and legends are affixed to each reproduced copy.

The right to print copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to Broadcom that all copies and partial copies of the Documentation have been returned to Broadcom or destroyed.

TO THE EXTENT PERMITTED BY APPLICABLE LAW OR AS AGREED BY BROADCOM IN ITS APPLICABLE LICENSE AGREEMENT, BROADCOM PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL BROADCOM BE LIABLE TO THE END USER OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF BROADCOM IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

The use of any software product referenced in the Documentation is governed by the applicable license agreement and such license agreement is not modified in any way by the terms of this notice.

The manufacturer of this Documentation is Symantec, a Broadcom Company.

Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.


About Symantec Endpoint Detection and Response

Symantec Endpoint Detection and Response performs the critical security tasks that detect, protect, and respond to threats to your network. Symantec EDR consists of the following control points:

Symantec EDR Network Sensor: Processes the network stream in real time across all Internet ports and protocols and passes it through various filters and detection engines. Symantec EDR can detect events on unmonitored endpoints as traffic passes through the scanner. Because Symantec EDR has no SEP agent information for such an endpoint, it cannot provide all of the information about it, such as the user name, last check-in, or SEPM group.

Symantec EDR Endpoint Detection and Response: Gathers information by proxying communications between Symantec Endpoint Protection clients and Symantec, and by leveraging SEP's Endpoint Communications Channel (ECC) functionality.

Symantec Email Threat Detection and Response: Integrates with Symantec Email Security.cloud to uncover the attacks that enter your organization through email.

Symantec EDR uses Synapse to correlate network event data with email event data, web event data, and endpoint event data. The Synapse correlation engine automatically matches events from SEP, Email Security.cloud, Web Security.cloud, and Symantec EDR to reduce the volume of security alerts. As incidents are detected, they are correlated with other incidents discovered on your network to show overall attack patterns and prioritize the most significant threats.

Symantec EDR employs the following detection technologies:

Vantage: A signature-based detection engine that finds threats in the network stream.

Insight: Insight accesses the world's largest reputation database and has reputation intelligence on over 8 billion files. Insight is a Symantec-owned reputation request service for Insight reputation queries. This service gathers information about the Windows executable files that are observed on endpoints.

Mobile Insight: Mobile Insight performs for Android applications the same analyses that Insight performs for Windows executable files. In addition to malware detection, Mobile Insight also detects privacy and performance issues in mobile apps.

Antivirus engine: The antivirus engine is a signature-based technology that detects malware.

Sandboxing: Symantec's sandboxing technologies detonate files in a virtual sandbox environment, analyze the results, and report each step of the observed behavior. The sandboxes use machine-learning technology to compare the results to known bad attributes. They then correlate your data with real-world data provided by the Symantec Global Intelligence Network to determine whether the files are malicious.

Blacklists and whitelists: Symantec global blacklist and whitelist feeds, which are updated regularly on the Symantec ATP appliances, accelerate detection and optimize performance. You can also create custom blacklists and whitelists that you maintain through Symantec EDR.

SONAR: Symantec Endpoint Protection includes Symantec Online Network for Advanced Response (SONAR) technology for process behavior detection and remediation. However, SEP on its own provides no insight into these details. When you integrate Symantec EDR and SEP, Symantec EDR can provide insight into SONAR detections. SONAR detects the system changes that have occurred on your managed endpoints, the order in which they occurred, and related file attributes. This information gives you greater visibility into the activity that occurs in your environment. SONAR uses a heuristics system that combines Symantec's online intelligence network with proactive local monitoring on SEP endpoints to detect emerging threats. SONAR also detects changes or behavior on the endpoints that you should monitor. SONAR does not make detections based on application type, but on how a process behaves.

Suspicious file classifier: Symantec EDR uses a file classifier to analyze files with unknown dispositions. The file classifier breaks files down by their attributes to determine whether the file is good or malicious. The classifier uses decision trees that are trained with millions of files. This technology uses machine learning instead of signatures or sandbox detonation.


System Requirements

Symantec EDR version support for appliances

The following appliance models support Advanced Threat Protection 3.0 and later and Symantec EDR 4.0 and later:

• Dell 8880
• Dell 8840

Symantec EDR 8880 and 8840 appliances include an Integrated Dell Remote Access Controller (iDRAC). The iDRAC console requires the latest version of the Java Runtime Environment (JRE) installed on your administrative client.

Browser requirements for the EDR appliance console

Table 1 lists the web browsers that are compatible with the EDR appliance console. JavaScript must be enabled in the browser and cookies must be allowed. The minimum resolution for viewing the EDR appliance console is 1280x1024.

Table 1: Browser requirements for the EDR appliance console

Browser | Version
Microsoft Internet Explorer | 11 or later (Note: Quick filters are not supported.)
Mozilla Firefox | 70 or later
Google Chrome | 78 or later
Microsoft Edge | 42 or later (Note: Quick filters are not supported.)
Safari | Not supported
Opera | Not supported

System requirements for Symantec Endpoint Protection integration

Symantec Endpoint Protection version requirements

Symantec Endpoint Detection and Response can integrate with Symantec™ Endpoint Protection to enrich event information and to provide Endpoint Communications Channel (ECC) functionality. Symantec EDR has version requirements for the various components of SEP.

The minimum SEPM version is 12.1 RU6. Symantec EDR can connect to multiple SEP sites, with one connection per SEP site, up to a total of ten connections to SEPM hosts.

Symantec EDR can manage client endpoints that run SEP 12.1 RU6 MP3 or later with full ECC functionality. However, clients must be running SEP 14 or later to take advantage of ECC 2.0 functionality.

Client endpoints that run versions earlier than SEP 12.1 RU5 are not supported. Some functionality is limited for clients that run versions between SEP 12.1 RU5 and 12.1 RU6 MP3. The Symantec EDR documentation describes any functionality limits based on the version of the SEP client.

Embedded database requirements

SEPM can store logs either in an internal embedded database or in an external Microsoft SQL Server database. Symantec EDR can access an external Microsoft SQL Server database without any special host system requirements. When SEPM uses an embedded database, Symantec EDR uses a log collector on the SEPM host. This log collector requires the SEPM host to be running one of the following operating systems:

• Windows 7 (64-bit only)
• Windows 8 (64-bit only)
• Windows Server 2008
• Windows Server 2012
• Windows Server 2012 R2 or later (recommended)

See the Symantec Endpoint Protection documentation for SEPM system requirements.


Planning for installation

Pre-installation checklist for physical appliances

Table 2 lists the actions to complete and the information to have ready before you install a physical appliance.

Table 2: Pre-installation checklist

Action/Item: Ensure your environment has the required resources.
See: Symantec EDR version support for appliances; Symantec EDR platform support matrix

Action/Item: For initial setup, have a computer available with an Ethernet port and with web browser access to:
• The management port network.
• The iDRAC (physical appliance only).
Description: The computer that you use to configure the appliance must have access to the management network the Symantec EDR device is on, for example by connecting to a switch or router. If you set up a physical appliance, the computer also must have network access to the iDRAC.

Action/Item: Have Ethernet cables (up to four normal cables and two crossover cables) available.
Description: The number and types of cables depend on your network configuration and the number of LAN and WAN ports on the appliance. For example, to permit the Ethernet interfaces to negotiate 1000 Mbps, either Cat5e or Cat6 cables are required. You may need crossover cables for an inline deployment. Crossover cables aren't required if one or both of the devices (switch, firewall) connected to the WAN port and LAN port support automatic MDI/MDI-X.
See: Where to place the appliance in your network for best results

Action/Item: Open required ports on the firewall and other network devices.
Description: Make sure that the necessary ports are open on your firewall and other network devices to allow traffic from or to the Symantec EDR device, for example HTTP 80 and HTTPS 443.
See: Required firewall ports

Action/Item: Decide on the operating role and operating mode.
Description: The operating roles are as follows:
• All-in-one
• Management platform
• Network scanner
See: About operating roles, operating modes, and network connections; About network configurations and port connections

Action/Item: Obtain the license file and make sure that the license file is accessible.
Description: Make sure you can browse to and select the Symantec license file from the computer you use to run the setup wizard.
See: Obtaining a Symantec EDR license file and installing it

Action/Item: Complete the installation worksheet.
Description: Make all of the decisions that you'll need for installation before you start. Having this information at hand ensures that the installation process runs smoothly and quickly.
See: Physical appliance installation worksheet

Physical appliance installation worksheet

Symantec recommends that you complete the installation worksheet fully before commencing installation. Provide this checklist to the administrators who will be performing the installation tasks. You should also retain a copy for your records for archival and backup purposes.

Table 3: Set up the iDRAC (Dell appliance installation only)

Configuration: Choose the IP address, subnet mask, gateway address, and password for the iDRAC.
Description: The integrated Dell Remote Access Controller (iDRAC) on the physical appliance provides console access to the appliance. Although integrated, the iDRAC is a separate device that requires its own network address to function. The password is required to access the iDRAC's browser-based interface.
Value to input:
  IP address: ________.________.________.________
  Subnet mask: _________________________________
  Gateway address: ________.________.________.________
  Password: Provide this information to the administrator installing the appliance by a secure method. Ensure that the password is retained in a secure location for archival purposes.

See: Configuring the iDRAC (8880 appliance only); Configuring the iDRAC using a monitor, keyboard, and optional mouse

Table 4: Bootstrap configuration (all physical appliances)

Prompt: New password:
Description: A new, secure password for the console. This password replaces the default password, symantec.
Value to input: Provide this information to the administrator installing the appliance by a secure method. Ensure that the password is retained in a secure location for archival purposes.

Prompt: Weak password. Try another [y/n]?
Description: Note: A password that is similar to a word in the dictionary, is too short, or is not complex enough is less secure. Symantec EDR asks you to confirm before it accepts a weak password.
Value to input: ________ yes ________ no

Prompt: Re-enter new password:
Description: Confirm the new password.
Value to input: Provide this information to the administrator installing the appliance by a secure method. Ensure that the password is retained in a secure location for archival purposes.

Prompt: Select one of the following appliance roles: 1 = Management platform ..., 2 = Network scanner ..., 3 = All-in-one ... []?
Description: Specify the appliance's role. See About operating roles, operating modes, and network connections.
Value to input: _______ 1 - Management platform _______ 2 - Network scanner _______ 3 - All-in-one

Prompt: Configure the management port. IPv4 address []:
Description: The static IP for the management port. For a management platform or all-in-one appliance, this IP address is used to access the EDR appliance console from a browser.
Value to input: ________.________.________.________

Prompt: IPv4 netmask []:
Description: The network mask for the management port IPv4 address.
Value to input: ________.________.________.________

Prompt: Gateway []:
Description: The IP address of the gateway (switch or router) that the appliance uses to communicate with the rest of your network.
Value to input: ________.________.________.________

Prompt: Name server (IPv4) []:
Description: The IP address of a name server that the appliance can use to resolve host names.
Value to input: ________.________.________.________

Prompt: Configure another nameserver? [y/n]
Description: Yes to add an additional name server, or no to use only one name server. If yes, provide the IP address of a second name server.
Value to input: ________ yes ________.________.________.________ ________ no

Prompt (network scanner role only): IP address of the Management Platform:
Description: The management port IP address of the management platform appliance that controls this scanner.
Value to input: ________.________.________.________

Prompt (management platform or network scanner roles only): Communication Channel password:
Description: A secure password used to encrypt communications between the management platform and all of its network scanners. This password must be the same on the management platform and on all network scanners. It should be different from the management console password. Letters, numbers, periods, underscores, and hyphens are allowed, and the password can be up to 50 characters.
Value to input: Provide this information to the administrator installing the appliance by a secure method. Ensure that the password is retained in a secure location for archival purposes.

Prompt (management platform or network scanner roles only): Re-enter Communication Channel password:
Description: Confirm the password.
Value to input: Provide this information to the administrator installing the appliance by a secure method. Ensure that the password is retained in a secure location for archival purposes.

Prompt: Configure IPv4 static routes? [y/n]
Description: Yes to configure an IPv4 static route, or no to skip this configuration step. Static routes may be required; for example, use static routes to connect a network scanner to its management platform.
Value to input: ________ yes ________ no

Prompt: Destination (CIDR allowed): / Gateway:
Description: If you choose to configure IPv4 static routes, provide a destination address (CIDR notation allowed) and the gateway IP address.
Value to input: ________.________.________.________ via ________.________.________.________

Prompt: Add another route? [y/n]
Description: Yes to configure an additional IPv4 static route; no to go to the next prompt. You can configure up to three IPv4 static routes in bootstrap. You can configure additional static routes in the EDR appliance console.
Value to input: ________ yes (up to three supported)
  ________.________.________.________
  ________.________.________.________
  ________.________.________.________
  ________ no

Prompt: What do you want to call this device?
Description: The name that identifies this system in the EDR appliance console. Letters, numbers, spaces, periods, and hyphens are allowed, and the name can be up to 50 characters.
Value to input: __________________________________

Prompt: Set NTP server []
Description: The IP address or FQDN of the NTP server. Setting an NTP server ensures that the appliance has accurate time to indicate when detections occurred.
Value to input: ________.________.________.________

See: Running bootstrap to configure the appliance
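The worksheet above fixes several constraints that are easy to get wrong on paper: the iDRAC needs its own address, the management port gateway must sit on the management subnet, the Communication Channel password is limited to letters, digits, periods, underscores and hyphens (50 characters) and must differ from the console password, bootstrap accepts one or two name servers and at most three static routes, and the factory console password symantec must be replaced. The following Python script is an added example, not part of the Symantec guide or of the appliance software: it checks a completed worksheet for those rules before anyone types the values at the console. The weak-password heuristic (minimum length, three character classes, a small word list with common digit-for-letter substitutions undone) is an assumption made for the example and is not the appliance's own check; the sample worksheet values are constructed.

```python
"""Pre-flight checks for a Symantec EDR physical-appliance installation worksheet.
Added example, not from the Symantec guide: it validates the values written into
Table 3 (iDRAC) and Table 4 (bootstrap) before they are typed at the console."""
import ipaddress
import re
import string

MAX_BOOTSTRAP_ROUTES = 3                               # documented bootstrap limit
FACTORY_DEFAULT_PASSWORD = "symantec"                  # replaced at the first bootstrap prompt
COMM_PW_RE = re.compile(r"[A-Za-z0-9._-]{1,50}")       # letters, digits, . _ - (max 50)
DEVICE_NAME_RE = re.compile(r"[A-Za-z0-9 .-]{1,50}")   # letters, digits, space . - (max 50)
FQDN_RE = re.compile(r"(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}")
# Assumption: this small word list stands in for the guide's "word in the Dictionary" test.
COMMON_WORDS = ("symantec", "password", "welcome", "broadcom", "qwerty", "letmein")


def password_is_weak(pw: str, min_len: int = 12) -> bool:
    """Assumed heuristic mirroring the prompt's criteria (too short, fewer than three
    character classes, built around a dictionary word); not the appliance's own check."""
    if len(pw) < min_len:
        return True
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    if sum(any(c in cls for c in pw) for cls in classes) < 3:
        return True
    # Undo common substitutions (4->a, 0->o, 3->e, 1->i, 5/$->s, @->a), then keep letters only.
    normalized = re.sub(r"[^a-z]", "", pw.lower().translate(str.maketrans("40315$@", "aoeissa")))
    return any(word in normalized for word in COMMON_WORDS)


def is_ipv4(value: str) -> bool:
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def validate_interface(ip: str, netmask: str, gateway: str) -> list[str]:
    """Static IP, dotted netmask and gateway for one port (management port or iDRAC)."""
    try:
        net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
        addr, gw = ipaddress.IPv4Address(ip), ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        return [f"malformed address field: {exc}"]
    errors = []
    if addr in (net.network_address, net.broadcast_address):
        errors.append(f"{ip} is the network or broadcast address of {net}")
    if gw not in net or gw == addr:
        errors.append(f"gateway {gateway} is not a distinct host on {net}")
    return errors


def validate_worksheet(ws: dict) -> list[str]:
    """Check one completed worksheet; returns the problems found (empty list means OK)."""
    errors = [f"iDRAC: {e}" for e in validate_interface(ws["idrac_ip"], ws["idrac_netmask"], ws["idrac_gateway"])]
    errors += [f"management port: {e}" for e in validate_interface(ws["mgmt_ip"], ws["mgmt_netmask"], ws["mgmt_gateway"])]
    if ws["idrac_ip"] == ws["mgmt_ip"]:
        errors.append("iDRAC is a separate device and needs its own address, not the management port IP")
    if ws["role"] == 2 and not is_ipv4(ws.get("management_platform_ip", "")):
        errors.append("network scanner role needs the management platform's management port IP")
    if ws["role"] in (1, 2):                            # channel password exists only for these roles
        channel_pw = ws.get("comm_channel_password", "")
        if not COMM_PW_RE.fullmatch(channel_pw):
            errors.append("Communication Channel password: letters, digits, '.', '_' and '-' only, max 50 chars")
        if channel_pw == ws["console_password"]:
            errors.append("Communication Channel password should differ from the console password")
    if ws["console_password"] == FACTORY_DEFAULT_PASSWORD:
        errors.append("console password is still the factory default")
    elif password_is_weak(ws["console_password"]):
        errors.append("console password is weak; bootstrap will ask you to confirm it")
    if not 1 <= len(ws["name_servers"]) <= 2:
        errors.append("bootstrap accepts one or two name servers")
    errors += [f"name server {ns!r} is not an IPv4 address" for ns in ws["name_servers"] if not is_ipv4(ns)]
    routes = ws.get("static_routes", [])
    if len(routes) > MAX_BOOTSTRAP_ROUTES:
        errors.append(f"bootstrap takes at most {MAX_BOOTSTRAP_ROUTES} static routes; add the rest in the console")
    for dest, gw in routes:                             # destination may be CIDR; gateway is a plain IPv4
        try:
            ipaddress.IPv4Network(dest, strict=False), ipaddress.IPv4Address(gw)
        except ValueError:
            errors.append(f"static route {dest} via {gw} is malformed")
    if not DEVICE_NAME_RE.fullmatch(ws["device_name"]):
        errors.append("device name: letters, digits, spaces, '.' and '-' only, max 50 chars")
    if not (is_ipv4(ws["ntp_server"]) or FQDN_RE.fullmatch(ws["ntp_server"])):
        errors.append(f"NTP server {ws['ntp_server']!r} is neither an IPv4 address nor an FQDN")
    return errors


# Constructed sample worksheet (values invented for this example): the installer kept the
# factory console password and used '@' in the Communication Channel password.
SAMPLE_WORKSHEET = {
    "idrac_ip": "10.10.5.20", "idrac_netmask": "255.255.255.0", "idrac_gateway": "10.10.5.1",
    "mgmt_ip": "10.10.6.20", "mgmt_netmask": "255.255.255.0", "mgmt_gateway": "10.10.6.1",
    "role": 2, "management_platform_ip": "10.10.7.20", "console_password": "symantec",
    "comm_channel_password": "Scan3r-ch@nnel", "name_servers": ["10.10.6.53"],
    "static_routes": [("10.10.7.0/24", "10.10.6.254")], "device_name": "edr-scanner-01",
    "ntp_server": "ntp.example.net",
}
```

Calling `validate_worksheet(SAMPLE_WORKSHEET)` returns two problems (the '@' in the Communication Channel password and the unchanged factory console password); with a compliant channel password and a strong console password it returns an empty list. Run it against the real worksheet values before the console session, not after, since the operating role cannot be changed without reinstalling the appliance software.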

Table 5: Setup wizard

Configuration: Access the EDR appliance console.
Description: Browse to the static IP for the management port that was specified during bootstrap.
Value to input: ________.________.________.________

Configuration: Upload license
Description: You must upload a license before the Symantec EDR device is functional. You cannot use Symantec EDR after initial installation without a license; no grace period exists.
Value to input: Symantec EDR license location: ______________________________________

Configuration: SMTP settings
Description: Symantec strongly recommends that you specify the SMTP settings in the setup wizard. Doing so lets you recover a lost password. Otherwise, you can check Skip adding SMTP server configuration and specify the settings later in the EDR appliance console.

Configuration: SMTP server and port
Description: The fully qualified domain name and port number of the secure mail server.
Value to input: Server: _________________________________ Port: _______

Configuration: Appliance email
Description: The email address from which alerts, such as a license expiration notification, are sent.
Value to input: ___________________@_____________._____

Configuration: Authorize
Description: If your mail server requires a secure logon before it accepts messages, type a user name and password that Symantec EDR can use to authenticate with the mail server.
Value to input:
  User name: _______________________________
  Password: Provide this information to the administrator installing the appliance by a secure method. Ensure that the password is retained in a secure location for archival purposes.

Configuration: Create an administrative account
Description: These are the login credentials for the initial administrator account. You need this logon to complete the setup wizard. This administrator can create additional user accounts, including additional administrator accounts.
Value to input:
  Logon name (initial administrator logon name): _______________________________
  Display name (the initial administrator's display name as it appears in the EDR appliance console): _______________________________
  User email address (the initial administrator's email address for notifications): ____________________@____________._____

See: Running the setup wizard

Installation worksheet completed by:

Name: _______________________________________ Date: _________________________


Provided to:

EDR Administrator: _____________________________ Date: _________________________

About operating roles, operating modes, and network connectionsYou configure each appliance for Symantec EDR with an operating role and an operating mode. Together, thesedetermine how the device is connected to your network and how it functions to protect your network and to report threats.

Operating roles | Operating modes and network connections

Operating roles

You can deploy the appliance as a management platform, network scanner, or all-in-one device. You assign the operatingrole when you run bootstrap on the appliance. These roles have the following functionality:

Management platform: If two or more appliances are installed, one should be deployed in the Management platform role. A management platform hosts the EDR appliance console and displays incidents and endpoints at risk for all connected scanners. The management platform presents a comprehensive view of malicious activity on your network. The management platform also centralizes configuration, management, and reporting functions. The management platform does not scan network traffic.

Network scanner: If two or more appliances are installed, all devices except the management platform should be deployed as network scanners. Each network scanner can monitor traffic on a different network and send its incident data to the management platform. Depending on the operating mode, the network scanner may block malicious traffic in real time. A network scanner does not have the EDR appliance console. You configure and manage the network scanner from the management platform. Its incident data is consolidated with the incident data from other network scanners and reported from the management platform. When your network expands, additional network scanners can be installed and connected to the management platform to protect the new networks.

All-in-one: If only one appliance is installed, it should be deployed in all-in-one mode. An all-in-one device performs the functions of both the management platform and network scanner role.

NOTE

An all-in-one device cannot function as a management platform for network scanners. Only an appliance that is assigned the management platform role can manage a network scanner.

The roles you choose depend upon the throughput of network traffic. For small to medium-sized installations, you should have one appliance running in the all-in-one role. For larger installations, you would install multiple appliances with one acting in the management platform role and the remaining appliances acting as network scanners.

Running bootstrap to configure the appliance

To change the operating role of an appliance after initial installation, you must reinstall the appliance software.

Operating modes and network connections

The operating mode controls how your network traffic is processed. It also affects how the appliance is physically connected to your network.

Symantec EDR operating modes and network connections describes the Symantec EDR modes that are available for the appliances and the network connections that are required for each role. You must assign a static IP address to each Symantec EDR network connection.


Table 6: Symantec EDR operating modes and network connections

Mode: Inline Block
Description: In Inline Block mode, network traffic passes through the appliance between the endpoints and the Internet. Any file downloads, accessed websites, and traffic that are considered malicious are blocked. Only Inline Block mode provides real-time protection against threats. The ATP 8880 model has two Inline interfaces in Inline Block mode.
Network connections required: 1 Management, 2 WAN, 2 LAN (Model 8880 only: 2 WAN and 2 LAN)

Mode: Inline Monitor
Description: In Inline Monitor mode, network traffic passes through the appliance between the endpoints and the Internet. Malicious files, websites, and traffic are logged for visibility but are not blocked. Any threats that are found in Inline Monitor mode must be mitigated manually. Inline Monitor mode is often used as a test for system performance and to analyze potential behavior for blocking (from reports) before blocking is implemented. The physical connections for Inline Block and Inline Monitor modes are identical, so no re-cabling is necessary when you switch between these modes.
Network connections required: 1 Management, 1 WAN, 1 LAN (Model 8880 only: 2 WAN and 2 LAN)

Mode: Bypass (Inline mode failsafe)
Description: A physical appliance that is configured for Inline mode automatically switches to bypass mode if the appliance cannot function. It also switches to bypass mode if it is turned off. In bypass mode, Internet traffic continues to flow through the LAN port and WAN port, but no blocking or monitoring occurs. Normal operations resume when you restart the appliance or reenable scanning. Symantec EDR NICs operate in either standard NIC mode (no bridging between the LAN port and WAN port) or in bypass mode (bridging between the LAN port and WAN port) depending on these circumstances:
• Installed out of the box: Standard NIC mode
• Configured for Inline deployment: Bypass mode
• Configured for Tap deployment: Standard NIC mode
• Reimaged (factory reset) after any previous deployment: Standard NIC mode
Network connections required: Same as Inline Block or Inline Monitor

Mode: Tap
Description: In Tap mode, the appliance connects to a Tap or Span port on a switch. The appliance monitors a copy of the traffic between the endpoints and the Internet so monitoring incidents and logging incidents do not affect network performance. Because the monitoring and logging engines work at different intervals, there may be a slight delay in detecting incidents. All threats must be mitigated manually. The 8880 model can monitor up to four monitor ports on separate networks in Tap mode. The 8840 model can monitor up to two monitor ports on separate networks in Tap mode.
Network connections required: 1 Management, 1 Monitor connection for each network monitored

Mode: Management platform
Description: In management platform mode, all communications and management go through the management port. Since a management platform appliance does not scan, only the management connection is required.
Network connections required: 1 Management


You choose the operating mode for an all-in-one device or network scanner from the EDR appliance console. A management platform operates in management platform mode automatically.

About network configurations and port connections

Where to place the appliance in your network for best results

Supported connections for Dell appliances by appliance role

The physical network connections to the appliance vary depending on the appliance model and the role the appliance has in the network. The tables in this topic show the connections for the various models and roles.

IMPORTANT: The appliances have multiple ethernet ports, some of which cannot be used and are not supported if enabled. No ethernet cables should be connected to ports that are not clearly labeled as:

• Management
• Monitor 1 / WAN 1
• Monitor 2 / LAN 1
• Monitor 3 / WAN 2
• Monitor 4 / LAN 2

NICs labelled as Gb2, Gb3, Gb4, etc. are not supported. The iDRAC port is separate hardware and not seen by the appliance software.

Table 7: Role: Management platform

Model  Hardware Version  Management Port
8880   R730              eth0
8880   R720              eth0
8840   R330              eth0
8840   R220              eth0

Table 8: Role: All-in-one

Model  Hardware Version  Management Port  Monitor1 / WAN 1  Monitor2 / LAN 1  Monitor3 / WAN 2  Monitor4 / LAN 2
8880   R730              eth0             eth7              eth6              eth5              eth4
8880   R720              eth0             eth7              eth6              eth5              eth4
8840   R330              eth0             eth3              eth2              N/A               N/A
8840   R220              eth0             eth2              eth3              N/A               N/A

Table 9: Role: Scanner

Model  Hardware Version  Management Port  Monitor1 / WAN 1  Monitor2 / LAN 1  Monitor3 / WAN 2  Monitor4 / LAN 2
8880   R730              eth0             eth7              eth6              eth5              eth4
8880   R720              eth0             eth7              eth6              eth5              eth4
8840   R330              eth0             eth3              eth2              N/A               N/A
8840   R220              eth0             eth2              eth3              N/A               N/A

About appliance ports, connectors, and indicators

About selecting a network scanner

The following factors determine the number of recommended network scanners.

Hardware versus virtual: Make this decision based on your current infrastructure. Users with extensive VMware investment might want to use virtual appliances. Users with little or no VMware investment should use hardware. Hardware solutions have bypass NICs, so on failure Symantec EDR continues to pass traffic when deployed inline. Therefore, real hardware is preferred for inline deployments. For more information, see the Installation Guide for your respective platform (physical or virtual appliance).

Available bandwidth: The hardware solutions have higher throughput than virtual solutions. R220 and R330 have a throughput of 1 Gbps in their single NIC. R720 and R730 have two NICs that can achieve 1 Gbps each. See the Symantec Endpoint Detection and Response Sizing Guide for more information.

Total endpoints in the organization: While each deployment varies, R220 and R330 have a capacity of approximately 10K simultaneous connections. R720 and R730s can support 25K simultaneous connections. These numbers are for inline mode. In Tap mode, hardware can support approximately twice the number of connections as inline.

Symantec EDR features: If the deployment is to use mostly network scanning, then a separate scanner and management platform deployment provides room to increase scanning capacity. In this case, the physical appliance has more storage capacity and is suitable for the management platform. The number of scanners would depend on the number of ingress and egress points in the network and the amount of traffic at those points. An all-in-one deployment needs to be able to handle all the traffic for the projected growth of the organization for the lifetime of the appliance. If the deployment functions primarily as Symantec EDR: Endpoint, then select an all-in-one deployment.

About network configurations and port connections

The following table describes the ways to connect Symantec Endpoint Detection and Response to your network.

NOTE

Port connections vary by appliance model, version, and role.


Supported connections by appliance role

Each entry lists the network configuration, its description, and what to connect the Management, WAN, and LAN ports to.

Network configuration: Simple port span/tap
Description: This configuration monitors the traffic between the endpoints and the Internet but does not block file transfers or websites. Internet-bound traffic is copied to the switch port using port mirroring that is configured on the switch itself. This configuration uses two monitor ports and one management connection. This setup is easy and is useful as an initial test of Symantec EDR.
Connect Management to: Port on your LAN switch
Connect WAN to: Connect Monitor1 to network tap or port on your LAN switch that is set to span mode
Connect LAN to: Not used

Network configuration: Port span/tap with multiple monitor ports
Description: This configuration uses two monitor ports and one management connection. Extra monitor ports allow the same appliance to connect to multiple switches from different subnets. This configuration does not block file transfers or websites.
Connect Management to: Port on your LAN switch
Connect WAN to: Connect Monitor1 to network tap or port on your LAN switch that is set to span mode
Connect LAN to: Connect Monitor2 to network tap or port on your LAN switch that is set to span mode

Network configuration: Simple inline
Description: You can block file transfers and websites using this configuration. Inline configuration requires more network connections than port span/tap. Ideally, you should deploy Symantec EDR inline between the client and the firewall. If you use a proxy, you should connect the appliance between the client and the proxy.
Connect Management to: Port on your LAN switch
Connect WAN to: Internet firewall LAN port
Connect LAN to: Port on your LAN switch

Network configuration: Inline with two firewalls, two proxies, and two appliances
Description: You can connect two appliances to two firewalls as part of a high-availability environment. You can configure the firewalls in active/active failover or active/standby failover. Configure the appliances identically except for the network settings. Both appliances should be connected to the same management platform.
Connect Management to: Port on your LAN switch
Connect WAN to: Internet firewall LAN port
Connect LAN to: Port on your LAN switch

Network configuration: Management platform
Description: In a management platform configuration, an appliance is configured to manage other appliances. This appliance does not scan, so it requires only a management connection.
Connect Management to: Port on your LAN switch
Connect WAN to: Not used
Connect LAN to: Not used

Where to place the appliance in your network for best results

Where to place the appliance in your network for best results

The placement of your appliance depends upon whether the appliance is a management platform, network scanner, or all-in-one device. The Symantec Endpoint Detection and Response appliance must be able to perform the following depending upon its role:

• Scan all network traffic coming into and out of the organization
• Determine the source and destination of all traffic
• Detect internal connection endpoints
• Act as a network proxy for endpoints (if integrating with Symantec Endpoint Protection Manager)
• Have a minimal effect on network performance

If your architecture includes a demilitarized zone (DMZ) and you integrate Symantec EDR with Symantec Endpoint Protection, don't place the following in the DMZ:

• Management platform appliance
• All-in-one appliance
• SEP

Deploying the appliance between a proxy and firewall prevents Symantec EDR from detecting the IP address of the source endpoint. So in this scenario, you must enable the X-Forwarded-For: header field. You might also need to configure your firewall to strip the X-Forwarded-For: header field.

Symantec EDR does not scan traffic between internal computers. The exception is when one of the computers is a proxyserver. The internal traffic that is routed to a proxy server is scanned because it is outbound network traffic.

If you want Symantec EDR to reach the Internet through a proxy server, you must treat the appliance as a trusted device and disable authentication. Symantec EDR does not support passing Basic Authentication credentials to the proxy. Symantec EDR supports Basic or Simple Password Authentication to the proxy.


You can use the management port for any of the following:

• To access the EDR appliance console.
• For communication to Symantec's servers (e.g., LiveUpdate, cloud-based sandboxing, Insight, telemetry, etc.).
• To facilitate communication to SEPM and endpoints for the endpoint proxy.

The management network should not be open to the Internet as a whole. If you need access to the management network from outside, a VPN or short-lived Remote Desktop connection is recommended.

In Inline mode, the management port must be on a different subnet from the Inline interface.

The following figures show examples of network configurations.

NOTE

You can use the ATP 8840 or 8880 appliance in any of these configurations.

You might need crossover cables for Inline deployment if devices connected to WAN port and LAN port don't haveautomatic MDI/MDI-X configuration.


About network configurations and port connections

Supported connections by appliance role

Physical appliance installation workflow

Required firewall ports

Depending on your network layout, you may need to open some ports on your firewall and edit your firewall rules. These changes let you access the important web addresses that are essential for Symantec Endpoint Detection and Response operations.

Symantec EDR web and IP addresses lists the web and IP addresses to which Symantec EDR requires access.


Table 10: Symantec EDR web and IP addresses

Each entry lists the web address or IP address, the protocol and port, and what the address is used for.

• remotetunnel1.edrc.symantec.com, remotetunnel2.edrc.symantec.com, remotetunnel3.edrc.symantec.com, remotetunnel4.edrc.symantec.com, remotetunnel5.edrc.symantec.com (HTTPS, 443): Permits Symantec Support remote access to the Symantec EDR appliance
• https://api-gateway.symantec.com (TCP, 443): Accesses Symantec's Targeted Attack Analytics service
• licensing.dmas.symantec.com (TCP, 443): Used to get the Cynic license
• api.us.dmas.symantec.com, api.eu.dmas.symantec.com (TCP, 443): Used to perform queries to the Cynic US and UK servers (required)
• liveupdate.symantec.com (TCP, 80): Used to check for and download definitions for Symantec's detection technologies
• ratings-wrs.symantec.com (TCP, 443): Used to query Norton Safe Web server to identify malicious websites
• stnd-avpg.crsi.symantec.com, stnd-ipsg.crsi.symantec.com (TCP, 443): Used to send detection telemetry to Symantec
• register.brightmail.com (TCP, 443): Used to register the appliance
• swupdate.brightmail.com (TCP, 443): Used to check for and download new releases of Symantec EDR
• shasta-rrs.symantec.com, shasta-mrs.symantec.com (TCP, 443): Used to perform reputation lookups for Windows executable and APK installable files
• datafeedapi.symanteccloud.com (TCP, 443): Used to download EDR: Roaming and Email Security.cloud events
• stats.norton.com (TCP, 443): When telemetry is configured, used to send statistics telemetry to Symantec
• telemetry.symantec.com (TCP, 443): When telemetry is configured, used to send file telemetry and to upload diagnostic packages to Symantec
• EDR appliance console (TCP, 443 inbound or in the range of 1024 to 9997): Access to Symantec EDR public API
• *.edrc.symantec.com (TCP, 443), based on the Pod or Cloud that the account is provisioned on, for example cloud1.edrc.symantec.com: Used to register and connect your appliances with the Symantec EDR Cloud
• https://sso1.edrc.symantec.com (TCP, 443): Used for SSO

Symantec EDR ports and settings describes the ports that Symantec EDR uses for communications, content updates, and interactions with Symantec.cloud detection services.


Table 11: Symantec EDR ports and settings

Each entry lists the service, its protocol and port, the source (From) and destination (To) of the connection, and a description.

Back up
  Protocol/Port: FTP; SSH. 20 TCP, UDP; 21 TCP; 22 TCP, UDP
  From: Management platform or all-in-one appliances
  To: Configured backup storage server (Internal traffic)
  Description: FTP server: FTP ports 20, 21. SSH server: SSH port 22

Email notifications
  Protocol/Port: SMTP. 25 TCP; 587 TCP
  From: Management platform or all-in-one appliance
  To: SMTP server (Internal traffic)
  Description: Communication with the SMTP server

Content updates
  Protocol/Port: HTTP. 80 TCP
  From: All appliances
  To: Symantec (External traffic)
  Description: Virus and Vantage definitions, and other content that LiveUpdate delivers. This port is required for proper functioning of the product.

Statistics delivery
  Protocol/Port: HTTP. 80 TCP
  From: All appliances
  To: Symantec (External traffic)
  Description: Sends the data to Symantec for statistical and diagnostic purposes. Private data is not sent over this port.

(ECC) 2.0
  Protocol/Port: HTTPS 443; HTTP 80
  From: Managed SEP endpoints
  To: Symantec EDR
  Description: Communicates commands to the endpoints

ECC 1.0
  Protocol/Port: HTTPS 8446
  From: Symantec EDR
  To: SEPM
  Description: Commands to SEPM

RRS/endpoint submissions ECC 2.0
  Protocol/Port: HTTPS 443; HTTP 8080
  From: SEP
  To: Symantec EDR
  Description: The SEPM private cloud that lets endpoints communicate with Symantec EDR

RRS/endpoint submissions ECC 1.0
  Protocol/Port: HTTPS 443; HTTP 80; HTTP 8443¹
  From: SEP
  To: Symantec EDR
  Description: The SEPM private cloud that lets endpoints communicate with Symantec EDR

Symantec cloud detection, analysis, and correlation services and telemetry services
  Protocol/Port: 443 TCP
  From: All appliances
  To: Symantec (External traffic)
  Description: Cloud service queries and telemetry data exchanges. If the endpoint activity recorder is enabled, SEP sends conviction events directly to Symantec EDR.

Antivirus and intrusion prevention conviction information (if endpoint activity recorder enabled)
  Protocol/Port: HTTPS; HTTP. HTTP 8080 TCP or HTTPS 443 TCP; HTTP 80 TCP or HTTPS 8443 TCP
  From: SEP clients
  To: Symantec EDR management platform
  Description: Information about the files and the network traffic that SEP detects.

Antivirus and intrusion prevention conviction information (if endpoint activity recorder disabled)
  Protocol/Port: HTTPS 443 TCP; HTTP 80
  From: Symantec EDR management platform
  To: Symantec (External traffic)
  Description: Information about files and the network traffic that SEP detects

Product updates
  Protocol/Port: HTTPS. 443 TCP
  From: All appliances
  To: Symantec (External traffic)
  Description: Finds and delivers new versions of Symantec EDR

EDR appliance console
  Protocol/Port: HTTPS. 443 TCP (inbound) or in the range of 1024 to 9997
  From: Client connecting to manage an appliance
  To: Management platform or all-in-one appliance (Internal traffic)
  Description: EDR appliance console access for an all-in-one appliance or management platform

EDR appliance console, network scanners, and all-in-one
  Protocol/Port: SSH. 22
  From: Client connecting to manage an appliance
  To: Management platform, scanner, or all-in-one appliance (Internal traffic)
  Description: Command-line access for an all-in-one appliance or management platform

Synapse SEPM connection with Microsoft SQL Server (optional)
  Protocol/Port: JDBC. 1433 TCP (default)
  From: Management platform or all-in-one appliance
  To: SEPM Microsoft SQL Server (Internal traffic)
  Description: Required if using the Microsoft SQL Server for SEPM and Synapse. SEPM administrators can configure a different port for this communication.

Communication channel (management platform and network scanner installations only)
  Protocol/Port: AMQP. 5671 TCP; 5672 TCP
  From: Network scanner appliance
  To: Management platform (Internal traffic)
  Description: Communications between the management platform and network scanners. Not required for an all-in-one installation. After the initial exchange on this port, the communication is secured.

Blocking page (Inline Block mode only)
  Protocol/Port: HTTP. 8080 TCP
  From: Network scanner
  To: Protected endpoints (Internal traffic)
  Description: Sends the blocking page when content is blocked at an endpoint. Not required for Inline Monitor or Tap/Span modes.

Synapse SEPM connection with Embedded DB (optional)
  Protocol/Port: HTTPS. 8081 TCP (default)
  From: Management platform or all-in-one appliance
  To: SEPM server (Internal traffic)
  Description: Required if using the embedded database for Synapse connection to SEPM

Synapse SEPM connection with the SEPM web services Remote Management and Monitoring (RMM) service (optional)
  Protocol/Port: HTTPS. 8446 TCP (default)
  From: Management platform or all-in-one appliance
  To: SEPM Server
  Description: Required if connecting to the SEPM server for executing management operations. For example, adding or removing items from the blacklist or placing an endpoint under quarantine.

Syslog
  Protocol/Port: Syslog. TCP (preferred) or UDP; the port should be the same as configured in the EDR appliance console for syslog
  From: All appliances
  To: Configured Syslog server (Internal or external traffic based on your environment)
  Description: If syslog is configured, this connection delivers log messages to remote syslog

EDR: Roaming, EDR: Email
  Protocol/Port: HTTPS. 443 TCP
  From: Management platform or all-in-one appliance
  To: Symantec
  Description: This connection lets Symantec EDR collect conviction events from EDR: Roaming and EDR: Email when Synapse Correlation is enabled for either one of these services

Active Directory
  Protocol/Port: LDAPS. 636
  From: Management platform or all-in-one appliance
  To: Active Directory server
  Description: This connection allows Symantec EDR to integrate with Active Directory for user authentication

Security Analytics link
  Protocol/Port: HTTPS; TCP/UDP. 443
  From: Management platform or all-in-one appliance
  To: Symantec Security Analytics appliance or virtual appliance
  Description: This connection lets Symantec EDR integrate with Symantec Security Analytics to provide a link on individual log events to navigate users to additional information on related network motion

¹ Port 8443 is only available if you were using this port on previous versions of Symantec EDR and have since updated. If you are installing Symantec EDR for the first time, this port is not available.
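Working through these tables against a firewall's deny log is quicker when the requirements are in machine-readable form. The following Python script is an added example, not part of the Symantec guide or product: it encodes the external destinations from Table 10 and sorts firewall DENY events sourced from the appliance into destinations that must be opened and egress that Table 10 does not list (an appliance that only needs the listed destinations should not be reaching anything else, so a deny outside the list is worth a look). The log format, the sample log lines and the appliance address 10.20.0.5 are constructed for the example; real firewalls and proxies log in their own formats, so the regular expression is the part to adapt.

```python
"""Triage firewall DENY events against the egress Symantec EDR requires.

Added example: not part of the Symantec guide or product. The destination
list is copied from Table 10 (external destinations only); the log format,
the sample log lines and the appliance address are constructed here.
"""
import re
from fnmatch import fnmatchcase

# External destinations from Table 10 as (hostname pattern, protocol, port).
REQUIRED_EGRESS = [
    ("remotetunnel[1-5].edrc.symantec.com", "tcp", 443),
    ("api-gateway.symantec.com", "tcp", 443),
    ("licensing.dmas.symantec.com", "tcp", 443),
    ("api.us.dmas.symantec.com", "tcp", 443),
    ("api.eu.dmas.symantec.com", "tcp", 443),
    ("liveupdate.symantec.com", "tcp", 80),
    ("ratings-wrs.symantec.com", "tcp", 443),
    ("stnd-avpg.crsi.symantec.com", "tcp", 443),
    ("stnd-ipsg.crsi.symantec.com", "tcp", 443),
    ("register.brightmail.com", "tcp", 443),
    ("swupdate.brightmail.com", "tcp", 443),
    ("shasta-rrs.symantec.com", "tcp", 443),
    ("shasta-mrs.symantec.com", "tcp", 443),
    ("datafeedapi.symanteccloud.com", "tcp", 443),
    ("stats.norton.com", "tcp", 443),
    ("telemetry.symantec.com", "tcp", 443),
    ("*.edrc.symantec.com", "tcp", 443),
]

# Constructed log format (not any vendor's): one event per line, key=value
# fields, with the destination FQDN recorded as application-aware firewalls
# and proxies commonly do.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"host=(?P<host>\S+) proto=(?P<proto>tcp|udp) dport=(?P<port>\d+)$"
)

# Constructed sample: 10.20.0.5 is the appliance, 10.20.0.77 is some other host.
SAMPLE_LOG = """\
2020-06-08T10:01:02Z DENY src=10.20.0.5 dst=198.51.100.10 host=liveupdate.symantec.com proto=tcp dport=80
2020-06-08T10:01:07Z DENY src=10.20.0.5 dst=198.51.100.20 host=cloud1.edrc.symantec.com proto=tcp dport=443
2020-06-08T10:02:11Z DENY src=10.20.0.5 dst=203.0.113.9 host=updates.example.net proto=tcp dport=443
2020-06-08T10:02:30Z DENY src=10.20.0.77 dst=198.51.100.10 host=liveupdate.symantec.com proto=tcp dport=80
2020-06-08T10:03:00Z ALLOW src=10.20.0.5 dst=198.51.100.30 host=telemetry.symantec.com proto=tcp dport=443
"""


def is_required(host, proto, port):
    """True if (host, proto, port) is one of the Table 10 destinations."""
    host = host.lower()
    return any(
        fnmatchcase(host, pattern) and proto == p and port == n
        for pattern, p, n in REQUIRED_EGRESS
    )


def parse_events(log_text):
    """Yield parsed events; lines that do not match the format are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield {**m.groupdict(), "port": int(m.group("port"))}


def triage(log_text, appliance_ips):
    """Split DENY events sourced from the appliance into two lists.

    'open'        - required EDR destinations the firewall is blocking
    'investigate' - egress the appliance attempted that Table 10 does not list
    Each list holds unique (host, proto, port) tuples in first-seen order.
    """
    result = {"open": [], "investigate": []}
    for ev in parse_events(log_text):
        if ev["action"] != "DENY" or ev["src"] not in appliance_ips:
            continue
        key = (ev["host"].lower(), ev["proto"], ev["port"])
        bucket = "open" if is_required(*key) else "investigate"
        if key not in result[bucket]:
            result[bucket].append(key)
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, {"10.20.0.5"})
    for name, items in report.items():
        print(name)
        for host, proto, port in items:
            print(f"  {host} {proto}/{port}")
```

Run as-is, the script reports liveupdate.symantec.com tcp/80 and cloud1.edrc.symantec.com tcp/443 under "open" (the wildcard entry covers any edrc.symantec.com pod) and updates.example.net under "investigate"; the deny from 10.20.0.77 is ignored because it is not the appliance. Inbound rules for the console and SSH ports in Table 11 are a separate matter: those should be reachable only from the management network, as the placement section above says.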

Where to place the appliance in your network for best results

Physical appliance installation workflow

Proxy recommendations

The following are Symantec's proxy recommendations:

Network scanning: Proxy deployment options are as follows:

• Deploy Symantec EDR between the internal network and the proxy. This deployment configuration is recommended. When customers deploy Symantec EDR between the internal network and the proxy, it gives Symantec EDR full visibility of endpoint information. When you are load balancing proxies, you must deploy Symantec EDR between the internal network and the farm of proxies. This placement ensures Symantec EDR can fail over to the proxy. In this scenario, the LAN port of the proxy is a good place to plug in Symantec EDR inline.

• Deploy Symantec EDR between the proxy and their firewall. When customers deploy Symantec EDR between the proxy and their firewall, customers must enable the X-forwarded-for feature on the proxy. The firewall must have the ability to strip out the X-forwarded-for tag. Customers should see the documentation for their firewall for instructions on how to remove this tag. The disadvantage of this deployment is that it requires more effort to configure.

Management traffic from Symantec EDR to Symantec back-end servers: This proxy traffic does not support SSL interception. If the proxy server has SSL interception enabled, customers must create a policy to let Symantec traffic bypass. Such a policy prevents the proxy from inspecting Symantec traffic, thereby reducing resource demands.
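Both the placement guidance earlier (Where to place the appliance in your network for best results) and the second proxy deployment option above depend on the X-Forwarded-For header when the appliance sits between the proxy and the firewall. The following Python model is an added example, not part of the Symantec guide or product: it walks one request through endpoint, proxy, inspection point and firewall to show why the header is needed for source attribution in that placement, why only the entry appended by your own proxy should be believed (a client can put anything in the header it sends), and what stripping the header at the firewall achieves (internal addresses do not leave the network). The addresses and the set of trusted proxies are constructed.

```python
"""X-Forwarded-For handling when an inspection point sits behind a proxy.

Added example, not part of the Symantec guide or product. It models the hops
the guide describes (endpoint -> proxy -> inspection point -> firewall) with
plain dictionaries; the addresses and the TRUSTED_PROXIES set are constructed.
"""
from ipaddress import ip_address

# Constructed: LAN-side address of the organisation's own forward proxy.
TRUSTED_PROXIES = {"10.0.0.8"}


def proxy_forward(request, proxy_ip, xff_enabled):
    """Model the proxy re-originating a client request from its own address.

    With the feature enabled the proxy appends the real client address to any
    X-Forwarded-For it received. With it disabled the header is dropped, so a
    client-supplied value is not forwarded as if the proxy had written it.
    """
    headers = dict(request["headers"])
    client_ip = request["src_ip"]
    if xff_enabled:
        prior = headers.get("X-Forwarded-For")
        headers["X-Forwarded-For"] = f"{prior}, {client_ip}" if prior else client_ip
    else:
        headers.pop("X-Forwarded-For", None)
    return {"headers": headers, "src_ip": proxy_ip}


def source_endpoint(request, trusted_proxies=TRUSTED_PROXIES):
    """Attribute a request to an endpoint, as an inspection point would.

    Only a header that arrived from one of our own proxies is believed, and
    only its rightmost entry (the one that proxy appended): entries further
    left came from the client and can say anything.
    """
    src = request["src_ip"]
    xff = request["headers"].get("X-Forwarded-For")
    if src not in trusted_proxies or not xff:
        return src
    candidate = xff.split(",")[-1].strip()
    try:
        ip_address(candidate)
    except ValueError:
        return src  # malformed header: fall back to the proxy address
    return candidate


def firewall_egress(request):
    """Model the firewall stripping the header before traffic leaves the network."""
    headers = dict(request["headers"])
    headers.pop("X-Forwarded-For", None)
    return {"headers": headers, "src_ip": request["src_ip"]}


def compare_placements(xff_enabled, client_ip="10.1.2.3", proxy_ip="10.0.0.8"):
    """Return what each placement can attribute, and whether the header leaks.

    The client request carries a forged X-Forwarded-For to show that it is
    ignored in both placements.
    """
    client_req = {
        "headers": {"Host": "example.com", "X-Forwarded-For": "203.0.113.7"},
        "src_ip": client_ip,
    }
    # Recommended placement: between the endpoints and the proxy, the
    # inspection point sees the client address on the wire.
    between_client_and_proxy = source_endpoint(client_req)
    # Alternative placement: between the proxy and the firewall, everything
    # arrives from the proxy, so attribution depends on the header.
    from_proxy = proxy_forward(client_req, proxy_ip, xff_enabled)
    between_proxy_and_firewall = source_endpoint(from_proxy)
    leaves_network = firewall_egress(from_proxy)
    return {
        "between_client_and_proxy": between_client_and_proxy,
        "between_proxy_and_firewall": between_proxy_and_firewall,
        "header_leaves_network": "X-Forwarded-For" in leaves_network["headers"],
    }


if __name__ == "__main__":
    for enabled in (False, True):
        print(f"X-Forwarded-For enabled on proxy: {enabled}")
        for key, value in compare_placements(enabled).items():
            print(f"  {key}: {value}")
```

With the feature disabled, the inspection point behind the proxy can only attribute traffic to 10.0.0.8, the proxy itself, which is the visibility loss the guide describes; with it enabled, it recovers 10.1.2.3 while the forged 203.0.113.7 entry is never used. In either case the firewall model removes the header, so the internal address is not disclosed to the destination site.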

Symantec EDR platform support matrix

Use the matrix below to verify that your current installation of Symantec EDR meets the system requirements to support Symantec EDR's features.


Table 12: Platform support matrix

Each entry lists the platform and config, the hardware specs, the supported endpoint counts for ECC 1.0, ECC 2.0 Default Events¹ and ECC 2.0 All Events, and the scanner-only throughput in Tap mode and Inline mode.

8840, config 8840v1
  Specs: Dell r220, 4 Cores, Memory: 32GB, Hard drive: 1TB
  ECC 1.0: 10,000 endpoints
  ECC 2.0 Default Events¹: Not supported
  ECC 2.0 All Events: Not supported
  Scanner Only Throughput, Tap Mode: 1.4 Gbps
  Scanner Only Throughput, Inline Mode: 950 Mbps

8840, config 8840v2
  Specs: Dell r330, 4 Cores, Memory: 32GB, Hard drive: 1TB
  ECC 1.0: 10,000 endpoints
  ECC 2.0 Default Events¹: Not supported
  ECC 2.0 All Events: Not supported
  Scanner Only Throughput, Tap Mode: 1.4 Gbps
  Scanner Only Throughput, Inline Mode: 950 Mbps

8880, config 8880v1
  Specs: Dell r720, 12 Cores, Memory: 96GB, Hard drive: 931GB
  ECC 1.0: 50,000 endpoints
  ECC 2.0 Default Events¹: Not supported
  ECC 2.0 All Events: Not supported
  Scanner Only Throughput, Tap Mode: 2.7 Gbps
  Scanner Only Throughput, Inline Mode: 1.8 Gbps

8880, config 8880v1 + HD
  Specs: Dell r720, 12 Cores, Memory: 96GB, Hard drive: 4,158 GB
  ECC 1.0: 50,000 endpoints
  ECC 2.0 Default Events¹: 50,000 endpoints
  ECC 2.0 All Events: 25,000 endpoints; 50,000 endpoints with Process Launch events (but no Process Terminate events)
  Scanner Only Throughput, Tap Mode: 2.7 Gbps
  Scanner Only Throughput, Inline Mode: 1.8 Gbps

8880, config 8880v2
  Specs: Dell r730, 18 Cores, Memory: 96GB, Hard drive: 558GB
  ECC 1.0: 90,000 endpoints
  ECC 2.0 Default Events¹: Not supported
  ECC 2.0 All Events: Not supported
  Scanner Only Throughput, Tap Mode: 2.7 Gbps
  Scanner Only Throughput, Inline Mode: 1.8 Gbps

8880, config 8880v2 + HD
  Specs: Dell r730, 18 Cores, Memory: 96GB, Hard drive: 4,158 GB
  ECC 1.0: 90,000 endpoints
  ECC 2.0 Default Events¹: 50,000 endpoints
  ECC 2.0 All Events: 25,000 endpoints; 50,000 endpoints with Process Launch events (but no Process Terminate events)
  Scanner Only Throughput, Tap Mode: 2.7 Gbps
  Scanner Only Throughput, Inline Mode: 1.8 Gbps

8880, config 8880v3 + mem and HD
  Specs: Dell r730, 18 Cores, Memory: 192GB, Hard drive: 4,158 GB
  ECC 1.0: 100,000 endpoints, Retention: 6 months
  ECC 2.0 Default Events¹: 100,000 endpoints
  ECC 2.0 All Events: 50,000 endpoints, Retention: 4 days
  Scanner Only Throughput, Tap Mode: 2.7 Gbps
  Scanner Only Throughput, Inline Mode: 1.8 Gbps

¹ Process Launch and Process Terminate events disabled.

² Symantec does not recommend inline mode for the virtual appliance. When you deploy a virtual appliance in inline mode you run a risk because there is no bypass ability.


Obtaining a Symantec EDR license file and installing it

When you purchase Symantec EDR, Broadcom sends you a fulfillment confirmation "Welcome" email that includes your serial number and a license key file attachment. If you did not receive a Broadcom Welcome letter or you cannot locate your license key file, click here to go to the Broadcom web site where you can access your license key file.

Save your license key file to a location that you can access from the EDR appliance console.

Install the license key file in EDR appliance console for product activation.

1. In the EDR appliance console, click Settings > Global.

2. Scroll down to the Licensing section and click Upload License.

3. In the Upload License dialog box, browse to and select the license file, and then click Upload.

The new license takes effect immediately, although it must be distributed to each of the scanners. If the previous license had expired, make sure that you enable scanning again on all scanner devices.

Related Links

Symantec to Broadcom Transition Guide - My Entitlements


Installing an appliance

Dell appliance installation workflow

Step Action Description

1 Complete all items in thepre-installation checklist.

Completing the pre-installation checklist ensures that you have everything you needto install an appliance. It also ensures that you have completed all the tasks requiredbefore installation begins.Pre-installation checklist for physical appliancesPhysical Appliance Installation Worksheet

2 Install the appliance. Install the hardware in a rack and connect network cables and power cables.

Note: The appliance's role (all-in-one, management platform, or network scanner)and operating mode determine the cable connections and port mappings.

Note: About operating roles, operating modes, and network connections

Installing the 8840 applianceInstalling the 8880 appliance

3 Set up the iDRAC. The integrated Dell Remote Access Controller (iDRAC) on an appliance providesremote access to the console. When you set up the iDRAC, you assign a static IPaddress to the iDRAC management port. Although you can use DHCP to configurethe iDRAC, a best practice is to use a static IP address. To access the console on the Symantec EDR, you open a browser on the iDRAC'snetwork and enter https://<iDRAC management port static IP address>.Configuring the iDRAC (8880 appliance only)Configuring the iDRAC using a monitor, keyboard, and optional mouse

4 Run bootstrap. Open the console and run the bootstrap.During bootstrap, you are prompted to provide appliance configuration information.Your Symantec EDR administrator provides you this information on the Installationchecklist.Running bootstrap to configure the appliance

5 Run the status_checkcommand.

Run the command status_check to determine if the network connectivity has beenset up properly. The command lists all of the items that are checked and the status ofwhether each item is successful or not.status_check command

6 Run the setup wizard.Management platformor all-in-one appliancesonly.

The Symantec EDR setup wizard guides you through the mandatory configurationsteps of an all-in-one or management platform device. This set up includes uploadingthe product license and creating the first administrator account so that you can log onto the EDR appliance console.Running the setup wizard

7 Perform the post-installation tasks and configurations. (For all configurations except management platform.)

After you exit the setup wizard, log on to the EDR appliance console. Perform the recommended tasks to start scanning traffic and collecting incident and event data.
Completing setup tasks


8 Test the appliance. Run the status_check command again to determine whether the configuration settings have been correctly specified. Symantec has a test webpage, http://testatp.coe.org.uk, that contains a series of links. When you click each of the links, you should see a corresponding incident in the database. In Inline Block mode, file downloads should be interrupted. You should also test whether bypass mode works correctly.
Testing Symantec EDR for successful monitoring or blocking
Testing the appliance bypass mode

Installing the 8840 appliance

You can mount the 8840 appliance into a 19-inch (483 mm) rack. If you do not have a rack, the appliance can rest on a stable surface.

Figure: 8840 back panel (figure not reproduced here).

1. Install the two included rails in a rack and mount the appliance in the rack.

2. Connect the power cord to a power outlet and then to a power supply on the appliance.

3. Plug an Ethernet cable into the iDRAC port on the back of the server. Then connect the other end to a LAN switch on your network. The iDRAC port is on the left and is marked with a wrench icon.

Configuring the iDRAC using a monitor, keyboard, and optional mouse

4. Plug an Ethernet cable into the management port and connect the other end to your Management network.

5. For Tap mode, you can connect the Monitor1 port to a Tap/Span port on a switch or router. For a management platform, do not make this connection.

For an appliance to operate in Inline Block or Inline Monitor mode, connect the WAN port to the server that hosts the firewall.


6. Connect the LAN port to the corporate LAN for Inline Block or Inline Monitor mode. Connect it to a Tap/Span port on a switch or router for Tap mode. For a management platform, do not make this connection.

If the appliance is deployed in Inline Block or Inline Monitor mode, bypass mode starts operating as soon as these cables are connected: traffic passes between the WAN and LAN ports, but nothing is monitored or blocked until the appliance is configured and scanning is enabled.

7. Configure the iDRAC using an external monitor and keyboard.

Configuring the iDRAC using a monitor, keyboard, and optional mouse

8. Open a browser from a computer that is on the same network as the appliance, and then type https://<iDRAC management port static IP address>. The iDRAC default logon is root; the password is calvin. Change this password the first time you log on, because the iDRAC gives console-level access to the appliance. From the iDRAC management utility, open a console to the appliance. Log on with the user name admin and the password symantec to start the bootstrap process; bootstrap replaces this default password. After you complete and accept the bootstrap configuration, the system restarts.

Running bootstrap to configure the appliance

9. (Required for management platform and all-in-one) Open a browser, and then type https://<Symantec EDR management port static IP address>.

For example, type https://10.10.10.10 if you specified an IP address of 10.10.10.10 during the bootstrap process.

10. (Required for management platform and all-in-one devices) In the EDR appliance console, enter the user name setup and the password symantec to start and run the setup wizard.

Running the setup wizard

If you plan to install a scanner, log on to the EDR appliance console on the management platform that controls the scanner to complete the installation.

More Information


Supportability considerations on how to utilize ATP 8840 appliances with ATP 3.0 and later

Installing the 8880 appliance

You can mount the 8880 appliance into a 19-inch (483 mm) rack. If you do not have a rack, the appliance can rest on a stable surface.

Figure: 8880 back panel (figure not reproduced here).

1. Install the two included rails in a rack and mount the appliance in the rack.

2. Connect each power cord to a power outlet and then to a power supply on the appliance.

3. Plug an Ethernet cable into the iDRAC port on the back of the server, on the left. Then connect the other end to a LAN switch on your network. Enable the iDRAC using either the front panel display or an attached monitor and keyboard.

Configuring the iDRAC (8880 appliance only)

Configuring the iDRAC using a monitor, keyboard, and optional mouse

4. Plug an Ethernet cable into the management port and connect the other end to the network.


5. For an appliance to operate in Inline Block or Inline Monitor mode, connect the WAN port to the server that hosts the firewall. For Tap mode, you can connect this port to a Tap/Span port on a switch or router. You may optionally connect the WAN2 port. In Tap mode, you can use either port for monitoring traffic.

6. Connect the LAN port to the corporate LAN for Inline Block or Inline Monitor mode. Connect it to a Tap/Span port on a switch or router for Tap mode. You may optionally connect the LAN2 port.

If the appliance is deployed in Inline Block or Inline Monitor mode, bypass mode starts operating as soon as these cables are connected: traffic passes between the WAN and LAN ports, but nothing is monitored or blocked until the appliance is configured and scanning is enabled.

7. Open a browser from a computer that is on the same network as the appliance and enter https://<iDRAC management port static IP address>. The iDRAC default logon is root; the password is calvin. Change this password the first time you log on, because the iDRAC gives console-level access to the appliance. From the iDRAC management utility, open a console to the appliance. Log on with the user name admin and the password symantec to start the bootstrap process; bootstrap replaces this default password. After you complete and accept the bootstrap configuration, the system restarts.

Running bootstrap to configure the appliance

8. (Required for management platform and all-in-one) Open a browser, and then type https://<Symantec EDR management port static IP address>.

For example, type https://10.10.10.10 if you specified an IP address of 10.10.10.10 during the bootstrap process.

9. (Required for management platform and all-in-one) In the EDR appliance console, type the user name setup and the password symantec to start and run the setup wizard.

If you plan to install a scanner, log on to the EDR appliance console on the management platform that controls the scanner to complete the installation.


Running the setup wizard

Troubleshooting

"EPSA Error Code: 2000-0251" during Dell hardware diagnostics on ATP8880 appliance

Symantec Endpoint Detection and Response Dell appliance specifications

Table 13: Symantec EDR Dell appliance specifications

Model 8840
Form factor: 1U rack mount
CPU: single six-core Intel Xeon
Memory: 32 GB
Hard drive: 1 x 1 TB drive
Power supply: non-redundant PSU
Throughput: 500 Mbps
NICs: four Gigabit Ethernet ports
• 1 WAN/LAN pair
• 1 management port
• 1 monitor port

Model 8880
Form factor: 2U rack mount
CPU: 2 x 12-core Intel Xeon
Memory: 96 GB
Hard drive: RAID 5, 4 x 300 GB
Power supply: 2 x 750 W redundant PSUs
Throughput: 2 Gbps
NICs: four 10 Gigabit Ethernet ports and two 1 Gigabit Ethernet ports
• 2 WAN/LAN pairs (10 Gigabit)
• 1 management port (1 Gigabit)
• 1 monitor port (1 Gigabit)


Configuring the iDRAC on a physical appliance

About the iDRAC

The Dell appliances include an integrated Dell Remote Access Controller (iDRAC). This controller provides (among other features) remote console access to the appliance. Before you can connect a physical appliance to your network using bootstrap, you must first assign a network address to the iDRAC.

The following procedures describe how to assign a static IP address to the iDRAC:

Configuring the iDRAC (8880 appliance only)

Configuring the iDRAC using a monitor, keyboard, and optional mouse

On the ATP 8880 model, assign the IP address to the iDRAC either by using the front panel controls or by attaching a monitor, keyboard, and optional mouse to the appliance and then using the System Setup utility. The Symantec EDR Model 8840 does not have front panel iDRAC controls, so you must configure the IP address using the System Setup utility.

For more information on iDRAC features and operation, refer to the integrated Dell Remote Access Controller documentation at https://www.dell.com/en-us.

Configuring the iDRAC (8880 appliance only)

Before you begin to configure the iDRAC on the Dell 8880 appliance, make sure that the appliance is connected to AC power. AC power is supplied to the iDRAC even if you do not turn on the appliance. When the service tag number appears on the iDRAC display, the iDRAC is ready to be configured.

Although you can use DHCP to configure the iDRAC network settings, a best practice is to assign a static IP address.

The iDRAC front panel has these three buttons for selecting, changing, and entering data:

✓ = Enter

< = Move the selection to the left or decrease the value (depending on the context)

> = Move the selection to the right or increase the value (depending on the context)

1. Press ✓ to enter the menu system.

2. Press > to highlight Setup and then press ✓.

3. With iDRAC highlighted, press ✓ .

4. Press > to highlight StaticIP and press ✓ .

The front panel displays a default IP address. You need to change only the numbers that differ from the static IP address you want to assign.


5. Press > until you have highlighted a number that you want to change, and then press ✓ to select it.

6. Press > to increase the value or < to decrease the value. When the correct number is displayed, press ✓ .

7. Repeat steps 5 and 6 for each additional number you need to change.

8. When the static IP address is correct, press > until » is highlighted, and then press ✓ .

9. The display shows the default subnet mask (Sub). Use the instructions in steps 5 and 6 to modify values as needed.

10. Press > until » is highlighted, and then press ✓ .

11. The display shows the default gateway IP address (Gtw). Use the instructions in steps 5 and 6 to modify values as needed.

12. Press > until » is highlighted, and then press ✓ .

13. The display asks if you want to set up DNS. Setting up DNS is recommended. Performing this task lets you program network resources on the iDRAC based on DNS names, rather than requiring you to enter IP addresses.

To set up DNS, highlight Yes and press ✓ . Go to step 14.

If you do not want to set up DNS, highlight No and press ✓ . Then highlight Save and press ✓ . Configuration is complete.

14. The iDRAC displays the default address of the primary DNS server (D1). Use the instructions in steps 5 and 6 to modify values as needed.

15. The iDRAC then displays the default address for an alternate DNS server (D2). An alternate server is optional but provides redundancy in case the primary DNS server fails. Use the instructions in steps 5 and 6 to modify values as needed. If you do not want to configure an alternate server, set all values to zeros.

16. When you are prompted to Save, highlight Yes and press ✓.

NOTE

Settings are not applied until you press Yes to save. If you walk away from the appliance before you save the settings, the display eventually times out and all unsaved configuration changes are lost.

For more information on the iDRAC, refer to the Integrated Dell Remote Access Controller documentation at http://dell.com/support/manuals.

About the iDRAC on the physical appliance

Configuring the iDRAC using a monitor, keyboard, and optional mouse

Configuring the iDRAC using a monitor, keyboard, and optional mouse

The Dell 8840 and 8880 appliances have VGA and USB ports on the front and on the back of the server. If you want to use the ports on the front, you must remove the front bezel.


Although you can use DHCP to configure the iDRAC network settings, a best practice is to assign a static IP address.

1. Plug an Ethernet cable into the iDRAC port on the back of the appliance on the left. Then plug the other end of thecable into the LAN switch on the network.

2. Attach a monitor to a VGA port on the appliance.

3. Attach a keyboard to a USB port on the appliance.

4. Press the server power button.

5. When the monitor displays the system BIOS screen, press F2 to select System Settings.

6. From the menu, select iDRAC Settings.

7. On the iDRAC Settings screen select Network.

8. Scroll down to IPV4 Settings, and enter the following for the iDRAC:

• Static IP address
• Static Gateway
• Static IP Subnet Mask

9. (Optional) Enter the IP addresses for the Static Preferred DNS Server and the Static Alternate DNS Server.

Setting up DNS allows the iDRAC to access network resources using DNS names, instead of IP addresses. If you do not use DNS, go to step 11.

10. Press Tab to highlight Back, then press Spacebar.

11. Press Tab to highlight Finish, then press Spacebar.

12. Press Spacebar to select Yes to save changes.

13. Press Spacebar to select OK in the Success dialog box.

14. Press Spacebar until Exit is highlighted, and then press Spacebar to confirm that you want to exit and restart the iDRAC.

15. Open a browser and enter the iDRAC IP address to display the iDRAC logon screen.

16. Log on to the iDRAC with the ID root and the password calvin.

17. At the prompt, change the root password.
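The procedure above ends by changing the iDRAC root password; the 8880 front-panel procedure does not include that step, so confirm on every appliance that the factory default logon the guide states (root / calvin) no longer works. The following added example is not part of this guide or of Dell's tooling. It assumes the iDRAC exposes the DMTF Redfish API (iDRAC7 2.40 and later, iDRAC8 and iDRAC9 do) and that an authenticated GET of /redfish/v1/Managers answers 200 when the credentials are valid and 401 when they are rejected. It disables TLS verification because the iDRAC ships with a self-signed certificate, so run it only from the management network.

```python
"""Report whether an iDRAC still accepts the factory default logon root / calvin.

Added example, not part of the Symantec guide or of Dell's tooling. Assumes the iDRAC
exposes the DMTF Redfish API and that an authenticated GET of /redfish/v1/Managers
returns HTTP 200 for valid credentials and 401 for rejected ones.
"""
import base64
import ssl
import urllib.error
import urllib.request
from typing import Callable

DEFAULT_USER = "root"
DEFAULT_PASSWORD = "calvin"             # factory default stated in the guide
REDFISH_PROBE = "/redfish/v1/Managers"  # assumption: an authenticated Redfish collection


def basic_auth_header(user: str, password: str) -> str:
    """RFC 7617 Basic credential for the Authorization header."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def redfish_status(idrac_ip: str, user: str, password: str, timeout: float = 5.0) -> int:
    """HTTP status the iDRAC returns for the given credentials.

    Certificate verification is disabled because the iDRAC ships with a self-signed
    certificate; run this from the management network only.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        f"https://{idrac_ip}{REDFISH_PROBE}",
        headers={"Authorization": basic_auth_header(user, password),
                 "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def default_credentials_accepted(status_for: Callable[[str, str], int]) -> bool:
    """True when root / calvin is still valid.

    status_for(user, password) -> HTTP status; injected so the decision logic can be
    exercised without an iDRAC on the network.
    """
    status = status_for(DEFAULT_USER, DEFAULT_PASSWORD)
    if status == 401:
        return False
    if 200 <= status < 300:
        return True
    raise RuntimeError(f"unexpected iDRAC response {status}; cannot conclude")


def audit_idrac(idrac_ip: str) -> str:
    """One-line verdict for the iDRAC at idrac_ip."""
    accepted = default_credentials_accepted(lambda u, p: redfish_status(idrac_ip, u, p))
    if accepted:
        return f"{idrac_ip}: FAIL - iDRAC still accepts root/calvin; change the root password"
    return f"{idrac_ip}: OK - default iDRAC logon rejected"


if __name__ == "__main__":
    import sys
    for ip in sys.argv[1:]:   # usage: python idrac_default_creds.py 10.10.10.5 10.10.10.6
        print(audit_idrac(ip))
```

Any status other than 2xx or 401 (a 403 after lockout, a 503 while the iDRAC restarts) is reported as inconclusive rather than as a pass, so a transient error cannot hide an unrotated password.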

About the iDRAC on the physical appliance

Configuring the iDRAC (8880 appliance only)


Running bootstrap

Running bootstrap to configure the appliance

You need to open the console window to run bootstrap.

During bootstrap, you are prompted to provide appliance configuration information. Your Symantec EDR administrator provides you this information on the Installation worksheet.

When bootstrap is complete, the system restarts.

You can re-run bootstrap (for example, to change certain IP addresses) after initial installation from the CLI using the bootstrap command. You cannot re-run bootstrap to change the operating role of the appliance.

1. In the console window at the login prompt, log in as follows:

User name = admin

Password = symantec

Bootstrap begins automatically when you are logged on for the first time before configuration.

Once you complete configuration, you can run bootstrap again using the bootstrap CLI command.

2. For each prompt, type a response and then press Enter to specify the required information.

The following table describes the bootstrap prompts:

New password: Type a new, secure password for the console. This password replaces the default password, symantec.

Weak password. Try another [y/n]? A password that is similar to a word in the dictionary, is too short, or is not complex enough is less secure. Type y to delete the new password and be prompted to try again. Type n to keep the new password you previously entered.

Re-enter new password: To confirm the new password, type it again and press Enter. If the two passwords do not match, you are prompted to type and retype the password again.

Select one of the following appliance roles: 1 = Management platform ..., 2 = Network scanner ..., 3 = All-in-one ... []? Type the number that corresponds to the role for this appliance. The prompt describes each of the roles available.

Configure the management port. IPv4 address []: Type a static IP for the management port. For a management platform or all-in-one appliance, this IP address is used to access the EDR appliance console from a browser.

IPv4 netmask []: Type the network mask for the management port IPv4 address.

Gateway []: Type the IP address for the gateway (switch or router) that the appliance can use to communicate with the rest of your network.


Name server (IPv4) []: Type the IP address of a name server that the appliance can use to resolve IP addresses.

Configure another name server? [y/n] Type y to add an additional name server or n to use only one name server. If you type y, you are prompted to type the IP address of a second name server.

Network scanner role only: IP address of the Management Platform: Type the management port IP address of the management platform appliance that controls this scanner.

Management platform or network scanner roles only: Communication Channel password: Type a secure password to encrypt communications between the management platform and all its network scanners. This password must be the same for the management platform and all network scanners. It should be different from the management console password. Letters, numbers, periods, underscores, and hyphens are allowed, and the password can be up to 50 characters.

Management platform or network scanner roles only: Re-enter Communication Channel password: To confirm the communication channel password, type it again and press Enter. If the two passwords do not match, you are prompted to type and retype the password again.

Configure IPv4 static routes? [y/n] Type y to configure an IPv4 static route or n to skip this configuration step. Static routes may be required. For example, use static routes to connect a network scanner to its management platform.

Destination (CIDR allowed): and Gateway: If you choose to configure IPv4 static routes, you are prompted to type the destination IP address and the gateway IP address.

Add another route? [y/n] After you configure an IPv4 static route, type y in response to this prompt to configure an additional IPv4 static route. Type n to go to the next prompt. You can configure up to three IPv4 static routes in bootstrap. You can configure additional static routes in the EDR appliance console.

What do you want to call this device? Type a name to identify this system in the EDR appliance console. Letters, numbers, spaces, periods, and hyphens are allowed, and the name can be up to 50 characters.

Set NTP server [] Type the IP address or FQDN of the NTP server. Setting an NTP server ensures that the appliance has an accurate time to indicate when detections occurred.

3. When configuration is complete, the console displays the settings that you configured and then prompts Save changes? [y/n]. Type y to save the configuration or n to reject it and make changes.

If you type n, bootstrap restarts from the beginning. Most prompts display the previous value you entered. Press Enter to accept the previous value (if present), or type a new value to correct the entry.
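The prompts above accept free text, and a typo in the netmask or gateway is only discovered when status_check fails after the restart. The following added example, which is not part of this guide, checks a filled-in installation worksheet against the constraints the prompts state (address, netmask and gateway must describe one subnet; at most three static routes with CIDR destinations; the character sets and 50-character limits for the Communication Channel password and the device name; the role-specific required fields) before anyone types the values in. The console-password rule is an assumption modelled on the weak-password warning, and the word list is a constructed placeholder.

```python
"""Pre-validate installation worksheet values before typing them into bootstrap.

Added example, not part of the Symantec guide. The console-password policy (12+
characters, three character classes, no listed dictionary word) is an assumption
modelled on the bootstrap "Weak password" warning; every other rule is one the guide
states for the corresponding prompt.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

COMM_CHANNEL_RE = re.compile(r"^[A-Za-z0-9._-]{1,50}$")
DEVICE_NAME_RE = re.compile(r"^[A-Za-z0-9 .-]{1,50}$")
# Constructed, deliberately tiny word list; substitute a real dictionary in practice.
WEAK_WORDS = {"symantec", "password", "admin", "calvin"}


@dataclass
class Worksheet:
    """One filled-in installation worksheet, one field per bootstrap prompt."""
    role: int                          # 1 = management platform, 2 = network scanner, 3 = all-in-one
    console_password: str
    mgmt_ip: str
    netmask: str
    gateway: str
    name_servers: List[str]
    device_name: str
    ntp_server: str
    mgmt_platform_ip: Optional[str] = None          # scanner role only
    comm_channel_password: Optional[str] = None     # management platform and scanner roles only
    static_routes: List[Tuple[str, str]] = field(default_factory=list)  # (destination, gateway)


def console_password_problems(pw: str) -> List[str]:
    """Assumed policy: 12+ chars, three character classes, no listed dictionary word."""
    problems = []
    if pw == "symantec":
        problems.append("console password is still the factory default")
    if len(pw) < 12:
        problems.append("console password is shorter than 12 characters")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("console password uses fewer than three character classes")
    if any(word in pw.lower() for word in WEAK_WORDS):
        problems.append("console password contains a dictionary word")
    return problems


def validate(ws: Worksheet) -> List[str]:
    """Return every problem found; an empty list means the worksheet is ready to type in."""
    problems = console_password_problems(ws.console_password)

    # Management port: address, netmask and gateway must describe one subnet.
    try:
        iface = ipaddress.IPv4Interface(f"{ws.mgmt_ip}/{ws.netmask}")
        gw = ipaddress.IPv4Address(ws.gateway)
        if gw not in iface.network:
            problems.append(f"gateway {gw} is outside management subnet {iface.network}")
        elif gw == iface.ip:
            problems.append("gateway is the same address as the management port")
    except ValueError as err:
        problems.append(f"management IP, netmask or gateway is invalid: {err}")

    for ns in ws.name_servers:
        try:
            ipaddress.IPv4Address(ns)
        except ValueError:
            problems.append(f"name server {ns!r} is not an IPv4 address")

    if not DEVICE_NAME_RE.match(ws.device_name):
        problems.append("device name: letters, digits, spaces, '.' and '-' only, 1 to 50 characters")

    # Role-specific prompts.
    if ws.role == 2 and not ws.mgmt_platform_ip:
        problems.append("network scanner role requires the management platform IP address")
    if ws.role in (1, 2):
        ccp = ws.comm_channel_password or ""
        if not COMM_CHANNEL_RE.match(ccp):
            problems.append("communication channel password: letters, digits, '.', '_' and '-' only, 1 to 50 characters")
        elif ccp == ws.console_password:
            problems.append("communication channel password must differ from the console password")

    # Static routes: bootstrap takes at most three; destinations may be CIDR.
    if len(ws.static_routes) > 3:
        problems.append("bootstrap accepts at most three static routes; add the rest in the EDR appliance console")
    for dest, via in ws.static_routes:
        try:
            ipaddress.IPv4Network(dest, strict=True)
            ipaddress.IPv4Address(via)
        except ValueError as err:
            problems.append(f"static route {dest} via {via}: {err}")

    if not ws.ntp_server:
        problems.append("no NTP server; detection timestamps will drift")
    return problems


if __name__ == "__main__":
    # Constructed sample worksheet for a management platform; not real site data.
    sample = Worksheet(role=1, console_password="Tr0ub4dor&3-rack12", mgmt_ip="10.10.10.10",
                       netmask="255.255.255.0", gateway="10.10.10.1", name_servers=["10.10.10.53"],
                       device_name="EDR-MGMT-01", ntp_server="ntp.example.internal",
                       comm_channel_password="scan-chan_2020.A",
                       static_routes=[("192.168.50.0/24", "10.10.10.254")])
    for problem in validate(sample) or ["worksheet is consistent"]:
        print(problem)
```

A network-scanner worksheet is checked the same way; its route to the management platform is the case the guide gives for needing a static route, and a destination with host bits set (192.168.50.1/24 instead of 192.168.50.0/24) is reported rather than silently accepted.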

status_check command

Description: Check system status and server connectivity. This system status includes items such as management port status, interface status, incident and event forwarding through the network proxy, and connectivity to Symantec servers in the cloud.

Synopsis: status_check

Option or argument: Not applicable.

Note: By default, Cynic attempts to contact the closest server to the submitting computer's location unless you enable the option to use the U.K. Cynic server on the Settings > Global page.


Default Cynic server: https://api.us.dmas.symantec.com

U.K. Cynic server: https://api.eu.dmas.symantec.com


Running the setup wizard

Running the setup wizard

The Symantec Endpoint Detection and Response setup wizard guides you through the mandatory configuration steps of an all-in-one or management platform device.

During bootstrap, you assigned a static IP address to the management port of the appliance. You need this IP address to access the setup wizard and the EDR appliance console.

The console admin account in bootstrap is independent from the administrative account in the setup wizard.

This setup wizard logon is not available after you complete the setup wizard.

NOTE

The appliance might take a few minutes to boot and start the required services before you can run the setup wizard. If the IP address of the management port is not responsive, wait a few minutes and try again.

1. On a computer that is accessible to the appliance, open a window on a supported browser and type: https://<IP address of the management port>.

For example, if you assigned the static IP address 10.20.20.20 to the appliance during bootstrap, type https://10.20.20.20.

NOTE

You must use the HTTPS protocol when you type the address of the setup wizard.

2. If the browser displays an untrusted certificate or untrusted connection warning, choose to proceed, and add an exception, if required.

The Symantec EDR web interface initially includes a self-signed certificate that can be changed to use a customer-generated certificate after the initial setup. Because the browser cannot validate a self-signed certificate, record its fingerprint when you first connect over the management network and compare it before accepting the warning from any other workstation; replace it with a certificate issued by your own CA as soon as setup is complete (see Completing setup tasks).
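One way to record and re-check that fingerprint, as an added example that is not part of this guide: the script below fetches the certificate the console presents, prints its SHA-256 fingerprint in the colon-separated form browsers display, and compares it with the value recorded at install time. The host 10.20.20.20 is the management port address from the example above; the certificate is deliberately not validated because it is self-signed.

```python
"""Pin the self-signed certificate of the EDR appliance console by SHA-256 fingerprint.

Added example, not part of the Symantec guide. Capture the fingerprint once from the
management network right after bootstrap, keep it with the installation worksheet, and
compare before accepting a browser's certificate warning from any other workstation.
"""
import hashlib
import ssl


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 of the DER certificate, as browsers display it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_fingerprint(pem: str) -> str:
    """Fingerprint of a PEM-encoded certificate (for example one exported from a browser)."""
    return sha256_fingerprint(ssl.PEM_cert_to_DER_cert(pem))


def fetch_console_fingerprint(host: str, port: int = 443) -> str:
    """Fetch the certificate the console presents. It is self-signed, so it is deliberately
    not validated here; the point is to record exactly what the appliance serves."""
    pem = ssl.get_server_certificate((host, port))
    return pem_fingerprint(pem)


def fingerprints_match(observed: str, expected: str) -> bool:
    """Compare regardless of colons, spaces or letter case."""
    def norm(s: str) -> str:
        return s.replace(":", "").replace(" ", "").upper()
    return norm(observed) == norm(expected)


def verify_console(host: str, expected: str, port: int = 443) -> bool:
    """True if the console at host still presents the pinned certificate."""
    return fingerprints_match(fetch_console_fingerprint(host, port), expected)


if __name__ == "__main__":
    import sys
    # usage: record -> python pin_console_cert.py 10.20.20.20
    #        verify -> python pin_console_cert.py 10.20.20.20 <recorded fingerprint>
    host = sys.argv[1]
    if len(sys.argv) > 2:
        print("match" if verify_console(host, sys.argv[2]) else "MISMATCH: do not accept the warning")
    else:
        print(fetch_console_fingerprint(host))
```

After you upload a CA-issued certificate in the post-installation tasks, the recorded fingerprint changes by design; record the new one at that point.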

3. On the logon screen, type the following credentials and then click Sign In or press Enter:

User name: setup

Password: symantec

This account is deactivated when you complete the setup wizard.

4. On the Terms and Conditions screen, read the terms and conditions.

You must accept the Terms and Conditions to continue.

The data handling options are enabled by default. You may choose to uncheck these options.


5. Click Next.

6. Respond to the prompts on each screen to complete the mandatory configuration. Click Next to go to the next screen,or click Previous to return to a screen you completed.

The following table describes the additional prompts in the setup wizard and how to respond to them.

Upload License: Click Browse to locate the license file, and select the file. When you click Next, Symantec EDR uploads the file. You must upload a license before the Symantec EDR device is functional. You cannot use Symantec EDR after initial installation without a license. No grace period exists.
Obtaining a Symantec EDR license file and installing it

SMTP Settings: You can enter the SMTP settings in the setup wizard, or you can check Skip adding SMTP server configuration and specify the settings later in the EDR appliance console. Type the SMTP Server (fully qualified domain name is allowed) and Port number of your secure mail server. In the Appliance Email field, type the email address where alerts, such as a license expiration notification, are sent from. If your mail server requires a secure logon to receive messages, check Authorize. Then type a user name and password that Symantec EDR can use to authenticate with the mail server.

Create an Administrative account: Specify a logon name, password, display name, and user email address for the initial administrator account. You need this logon to complete the setup wizard. This administrator can create additional user accounts, including additional administrator accounts.

7. Click Save.

8. Click Exit to end the setup wizard and display the EDR appliance console logon screen.


Post-installation tasks

Completing setup tasks

Tasks to complete Symantec Endpoint Detection and Response installation lists the tasks that Symantec recommends you take immediately after you complete the preliminary Symantec Endpoint Detection and Response installation.

Click the context-sensitive help tokens in the EDR appliance console for more information about performing these tasks.

Table 14: Tasks to complete Symantec Endpoint Detection and Response installation

Task Description

Access EDR appliance console. Perform the post-installation tasks and configurations in the EDR appliance console.
Accessing the EDR appliance console

Configure the following settings on the Settings > Global page.

Set up Synapse correlation. If SEP or Email Security.cloud protect your network, configure Synapse to correlate incident data from these sources with Symantec EDR.

If you intend to use Symantec Endpoint Protection with Symantec EDR, configure the SEPM Controller connection. You can integrate Symantec Endpoint Detection and Response with Symantec Endpoint Protection to:
• Collect conviction events from your SEPM, and correlate them with events from your other control points
• Configure Symantec EDR to proxy reputation requests from your endpoints
• Send commands to your SEPM (for example, to update your SEPM blacklist)
• Send commands to your endpoints (for example, to delete a file, or quarantine an endpoint)
• Retrieve information from your SEPM (for example, a list of your endpoints and their online status)
• Retrieve information from your endpoints (for example, a dump of all its events)

Configure backups. Configure one or more backup schedules and locations.

Configure secure access to the EDR appliance console. Upload a certificate to encrypt EDR appliance console sessions.

For Inline Block operation, you may also want to customize the blocking page. Blocking pages are used only when you operate in Inline Block mode and scanning is turned on. When Symantec Endpoint Detection and Response blocks access to a website or prevents the download of a potentially malicious file, a blocking page appears. The blocking page informs the user that the page is blocked and who to notify for more information.

Configure the following settings on the Settings > Appliance page.

Configure Internal Network settings. When you define internal networks, you specify which computers are part of your network and which computers belong to the world outside. With this information, Symantec EDR can distinguish between protected computers and the computers that are outside of the network.

Configure Network Proxy and Enterprise Proxy settings, if these proxies are present in the environment. Symantec EDR supports the following types of proxy configurations:
• A network proxy. Symantec EDR uses a network proxy to access the external network.
• An enterprise proxy within an enterprise environment. Symantec EDR treats the traffic that is routed to an enterprise proxy (which may have an IP address within an internal network) differently than the traffic that is routed through a network proxy.
If you use proxies, each Symantec EDR appliance, whether in CIU, standalone, or scanner role, must have the IP addresses of existing proxies.

Configure syslog server connections. Connect to one or more syslog servers (a SIEM, for example) to capture and report data externally.


Set up sandboxing services. By default, Symantec EDR submits files to Symantec's Cynic cloud-based malware detonation system for analysis. However, you can keep file analysis local and submit your files to a customer-owned, on-premises Symantec Malware Analysis appliance for detonation and analysis.

Enable scanning. After you configure the appliance settings, you'll want to enable scanning.

Configure the following settings on the Settings > Users page.

Add new EDR appliance console accounts. Add additional Admin, Controller, and User accounts for accessing the EDR appliance console.
Tip: As a best practice, you should set up at least one additional Admin user account immediately after installation in case there's an issue accessing the EDR appliance console with the initial Admin account credentials.

Configure the following settings on the Reports page.

Set up reports. Set up the reports that can be generated on a daily, weekly, or monthly schedule.

Testing Symantec EDR for successful monitoring or blocking

Symantec has a website that you can use to test that Symantec Endpoint Detection and Response monitors network data.

1. Open a web browser on a computer in the LAN that is connected to Symantec EDR.

2. On the Internet, go to the following URL:

http://www.broadcom.com

The Broadcom website should display normally without any messages.

3. On the Internet, go to the following URL:

http://testatp.coe.org.uk

4. Click on each of the links on the test page.

You should see a corresponding incident in the database, whether you are in Tap mode or Inline Monitor mode. Cloud-based sandboxing detections may be delayed during virtual execution.

If you are in Inline Block mode, file downloads (except the cloud-based sandbox new file submission) are interrupted.Subsequent attempts to download the same file are blacklisted.

About operating roles, operating modes, and network connections

Testing the appliance bypass modeWhen the Symantec Endpoint Detection and Response appliance is in Inline mode, the appliance enters bypass modeif it cannot function or is turned off. In bypass mode, Internet traffic is routed through the LAN port and the WAN port, butno monitoring or blocking occurs. For bypass mode to function properly, ensure that you use the proper type of Ethernetcables to connect to the LAN. LEDs on the back of the appliances indicate bypass mode if the appliance is not turned off.

NOTE

In bypass mode, the Ethernet cables on the LAN port and the WAN port are interconnected. You must ensure that the total length of the interconnected cables does not exceed the maximum Ethernet cable length. The Ethernet cable length per ANSI/TIA/EIA cabling standards is 100 m for Cat5e and Cat6. For more information on the Ethernet cable length, refer to the ANSI/TIA/EIA cabling standards.

To test the physical appliance bypass mode

1. On the left navigation pane, click Settings > Appliances, and then click on an appliance in the list.

The Appliance details page appears.


2. In the Network Interface Settings panel, click the toggle switch in the Scanning field to set scanning to the Off position. Click Ok if a warning dialog appears asking if you are sure that you want to disable scanning.

With scanning disabled, the physical appliance should now operate in bypass mode.

3. Try to access the Internet from a computer in the LAN that the device monitors or protects.

You should be able to access the Internet. The bypass LEDs on the back of the Symantec EDR appliance should be on, but not blinking.

4. In the EDR appliance console, click Settings > Appliances, and select the device from the list. Then click the toggle switch in the Scanning field to set scanning to the On position. Click Ok if a warning dialog appears asking if you want to proceed.

5. Test Symantec EDR to ensure that it functions properly.

Testing Symantec EDR for successful monitoring or blocking

Accessing the EDR appliance console

Access the EDR appliance console from a web browser on any client computer that can connect to the management port of your management platform or all-in-one appliance.

NOTE

To view Symantec EDR appliance pages or access the Symantec EDR console through the cloud website, you must be connected via your company LAN or VPN, or provide Symantec EDR with a public IP address that is accessible from the internet. Failure to do so will result in the error message: This page can't be displayed.

If you're using a self-signed certificate for your EDR installation, you need to accept the certificate in your browser.

1. On the computer that can access the network that is connected to the management port, open a web browser.

2. In the web browser, type the following:

https://<IP address>

Where <IP address> is the address that you specified for the appliance during the bootstrap process.

For example, if the IP address that you specified for the appliance is 192.168.42.24, go to the following URL:

https://192.168.42.24

NOTE

Ensure that you use the HTTPS protocol to access the EDR appliance console.

3. For certain web browsers, you may need to configure a certificate security exception to access the EDR appliance console.

Typically, this step is only required at the first logon per computer per session.
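Before adding the browser security exception in step 3, it is worth confirming that the certificate the console presents is the one you expect, rather than accepting whatever arrives. The following script is an added example, not part of the Symantec guide; it assumes openssl(1) is installed, that the console listens on TCP 443 at the IP address from step 2, and that the expected SHA-256 fingerprint has been obtained out of band (for example, recorded when the self-signed certificate was generated).

```shell
#!/bin/sh
# Added example (not from the Symantec guide): compare the certificate the
# EDR appliance console presents with an expected SHA-256 fingerprint before
# accepting a browser certificate exception.
# Usage: ./check_console_cert.sh <appliance IP> [expected SHA-256 fingerprint]

# Print the SHA-256 fingerprint of a PEM certificate read from stdin
# (hex pairs separated by colons, as openssl prints them).
pem_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | sed 's/^.*Fingerprint=//'
}

# Fetch the leaf certificate presented on port 443 of the given host and
# return its fingerprint. </dev/null closes stdin so s_client exits after
# the handshake instead of waiting for input.
console_fingerprint() {
    host="$1"
    openssl s_client -connect "${host}:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM \
        | pem_fingerprint
}

# Compare two fingerprints case-insensitively, ignoring colon separators.
# Returns 0 (true) on a match and non-zero otherwise; an empty expected
# value never matches.
fingerprint_matches() {
    expected=$(printf '%s' "$1" | tr 'a-f' 'A-F' | tr -d ':')
    actual=$(printf '%s' "$2" | tr 'a-f' 'A-F' | tr -d ':')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

if [ -n "$1" ]; then
    fp=$(console_fingerprint "$1")
    echo "Console certificate SHA-256: $fp"
    if [ -n "$2" ]; then
        if fingerprint_matches "$2" "$fp"; then
            echo "MATCH: the presented certificate is the expected one"
        else
            echo "MISMATCH: do not add a browser exception for this certificate"
            exit 1
        fi
    fi
fi
```

Run it once with only the IP address to record the fingerprint on a trusted connection (for example, 192.168.42.24 from the guide's example), then pass that value as the second argument from any other workstation before accepting the exception there.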

Browser requirements for the EDR appliance console


Data migration during upgrade to ATP v.3.1

Data migration during upgrade to Advanced Threat Protection v.3.1

When you upgrade to Advanced Threat Protection version 3.1, your existing data is migrated to a new version of the Elasticsearch database. The following list provides important notes about the data migration process:

WARNING

Rollback is not supported. You should perform a remote backup of your data before you proceed with the upgrade.

• During the upgrade procedure, your Symantec EDR installation is unavailable for normal operation. The length of time the installation is down varies depending on the amount of migrated data. In most cases, downtime is expected to be 4 hours or less.

• Data migration to version 3.1 is more extensive than previous migrations. For this reason, you should schedule the migration to occur during off-peak or non-operational hours.

• You are asked to verify the upgrade.

• The system health status displays Warning during the migration process.

• Progress updates and error messages are available in the portal under Logging > System Activity. The quick filter Features > Data Migration provides data migration statistics.

• Only the last 90 days of data are migrated.

• Operational data is migrated first. Other data may be migrated in the background after the rest of the upgrade completes.

• The following features are not available during the migration of non-operational data:

  – Splunk
  – Public API
  – Service Now
  – Reports
  – Criterion
  – Backup restore

• About the data migration process: this topic provides additional information about service availability during the migration process, and the data migration sequence.

• Clear your browser cache after the upgrade.

About the data migration process

When you upgrade to Symantec Advanced Threat Protection (ATP) v.3.1, your operational and non-operational data are migrated to the product's updated Elasticsearch database. These data are defined as follows:

Operational data

Operational data corresponds to entities in the system such as endpoints, files, domains, and aggregates. This data is displayed on the dashboard event activity widget.

Operational data is migrated after the product is upgraded to ATP 3.1.0, but before the product is restarted. When the EDR appliance console is available after restart, the Symantec EDR admin can view all entities and the dashboard, with the following exceptions:


• Dashboard click-through to the corresponding events is not available until migration of non-operational data is in progress.

• Related entities and incidents are not available until the migration of non-operational data is in progress.

Non-operational data

Non-operational data corresponds to historical events, incidents, command results, command states, and system log. This data is migrated after the appliance is restarted after upgrade to ATP 3.1.0. This data is migrated in three phases:

• Phase 1
  – Migrates the events and incidents from the last 7 days.
  – Live response events from the last 7 days are not migrated.
  – The time to complete this migration depends on size but should complete in the first 12 hours after the upgrade.
  – Splunk connector, Service Now, and Public API services are enabled after this phase is complete.

• Phase 2
  – Migrates the live response events from the last 7 days.
  – The time to complete Phase 2 depends on size but should complete in the first 2 days to 5 days after the upgrade.
  – No additional services are enabled after this phase is complete.

• Phase 3
  – Migrates all remaining indexes.

    NOTE

    The migration only moves indexes from the last 3 months.

  – The time to complete Phase 3 depends on the amount of data.
  – Reports, Criterion, and Backup restore services are enabled after this phase is complete.

NOTE

During the migration, the Symantec EDR System Health Indicator in the upper-right corner of the EDR appliance console displays as yellow. When the migration is complete, this indicator displays as green.

Data migration during upgrade to Advanced Threat Protection v.3.1


Appendix Materials


Ports, connectors, and indicators on the appliance

About appliance ports, connectors, and indicators

The table Ports, connectors, and indicators on the Symantec EDR appliances describes the ports, connectors, and indicators on the back of Symantec EDR appliances.

NOTE

Connections vary between models, versions, and roles.

Supported connections by appliance role

Table 15: Ports, connectors, and indicators on the Symantec EDR appliances

Port, connector, or indicator
    Description

Power Distribution Unit (PDU) (recommended)
    Symantec recommends using a PDU to improve power quality, load balance, and for remote monitoring and control.

USB port
    You can use this port to reimage the host using a USB stick or DVD that connects with a USB plug.

Serial port
    Connect the serial port to another computer to access the Serial Console character-based interface.

LAN/Monitor2 Ethernet port
    In tap mode, you may connect the Monitor2 port to the network tap device or a monitoring port on a switch for SPAN.
    In inline mode, connect the LAN port to a switch that is connected to your internal network.

WAN1/Monitor1 Ethernet port
    In tap mode, connect the Monitor1 port to the network tap device or a monitoring port on a switch for SPAN.
    In inline mode, connect the WAN1 port to a switch toward your Internet connection or to your firewall.

LAN1/Monitor2 Ethernet port
    In tap mode, you may connect the Monitor2 port to the network tap device or a monitoring port on a switch for SPAN.
    In inline mode, connect the LAN1 port to a switch that is connected to your internal network.

WAN2/Monitor3 Ethernet port
    In tap mode, you may connect the Monitor3 port to the network tap device or a monitoring port on a switch for SPAN.
    In inline mode, connect the WAN2 port to a switch toward your Internet connection or to your firewall.

LAN2/Monitor4 Ethernet port
    In tap mode, you may connect the Monitor4 port to the network tap device or a monitoring port on a switch for SPAN.
    In inline mode, connect the LAN2 port to a switch that is connected to your internal network.

Management (Mgmt) Ethernet port
    Connect the management port to a switch that is connected to your internal network.
    The management port must have access to the following:
    • Domain Name Server (DNS)
    • Required Internet services

Power
    This connector provides power to the appliance. Your appliance may have an extra, redundant power connector.


Bypass NIC LED indicators
    Three pairs of LED indicators appear on the bypass NIC card.
    The Link/Activity pair is solid green and blinks green on activity when bypass mode is off. It is off when bypass mode is on.
    The Bypass pair is solid green when the appliance is running in bypass mode and is off when bypass mode is off.
    The DISC pair is always off (not used).
