
Symantec™ Endpoint Detection and Response 4.6 Installation Guide for virtual appliances

Table of Contents
Copyright statement
About Symantec Endpoint Detection and Response
    About Symantec Endpoint Detection and Response (EDR)
About virtual appliance installation
    About virtual appliance operating modes
    Important information about the Symantec EDR virtual appliance
    Before you install your virtual appliance
    About virtual network adapters
System Requirements
    System requirements for the virtual appliance
    Browser requirements for the EDR appliance console
    System requirements for SEP integration
Planning for installation
    Pre-installation checklists for virtual appliances
    Virtual appliance Installation Worksheet
    Virtual appliance installation workflow
    Configuring virtual switches
    About operating roles, operating modes, and network connections
    About selecting a network scanner
    About network configurations and port connections
    Where to place the appliance in your network for best results
    Required firewall ports
    Proxy recommendations
    Symantec EDR platform support matrix
    Obtaining a Symantec EDR license file and installing it
Installing a virtual appliance
    Deploying the OVA template
    Reserving required resources for the virtual appliance
    Extending the virtual hard disk size
    Running bootstrap to configure the appliance
    sshconfig command
    Running the extend_storage tool
    status_check command
    Reinstalling a virtual appliance
Setting up Symantec EDR
    Running the setup wizard
    Completing setup tasks
    Accessing the EDR appliance console
    Testing Symantec EDR for successful monitoring or blocking
Data migration during upgrade to ATP v.3.1
    About the data migration process


Copyright statement
Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom.
Copyright ©2021 Broadcom. All Rights Reserved.
The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit
www.broadcom.com.
Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability,
function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does
not assume any liability arising out of the application or use of this information, nor the application or use of any product or
circuit described herein, neither does it convey any license under its patent rights nor the rights of others.


About Symantec Endpoint Detection and Response

About Symantec Endpoint Detection and Response (EDR)


Symantec Endpoint Detection and Response performs the critical security tasks that detect, protect, and respond to
threats to your network. Symantec EDR is composed of the following control points:

Symantec EDR Network Sensor
    Processes the network stream in real time across all Internet ports and protocols and passes it through
    various filters and detection engines. Symantec EDR can detect events on unmonitored endpoints as traffic
    passes through the scanner. Since Symantec EDR doesn't have the SEP agent's information, Symantec EDR
    cannot provide all of the information about the endpoint, such as the user name, last check-in, or SEPM group.
Symantec EDR and Symantec Endpoint Protection
    Gathers the information by proxying communications between Symantec Endpoint Protection clients and by
    leveraging SEP's Endpoint Detection and Response Endpoint Communications Channel functionality.
Symantec Email Threat Detection and Response
    Integrates with Symantec Email Security.cloud to uncover the attacks that enter your organization through email.

Symantec EDR uses Synapse to correlate network event data with email event data, web event data, and endpoint event
data. The Synapse correlation engine automatically matches events with SEP, Email Security.cloud, Web Security.cloud,
and Symantec EDR to reduce the volume of security alerts. As incidents are detected, they are correlated with other
incidents discovered on your network to show overall attack patterns and prioritize the most significant threats.
Symantec EDR employs the following detection technologies:

Vantage
    Vantage is a signature-based detection engine that finds threats in the network stream.
Insight
    Insight accesses the world's largest reputation database and has reputation intelligence on over 8 billion
    files. Insight is a Symantec-owned reputation request service for Insight reputation queries. This service
    gathers information about the Windows executable files that are observed on endpoints.
Mobile Insight
    Mobile Insight performs similar analyses for Android applications as Insight does for Windows executable
    files. In addition to tackling malware detection, Mobile Insight also detects privacy and performance issues
    in mobile apps.
Antivirus engine
    The Antivirus engine is a signature-based technology that detects malware.
Sandboxing
    Symantec's sandboxing technologies detonate files in a virtual sandbox environment, analyze the results,
    and report each step of the observed behavior. Sandboxes use machine-learning technology to compare the
    results to known, bad attributes. They then correlate your data with real-world data provided by the
    Symantec Global Intelligence Network to determine if the files are malicious.
Deny lists and allow lists
    Symantec global deny list and allow list feeds, which are updated on the Symantec ATP appliances regularly,
    accelerate detection and optimize performance. You can also create custom deny lists and allow lists that
    you maintain through Symantec EDR.
SONAR
    Symantec Endpoint Protection includes Symantec Online Network for Advanced Response (SONAR) technology for
    process behavior detection and remediation. However, SEP provides no insight into these details. When you
    integrate Symantec EDR and SEP, Symantec EDR can provide insight into SONAR detections. SONAR detects the
    system changes that have occurred on your managed endpoints, the order that they occurred, and related file
    attributes. This information gives you greater visibility into the activity that occurs in your environment.
    SONAR uses a heuristics system that leverages Symantec's online intelligence network with proactive local
    monitoring on SEP endpoints to detect emerging threats. SONAR also detects changes or behavior on the
    endpoints that you should monitor. SONAR does not make detections on application type, but on how a
    process behaves.
Suspicious file classifier
    Symantec EDR uses a file classifier to analyze files with unknown dispositions. The file classifier breaks
    down files by their attributes to determine if the file is good or malicious. The classifier uses decision
    trees that are trained with millions of files. This technology uses machine learning instead of signatures
    or sandbox detonation.


About virtual appliance installation

About virtual appliance operating modes


All operating modes that are supported for the physical appliance are supported for the virtual appliance. However, the
virtual appliance does not have a bypass mode. If you deploy a virtual appliance as a scanner, the preferred mode is Tap
mode.
For a virtual appliance in an Inline Block or Inline Monitor operating mode, network traffic is halted when the virtual
machine is turned off. The network traffic is also halted when the physical host computer is turned off. Symantec EDR
does not recommend inline mode for the virtual appliance. But you can use it in inline mode for testing purposes. If you
deploy a virtual appliance in inline mode in a production environment, you run a potential risk because there is no bypass
ability.

About operating roles, operating modes, and network connections


Important information about the Symantec EDR virtual appliance


• Symantec EDR can require a large amount of computing power and network bandwidth. Exercise caution when you
  consider sharing virtual resources between Symantec EDR and any other virtual machine.
• You must reserve the required resources before you start the VMware computer for the first time.
    Reserving required resources for the virtual appliance
    Extending the virtual hard disk size
• Symantec does not recommend that you deploy a virtual appliance as a scanner if you intend to operate the scanner in
  Inline Block or Inline Monitor mode. Physical appliances have a bypass NIC that allows traffic through if the system is
  offline. Virtual appliances do not have this bypass NIC.
    About virtual appliance operating modes
• If your host loses sync with your NTP server, you must use the VMware virtual clock, which is the host computer's
  physical clock. Set the NTP server in the VMware client Configuration > Software > Time Configuration >
  Properties to UTC.

Before you install your virtual appliance


When you run Symantec EDR in a virtual environment, it is important to properly configure the virtual computer on which
your Symantec EDR appliance runs. The following are some important configuration considerations:

It's imperative that your virtual computer has the proper resources allocated before you power on the VM.
Reserving required resources for the virtual appliance

If you intend to use the Endpoint Communications Channel, you'll need to extend the hard disk space. That's because the
endpoint activity recorder collects data from your endpoints, which is then stored in Symantec EDR's database. As such,
Symantec EDR requires more system resources and storage space. Otherwise, you will experience disk space issues.
Extending the virtual hard disk size
Use the proper block size, depending upon the VMFS version of your system. If the block size is not properly set, the
deployment of the OVA can fail. The failure message indicates that the disk capacity of the computer is greater than the
amount available on the datastore.
System requirements for the virtual appliance


When you deploy a network scanner on a virtual machine and you have mapped the WAN port to a physical NIC through
a vSwitch, change the configuration of the vSwitch to allow all VLAN IDs in the port group properties. Without this setting,
Symantec EDR may not capture some network traffic.
For virtual machines intended to function as Symantec EDR network scanners, enable Promiscuous mode on the WAN and
LAN virtual switches. This setting permits Symantec EDR to scan all network traffic.
Configuring virtual switches

Virtual appliance installation workflow

About virtual network adapters


When you install a virtual appliance on an ESXi server, you must map the virtual network adapters that are built into the
OVA template to a physical port on the ESXi server. The OVA template includes the following virtual network adapters:

Adapter: Management
    Required for all appliances for the management connection
Adapter: Monitor1_WAN
    • Establishes a monitor connection when the appliance operates in Tap mode
    • Establishes the WAN connection when the appliance operates in either Inline Block or Inline Monitor mode
Adapter: Monitor2_LAN
    • Establishes a second monitor connection when the appliance operates in Tap mode
    • Establishes the LAN connection when the appliance operates in either Inline Block or Inline Monitor mode

See the following topics to learn more about the virtual switches you'll need to connect each virtual network adapter
to a physical port on the ESXi server.
Configuring virtual switches
Deploying the OVA template


System Requirements

System requirements for the virtual appliance


IMPORTANT
It's imperative that your virtual computer has the proper resources allocated before you power on the VM.
Otherwise, you will experience disk space or high-memory usage errors. A lack of CPU cores could also
result in failure to raise services during the boot sequence and/or an inability to open the EDR appliance
console. See the Symantec Endpoint Detection and Response Installation Guide for virtual appliances for more
information.
Table 1 (System requirements for a virtual appliance installation) lists the system requirements for the virtual
appliance. These requirements differ if you use Symantec EDR's endpoint activity recorder feature. The endpoint
activity recorder collects data from your endpoints, which is then stored in Symantec EDR's database. As such,
Symantec EDR requires more system resources and storage space when the endpoint activity recorder is enabled.

Table 1: System requirements for a virtual appliance installation

Each requirement lists the minimum per VM for a production environment without the endpoint activity recorder
feature, and the minimum per VM for a production environment with the endpoint activity recorder feature.

Disk space
    Without endpoint activity recorder: 500 GB
    With endpoint activity recorder: 1.5 TB (1 TB hard disk in addition to the VM's existing 500 GB hard disk)
CPU
    Without endpoint activity recorder: 12 Cores
    With endpoint activity recorder: 12 Cores
Memory
    Without endpoint activity recorder: 48 GB
    With endpoint activity recorder: 48 GB
VMware
    VMware ESXi version 6.5 U1 or later (both configurations)
OVA template
    ESX 6.5 or later (both configurations)

Refer to your VMware documentation for VMware system requirements and configuration of virtual machines.

Additional requirements are as follows:


• Use the proper block size, depending upon the VMFS version of your system. If your ESXi server is using VMFS-2,
then set block size to 4MB or greater.
• If you are using a file system later than VMFS-2, then set block size to 8MB or greater.

Browser requirements for the EDR appliance console


Table 2 (Browser requirements for the EDR appliance console) lists the web browsers that are compatible with the EDR
appliance console. JavaScript must be enabled in the browser and cookies must be allowed. The minimum resolution for
viewing the EDR appliance console is 1280x1024.

Table 2: Browser requirements for the EDR appliance console

Mozilla Firefox: 86.0 or later (64-bit)
Google Chrome: Version 88.0.4324.190 or later (64-bit)
Microsoft Edge: Version 88.0.705.81 or later (64-bit)

NOTE
Browsers not listed above are unsupported.

System requirements for SEP integration


Symantec Endpoint Protection version requirements
Symantec Endpoint Detection and Response can integrate with Symantec™ Endpoint Protection for enhancing event
information and providing Endpoint Communications Channel (ECC) functionality. Symantec EDR has certain version
requirements based on various components of SEP.
The minimum SEPM version is 12.1 RU6 or later. Symantec EDR can connect to multiple SEP sites with one connection
per SEP site, up to a total of ten connections to SEPM hosts.
Symantec EDR can manage the client endpoints that run SEP version 12.1 RU 6 MP3 or later with full ECC functionality.
However, clients must be running SEP 14 or later to take advantage of ECC 2.0 functionality.
Client endpoints that run versions earlier than SEP 12.1 RU5 are not supported. Some functionality is limited for the
clients that run on versions between SEP 12.1 RU5 and 12.1 RU6 MP3. The Symantec EDR documentation describes
any functionality limits based on the version of the SEP client.
Synapse log collector database requirements
SEPM 14.3 RU1 or later uses Microsoft SQL Express as its database for log collection. Symantec EDR can access the
database without any special host system requirements.
SEPM 14.3 MP1 or earlier supports either the MS SQL Server database or an embedded database. When SEPM uses
an embedded database, Symantec EDR uses a log collector on the SEPM host. This log collector requires the SEPM host
to be running one of the following operating systems:
• Windows 7 (64-bit only)
• Windows 8 (64-bit only)
• Windows Server 2008
• Windows Server 2012
• Windows Server 2012 R2 or later (recommended)
See the Symantec Endpoint Protection documentation for SEPM system requirements.


Planning for installation

Pre-installation checklists for virtual appliances


Step 1 of the Symantec EDR Virtual appliance installation workflow: Before you begin workflow.

The VM appliance installation assumes that a VM administrator performs the tasks required to set up and deploy the OVA
image through running bootstrap. After bootstrap, a Symantec EDR administrator/user performs the remaining installation
tasks.

Table 3: Symantec EDR administrator

Task: Ensure your environment has the required resources.
    Coordinate with your VM administrator to ensure that your VM appliance environment can meet the requirements
    to support Symantec EDR's features.
    Symantec EDR platform support matrix
    System requirements for the virtual appliance
Task: Decide on the operating role and operating mode.
    Because the virtual switch and adapter mapping is different for the inline modes versus tap mode, decide the
    mode before setting up the virtual appliance.
    Note: Inline Block and Inline Monitor modes are not recommended for virtual appliances because bypass mode is
    not available.
    About operating roles, operating modes, and network connections
Task: Choose network settings for the appliance.
    Where to place the appliance in your network for best results
Task: Open required ports on the firewall and other network devices.
    Make sure that the necessary ports are open on your firewall and other network devices to allow traffic from
    or to the Symantec EDR device.
    Required firewall ports
Task: Make sure that the license file is accessible.
    Make sure you can browse to and select the Symantec license file from the computer you use to run the setup
    wizard. A valid license file is required for installation.
Task: Complete the installation worksheet.
    Make all of the decisions that you'll need for installation before you start. Having this information at hand
    ensures that the installation process runs smoothly and quickly. Provide this worksheet to the VM administrator
    who will set up the virtual appliance.
    Virtual appliance Installation Worksheet

Table 4: VM administrator

Task: Ensure your environment has the required resources.
    Make sure your VM appliance can meet the requirements to support Symantec EDR's features.
    Important information before you install your virtual appliance
    System requirements for the virtual appliance
Task: Download virtual image files (virtual appliance only).
    Download the virtual image files from https://login.symantec.com/ into a single directory that you can access
    from your VMware application.
Task: Have the installation worksheet on-hand.
    The Installation worksheet contains all of the information that you'll need to perform the VM setup through
    bootstrap. Having this information at hand ensures that the installation process runs smoothly and quickly.
    Get this checklist from your Symantec EDR administrator.
    Virtual appliance Installation Worksheet

Virtual appliance Installation Worksheet


Step 2 of the Symantec EDR Virtual appliance installation workflow: Before you begin workflow.

Symantec EDR recommends that you complete the Installation Worksheet fully prior to commencing installation. Provide
this checklist to the administrators who will be performing the installation tasks. You should also retain a copy for your
records for archival and backup purposes.

Table 5: OVA deployment

Symantec EDR OVA template location
    Description: Access the template from a network location that you can access during installation.
    Value to input: Symantec EDR OVA template file location: ________________________________
Map Source Network adapters with Symantec EDR OVA with Destination Networks
    Description: The adapters are built into the Symantec EDR OVA. The Destination Networks are configured on
    your network.
    Value to input: Management = _____________________
                    Monitor1_WAN = __________________
                    Monitor2_LAN = ____________________

Deploying the OVA template

Table 6: Extending hard disk size

Disk size
    Description: Specify the minimum hard drive disk size.
    Value to input: 500 GB

Extending the virtual hard disk size

Table 7: Allocating resources

CPU
    Description: The minimum required CPU space.
    Value to input: 12000 MHz (12 GHz)
Memory
    Description: The minimum required memory.
    Value to input: Reserve all guest memory

Reserving required resources for the virtual appliance


Table 8: Bootstrap configuration

New password:
    Description: A new, secure password for the console. This password replaces the default password, symantec.
    Value to input: Provide this information to the administrator installing the appliance in a secure method.
    Ensure that the password is retained in a secure location for archival purposes.
Weak password. Try another [y/n]?
    Description: Note: A password that is similar to a word in the dictionary, is too short, or is not complex
    enough is less secure. Symantec EDR will ask you to confirm using a weak password.
    Value to input: ________ yes / ________ no
Re-enter new password:
    Description: Confirm the new password.
    Value to input: Provide this information to the administrator installing the appliance in a secure method.
    Ensure that the password is retained in a secure location for archival purposes.
Select one of the following appliance roles: 1 = Management platform ..., 2 = Network scanner ..., 3 = All-in-one ... []?
    Description: Specify the appliance's role.
    About operating roles, operating modes, and network connections
    Value to input: _______ 1 - Management platform / _______ 2 - Network scanner / _______ 3 - All-in-one
Configure the management port. IPv4 address []:
    Description: The static IP for the management port. For a management platform or all-in-one appliance, this
    IP address is used to access the EDR appliance console from a browser.
    Value to input: ________.________.________.________
IPv4 netmask []:
    Description: The network mask for the management port IPv4 address.
    Value to input: ________.________.________.________
Gateway []:
    Description: The IP address for the gateway (switch or router) that the appliance can use to communicate
    with the rest of your network.
    Value to input: ________.________.________.________
Name server (IPv4) []:
    Description: The IP address of a name server that the appliance can use to resolve IP addresses.
    Value to input: ________.________.________.________
Configure another nameserver? [y/n]
    Description: Yes to add an additional name server or No to use only one name server. If yes, provide the IP
    address of a second name server.
    Value to input: ________ yes, ________.________.________.________ / ________ no
Network scanner role only: IP address of the Management Platform:
    Description: The management port IP address of the management platform appliance that controls this scanner.
    Value to input: ________.________.________.________
Management platform or network scanner roles only: Communication Channel password:
    Description: A secure password to encrypt communications between the management platform and all its network
    scanners. This password must be the same for the management platform and all network scanners. It should be
    different from the management console password. Letters, numbers, periods, underscores, and hyphens are
    allowed, and the password can be up to 50 characters.
    Value to input: Provide this information to the administrator installing the appliance in a secure method.
    Ensure that the password is retained in a secure location for archival purposes.
Management platform or network scanner roles only: Re-enter Communication Channel password:
    Description: Confirm password.
    Value to input: Provide this information to the administrator installing the appliance in a secure method.
    Ensure that the password is retained in a secure location for archival purposes.
Configure IPv4 static routes? [y/n]
    Description: Yes to configure an IPv4 static route or no to skip this configuration step. Static routes may
    be required. For example, use static routes to connect a network scanner to its management platform.
    Value to input: ________ yes / ________ no
Destination (CIDR allowed): / Gateway:
    Description: If you choose to configure IPv4 static routes, provide a destination IP address and the gateway
    IP address.
    Value to input: ________.________.________.________
Add another route? [y/n]
    Description: Yes to configure an additional IPv4 static route. No to go to the next prompt. You can configure
    up to three IPv4 static routes in bootstrap. You can configure additional static routes in the EDR appliance
    console.
    Value to input: ________ yes (up to three supported)
                    ________.________.________.________
                    ________.________.________.________
                    ________.________.________.________
                    ________ no
What do you want to call this device?
    Description: The name to identify this system in the EDR appliance console. Letters, numbers, spaces, periods,
    and hyphens are allowed, and the name can be up to 50 characters.
    Value to input: __________________________________
Set NTP server []
    Description: The IP address or FQDN of the NTP server. Setting an NTP server ensures that the appliance has an
    accurate time to indicate when detections occurred.
    Value to input: ________.________.________.________
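A checker for the bootstrap worksheet values in Table 8, added here as an example and not part of Symantec's product or documentation. It assumes the filled-in worksheet is held in a small dataclass and encodes only what the table states (role-specific prompts, the character sets and 50-character limits, one or two name servers, at most three static routes, a management subnet that contains the gateway), plus an assumed RFC 1123 hostname pattern for the NTP "FQDN" option.

```python
"""Checks for the bootstrap worksheet values in Table 8. Added example, not
Symantec's code; it encodes only the constraints the table states."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Communication Channel password: letters, numbers, periods, underscores, hyphens; up to 50.
CC_PASSWORD_RE = re.compile(r"^[A-Za-z0-9._-]{1,50}$")
# Device name: letters, numbers, spaces, periods, hyphens; up to 50 characters.
DEVICE_NAME_RE = re.compile(r"^[A-Za-z0-9 .-]{1,50}$")
# Hostname pattern for the NTP "FQDN" option (assumption: RFC 1123 labels, at least one dot).
FQDN_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")
DEFAULT_CONSOLE_PASSWORD = "symantec"  # the default that bootstrap replaces
MAX_STATIC_ROUTES = 3                  # bootstrap limit; add more in the console

@dataclass
class BootstrapWorksheet:
    role: int                      # 1 = management platform, 2 = network scanner, 3 = all-in-one
    console_password: str
    ipv4_address: str
    ipv4_netmask: str
    gateway: str
    name_servers: List[str]
    device_name: str
    ntp_server: str
    management_platform_ip: Optional[str] = None   # network scanner role only
    cc_password: Optional[str] = None              # management platform and scanner roles only
    static_routes: List[Tuple[str, str]] = field(default_factory=list)  # (destination, gateway)

def _is_ipv4(value: str) -> bool:
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False

def validate_worksheet(ws: BootstrapWorksheet) -> List[str]:
    """Return the problems found; an empty list means every value is consistent."""
    problems: List[str] = []
    if ws.role not in (1, 2, 3):
        problems.append("appliance role must be 1, 2 or 3")
    if ws.console_password == DEFAULT_CONSOLE_PASSWORD:
        problems.append("console password is still the default")
    # Management port: address, netmask and gateway must describe one subnet.
    if not all(_is_ipv4(v) for v in (ws.ipv4_address, ws.ipv4_netmask, ws.gateway)):
        problems.append("management port address, netmask and gateway must all be valid IPv4 addresses")
    else:
        try:
            mgmt_net = ipaddress.IPv4Interface(f"{ws.ipv4_address}/{ws.ipv4_netmask}").network
        except ValueError:
            problems.append(f"IPv4 netmask is not a valid mask: {ws.ipv4_netmask!r}")
        else:
            if ipaddress.IPv4Address(ws.gateway) not in mgmt_net:
                problems.append("gateway is not on the management port subnet")
    # Bootstrap asks for one name server and optionally a second one.
    if not 1 <= len(ws.name_servers) <= 2:
        problems.append("provide one or two name servers")
    problems += [f"name server is not a valid IPv4 address: {ns!r}"
                 for ns in ws.name_servers if not _is_ipv4(ns)]
    # Role-specific prompts.
    if ws.role == 2 and not (ws.management_platform_ip and _is_ipv4(ws.management_platform_ip)):
        problems.append("network scanner needs the management platform IPv4 address")
    if ws.role in (1, 2):
        if not ws.cc_password:
            problems.append("Communication Channel password is required for this role")
        elif not CC_PASSWORD_RE.match(ws.cc_password):
            problems.append("Communication Channel password: only letters, numbers, '.', '_' and '-', up to 50 characters")
        elif ws.cc_password == ws.console_password:
            problems.append("Communication Channel password must differ from the console password")
    # Up to three static routes; a destination may be a host address or a CIDR block.
    if len(ws.static_routes) > MAX_STATIC_ROUTES:
        problems.append(f"bootstrap accepts at most {MAX_STATIC_ROUTES} static routes")
    for dest, gw in ws.static_routes:
        try:
            ipaddress.IPv4Network(dest, strict=False)
        except ValueError:
            problems.append(f"static route destination is not an IPv4 address or CIDR: {dest!r}")
        if not _is_ipv4(gw):
            problems.append(f"static route gateway is not a valid IPv4 address: {gw!r}")
    if not DEVICE_NAME_RE.match(ws.device_name):
        problems.append("device name: only letters, numbers, spaces, '.' and '-', up to 50 characters")
    if not (_is_ipv4(ws.ntp_server) or FQDN_RE.match(ws.ntp_server)):
        problems.append(f"NTP server must be an IPv4 address or FQDN: {ws.ntp_server!r}")
    return problems

# Constructed sample: a network scanner whose management platform sits on another subnet,
# so it needs a static route to reach it (the case Table 8 gives as its example).
SAMPLE_SCANNER = BootstrapWorksheet(
    role=2, console_password="Long-Console-Passphrase-42",
    ipv4_address="192.0.2.20", ipv4_netmask="255.255.255.0", gateway="192.0.2.1",
    name_servers=["192.0.2.53"], device_name="edr-scanner 01", ntp_server="ntp.example.net",
    management_platform_ip="198.51.100.10", cc_password="scanner_link.2024",
    static_routes=[("198.51.100.0/24", "192.0.2.1")],
)
```

Run `validate_worksheet(SAMPLE_SCANNER)` before handing the sheet to the VM administrator; a non-empty list names each value that would fail or be rejected at the bootstrap prompts.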

Table 9: Setup wizard

Access EDR appliance console.
    Description: This is the static IP for the management port that was specified during bootstrap.
    Value to input: ________.________.________.________
Upload License
    Description: You must upload a license before the Symantec EDR device is functional. You cannot use Symantec
    EDR after initial installation without a license. No grace period exists.
    Value to input: Symantec EDR license location: ______________________________________
SMTP Settings
    Symantec strongly recommends that you specify the SMTP settings in the setup wizard. Doing so lets you
    recover a lost password. Otherwise, you can check Skip adding SMTP server configuration and specify the
    settings later in the EDR appliance console.
SMTP Server and Port
    Description: The fully qualified domain name and port number of the secure mail server.
    Value to input: ________.________.________.________
Appliance Email
    Description: The email address where alerts, such as a license expiration notification, are sent from.
    Value to input: ___________________@_____________._____
Authorize
    Description: If your mail server requires a secure logon to receive messages, type a user name and password
    that Symantec EDR can use to authenticate with the mail server.
    Value to input: User name: _______________________________
                    Password: Provide this information to the administrator installing the appliance in a secure
                    method. Ensure that the password is retained in a secure location for archival purposes.
Create an Administrative account
    These are the login credentials for the initial administrator account. You need this logon to complete the
    setup wizard. This administrator can create additional user accounts, including additional administrator
    accounts.
Logon name
    Description: Initial administrator logon name
    Value to input: _______________________________
Display name
    Description: The initial administrator's display name as it appears in the EDR appliance console.
    Value to input: _______________________________
User email address
    Description: The initial administrator's email address for notifications.
    Value to input: ____________________@____________._____

Installation worksheet completed by:


Name: __________________________________ Date: _________________________

Provided to:
VM Administrator: _________________________ Date: _________________________
EDR Administrator: ________________________ Date: _________________________

Virtual appliance installation workflow

Table 10: Virtual appliance installation workflow

Step | Action | Role | Description
1 | Complete and collect all of the items in the pre-installation checklist. | Symantec EDR administrator and VM administrator | Completing the pre-installation checklist ensures that you have everything you need to install an appliance. It also ensures that you have completed all the tasks required before installation begins. See Pre-installation checklists for virtual appliances and Virtual appliance Installation Worksheet.
2 | Create the required virtual switches. | VM administrator | Create the virtual switches you'll need to connect to the physical adapters on the ESXi server. See Configuring virtual switches.
3 | Deploy the OVA template. | VM administrator | Deploy the OVA template on the ESXi host and map the adapters to the virtual switches. See Deploying the OVA template.
4 | Reserve the necessary resources. | VM administrator | It's imperative that you reserve the required resources on your Symantec EDR appliance virtual machine before you power on the virtual machine for the first time. See Reserving required resources for the virtual appliance.
5 | Extend the hard disk size. (Optional) | VM administrator | If you intend to enable Endpoint Communications Channel, you'll need to add a hard disk to extend the hard disk size. See Extending the virtual hard disk size.
6 | Run bootstrap. | VM administrator | Open the console and run the bootstrap. During bootstrap, you are prompted to provide appliance configuration information. Your Symantec EDR administrator provides you this information on the Installation checklist. See Running bootstrap to configure the appliance.
7 | Enable the SSH service. | Symantec EDR administrator | Enable the SSH service from the command-line interface so that you can administer the virtual appliance remotely over an encrypted connection. See sshconfig command.
8 | Run the extend_storage CLI command. (Optional) | Symantec EDR administrator | This step is only required if you added a hard disk. See Running the extend_storage tool.
9 | Test the network connectivity. | Symantec EDR administrator | Run the status_check command-line command to determine whether the network connectivity is set up properly. The command lists all of the items that are checked and whether each item passed or failed. See status_check command.
10 | Run the setup wizard. (Management platform or all-in-one appliances only.) | Symantec EDR administrator | The Symantec EDR setup wizard guides you through the mandatory configuration steps of an all-in-one or management platform device. This setup includes uploading the product license and creating the first administrator account so that you can log on to the EDR appliance console. See Running the setup wizard.
11 | Perform the post-installation tasks and configurations. (All configurations except management platform.) | Symantec EDR administrator | After you exit the setup wizard, log on to the EDR appliance console. Perform the recommended tasks to start scanning traffic and collecting incident and event data. See Completing setup tasks.
12 | Test the appliance. | Symantec EDR administrator | Run the status_check command again to determine whether the configuration settings have been correctly specified. Symantec has a test webpage, http://testatp.coe.org.uk/, which contains a series of links. When you click each link, you should see a corresponding incident in the database. In Inline Block mode, file downloads should be interrupted. See Testing Symantec EDR for successful monitoring or blocking.

Configuring virtual switches

This topic covers step 2 of the Virtual appliance installation workflow: creating the required virtual switches.

Virtual switches connect each virtual network adapter to a physical port on the ESXi server. The number of virtual switches you need depends on the virtual appliance's operating role and operating mode. The virtual switch property values must match the Destination Network (port group) property values.
About operating roles, operating modes, and network connections
The figures in this topic depict the ports that are mapped one-to-one with physical network interface cards (NICs). But Symantec EDR virtual appliances are compatible with other configurations, such as distributed virtual networks.


For instructions on creating virtual switches and configuring Symantec EDR virtual switch properties, refer to the VMware
vSphere Client documentation.
Tap mode | Inline Block or Inline Monitor mode | Management interface
Tap mode
For an all-in-one virtual appliance or network scanner virtual appliance that operates in Tap mode, you need the following virtual switches:
• One switch for the Management interface
• One switch for the first Monitor interface
• One switch for a second Monitor interface (optional)
NOTE
Do not remove or modify the NIC cards on the VM.
Virtual switch properties for Tap mode Monitor interfaces shows the virtual switch property values that are required for each Monitor network interface when the appliance operates in Tap mode. Each virtual appliance can monitor up to two networks. For any property that is not specified in the table, use the default value. Promiscuous Mode must be Accept because the Monitor interface has to receive frames that are not addressed to its own MAC address; since every vNIC on a promiscuous port group can read that mirrored traffic, attach only the Symantec EDR appliance to it.

Table 11: Virtual switch properties for Tap mode Monitor interfaces

Property | Value
Connection Type | Virtual Machine
Promiscuous Mode | Accept
Failback | No
Notify Switches | No

Virtual Tap/Span network configuration shows the network pathway. The pathway runs from the virtual network adapters through the virtual switches to the physical ports and on to the network for a Tap configuration.

Inline Block or Inline Monitor mode

For an all-in-one virtual appliance or network scanner virtual appliance that operates in Inline Block or Inline Monitor mode, you need the following virtual switches:
• One switch for the Management interface
• One switch for the WAN interface
• One switch for the LAN interface
Virtual switch properties for LAN and WAN interfaces shows the virtual switch property values that are required for the LAN network interfaces and WAN network interfaces. The switch properties apply when the appliance operates in Inline Block or Inline Monitor mode. For any property that is not specified in the table, use the default value. Forged Transmits must be Accept because the appliance bridges frames between LAN and WAN, so the frames it sends carry the source MAC addresses of other hosts rather than its own.

Table 12: Virtual switch properties for LAN and WAN interfaces

Property | Value
Connection Type | Virtual Machine
Promiscuous Mode | Accept
Failback | No
Notify Switches | No
Forged Transmits | Accept

Virtual Inline Block or Inline Monitor network configuration shows the network pathway. It runs from the virtual network adapters through the virtual switches to the physical ports and on to the network for an Inline Block or Inline Monitor configuration.


Management interface
An appliance operating in the management platform role requires a single virtual switch to support the Management
interface. An all-in-one device or network scanner requires one virtual switch to support the Management interface. This
requirement is in addition to the virtual switches that support scanning in Inline Block, Inline Monitor, or Tap mode.
When you create a virtual switch for a Management interface, use the VMware default value for all properties.
About virtual network adapters
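To confirm that a host's port groups actually carry these values before you deploy, here is an added example (not from the Symantec guide) that audits a constructed inventory of port groups against Tables 11 and 12. The port-group names, VM names and policy values in SAMPLE are made up, and the policy fields are plain booleans standing in for the vSphere standard-switch security and teaming settings; in practice you would fill them from the vSphere client or PowerCLI. Besides the required values, it flags a promiscuous port group that carries any VM other than the appliance, because every vNIC on such a port group can read the mirrored or bridged traffic.

```python
"""Audit vSphere standard-switch port groups against the values Symantec EDR
requires for its Monitor, LAN/WAN and Management interfaces.

Added example; it is not part of the Symantec guide. The inventory below is
constructed: port-group names, VM names and policy values are made up, and
the policy fields mirror the standard-switch security/teaming settings
(promiscuous mode, forged transmits, failback, notify switches) as booleans.
"""
from dataclasses import dataclass, field

# vSphere standard-switch defaults: promiscuous mode Reject; forged transmits,
# failback and notify switches Accept/Yes. (A distributed switch rejects all
# three security settings by default, so adjust if you use one.)
VSS_DEFAULTS = {
    "allow_promiscuous": False,
    "allow_forged_transmits": True,
    "failback": True,
    "notify_switches": True,
}

# Required values per interface role, from Tables 11 and 12 of the guide.
# The Management interface keeps the VMware defaults.
REQUIRED = {
    "tap_monitor": {"allow_promiscuous": True, "failback": False,
                    "notify_switches": False},
    "inline_lan_wan": {"allow_promiscuous": True, "allow_forged_transmits": True,
                       "failback": False, "notify_switches": False},
    "management": dict(VSS_DEFAULTS),
}


@dataclass
class PortGroup:
    name: str
    role: str                                           # a key of REQUIRED
    vswitch_policy: dict = field(default_factory=dict)  # set on the vSwitch
    overrides: dict = field(default_factory=dict)       # port-group overrides
    attached_vms: tuple = ()                            # VMs with a vNIC here


def effective_policy(pg: PortGroup) -> dict:
    """Port-group overrides win over the vSwitch policy, which wins over defaults."""
    policy = dict(VSS_DEFAULTS)
    policy.update(pg.vswitch_policy)
    policy.update(pg.overrides)
    return policy


def check_portgroup(pg: PortGroup, appliance_vm: str) -> list:
    """Return findings for one port group; an empty list means compliant."""
    findings = []
    policy = effective_policy(pg)
    for prop, want in REQUIRED[pg.role].items():
        if policy[prop] != want:
            findings.append(f"{pg.name}: {prop} is {policy[prop]}, "
                            f"Symantec EDR requires {want} for a {pg.role} interface")
    # A promiscuous port group hands every mirrored or bridged frame to any
    # vNIC on it, so nothing but the EDR appliance should be attached.
    if policy["allow_promiscuous"]:
        others = [vm for vm in pg.attached_vms if vm != appliance_vm]
        if others:
            findings.append(f"{pg.name}: promiscuous port group also carries "
                            f"{', '.join(others)}, which can read all monitored traffic")
    return findings


def check_all(portgroups, appliance_vm: str) -> list:
    return [f for pg in portgroups for f in check_portgroup(pg, appliance_vm)]


# Constructed inventory of one ESXi host (made-up names and values).
SAMPLE = [
    PortGroup("EDR-Mgmt", "management", attached_vms=("edr-vm", "jump-host")),
    PortGroup("EDR-Monitor1", "tap_monitor",
              vswitch_policy={"allow_promiscuous": True},  # failback/notify at defaults
              attached_vms=("edr-vm",)),
    PortGroup("EDR-LAN", "inline_lan_wan",
              vswitch_policy={"allow_promiscuous": True, "failback": False,
                              "notify_switches": False},
              overrides={"allow_forged_transmits": False},  # would drop bridged frames
              attached_vms=("edr-vm", "dev-sniffer")),
]

if __name__ == "__main__":
    for finding in check_all(SAMPLE, "edr-vm"):
        print(finding)
```

Run against SAMPLE the script reports two findings for EDR-Monitor1 (Failback and Notify Switches still at their defaults), and two for EDR-LAN (Forged Transmits overridden to Reject, and a second VM on the promiscuous port group); EDR-Mgmt passes because it keeps the defaults.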


About operating roles, operating modes, and network connections


You configure each appliance for Symantec EDR with an operating role and an operating mode. Together, these
determine how the device is connected to your network and how it functions to protect your network and to report threats.
Operating roles | Operating modes and network connections
Operating roles
You can deploy the appliance as a management platform, network scanner, or all-in-one device. You assign the operating
role when you run bootstrap on the appliance. These roles have the following functionality:

Management platform: If two or more appliances are installed, one should be deployed in the Management platform role. A management platform hosts the EDR appliance console and displays incidents and endpoints at risk for all connected scanners. The management platform presents a comprehensive view of malicious activity on your network. The management platform also centralizes configuration, management, and reporting functions. The management platform does not scan network traffic.
Network scanner: If two or more appliances are installed, all devices except the management platform should be deployed as network scanners. Each network scanner can monitor traffic on a different network and send its incident data to the management platform. Depending on the operating mode, the network scanner may block malicious traffic in real time. A network scanner does not have the EDR appliance console. You configure and manage the network scanner from the management platform. Its incident data is consolidated with the incident data from other network scanners and reported from the management platform. When your network expands, additional network scanners can be installed and connected to the management platform to protect the new networks.
All-in-one: If only one appliance is installed, it should be deployed in the all-in-one role. An all-in-one device performs the functions of both the management platform and network scanner roles.

NOTE
An all-in-one device cannot function as a management platform for network scanners. Only an appliance that is
assigned the management platform role can manage a network scanner.
The roles you choose depend upon the throughput of network traffic. For small to medium-sized installations, you should
have one appliance running in the all-in-one role. For larger installations, you would install multiple appliances with one
acting in the management platform role and the remaining appliances acting as network scanners.
Running bootstrap to configure the appliance
To change the operating role of an appliance after initial installation, you must reinstall the appliance software.
Operating modes and network connections
The operating mode controls how your network traffic is processed. It also affects how the appliance is physically
connected to your network.
Symantec EDR operating modes and network connections describes the Symantec EDR modes that are available for
the appliances and the network connections that are required for each role. You must assign a static IP address to each
Symantec EDR network connection.


Table 13: Symantec EDR operating modes and network connections

Mode | Description | Network connections required
Inline Block | In Inline Block mode, network traffic passes through the appliance between the endpoints and the Internet. Any file downloads, accessed websites, and traffic that are considered malicious are blocked. Only Inline Block mode provides real-time protection against threats. The virtual appliance has one Inline interface in Inline Block mode. Note: Inline Block mode is not recommended for the virtual appliances, because bypass mode is not available for a virtual deployment. | 1 Management; 1 WAN; 1 LAN
Inline Monitor | In Inline Monitor mode, network traffic passes through the appliance between the endpoints and the Internet. Malicious files, websites, and traffic are logged for visibility but are not blocked. Any threats that are found in Inline Monitor mode must be mitigated manually. Inline Monitor mode is often used as a test for system performance and to analyze potential behavior for blocking (from reports) before blocking is implemented. The physical connections for Inline Block and Inline Monitor modes are identical, so no re-cabling is necessary when you switch between these modes. The virtual appliance has one Inline interface in Inline Monitor mode. Note: Inline Monitor mode is not recommended for the virtual appliances, because bypass mode is not available for a virtual deployment. | 1 Management; 1 WAN; 1 LAN (identical to Inline Block)
Bypass (Inline mode failsafe) | On a hardware appliance, the NIC state depends on the deployment history: installed out of the box, Standard NIC mode; configured for Inline deployment, Bypass mode; configured for Tap deployment, Standard NIC mode; reimaged (factory reset) after any previous deployment, Standard NIC mode. Bypass mode is not available for virtual appliances. If a virtual appliance cannot function or is turned off, network communications are interrupted. For this reason, Inline Block and Inline Monitor modes are not recommended for virtual appliances. | Same as Inline Block or Inline Monitor mode
Tap | In Tap mode, the appliance connects to a Tap or Span port on a switch. The appliance monitors a copy of the traffic between the endpoints and the Internet, so monitoring and logging incidents do not affect network performance. Because the monitoring and logging engines work at different intervals, there may be a slight delay in detecting incidents. All threats must be mitigated manually. The virtual appliance can monitor up to two monitor ports on separate networks in Tap mode. | 1 Management; 1 Monitor connection for each network monitored
Management platform | In management platform mode, all communications and management go through the management port. Since a management platform appliance does not scan, only the management connection is required. | 1 Management

You choose the operating mode for an all-in-one device or network scanner from the EDR appliance console. A
management platform operates in management platform mode automatically.
About network configurations and port connections
Where to place the appliance in your network for best results

About selecting a network scanner


The following factors determine the number of recommended network scanners.

Hardware versus virtual: Make this decision based on your current infrastructure. Users with extensive VMware investment might want to use virtual appliances. Users with little or no VMware investment should use hardware. Hardware solutions have bypass NICs, so on failure Symantec EDR continues to pass traffic when deployed inline. Therefore, real hardware is preferred for inline deployments. For more information, see the Installation Guide for your respective platform (physical or virtual appliance).
Available bandwidth: The hardware solutions have higher throughput than virtual solutions. See the Symantec Endpoint Detection and Response Sizing Guide for more information.
Total endpoints in the organization: VMs can handle 2K simultaneous connections.
Symantec EDR features: If the deployment is to use mostly network scanning, then a separate scanner and management platform deployment provides room to increase scanning capacity. In this case, the physical appliance has more storage capacity and is suitable for the management platform. The number of scanners depends on the number of ingress and egress points in the network and the amount of traffic at those points. An all-in-one deployment needs to be able to handle all the traffic for the projected growth of the organization for the lifetime of the appliance. If the deployment functions primarily as Symantec EDR: Endpoint, then select an all-in-one deployment.

About network configurations and port connections


The following table describes the ways to connect Symantec Endpoint Detection and Response to your network.

NOTE
Port connections vary by appliance model, version, and role.

Network configuration | Description | Connect Management to | Connect WAN to | Connect LAN to
Simple port span/tap | This configuration monitors the traffic between the endpoints and the Internet but does not block file transfers or websites. Internet-bound traffic is copied to the switch port using port mirroring that is configured on the switch itself. This configuration uses one monitor port and one management connection. This setup is easy and is useful as an initial test of Symantec EDR. | Port on your LAN switch | Connect Monitor1 to a network tap or to a port on your LAN switch that is set to span mode | Not used
Port span/tap with multiple monitor ports | This configuration uses two monitor ports and one management connection. Extra monitor ports allow the same appliance to connect to multiple switches from different subnets. This configuration does not block file transfers or websites. | Port on your LAN switch | Connect Monitor1 to a network tap or to a port on your LAN switch that is set to span mode | Connect Monitor2 to a network tap or to a port on your LAN switch that is set to span mode
Simple inline | You can block file transfers and websites using this configuration. Inline configuration requires more network connections than port span/tap. Ideally, you should deploy Symantec EDR inline between the client and the firewall. If you use a proxy, connect the appliance between the client and the proxy. | Port on your LAN switch | Internet firewall LAN port | Port on your LAN switch
Inline with two firewalls, two proxies, and two appliances | You can connect two appliances to two firewalls as part of a high-availability environment. You can configure the firewalls in active/active failover or active/standby failover. Configure the appliances identically except for the network settings. Both appliances should be connected to the same management platform. | Port on your LAN switch | Internet firewall LAN port | Port on your LAN switch
Management platform | In a management platform configuration, an appliance is configured to manage other appliances. This appliance does not scan, so it requires only a management connection. | Port on your LAN switch | Not used | Not used


Where to place the appliance in your network for best results


The placement of your appliance depends upon whether the appliance is a management platform, network scanner,
or all-in-one device. The Symantec Endpoint Detection and Response appliance must be able to perform the following
depending upon its role:
• Scan all network traffic coming into and out of the organization
• Determine the source and destination of all traffic
• Detect internal connection endpoints
• Act as a network proxy for endpoints (if integrating with Symantec Endpoint Protection Manager)
• Have a minimal effect on network performance
If your architecture includes a demilitarized zone (DMZ) and you integrate Symantec EDR with Symantec Endpoint
Protection, don't place the following in the DMZ:
• Management platform appliance
• All-in-one appliance
• SEP
Deploying the appliance between a proxy and firewall prevents Symantec EDR from detecting the IP address of the
source endpoint. So in this scenario, you must enable the X-Forwarded-For: header field. You might also need to
configure your firewall to strip the X-Forwarded-For: header field.
Symantec EDR does not scan traffic between internal computers. The exception is when one of the computers is a proxy
server. The internal traffic that is routed to a proxy server is scanned because it is outbound network traffic.
If you want Symantec EDR to reach the Internet through a proxy server, you must treat the appliance as a trusted device
and disable authentication. Symantec EDR does not support passing Basic Authentication credentials to the proxy.
Symantec EDR supports Basic or Simple Password Authentication to the proxy.

25
Symantec™ Endpoint Detection and Response 4.6 Installation Guide for virtual appliances

You can use the management port for any of the following:
• To access the EDR appliance console.
• For communication to Symantec's servers (e.g., LiveUpdate, cloud-based sandboxing, Insight, telemetry, etc.).
• To facilitate communication to SEPM and endpoints for the endpoint proxy.
The management network should not be open to the Internet as a whole. If you need access to the management network
from outside, a VPN or short-lived Remote Desktop connection is recommended.
In Inline mode, the management port must be on a different subnet from the Inline interface.
The following figures show examples of network configurations.
You might need crossover cables for Inline deployment if devices connected to WAN port and LAN port don't have
automatic MDI/MDI-X configuration.


About network configurations and port connections


Virtual appliance installation workflow

Required firewall ports


Depending on your network layout, you may need to open some ports on your firewall and edit your firewall rules. These
changes let you access the important web addresses that are essential for Symantec Endpoint Detection and Response
operations.
Symantec EDR web and IP addresses lists the web and IP addresses to which Symantec EDR requires access.

Table 14: Symantec EDR web and IP addresses

Web addresses/IP Address | Protocol | Port | Description
remotetunnel1.edrc.symantec.com, remotetunnel2.edrc.symantec.com, remotetunnel3.edrc.symantec.com, remotetunnel4.edrc.symantec.com, remotetunnel5.edrc.symantec.com | HTTPS | 443 | Permits Symantec Support remote access to the Symantec EDR appliance.
https://api-gateway.symantec.com | TCP | 443 | Accesses Symantec's Targeted Attack Analytics service.
licensing.dmas.symantec.com | TCP | 443 | Used to get the Cynic license.
api.us.dmas.symantec.com, api.eu.dmas.symantec.com | TCP | 443 | Used to perform queries to the Cynic US and UK servers (required).
liveupdate.symantec.com | TCP | 80 | Used to check for and download definitions for Symantec's detection technologies.
ratings-wrs.symantec.com | TCP | 443 | Used to query the Norton Safe Web server to identify malicious websites.
stnd-avpg.crsi.symantec.com, stnd-ipsg.crsi.symantec.com | TCP | 443 | Used to send detection telemetry to Symantec.
register.brightmail.com | TCP | 443 | Used to register the appliance.
swupdate.brightmail.com | TCP | 443 | Used to check for and download new releases of Symantec EDR.
shasta-rrs.symantec.com, shasta-mrs.symantec.com | TCP | 443 | Used to perform reputation lookups for Windows executable and APK installable files.
datafeedapi.symanteccloud.com | TCP | 443 | Used to download Email Security.cloud and EDR: Roaming events.
stats.norton.com | TCP | 443 | When telemetry is configured, used to send statistics telemetry to Symantec.
EDR appliance console | TCP | 443 (inbound) or in the range of 1024 to 9997 | Access to the Symantec EDR public API.
https://sso1.edrc.symantec.com | TCP | 443 | Used for SSO.

Symantec EDR ports and settings describes the ports that Symantec EDR uses for communications, content updates, and
interactions with Symantec.cloud detection services.

Table 15: Symantec EDR ports and settings

Service | Protocol | Port | From | To | Description
Back up | FTP; SSH | 20 TCP, UDP; 21 TCP; 22 TCP, UDP | Management platform or all-in-one appliances | Configured backup storage server (internal traffic) | FTP server: FTP ports 20, 21. SSH server: SSH port 22.
Email notifications | SMTP | 25 TCP; 587 TCP | Management platform or all-in-one appliance | SMTP server (internal traffic) | Communication with the SMTP server.
Content updates | HTTP | 80 TCP | All appliances | Symantec (external traffic) | Virus and Vantage definitions, and other content that LiveUpdate delivers. This port is required for proper functioning of the product.
Statistics delivery | HTTP | 80 TCP | All appliances | Symantec (external traffic) | Sends the data to Symantec for statistical and diagnostic purposes. Private data is not sent over this port.
ECC 2.0 | HTTPS; HTTP | 443; 80 | Managed SEP endpoints | Symantec EDR | Communicates commands to the endpoints.
ECC 1.0 | HTTPS | 8446 | Symantec EDR | SEPM | Commands to SEPM.
RRS/endpoint submissions, ECC 2.0 | HTTPS; HTTP | 443; 8080 | SEP | Symantec EDR | The SEPM private cloud that lets endpoints communicate with Symantec EDR.
RRS/endpoint submissions, ECC 1.0 | HTTPS; HTTP | 443; 80; 8443¹ | SEP | Symantec EDR | The SEPM private cloud that lets endpoints communicate with Symantec EDR.
Symantec cloud detection, analysis, and correlation services and telemetry (with the endpoint activity recorder enabled or disabled) | TCP | 443 TCP | All appliances | Symantec (external traffic) | Cloud service queries and telemetry data exchanges. If the endpoint activity recorder is enabled, SEP sends conviction events directly to Symantec EDR.
Antivirus and intrusion prevention conviction information | HTTP; HTTPS | 8080 TCP (HTTP) or 443 TCP (HTTPS); 80 TCP (HTTP) or 8443 TCP (HTTPS) | SEP clients | Symantec EDR management platform | Information about the files and the network traffic that SEP detects.
Antivirus and intrusion prevention conviction information | HTTPS; HTTP | 443 TCP; 80 TCP | Symantec EDR management platform | Symantec (external traffic) | Information about files and the network traffic that SEP detects.
Product updates | HTTPS | 443 TCP | All appliances | Symantec (external traffic) | Finds and delivers new versions of Symantec EDR.
EDR appliance console | HTTPS | 443 TCP (inbound) or in the range of 1024 to 9997 | Client connecting to manage an appliance | Management platform or all-in-one appliance (internal traffic) | EDR appliance console access for an all-in-one appliance or management platform.
EDR appliance console, network scanners, and all-in-one appliance | SSH | 22 | Client connecting to manage an appliance | Management platform, scanner, or all-in-one appliance (internal traffic) | Command-line access to the appliance.
Synapse SEPM connection with Microsoft SQL Server (optional) | JDBC | 1433 TCP (default) | Management platform or all-in-one appliance | SEPM Microsoft SQL Server (internal traffic) | Required if using Microsoft SQL Server for SEPM and Synapse. SEPM administrators can configure a different port for this communication.
Communication channel (management platform and network scanner installations only) | AMQP | 5671 TCP; 5672 TCP | Network scanner appliance | Management platform (internal traffic) | Communications between the management platform and network scanners. Not required for an all-in-one installation. After the initial exchange on this port, the communication is secured.
Blocking page (Inline Block mode only) | HTTP | 8080 TCP | Network scanner | Protected endpoints (internal traffic) | Sends the blocking page when content is blocked at an endpoint. Not required for Inline Monitor or Tap/Span modes.
Synapse SEPM connection with Embedded DB (optional) | HTTPS | 8081 TCP (default) | Management platform or all-in-one appliance | SEPM server (internal traffic) | Required if using the embedded database for the Synapse connection to SEPM. Supported for SEPM 14.3 MP1 and earlier.
Connection to SEPM database | HTTPS | 2638 TCP (default) | Management platform or all-in-one appliance | MS SQL Express |
Synapse SEPM connection with the SEPM web services Remote Management and Monitoring (RMM) service (optional) | HTTPS | 8446 TCP (default) | Management platform or all-in-one appliance | SEPM server | Required if connecting to the SEPM server for executing management operations, for example adding or removing items from the blacklist or placing an endpoint under quarantine.
Syslog | Syslog | TCP (preferred) or UDP; the port should be the same as configured in the EDR appliance console for syslog | All appliances | Configured syslog server (internal or external traffic based on your environment) | If syslog is configured, this connection delivers log messages to the remote syslog server.
EDR: Email, EDR: Roaming | HTTPS | 443 TCP | Management platform or all-in-one appliance | Symantec | This connection lets Symantec EDR collect conviction events from EDR: Roaming and EDR: Email when Synapse Correlation is enabled for either one of these services.
Active Directory | LDAPS | 636 | Management platform or all-in-one appliance | Active Directory server | This connection allows Symantec EDR to integrate with Active Directory for user authentication.
Security Analytics link | HTTPS | 443 TCP/UDP | Management platform or all-in-one appliance | Symantec Security Analytics appliance or virtual appliance | This connection lets Symantec EDR integrate with Symantec Security Analytics to provide a link on individual log events that navigates users to additional information on related network motion.

¹ Port 8443 is only available if you were using this port on previous versions of Symantec EDR and have since updated. If you are installing Symantec EDR for the first time, this port is not available.
Where to place the appliance in your network for best results
Virtual appliance installation workflow
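The following is an added example, not part of the Symantec guide, that checks a proposed egress rule set for the appliance's management interface against the destinations in Table 14. REQUIRED_EGRESS is transcribed from that table; the PROPOSED rules and their (destination, protocol, port) shape are constructed for illustration. It reports destinations that no rule covers, rules that allow any destination, and leftover rules that nothing in the table needs, so the allow list stays as narrow as the table. Note that the remotetunnel hosts give Symantec Support a path into the appliance; many teams keep that rule disabled until a support case needs it.

```python
"""Audit a proposed egress allow list for the Symantec EDR management
interface against the destinations in Table 14.

Added example; it is not part of the Symantec guide. REQUIRED_EGRESS is
transcribed from Table 14 (the inbound "EDR appliance console" entry is
left out). The PROPOSED rules and the (destination, protocol, port) rule
shape are constructed: "any" matches every destination and "*." is a
hostname wildcard.
"""
from fnmatch import fnmatchcase

# (destination host, protocol, port, purpose), outbound from the appliance.
REQUIRED_EGRESS = [
    (f"remotetunnel{n}.edrc.symantec.com", "tcp", 443, "Symantec Support remote access")
    for n in range(1, 6)
] + [
    ("api-gateway.symantec.com", "tcp", 443, "Targeted Attack Analytics"),
    ("licensing.dmas.symantec.com", "tcp", 443, "Cynic license"),
    ("api.us.dmas.symantec.com", "tcp", 443, "Cynic queries (US)"),
    ("api.eu.dmas.symantec.com", "tcp", 443, "Cynic queries (EU)"),
    ("liveupdate.symantec.com", "tcp", 80, "LiveUpdate definitions"),
    ("ratings-wrs.symantec.com", "tcp", 443, "Norton Safe Web"),
    ("stnd-avpg.crsi.symantec.com", "tcp", 443, "Detection telemetry"),
    ("stnd-ipsg.crsi.symantec.com", "tcp", 443, "Detection telemetry"),
    ("register.brightmail.com", "tcp", 443, "Appliance registration"),
    ("swupdate.brightmail.com", "tcp", 443, "Symantec EDR releases"),
    ("shasta-rrs.symantec.com", "tcp", 443, "Reputation lookups"),
    ("shasta-mrs.symantec.com", "tcp", 443, "Reputation lookups"),
    ("datafeedapi.symanteccloud.com", "tcp", 443, "Email Security.cloud / EDR: Roaming"),
    ("stats.norton.com", "tcp", 443, "Statistics telemetry"),
    ("sso1.edrc.symantec.com", "tcp", 443, "SSO"),
]


def rule_covers(rule, requirement) -> bool:
    """True if one firewall rule permits one required destination."""
    dst, proto, port = rule
    host, req_proto, req_port, _purpose = requirement
    if proto != req_proto or port != req_port:
        return False
    return dst == "any" or fnmatchcase(host.lower(), dst.lower())


def audit(rules, required=REQUIRED_EGRESS):
    """Return (missing destinations, rules open to any destination, rules nothing needs)."""
    missing = {req[0] for req in required
               if not any(rule_covers(r, req) for r in rules)}
    overbroad = [r for r in rules if r[0] == "any"]
    unused = [r for r in rules if not any(rule_covers(r, req) for req in required)]
    return missing, overbroad, unused


def minimal_rules(required=REQUIRED_EGRESS):
    """One exact-host rule per required destination: the narrowest allow list."""
    return sorted({(host, proto, port) for host, proto, port, _ in required})


# Constructed change request for review (made-up rules).
PROPOSED = [
    ("*.symantec.com", "tcp", 443),
    ("any", "tcp", 80),                         # too broad: only LiveUpdate needs plain HTTP
    ("*.brightmail.com", "tcp", 443),
    ("old-update.example.net", "tcp", 443),     # leftover from an earlier product
]

if __name__ == "__main__":
    missing, overbroad, unused = audit(PROPOSED)
    print("missing:  ", sorted(missing))
    print("overbroad:", overbroad)
    print("unused:   ", unused)
```

For PROPOSED the audit reports datafeedapi.symanteccloud.com and stats.norton.com as uncovered (neither falls under the two wildcards), flags the any-destination port 80 rule, and lists the old-update.example.net rule as unused; audit(minimal_rules()) comes back clean.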

Proxy recommendations
The following are Symantec's proxy recommendations:

Network scanning: Proxy deployment options are as follows:
• Deploy Symantec EDR between the internal network and the proxy. This deployment configuration is recommended. When Symantec EDR sits between the internal network and the proxy, it has full visibility of endpoint information, because it sees the endpoints' own source addresses rather than the proxy's. If you load-balance across a farm of proxies, deploy Symantec EDR between the internal network and the proxy farm, so that failover from one proxy to another stays on the monitored path. In this scenario, the LAN port of the proxy is a good place to plug in Symantec EDR inline.
• Deploy Symantec EDR between the proxy and the firewall. In this configuration you must enable the X-Forwarded-For feature on the proxy, because otherwise every connection appears to originate from the proxy's address. The firewall must be able to strip out the X-Forwarded-For header; see the documentation for your firewall for instructions on how to remove it. The disadvantage of this deployment is that it requires more effort to configure.

Management traffic from Symantec EDR to Symantec back-end servers: This traffic does not support SSL interception. If the proxy server has SSL interception enabled, create a policy that lets Symantec traffic bypass interception. Such a policy prevents the proxy from inspecting Symantec traffic, thereby reducing resource demands.
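The X-Forwarded-For handling described in the "between the proxy and the firewall" option above, and in "Where to place the appliance in your network for best results", as an added example that is not part of the Symantec guide or the appliance's own code. The proxy addresses in TRUSTED_PROXIES and the sample request are constructed. It shows the two rules that make the header safe to rely on: believe it only when the TCP peer is one of your own proxies, and read it from the right so that a value the client inserted itself is ignored. It also shows the stripping step the firewall performs so that internal addresses do not leak to the Internet.

```python
"""Recover the real client address behind a forward proxy from X-Forwarded-For,
and strip the header again before a request leaves for the Internet.

Added example; it is not from the Symantec guide and not the appliance's own
parsing code. TRUSTED_PROXIES and the request below are constructed.
"""
import ipaddress

# Addresses of your own forward proxies (assumed values).
TRUSTED_PROXIES = frozenset({ipaddress.ip_address("10.0.0.5"),
                             ipaddress.ip_address("10.0.0.6")})


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def client_ip(peer_ip: str, headers, trusted=TRUSTED_PROXIES) -> str:
    """Address to attribute the request to.

    X-Forwarded-For is only believed when the TCP peer is one of our proxies,
    and even then the chain is walked from the right: each proxy appends the
    address it saw, so the rightmost entry that is not a trusted proxy is the
    client. Anything the client put in the header itself sits to the left of
    that entry and is ignored.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in trusted:
        return str(peer)            # header came from an untrusted source
    values = [v for n, v in headers if n.lower() == "x-forwarded-for"]
    chain = [h.strip() for h in ",".join(values).split(",") if h.strip()]
    for entry in reversed(chain):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            break                   # malformed entry: stop trusting the chain
        if addr not in trusted:
            return str(addr)
    return str(peer)                # no usable entry: attribute to the proxy


def strip_xff(raw: bytes) -> bytes:
    """Remove X-Forwarded-For so internal addresses do not leak to the Internet."""
    request_line, headers, body = parse_request(raw)
    kept = [f"{n}: {v}" for n, v in headers if n.lower() != "x-forwarded-for"]
    return "\r\n".join([request_line] + kept).encode("latin-1") + b"\r\n\r\n" + body


# Constructed: an endpoint at 192.168.1.20 inserts a fake 203.0.113.9, then the
# proxy at 10.0.0.5 appends the address it actually accepted the connection from.
REQ_VIA_PROXY = (b"GET /download/sample.exe HTTP/1.1\r\n"
                 b"Host: testatp.coe.org.uk\r\n"
                 b"X-Forwarded-For: 203.0.113.9, 192.168.1.20\r\n"
                 b"Connection: close\r\n\r\n")

if __name__ == "__main__":
    _, hdrs, _ = parse_request(REQ_VIA_PROXY)
    print("seen via proxy  :", client_ip("10.0.0.5", hdrs))      # 192.168.1.20
    print("seen from a host:", client_ip("192.168.1.77", hdrs))  # 192.168.1.77
    print(strip_xff(REQ_VIA_PROXY).decode("latin-1"))
```

With the peer being the proxy, the spoofed 203.0.113.9 is skipped and 192.168.1.20 is attributed; when the same header arrives directly from a host rather than a proxy, it is disregarded and the peer address is used. Placing the appliance between the clients and the proxy, as the first option recommends, avoids needing any of this.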

Symantec EDR platform support matrix


Use the matrix below to verify that your current installation of Symantec EDR meets the system requirements to support
Symantec EDR's features.

Table 16: Platform support matrix

Columns: Platform | Config Specs | ECC 1.0 | ECC 2.0 Default Events¹ | ECC 2.0 All Events | Scanner Only Throughput, Tap Mode | Scanner Only Throughput, Inline Mode

ESXi VM | See Symantec EDR 3.0 or later VMware specifications: 12 cores, Memory: 48 GB, Hard drive: 500 GB | 20,000 endpoints | 20,000 endpoints | Not supported | 300 Mbps | 200 Mbps

ESXi VM with HD addition | See Symantec EDR 3.0 or later VMware specifications: 12 cores, Memory: 48 GB, Hard drive: 1.5 TB (1 TB hard disk in addition to the VM's existing 500 GB hard disk) | 80,000 endpoints | 80,000 endpoints | 10,000 endpoints | 300 Mbps | 200 Mbps²

¹ Process Launch and Process Terminate events disabled.


² Symantec does not recommend inline mode for the virtual appliance. When you deploy a virtual appliance in inline mode
you run a risk because there is no bypass ability.

Obtaining a Symantec EDR license file and installing it


When you purchase Symantec EDR, Broadcom sends you a fulfillment confirmation "Welcome" email that includes your
serial number and a license key file attachment.
If you did not receive a Broadcom Welcome letter or you cannot locate your license key file, click here to go to the
Broadcom web site where you can access your license key file.
Save your license key file to a location that you can access from the EDR appliance console.

Install the license key file in the EDR appliance console for product activation.

1. In the EDR appliance console, click Settings > Global.


2. Scroll down to the Licensing section and click Upload License.
3. In the Upload License dialog box, browse to and select the license file, and then click Upload.
The new license takes effect immediately, although it must be distributed to each of the scanners. If the previous
license had expired, make sure that you enable scanning again on all scanner devices.
Related Links
Symantec to Broadcom Transition Guide - My Entitlements


Installing a virtual appliance

Deploying the OVA template


Step 1 of the Symantec EDR Virtual appliance installation workflow: Installing the virtual appliance workflow.

Installation of the ISO is not supported for a virtual appliance. Symantec EDR does not support the creation of an OVA
template from the Symantec EDR template. You must deploy the unaltered OVA template.
1. Deploy the OVA template on the VMware ESXi server.
Proceed through the wizard until you reach the Network Mapping panel.
2. In the Deploy OVA Template wizard, on the Network Mapping panel, map the Source Network adapters that are built into the Symantec EDR OVA to the Destination Networks that you already configured on your network.
About virtual network adapters
For best performance, use thick provisioning.

NOTE
The Destination Networks that are shown are examples only.
3. In the Destination Networks column, choose a network for each Source Network adapter as follows:
See the Installation worksheet for the management network information.

Source Network: Management
Destination Network: Choose your management network.
  This mapping applies to all virtual appliances: all-in-one devices, network scanners, and management platforms.

Source Network: Monitor1_WAN
Destination Network:
  • For Inline Block or Inline Monitor mode on an all-in-one device or network scanner, choose the WAN network that you want to protect.
  • For Tap mode on an all-in-one device or network scanner, choose a network that you want to monitor. This network must be connected to a Tap or Span port on the network switch.
  • For a management platform, you can map Monitor1_WAN to any network. Only the management port is active when an appliance operates as a management platform.

Source Network: Monitor2_LAN
Destination Network:
  • For Inline Block or Inline Monitor mode on an all-in-one device or network scanner, choose the LAN network that you want to protect.
  • For Tap mode on an all-in-one device or network scanner, choose an additional network that you want to protect. This network must be connected to a Tap or Span port on the network switch.
    If you do not want to make this connection, map Monitor2_LAN to any network. After you complete the OVA deployment, edit the virtual appliance settings in VMware vSphere Client to disconnect Network adapter 3. Refer to the VMware documentation for instructions.
  • For a management platform, you can map Monitor2_LAN to any network. Only the management port is active when an appliance operates as a management platform.

NOTE
For all-in-one devices and network scanner devices, do not map Monitor1_WAN and Monitor2_LAN to the same network. This configuration might cause a bridge loop, and packets may not be sent to the network properly.
NOTE
When you deploy a network scanner on a virtual machine and you have mapped the WAN port to a physical
NIC through a vSwitch, change the configuration of the vSwitch to allow all VLAN IDs in the port group
properties. Without this setting, Symantec EDR may not capture some network traffic. See your vSphere
documentation for more information.

4. Uncheck Power on after deployment and click Finish.


IMPORTANT
It is imperative that the VM image is not powered on when you proceed to the next steps of extending
the hard drive and allocating resources. If you are unable to uncheck this option and the virtual appliance
automatically starts, manually stop it before proceeding.

Reserving required resources for the virtual appliance


Step 2 of the Symantec EDR Virtual appliance installation workflow: Installing the virtual appliance workflow.

IMPORTANT
It's imperative that your virtual computer has the proper resources allocated. It's also imperative that your virtual
computer is powered off when you make these configurations. The vSphere/ESXi host must have the required
resources physically available and not reserved by any other VMs so that you can allocate them to Symantec
EDR. Otherwise, the VM is in an unsupported configuration and might not function correctly. A broken VM with
unreserved resources is not always recoverable, which may require that the OVA be redeployed to a new VM.
System requirements for the virtual appliance


To reserve the resources allocated to the VM, edit the VM guest and specify the amount of resources to reserve.
1. To reserve required resources in the vSphere console:
a) In the vSphere console, go to the virtual machine and click Edit Settings.
b) In the Settings window, click the Resources tab.
c) On the Resources tab, set the CPU reservation to the minimum recommended value of 12000 MHz.
d) Configure the Memory by checking Reserve all guest memory.
e) Save your changes.
2. To reserve required resources in ESXi:
a) In the ESXi console, navigate to the virtual machine.
b) Click Edit.
c) On the Virtual Hardware tab, expand CPU.
d) Configure Reservation to 12 GHz.
e) Expand Memory and check Reserve all guest memory.
f) Save your changes.
3. To reserve required resources in the vSphere web client:
a) In the vSphere web client, navigate to the virtual machine.
b) Click the Actions menu and select Edit Settings.
c) On the Virtual Hardware tab, expand CPU.
d) Configure Reservation to 12 GHz.
e) Expand Memory and check Reserve all guest memory.
f) Save your changes.

Extending the virtual hard disk size


Step 3 of the Symantec EDR Virtual appliance installation workflow: Installing the virtual appliance workflow.

After Symantec EDR installation and deployment, you'll need to further extend your hard disk space. That's because the
endpoint activity recorder collects data from your endpoints, which is then stored in Symantec EDR's database. As such,
Symantec EDR requires more system resources and storage space. Otherwise, you will experience disk space issues. If
you intend to use Endpoint Communications Channel features, you'll need to add an additional hard disk.
See the Symantec™ Endpoint Detection and Response Sizing and Scalability Guide for sizing recommendations.
Follow these same instructions whenever you need to add an additional hard disk later. After you add the disk, run the extend_storage command.

System requirements for the virtual appliance


Symantec EDR platform support matrix


Running the extend_storage tool


1. In the vSphere console, go to the virtual machine and click Edit Settings.
2. In the Settings window, click the Hardware tab.
3. Click Add.
4. In the Add Hardware panel, click Hard Disk and then click Next.
5. On the Select a Disk panel, click Next.
6. On the Create a Disk panel, change the disk size to 500 GB.
7. On the Advanced Options panel, click Next. Then click Finish.
8. On the Placement Recommendations panel, click Apply Recommendations.
9. Click OK.

Running bootstrap to configure the appliance


Step 4 of the Symantec EDR Virtual appliance installation workflow: Installing the virtual appliance workflow.

You'll need to open the console window to run bootstrap.

During bootstrap, you are prompted to provide appliance configuration information. Your Symantec EDR administrator
provides you this information on the Installation worksheet.
Virtual appliance Installation Worksheet
When bootstrap is complete, the system restarts.

You can re-run bootstrap (for example, to change certain IP addresses) after initial installation from the CLI using the
bootstrap command. You cannot re-run bootstrap to change the operating role of the appliance.

1. In the Integrated Remote Access Controller window, click the Virtual Console Preview window, or click the
Launch Console link under this window.
2. To open the console window through the vSphere client, click the Console tab, then in the toolbar menu, click the Play
icon.
3. In the console window at the login prompt, log in as follows:
User name = admin
Password = symantec
Bootstrap begins automatically the first time you log on, before the appliance is configured.
Once you complete configuration, you can run bootstrap again using the bootstrap CLI command.


4. For each prompt, type a response and then press Enter to specify the required information.
The following table describes the bootstrap prompts:

New password:
  Type a new, secure password for the console. This password replaces the default password, symantec.

Weak password. Try another [y/n]?
  A password that is similar to a word in the dictionary, is too short, or is not complex enough is less secure. Type y to delete the new password and be prompted to try again. Type n to keep the new password you previously entered.

Re-enter new password:
  To confirm the new password, type it again and press Enter. If the two passwords do not match, you are prompted to type and retype the password again.

Select one of the following appliance roles: 1 = Management platform ..., 2 = Network scanner ..., 3 = All-in-one ... []?
  Type the number that corresponds to the role for this appliance. The prompt describes each of the roles available.

Configure the management port. IPv4 address []:
  Type a static IP for the management port. For a management platform or all-in-one appliance, this IP address is used to access the EDR appliance console from a browser.

IPv4 netmask []:
  Type the network mask for the management port IPv4 address.

Gateway []:
  Type the IP address for the gateway (switch or router) that the appliance can use to communicate with the rest of your network.

Name server (IPv4) []:
  Type the IP address of a name server that the appliance can use to resolve host names to IP addresses.

Configure another nameserver? [y/n]
  Type y to add an additional name server or n to use only one name server. If you type y, you are prompted to type the IP address of a second name server.

Network scanner role only: IP address of the Management Platform:
  Type the management port IP address of the management platform appliance that controls this scanner.

Management platform or network scanner roles only: Communication Channel password:
  Type a secure password to encrypt communications between the management platform and all its network scanners. This password must be the same for the management platform and all network scanners. It should be different from the management console password. Letters, numbers, periods, underscores, and hyphens are allowed, and the password can be up to 50 characters.

Management platform or network scanner roles only: Re-enter Communication Channel password:
  To confirm the communication channel password, type it again and press Enter. If the two passwords do not match, you are prompted to type and retype the password again.

Configure IPv4 static routes? [y/n]
  Type y to configure an IPv4 static route or n to skip this configuration step. Static routes may be required. For example, use static routes to connect a network scanner to its management platform.

Destination (CIDR allowed):
Gateway:
  If you choose to configure IPv4 static routes, you are prompted to type the destination IP address and the gateway IP address.

Add another route? [y/n]
  After you configure an IPv4 static route, type y in response to this prompt to configure an additional IPv4 static route. Type n to go to the next prompt.
  You can configure up to three IPv4 static routes in bootstrap. You can configure additional static routes in the EDR appliance console.

What do you want to call this device?
  Type a name to identify this system in the EDR appliance console. Letters, numbers, spaces, periods, and hyphens are allowed, and the name can be up to 50 characters.

Set NTP server []
  Type the IP address or FQDN of the NTP server. Setting an NTP server ensures that the appliance has an accurate time to indicate when detections occurred.

5. When configuration is complete, the console displays the settings that you configured and then prompts Save
changes? [y/n]. Type y to save the configuration or n to reject it and make changes.
If you type n, bootstrap restarts from the beginning. Most prompts display the previous value you entered. Press Enter
to accept the previous value (if present), or type a new value to correct the entry.
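Because bootstrap restarts from the beginning when you reject the summary, it pays to check the Installation worksheet before you sit down at the console. The following is an added example written for this guide (not a Symantec tool and not how bootstrap validates input): it applies the rules the prompt table states (character sets and 50-character limits for the device name and communication channel password, at most three static routes, a channel password that differs from the console password, the management platform address for a scanner) and one ordinary networking check the page does not spell out, namely that the gateway must lie inside the management port's subnet. The worksheet field names and the sample values are my own.

```python
"""Pre-flight check of a bootstrap worksheet against the rules in the prompt table.

Added example, not part of Symantec EDR. Field names (role, ip, netmask,
gateway, name_servers, static_routes, device_name, channel_password,
console_password, management_platform_ip) are assumptions of this example.
"""
import ipaddress
import re

MAX_STATIC_ROUTES = 3  # bootstrap accepts up to three; more go in the console
# Device name: letters, numbers, spaces, periods, hyphens, up to 50 characters.
NAME_RE = re.compile(r"^[A-Za-z0-9 .\-]{1,50}$")
# Channel password: letters, numbers, periods, underscores, hyphens, up to 50.
CHANNEL_PW_RE = re.compile(r"^[A-Za-z0-9._\-]{1,50}$")
ROLES = {"1": "management platform", "2": "network scanner", "3": "all-in-one"}


def validate_worksheet(ws):
    """Return a list of problems found in the worksheet dict; empty means OK."""
    problems = []
    role = ROLES.get(str(ws.get("role")))
    if role is None:
        problems.append("role must be 1, 2 or 3")

    # Management port: address, netmask and gateway must describe one subnet
    # (an ordinary networking check added here, not stated by the guide).
    try:
        iface = ipaddress.IPv4Interface(f"{ws['ip']}/{ws['netmask']}")
        gateway = ipaddress.IPv4Address(ws["gateway"])
        if gateway not in iface.network:
            problems.append(f"gateway {gateway} is outside {iface.network}")
        elif gateway == iface.ip:
            problems.append("gateway equals the management IP")
    except (KeyError, ValueError) as exc:
        problems.append(f"management port settings invalid: {exc}")

    # One name server is required, a second is optional.
    name_servers = ws.get("name_servers", [])
    if not 1 <= len(name_servers) <= 2:
        problems.append("bootstrap asks for one name server and optionally a second")
    for ns in name_servers:
        try:
            ipaddress.IPv4Address(ns)
        except ValueError:
            problems.append(f"name server {ns!r} is not an IPv4 address")

    # Static routes: destination (CIDR allowed) and gateway, at most three.
    routes = ws.get("static_routes", [])
    if len(routes) > MAX_STATIC_ROUTES:
        problems.append(f"{len(routes)} static routes; bootstrap accepts at most {MAX_STATIC_ROUTES}")
    for dest, gw in routes:
        try:
            ipaddress.IPv4Network(dest, strict=False)
            ipaddress.IPv4Address(gw)
        except ValueError:
            problems.append(f"static route {dest} via {gw} is malformed")

    if not NAME_RE.match(ws.get("device_name", "")):
        problems.append("device name: letters, numbers, spaces, periods, hyphens, up to 50 characters")

    # The communication channel password applies to roles 1 and 2 only.
    if role in ("management platform", "network scanner"):
        pw = ws.get("channel_password", "")
        if not CHANNEL_PW_RE.match(pw):
            problems.append("channel password: letters, numbers, periods, underscores, hyphens, up to 50 characters")
        elif pw == ws.get("console_password"):
            problems.append("channel password should differ from the console password")
    if role == "network scanner":
        try:
            ipaddress.IPv4Address(ws.get("management_platform_ip", ""))
        except ValueError:
            problems.append("network scanner needs the management platform's IP address")
    return problems


# Constructed sample worksheet for an all-in-one appliance (values invented).
SAMPLE_WORKSHEET = {
    "role": 3,
    "ip": "10.20.20.20",
    "netmask": "255.255.255.0",
    "gateway": "10.20.20.1",
    "name_servers": ["10.20.20.53"],
    "static_routes": [("10.30.0.0/16", "10.20.20.254")],
    "device_name": "edr-aio-01",
    "console_password": "console-password-placeholder",  # strength is checked by bootstrap itself
}

if __name__ == "__main__":
    for problem in validate_worksheet(SAMPLE_WORKSHEET) or ["worksheet OK"]:
        print(problem)
```

The console password itself is deliberately not scored here; bootstrap runs its own weak-password check at the prompt, and a script should not second-guess it with a different rule set.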

sshconfig command
Step 5 of the Symantec EDR Virtual appliance installation workflow: Installing the virtual appliance workflow.

Description: Start or stop SSH service. Lets you access the EDR appliance console through services, such as PuTTY.
Synopsis: sshconfig enable | disable

Option or argument Description

enable Start the SSH service immediately and configure the system to start SSH on boot.
disable Stop the SSH service immediately and configure the system to disable SSH on boot.

Running the extend_storage tool


Step 6 of the Symantec EDR Virtual appliance installation workflow: Installing the virtual appliance workflow.

After you increase the storage capacity of your Symantec Endpoint Detection and Response appliance or VM, you must
run the extend_storage tool to complete the upgrade process. The tool does the following:
• Detects and partitions the new drive
• Generates log messages regarding tool execution
• Allots 45% of the new storage to Elasticsearch and 55% to backup and restore
WARNING
A backup of the Symantec EDR database is strongly recommended before running extend_storage.
Caveats


Be aware of the following caveats regarding the operation of the tool:


• The tool operates on one disk per tool run. To extend disk space using multiple disks, you must run the tool for each
disk.
• The minimum free disk space that is required on an extendable disk is 10 GB.
• The maximum free disk space on an extended disk is 2 TB for virtual and 16 TB for physical.
• The tool displays up to five disks to choose from at each session.
• The tool only checks for SCSI and SATA controllers.
• Make sure that /var/lib/elasticsearch is not open anywhere else.
• Make sure that you do not run the extend_storage tool from the /var/lib/elasticsearch folder.

1. Open a command-line interface on the upgraded Symantec EDR appliance or VM instance.


2. Type extend_storage and press Enter.
The current datastore size (total and available) appears, along with a message that strongly recommends that you back up your Symantec EDR data before you extend storage.
3. At the Do you want to proceed? [Y/N] prompt, type Y and then press Enter.
The tool proceeds to convert the backup partition and check the disk(s).
A message appears: Invalid new disks detected, and the new disk is listed along with information about the
available space on the disk.
4. You are prompted to select a new disk. Type the appropriate number and then press Enter.

The tool runs and displays status information and the available space, followed by a message that the tool has run successfully.
The following screen shot provides an example:

status_check command
Step 7 of the Symantec EDR Virtual appliance installation workflow: Installing the virtual appliance workflow.


Description: Check system status and server connectivity. This system status includes things such as management port
status, interface status, incident and event forwarding through the network proxy, and connectivity to Symantec servers in
the cloud.
Synopsis: status_check
Option or argument: None.
Note: By default, Cynic attempts to contact the closest server to the submitting computer's location unless you enable the
option to use the U.K. Cynic Server on the Settings > Global page.
Default Cynic server: https://api.global.dmas.symantec.com
U.K. Cynic server: https://api.eu.dmas.symantec.com

Reinstalling a virtual appliance


To reinstall a Symantec Endpoint Detection and Response virtual appliance, delete the old appliance and deploy the OVA
file again.
NOTE
Reinstalling a virtual appliance from an ISO image is not supported.
1. Download the OVA file from https://support.broadcom.com/download-center/download-center.html.
2. In the VMware vSphere™ client, deploy the OVA.
3. Open a console window and bootstrap the appliance.
If you are replacing a management platform, type the same IP address and communications channel password you
used during bootstrap. If you change the management port IP address or communications channel password on a
management platform, you must run bootstrap again on each scanner to update this information.
Running bootstrap to configure the appliance
4. If the reinstalled device is an all-in-one appliance or management platform, run the setup wizard.
Running the setup wizard
If the reinstalled device is a network scanner, wait for the scanner to appear on the Appliances page in the EDR
appliance console.
5. Complete setup tasks as you would for a new appliance.
Completing setup tasks
6. If you replaced a network scanner, run the restore command to restore the incident data from the last backup.


Setting up Symantec EDR

Running the setup wizard


Step 1 of the Symantec EDR Virtual appliance installation workflow: Setting up Symantec EDR workflow.

The Symantec Endpoint Detection and Response setup wizard guides you through the mandatory configuration steps of an
all-in-one or management platform device.

During bootstrap, you assigned a static IP address to the management port of the appliance. You need this IP address to
access the setup wizard and the EDR appliance console.

The console admin account in bootstrap is independent from the administrative account in the setup wizard.

This setup wizard logon is not available after you complete the setup wizard.

NOTE
The appliance might take a few minutes to boot and start the required services before you can run the setup
wizard. If the IP address of the management port is not responsive, wait a few minutes and try again.
1. On a computer that is accessible to the appliance, open a window on a supported browser and type: https://<IP
address of the management port>.
For example, if you assigned the static IP address 10.20.20.20 to the appliance during bootstrap, type
https://10.20.20.20.
NOTE
You must use the HTTPS protocol when you type the address of the setup wizard.
2. If the browser displays an untrusted certificate or untrusted connection warning, choose to proceed, and add an
exception, if required.
The Symantec EDR web interface initially includes a self-signed certificate that can be changed to use a customer-
generated certificate after the initial setup.
3. On the logon screen, type the following credentials and then click Sign In or press Enter:
User name: setup
Password: symantec
This account is deactivated when you complete the setup wizard.
4. On the Terms and Conditions screen, read the terms and conditions.
You must accept the Terms and Conditions to continue.


The data handling options are enabled by default. You may choose to uncheck these options.
5. Click Next.
6. Respond to the prompts on each screen to complete the mandatory configuration. Click Next to go to the next screen,
or click Previous to return to a screen you completed.
The following table describes the additional prompts in the setup wizard and how to respond to them.

Upload License
  Click Browse to locate the license file, and select the file. When you click Next, Symantec EDR uploads the file.
  You must upload a license before the Symantec EDR device is functional. You cannot use Symantec EDR after initial installation without a license. No grace period exists.
  Obtaining a Symantec EDR license file and installing it

SMTP Settings
  You can enter the SMTP settings in the setup wizard, or you can check Skip adding SMTP server configuration and specify the settings later in the EDR appliance console.
  Type the SMTP Server (fully qualified domain name is allowed) and Port number of your secure mail server.
  In the Appliance Email field, type the email address that alerts, such as a license expiration notification, are sent from.
  If your mail server requires a secure logon to receive messages, check Authorize. Then type a user name and password that Symantec EDR can use to authenticate with the mail server.

Create an Administrative account
  Specify a logon name, password, display name, and user email address for the initial administrator account. You need this logon to complete the setup wizard.
  This administrator can create additional user accounts, including additional administrator accounts.

7. Click Save.
8. Click Exit to end the setup wizard and display the EDR appliance console logon screen.

Completing setup tasks


Step 2 of the Symantec EDR Virtual appliance installation workflow: Setting up Symantec EDR workflow.

The table Tasks to complete Symantec Endpoint Detection and Response installation lists the tasks that Symantec recommends you perform immediately after you complete the preliminary Symantec Endpoint Detection and Response installation.
Click the context-sensitive help tokens in the EDR appliance console for more information about performing these tasks.

Table 17: Tasks to complete Symantec Endpoint Detection and Response installation

Task: Access the EDR appliance console.
  Perform the post-installation tasks and configurations in the EDR appliance console.
  Accessing the EDR appliance console

Configure the following settings on the Settings > Global page.

Task: Set up Synapse correlation.
  If SEP or Email Security.cloud protect your network, configure Synapse to correlate incident data from these sources with Symantec EDR.

Task: If you intend to use Symantec Endpoint Protection with Symantec EDR, configure the SEPM Controller connection.
  You can integrate Symantec Endpoint Detection and Response with Symantec Endpoint Protection to:
  • Collect conviction events from your SEPM, and correlate them with events from your other control points
  • Configure Symantec EDR to proxy reputation requests from your endpoints
  • Send commands to your SEPM (for example, to update your SEPM deny list)
  • Send commands to your endpoints (for example, to delete a file, or quarantine an endpoint)
  • Retrieve information from your SEPM (for example, a list of your endpoints and their online status)
  • Retrieve information from your endpoints (for example, a dump of all its events)

Task: Configure backups.
  Configure one or more backup schedules and locations.

Task: Configure secure access to the EDR appliance console.
  Upload a certificate to encrypt EDR appliance console sessions.

Task: For Inline Block operation, you may also want to customize the blocking page.
  Blocking pages are used only when you operate in Inline Block mode and scanning is turned on. When Symantec Endpoint Detection and Response blocks access to a website or prevents the download of a potentially malicious file, a blocking page appears. The blocking page informs the user that the page is blocked and who to notify for more information.

Configure the following settings on the Settings > Appliance page.

Task: Configure Internal Network settings.
  When you define internal networks, you specify which computers are part of your network and which computers belong to the world outside. With this information, Symantec EDR can distinguish between protected computers and the computers that are outside of the network.

Task: Configure Network Proxy and Enterprise Proxy settings, if these proxies are present in the environment.
  Symantec EDR supports the following types of proxy configurations:
  • A network proxy. Symantec EDR uses a network proxy to access the external network.
  • An enterprise proxy within an enterprise environment. Symantec EDR treats the traffic that is routed to an enterprise proxy (which may have an IP address within an internal network) differently than the traffic that is routed through a network proxy.
  If you use proxies, each Symantec EDR appliance, whether in CIU, standalone, or scanner role, must have the IP addresses of existing proxies.

Task: Configure syslog server connections.
  Connect to one or more syslog servers (a SIEM, for example) to capture and report data externally.

Task: Set up sandboxing services.
  By default, Symantec EDR submits files to Symantec's Cynic cloud-based malware detonation system for analysis. However, you can keep file analysis local and submit your files to a customer-owned, on-premises Symantec Malware Analysis appliance for detonation and analysis.

Task: Enable scanning.
  After you configure the appliance settings, you'll want to enable scanning.

Configure the following settings on the Settings > Users page.

Task: Add new EDR appliance console accounts.
  Add additional Admin, Controller, and User accounts for accessing the EDR appliance console.
  Tip: As a best practice, you should set up at least one additional Admin user account immediately after installation in case there's an issue accessing the EDR appliance console with the initial Admin account credentials.

Configure the following settings on the Reports page.

Task: Set up reports.
  Set up the reports that can be generated on a daily, weekly, or monthly schedule.

Accessing the EDR appliance console


Access the EDR appliance console to configure and manage Symantec EDR and to perform threat hunting and
remediation.
Access the EDR appliance console from a web browser on any client computer that can connect to the management port
of your management platform or all-in-one appliance.


NOTE
To view Symantec EDR appliance pages or access the Symantec EDR console through the cloud website, you
must be connected via your company LAN or VPN, or provide Symantec EDR with a public IP address that is
accessible from the Internet. Otherwise, the following error message appears: This page can't be displayed.
If you're using a self-signed certificate for your EDR installation, you must accept the certificate in your browser.
1. On the computer that can access the network that is connected to the management port, open a web browser.
2. In the web browser, type the following:
https://<IP address>
Where <IP address> is the address that you specified for the appliance during the bootstrap process.
For example, if the IP address that you specified for the appliance is 192.168.42.24, go to the following URL:
https://192.168.42.24
NOTE
You must use the HTTPS protocol to access the EDR appliance console.
For certain web browsers, you might have to configure a certificate security exception to access the EDR appliance console. Typically, this step is only required at the first logon per computer per session.
3. On the Log on page, in the User name field, type the user name assigned to you by your administrator.
4. In the Password field, type your password.
You are locked out after five unsuccessful attempts.
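Both the setup wizard procedure (step 2, where the browser shows the untrusted certificate warning) and the procedure above (the certificate security exception) have you accept a self-signed certificate, and the browser warning by itself gives no evidence that the management port you reached is the appliance you just deployed. The following is an added example written for this guide, not part of Symantec EDR: it fetches the certificate the management port presents, computes its SHA-256 fingerprint in the form browsers display, and compares it with a fingerprint obtained out of band (for example, read from the appliance by the administrator; how you obtain that reference value is an assumption of this example). Only after the fingerprints agree would you add the browser exception. The sample certificate bytes in the test are a constructed placeholder, not a real certificate.

```python
"""Pin the appliance's self-signed certificate by fingerprint before trusting it.

Added example, not part of Symantec EDR. The expected fingerprint must come
from an out-of-band source you trust (an assumption of this example).
"""
import base64
import hashlib
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----\n"
PEM_FOOTER = "-----END CERTIFICATE-----\n"


def pem_from_der(der):
    """Wrap DER bytes as a PEM block (used to build the constructed sample)."""
    return PEM_HEADER + base64.encodebytes(der).decode("ascii") + PEM_FOOTER


def fingerprint_from_pem(pem):
    """SHA-256 fingerprint of a PEM certificate, as AA:BB:...: like browsers show it."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text):
    """Accept a fingerprint in any common notation (case, colons, spaces)."""
    return "".join(ch for ch in text.upper() if ch in "0123456789ABCDEF")


def fingerprint_matches(pem, expected):
    """True when the certificate's SHA-256 fingerprint equals the expected one."""
    return normalize_fingerprint(fingerprint_from_pem(pem)) == normalize_fingerprint(expected)


def fetch_appliance_cert(host, port=443):
    """Retrieve the PEM certificate served on the management port.

    The chain is deliberately not validated here: a self-signed certificate
    cannot pass chain validation, and the fingerprint comparison is the check.
    """
    return ssl.get_server_certificate((host, port))


def check_management_port(host, expected_fingerprint, port=443):
    """Connect to the appliance and report whether its certificate is the expected one."""
    return fingerprint_matches(fetch_appliance_cert(host, port), expected_fingerprint)


# Constructed placeholder bytes standing in for a DER certificate (not a real cert).
SAMPLE_DER = b"constructed-placeholder-not-a-real-certificate"
SAMPLE_PEM = pem_from_der(SAMPLE_DER)

if __name__ == "__main__":
    # Usage against a live appliance (host and fingerprint are placeholders):
    # print(check_management_port("10.20.20.20", "AA:BB:...:FF"))
    print(fingerprint_from_pem(SAMPLE_PEM))
```

Once you replace the self-signed certificate with one issued by your own CA (the "Configure secure access to the EDR appliance console" task), ordinary chain validation takes over and this manual pinning step is no longer needed.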

Browser requirements for the EDR appliance console

Testing Symantec EDR for successful monitoring or blocking


Step 3 of the Symantec EDR Virtual appliance installation workflow: Setting up Symantec EDR workflow.

Symantec has a website that you can use to test that Symantec Endpoint Detection and Response monitors network data.
1. Open a web browser on a computer in the LAN that is connected to Symantec EDR.
2. On the Internet, go to the following URL:
http://www.broadcom.com
The Broadcom website should display normally without any messages.
3. On the Internet, go to the following URL:
http://testatp.coe.org.uk
4. Click on each of the links on the test page.
You should see a corresponding incident in the database, whether you are in Tap mode or Inline Monitor mode. Cloud-
based sandboxing detections may be delayed during virtual execution.
If you are in Inline Block mode, file downloads (except the cloud-based sandbox new file submission) are interrupted.
Subsequent attempts to download the same file are denied.


About operating roles, operating modes, and network connections


Data migration during upgrade to ATP v.3.1

About the data migration process


When you upgrade to Symantec Advanced Threat Protection (ATP) v.3.1, your operational and non-operational data are
migrated to the product's updated Elasticsearch database. These data are defined as follows:
Operational data
Operational data corresponds to entities in the system such as endpoints, files, domains, and aggregates. This data is
displayed on the dashboard event activity widget.
Operational data is migrated after the product is upgraded to ATP 3.1.0, but before the product is restarted. When the
EDR appliance console is available after restart, the Symantec EDR admin can view all entities and the dashboard, with
the following exceptions:
• Dashboard click-through to the corresponding events is not available until the migration of non-operational data is in progress.
• Related entities and incidents are not available until the migration of non-operational data is in progress.
Non-operational data
Non-operational data corresponds to historical events, incidents, command results, command states, and system log. This
data is migrated after the appliance is restarted after upgrade to ATP 3.1.0. This data is migrated in three phases:
• Phase 1
– Migrates the events and incidents from the last 7 days.
– Live response events from last 7 days are not migrated.
– The time to complete this migration depends on size but should complete in the first 12 hours after the upgrade.
– Splunk connector, Service Now, and Public API services are enabled after this phase is complete.
• Phase 2
– Migrates the live response events from the last 7 days.
– The time to complete Phase 2 depends on size but should complete in the first 2 days to 5 days after the upgrade.
– No additional services are enabled after this phase is complete.
• Phase 3
– Migrates all remaining indexes.
NOTE
The migration only moves indexes from the last 3 months.
– The time to complete Phase 3 depends on the amount of data.
– Reports, Criterion, and Backup restore services are enabled after this phase is complete.
NOTE
During the migration, the System Health Indicator in the upper-right corner of the EDR appliance console displays as yellow. When the migration is complete, this indicator displays as green.
