Symantec™ Advanced Threat Protection 3.2 Installation Guide
Documentation version: 3.2

Legal Notice
Copyright © 2018 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of
Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks
of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution
to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open
source or free software licenses. The License Agreement accompanying the Software does not alter any
rights or obligations you may have under those open source or free software licenses. Please see the
Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec
product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution,
and decompilation/reverse engineering. No part of this document may be reproduced in any form by any
means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE
DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY
INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL
DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS
DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO
CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined
in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer
Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and
Commercial Computer Software Documentation," as applicable, and any successor regulations, whether
delivered by Symantec as on premises or hosted services. Any use, modification, reproduction, release,
performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government
shall be solely in accordance with the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

https://www.symantec.com
Symantec Support
All support services will be delivered in accordance with your support agreement and the
then-current Enterprise Technical Support policy.

Knowledge Base Articles and Symantec Connect


Before you contact Technical Support, you can find free content in our online Knowledge Base,
which includes troubleshooting articles, how-to articles, alerts, and product manuals. In the
search box of the following URL, type the name of your product:
https://support.symantec.com
Access our blogs and online forums to engage with other customers, partners, and Symantec
employees on a wide range of topics at the following URL:
https://www.symantec.com/connect

Technical Support and Enterprise Customer Support


Symantec Support maintains support centers globally 24 hours a day, 7 days a week. Technical
Support’s primary role is to respond to specific queries about product features and functionality.
Enterprise Customer Support assists with non-technical questions, such as license activation,
software version upgrades, product access, and renewals.
For Symantec Support terms, conditions, policies, and other support information, see:
https://entced.symantec.com/default/ent/supportref
To contact Symantec Support, see:
https://support.symantec.com/en_US/contact-support.html
Contents

Symantec Support ........ 4

Chapter 1  About Symantec Advanced Threat Protection Platform ........ 7
  About Symantec Advanced Threat Protection (ATP) ........ 7

Chapter 2  System Requirements ........ 10
  System requirements for physical appliance installation ........ 10
  System requirements for a virtual appliance installation ........ 11
  Browser requirements for ATP Manager ........ 12
  System requirements for ATP integration with Symantec Endpoint Protection management interfaces and embedded databases ........ 13

Chapter 3  Planning for installation ........ 14
  Preinstallation checklist ........ 14
  Installation workflow ........ 20
  About operating roles, operating modes, and network connections ........ 23
  About selecting a network scanner ........ 28
  About network configurations and port connections ........ 29
  Where to place the appliance in your network for best results ........ 31
  Required firewall ports ........ 35
  Proxy recommendations ........ 41

Chapter 4  Installing a physical appliance ........ 43
  Installing the 8840 appliance ........ 43
  Installing the 8880 appliance ........ 45

Chapter 5  Configuring the iDRAC on a physical appliance ........ 48
  About the iDRAC on the physical appliance ........ 48
  Configuring the iDRAC (8880 appliance only) ........ 49
  Configuring the iDRAC using a monitor, keyboard, and optional mouse ........ 50

Chapter 6  Installing a virtual appliance ........ 52
  About virtual appliance installation ........ 52
  About configuring virtual switches for virtual appliances ........ 56
  Installing the virtual appliance ........ 57

Chapter 7  Running bootstrap ........ 61
  Opening the console window on a physical appliance or virtual appliance ........ 61
  Running bootstrap to configure the appliance ........ 62

Chapter 8  Running the setup wizard ........ 66
  Running the setup wizard ........ 66

Chapter 9  Completing installation ........ 69
  Configuring secure access to ATP Manager ........ 69
  Accessing ATP Manager ........ 70
  Defining internal networks to ATP ........ 71
  Testing the physical appliance bypass mode ........ 72
  Testing ATP for successful monitoring or blocking ........ 73

Chapter 10  Data migration during upgrade to ATP v.3.1 ........ 74
  Data migration during upgrade to Symantec Advanced Threat Protection v.3.1 ........ 74
  About the data migration process ........ 75

Appendix A  Ports, connectors, and indicators on the appliance ........ 77
  About appliance ports, connectors, and indicators ........ 77

Index ........ 80
Chapter 1
About Symantec Advanced Threat Protection Platform
This chapter includes the following topics:

■ About Symantec Advanced Threat Protection (ATP)

About Symantec Advanced Threat Protection (ATP)

Symantec Advanced Threat Protection (ATP) performs the critical security tasks that detect,
protect, and respond to threats to your network. The ATP platform comprises the following
control points:

ATP: Network
Processes the network stream in real time across all Internet ports and protocols and passes
it through various filters and detection engines. ATP can detect events on unmonitored
endpoints as traffic passes through the scanner. Because ATP has no Symantec Endpoint
Protection agent information for such endpoints, it cannot provide all of the endpoint details,
such as the user name, last check-in, or Symantec Endpoint Protection Manager group.

ATP: Endpoint
Gathers information by proxying communications between Symantec Endpoint Protection
clients and Symantec and by leveraging Symantec Endpoint Protection’s Endpoint Detection
and Response (EDR) functionality.

ATP: Email
Integrates with Symantec Email Security.cloud to uncover the attacks that enter your
organization through email.

ATP: Roaming
Collects the events from Symantec ATP: Roaming and correlates them with events from your
other integrated control points.

ATP uses Synapse™ to correlate network event data with email event data, web event data,
and endpoint event data. The Synapse correlation engine automatically matches events from
Symantec Endpoint Protection, Email Security.cloud, Web Security.cloud, and ATP to reduce
the volume of security alerts. As incidents are detected, they are correlated with other incidents
discovered on your network to show overall attack patterns and prioritize the most significant
threats.
ATP employs the following detection technologies:

Vantage
Vantage is a signature-based detection engine that finds threats in the network stream.

Insight
Insight is Symantec’s file reputation service, with reputation intelligence on over 8 billion
files. ATP sends Insight reputation queries to this Symantec-operated service, which gathers
information about the Windows executable files that are observed on endpoints.

Mobile Insight
Mobile Insight performs the same kind of analysis for Android applications as Insight does
for Windows executable files. In addition to malware detection, Mobile Insight also detects
privacy and performance issues in mobile apps.

Antivirus engine
The Antivirus engine is a signature-based technology that detects malware.

Sandboxing
Symantec’s sandboxing technologies detonate files in a virtual sandbox environment, analyze
the results, and report each step of the observed behavior. Sandboxes use machine-learning
technology to compare the results to known bad attributes. They then correlate your data with
real-world data provided by the Symantec Global Intelligence Network to determine whether
the files are malicious.

Blacklists and whitelists
Symantec global blacklist and whitelist feeds, which are updated on ATP appliances regularly,
accelerate detection and optimize performance. You can also create custom blacklists and
whitelists that you maintain through ATP.

SONAR
Symantec Endpoint Protection includes Symantec Online Network for Advanced Response
(SONAR) technology for process behavior detection and remediation. On its own, however,
Symantec Endpoint Protection provides no insight into the details of those detections. When
you integrate ATP and Symantec Endpoint Protection, ATP can provide insight into SONAR
detections: the system changes that have occurred on your managed endpoints, the order in
which they occurred, and related file attributes. This information gives you greater visibility
into the activity that occurs in your environment.

SONAR uses a heuristics system that combines Symantec’s online intelligence network with
proactive local monitoring on Symantec Endpoint Protection endpoints to detect emerging
threats. SONAR also detects changes or behavior on the endpoints that you should monitor.
SONAR does not make detections based on application type, but on how a process behaves.

Suspicious file classifier
ATP uses a file classifier to analyze files with unknown dispositions. The classifier breaks
files down by their attributes to determine whether the file is good or malicious, using decision
trees that are trained on millions of files. This technology uses machine learning instead of
signatures or sandbox detonation.
Chapter 2
System Requirements
This chapter includes the following topics:

■ System requirements for physical appliance installation

■ System requirements for a virtual appliance installation

■ Browser requirements for ATP Manager

■ System requirements for ATP integration with Symantec Endpoint Protection management
interfaces and embedded databases

System requirements for physical appliance installation
This release of Symantec Advanced Threat Protection (ATP) runs on the following appliance
models:
■ ATP 8880
■ ATP 8840
ATP appliances include an Integrated Dell Remote Access Controller (iDRAC). The iDRAC
console requires the latest version of the Java Runtime Environment (JRE) installed on your
administrative client.
See “System requirements for a virtual appliance installation” on page 11.
See “Installation workflow” on page 20.
See “Preinstallation checklist” on page 14.

System requirements for a virtual appliance installation
Table 2-1 lists the system requirements for the Symantec Advanced Threat Protection (ATP)
virtual appliance.

Note: These requirements differ based on whether you use ATP's Endpoint Data Recorder
feature. Endpoint Data Recorder lets you search for and collect data from your endpoints,
which is then stored in ATP's database. As such, ATP requires more system resources and
storage space when Endpoint Data Recorder is enabled.

Note: To avoid over-commitment of resources, reserve the required resources for the ATP
virtual machine on the ESXi host. Reserve 48 GB of memory and at least 12 GHz of CPU for
the VM before you power it on for the first time.
For more information, see https://support.symantec.com/en_US/article.TECH249635.html.

Table 2-1 System requirements for a virtual appliance installation (minimum per VM for a
production environment)

Disk space: 1.5 TB (a 1 TB hard disk in addition to the VM's existing 500 GB hard disk)
CPU: 12 cores
Memory: 48 GB

Required vSphere/ESXi version


The virtual appliance installation requires VMware ESXi version 6.0 U2 or later.

Network interface requirements


Table 2-2 lists the network interface requirements based on the operating mode of the appliance.

Table 2-2 Network interface requirements for the VMware ESXi host

Tap (all-in-one or network scanner)
  Minimum for production environment: 2 (1 Management, 1 Monitor)
  Maximum for production environment: 3 (1 Management, 2 Monitor)

Inline Block or Inline Monitor (all-in-one or network scanner)
  Minimum for production environment: 3 (1 Management, 1 LAN, 1 WAN)
  Maximum for production environment: 3 (1 Management, 1 LAN, 1 WAN)

Management platform (management platform devices only)
  Minimum for production environment: 1 (Management)
  Maximum for production environment: 1 (Management)

Refer to your VMware documentation for VMware system requirements and configuration of
virtual machines.
See “System requirements for physical appliance installation” on page 10.
See “Installation workflow” on page 20.
See “Preinstallation checklist” on page 14.

Browser requirements for ATP Manager


Table 2-3 lists the web browsers that are compatible with ATP Manager. JavaScript must be
enabled in the browser and cookies must be allowed. The minimum resolution for viewing ATP
Manager is 1280x1024.

Table 2-3 Browser requirements for ATP Manager

Browser Version

Microsoft Internet Explorer 11 or later


Note: The ATP quick-filter features are not
supported on Internet Explorer.

Mozilla Firefox 54 or later

Google Chrome 59 or later

Microsoft Edge 41 or later

See “Installation workflow” on page 20.


See “Preinstallation checklist” on page 14.
System requirements for ATP integration with Symantec Endpoint Protection management
interfaces and embedded databases
Symantec Advanced Threat Protection (ATP) can integrate with Symantec™ Endpoint Protection
for enhancing event information and providing Endpoint Detection and Response (EDR)
functionality. ATP has certain version requirements based on various components of Symantec
Endpoint Protection.
The minimum Symantec Endpoint Protection Manager version is 12.1 RU6. ATP can connect
to multiple Symantec Endpoint Protection sites, but ATP supports at most ten connections to
Symantec Endpoint Protection Manager hosts and only one connection per Symantec Endpoint
Protection site.
ATP can manage client endpoints that run Symantec Endpoint Protection version 12.1 RU6 MP3
or later with full EDR functionality. Client endpoints that run versions earlier than Symantec
Endpoint Protection 12.1 RU5 are not supported. Some functionality is limited for clients that
run versions from Symantec Endpoint Protection 12.1 RU5 up to, but not including, 12.1 RU6
MP3. The ATP documentation describes any functionality limits based on the version of the
Symantec Endpoint Protection client.
Symantec Endpoint Protection Manager can store logs either in an internal embedded database
or in an external Microsoft SQL Server database. ATP can access external Microsoft SQL
Server database without any special host system requirements. When Symantec Endpoint
Protection Manager uses an embedded database, ATP uses a log collector on the Symantec
Endpoint Protection Manager host. This log collector requires the Symantec Endpoint Protection
Manager host to be running one of the following operating systems:
■ Windows 7 (64-bit only)
■ Windows 8 (64-bit only)
■ Windows Server 2008
■ Windows Server 2012
■ Windows Server 2012 R2 or later (recommended)
See the Symantec Endpoint Protection documentation for Symantec Endpoint Protection
Manager system requirements.
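Before you connect ATP to Symantec Endpoint Protection, it is worth checking the planned manager connections and the installed client versions against the limits above. The following Python script is an added example and is not Symantec code or part of this guide. It assumes versions are written in the RU/MP notation this guide uses (for example 12.1 RU6 MP3; the numeric build strings that SEP itself reports are not mapped here), classifies each client as unsupported, limited, or full EDR, and checks a list of planned Symantec Endpoint Protection Manager connections against the ten-connection and one-per-site limits. The manager list and client versions at the bottom are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Versions are written the way this guide writes them: "12.1 RU6 MP3".
# Assumption: the minor number, "RU" and "MP" are optional and default to 0,
# so "14" sorts below "14 RU1". Numeric SEP build strings are not handled.
_VERSION_RE = re.compile(
    r"^\s*(\d+)(?:\.(\d+))?(?:\s+RU(\d+))?(?:\s+MP(\d+))?\s*$", re.IGNORECASE
)

Version = Tuple[int, int, int, int]


def parse_sep_version(text: str) -> Version:
    """Turn '12.1 RU6 MP3' into the sortable tuple (12, 1, 6, 3)."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised SEP version string: {text!r}")
    major, minor, ru, mp = (int(g) if g else 0 for g in match.groups())
    return (major, minor, ru, mp)


# Limits stated in this guide for ATP 3.2.
MIN_MANAGER_VERSION = parse_sep_version("12.1 RU6")
MIN_CLIENT_VERSION = parse_sep_version("12.1 RU5")
FULL_EDR_CLIENT_VERSION = parse_sep_version("12.1 RU6 MP3")
MAX_MANAGER_CONNECTIONS = 10


def client_support_level(version: str) -> str:
    """'unsupported' below 12.1 RU5, 'limited' below 12.1 RU6 MP3, 'full' from there on."""
    v = parse_sep_version(version)
    if v < MIN_CLIENT_VERSION:
        return "unsupported"
    if v < FULL_EDR_CLIENT_VERSION:
        return "limited"
    return "full"


def manager_is_supported(version: str) -> bool:
    return parse_sep_version(version) >= MIN_MANAGER_VERSION


def check_manager_connections(managers: List[Dict[str, str]]) -> List[str]:
    """Validate a planned SEPM connection list; each entry has host, site and version."""
    problems: List[str] = []
    if len(managers) > MAX_MANAGER_CONNECTIONS:
        problems.append(f"{len(managers)} manager connections planned; "
                        f"ATP supports at most {MAX_MANAGER_CONNECTIONS}")
    connected_sites: Dict[str, str] = {}   # site -> host already claiming it
    for m in managers:
        if not manager_is_supported(m["version"]):
            problems.append(f"{m['host']}: SEPM {m['version']} is older than 12.1 RU6")
        site = m["site"]
        if site in connected_sites:
            problems.append(f"{m['host']}: site {site!r} is already connected through "
                            f"{connected_sites[site]}; ATP allows one connection per site")
        else:
            connected_sites[site] = m["host"]
    return problems


def summarize_clients(versions: List[str]) -> Dict[str, int]:
    """Count clients per support level, e.g. from an export of the SEPM client list."""
    counts = {"unsupported": 0, "limited": 0, "full": 0}
    for v in versions:
        counts[client_support_level(v)] += 1
    return counts


# Constructed sample data; hostnames and sites are placeholders, not a real deployment.
SAMPLE_MANAGERS = [
    {"host": "sepm-hq.example.internal", "site": "HQ", "version": "14 RU1 MP1"},
    {"host": "sepm-hq2.example.internal", "site": "HQ", "version": "14 RU1 MP1"},
    {"host": "sepm-old.example.internal", "site": "Branch", "version": "12.1 RU5"},
]
SAMPLE_CLIENTS = ["12.1 RU4 MP1", "12.1 RU5", "12.1 RU6 MP3", "14 RU1 MP1"]

if __name__ == "__main__":
    for problem in check_manager_connections(SAMPLE_MANAGERS):
        print("manager:", problem)
    print("clients:", summarize_clients(SAMPLE_CLIENTS))
```

Run it against your own SEPM inventory by replacing the two sample lists; a non-empty result from check_manager_connections, or any client counted as unsupported, is something to resolve before the setup wizard asks for Symantec Endpoint Protection connection details.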
Chapter 3
Planning for installation
This chapter includes the following topics:

■ Preinstallation checklist

■ Installation workflow

■ About operating roles, operating modes, and network connections

■ About selecting a network scanner

■ About network configurations and port connections

■ Where to place the appliance in your network for best results

■ Required firewall ports

■ Proxy recommendations

Preinstallation checklist
Table 3-1 lists the actions to complete and the information to have ready before you install a
physical appliance or virtual appliance.

Table 3-1 Preinstallation checklist

Verify system requirements.
  You can install Symantec Advanced Threat Protection (ATP) as a physical appliance or
  virtual appliance. Physical and virtual appliances can co-exist within the same enterprise
  network.
  See “System requirements for physical appliance installation” on page 10.
  See “System requirements for a virtual appliance installation” on page 11.

For initial setup, have a computer available with an Ethernet port and with web browser
access to the management port network and, for a physical appliance only, the iDRAC.
  The computer that you use to configure the appliance must have access to the management
  network the ATP device is on, for example by connecting to a switch or router. If you set up
  a physical appliance, the computer also must have network access to the iDRAC.

Open required ports on the firewall and other network devices.
  Make sure that the necessary ports are open on your firewall and other network devices to
  allow traffic from or to the ATP device, for example HTTP 80 and HTTPS 443.
  See “Required firewall ports” on page 35.

Have Ethernet cables (up to four normal cables and two crossover cables) available.
  The number and types of cables depend on your network configuration and the number of
  LAN and WAN ports on the appliance. You may need crossover cables for an Inline
  deployment. Crossover cables aren't required if one or both of the devices (switch, firewall)
  connected to the WAN port and LAN port support automatic MDI/MDI-X.
  See “Where to place the appliance in your network for best results” on page 31.

Download virtual image files (virtual appliance only).
  Download the virtual image files from https://fileconnect.symantec.com/ into a single
  directory that you can access from your VMware application.

Choose the IP address, subnet mask, gateway address, and password for iDRAC (physical
appliance only).
  The integrated Dell Remote Access Controller (iDRAC) on the physical appliance provides
  console access to the appliance. Although integrated, iDRAC is a separate device that
  requires its own network address to function. The password is required to access the
  iDRAC's browser-based interface.

Choose an administrator password for ATP.
  You specify a new, secure password for the administrator user when you start bootstrap.
  This administrator user and password are for the system console, for example console
  access to bootstrap and the command-line interface.
  Note: No recovery mechanism for this account exists. Safeguard this information for
  future use.
Choose the operating configuration (role): all-in-one, management platform, or network
scanner.
  If one appliance is installed, it operates in all-in-one mode. The appliance performs all
  system functions, including scanning network traffic. In this role, you cannot have
  additional network scanners that point to this appliance.
  If two or more appliances are installed, one appliance can serve as a management platform
  and all other appliances serve as network scanners. The management platform hosts ATP
  Manager, centralizes management functions, stores all detection incidents and convicted
  files, and communicates administrative actions. Network scanner appliances monitor traffic
  and detect incidents.
  You specify the operating configuration during bootstrap.
  See “About operating roles, operating modes, and network connections” on page 23.
  See “Installation workflow” on page 20.
  See “About network configurations and port connections” on page 29.
Choose the operating mode and connect the cables for the desired operating mode for an
all-in-one appliance or network scanner appliance.
  The operating modes are as follows:
  ■ Tap
    Tap mode monitors traffic in real time. Tap mode requires a dedicated tap device or a
    span port on a switch.
  ■ Inline Block
    Inline Block mode blocks malicious files and traffic in real time.
  ■ Inline Monitor
    Inline Monitor mode detects malicious files and traffic in real time, but does not block.
  Note: Inline Block and Inline Monitor modes are not recommended for virtual appliances
  because bypass mode is not available. If the appliance has an issue, network activity may
  be interrupted.
  Because the network cabling configuration is different for the inline modes versus tap mode,
  decide on the mode before setting up the ATP physical appliance. You should also decide
  on the mode before you map the virtual adapters to physical ones for a virtual appliance.
  After you complete the cabling, you enable scanning in ATP Manager for each network
  scanner or all-in-one device. (Management platform devices do not scan.) You must ensure
  that the cable configuration or virtual adapter mapping is compatible with your chosen
  operating mode.
  See “About operating roles, operating modes, and network connections” on page 23.
  See “Where to place the appliance in your network for best results” on page 31.
Choose network settings for the appliance.
  Specify an IPv4 address for each of the following settings:
  ■ Static IP address for the management port
  ■ Network mask
  ■ Gateway IP address
  ■ Primary name server
  ■ (optional) Secondary name server
  ■ Static routes, depending on your network configuration
  ■ NTP server
  ■ Active Directory server
  For each appliance, you need one or more static IP addresses (each with its associated
  subnet mask, default gateway, and DNS addresses). How many you need depends on your
  configuration:
  ■ One static IP address for the management port is required for a management platform
    that operates in Tap/Span mode. One static IP address is also required for an all-in-one
    device or network scanner device that operates in Tap/Span mode.
  ■ Two static IP addresses are required for Inline Block or Inline Monitor mode: one for the
    management port and one for the inline interface.
  ■ Three static IP addresses are required for Inline Block or Inline Monitor mode on the ATP
    8880 if you use both LAN/WAN pairs.
  Because the management port hosts ATP Manager on all-in-one or management platform
  devices, the management port IP address must be on a network that is accessible to the
  administrators who use ATP Manager. The management port is used for all network
  communication other than the traffic ATP monitors. The management port should be on a
  secure management network that does not serve protected clients. In Inline Block or Inline
  Monitor mode, the management port must be on a different subnet from the inline interface.
  If the appliance operates in Inline Block mode, you configure static routes to deliver blocking
  pages to endpoints when websites or files are blocked. Depending on your network topology,
  you may also need to configure static routes to the network where management computers
  are connected so that these computers can access ATP Manager.
  Accurate time is critical to the proper functioning of ATP. Setting the Network Time Protocol
  (NTP) server ensures that the appliance has an accurate time to indicate when detections
  occur. An NTP server is also necessary for Synapse correlation.
  See “Running bootstrap to configure the appliance” on page 62.
Choose a descriptive name for the host.
  You specify the descriptive host name during bootstrap. The descriptive host name you
  choose displays in ATP Manager under Settings > Appliances and lets you more easily
  identify appliances in the list.
  ATP Manager is accessed using the management IP address, not the management platform
  host name. The descriptive host name is not a DNS name and is independent of the DNS
  server settings.

Choose a password to encrypt the management platform-to-network scanner communication
channel.
  To ensure that data is transferred securely between the management platform and its
  scanners, you specify a password for the communications channel. The management
  platform and all its scanners must have the same password. For security reasons, this
  password should be different from the administrator password.

Make sure that the license file is accessible.
  Make sure you can browse to and select the Symantec license file from the computer you
  use to run the setup wizard. A valid license file is required for installation.

Choose a user name, password, display name, and email address for the initial ATP Manager
administrative user.
  A user name and password for an ATP Manager administrative account provide access to
  ATP Manager. The email address is required to receive communications and reports. The
  initial user can create additional users, including additional administrators.

Create an account on an SMTP-compatible mail server for notifications and reports from ATP
to administrators and security operations personnel.
  The server uses this account to email notifications, reports, and new passwords to ATP
  Manager users and other recipients. You can enter the account information in the setup
  wizard, or you can choose to enter this information later in ATP Manager.

Have additional setup information available to enter in ATP Manager.
  You run the setup wizard on a management platform appliance or all-in-one appliance. The
  wizard appears after you create the first administrator account. After you complete the
  setup wizard, you are prompted to log on using this new administrator account.
  As the administrator, you enter additional information later in ATP Manager. The additional
  setup includes:
  ■ Upload or download an SSL certificate for ATP Manager.
  ■ Configure a syslog server.
  ■ Check for and download management platform updates.
  ■ Create additional ATP Manager accounts.
  ■ Configure management platform backups.
  ■ Configure connections to Symantec Endpoint Protection and Email Security.cloud, if you
    want to integrate ATP with these products.
Have proxy information available.
  ATP uses two types of proxies:
  ■ A network proxy for access to the external network
  ■ An enterprise proxy on the management port within the enterprise environment
  If you use proxies, each ATP appliance must have the IP addresses of the existing proxies.

Have the internal subnet list available.
  You specify your internal subnets in ATP Manager after you run the setup wizard.

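The address rules in the checklist above (IPv4 everywhere, one static address in Tap mode, two in the inline modes or three on an 8880 with both LAN/WAN pairs, management port on a different subnet from the inline interface, static routes for Inline Block, an NTP server) are easy to get wrong on paper before the appliance ever boots. The following Python script is an added example, not Symantec code or part of this guide, that checks a planned configuration against those rules. The plan structure, the role, mode and platform names, and the three sample plans at the bottom are assumptions made for this example; the appliance itself does not read this format.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Interface:
    address: str   # IPv4 address with prefix length, e.g. "10.10.1.20/24"
    gateway: str   # default gateway for that interface


@dataclass
class AppliancePlan:
    name: str
    role: str        # "all-in-one", "management platform" or "network scanner" (assumed names)
    mode: str        # "tap", "inline block" or "inline monitor"
    platform: str    # "8840", "8880" or "virtual"
    management: Interface
    inline: List[Interface] = field(default_factory=list)   # one per LAN/WAN pair in use
    dns: List[str] = field(default_factory=list)
    ntp: Optional[str] = None
    static_routes: List[str] = field(default_factory=list)  # destination networks in CIDR


def _ipv4_address(text: str) -> Optional[ipaddress.IPv4Address]:
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:
        return None


def _check_interface(label: str, iface: Interface, findings: List[Tuple[str, str]]):
    """Parse one interface; its gateway must be another host inside the same subnet."""
    try:
        net_if = ipaddress.IPv4Interface(iface.address)
    except ValueError:
        findings.append(("error", f"{label}: {iface.address!r} is not an IPv4 address/prefix"))
        return None
    gw = _ipv4_address(iface.gateway)
    if gw is None:
        findings.append(("error", f"{label}: gateway {iface.gateway!r} is not an IPv4 address"))
    elif gw not in net_if.network:
        findings.append(("error", f"{label}: gateway {gw} is outside {net_if.network}"))
    elif gw == net_if.ip:
        findings.append(("error", f"{label}: gateway equals the interface address"))
    return net_if


def validate(plan: AppliancePlan) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; an empty list means the plan passes."""
    findings: List[Tuple[str, str]] = []
    mgmt = _check_interface("management port", plan.management, findings)
    if plan.role == "management platform" or plan.mode == "tap":
        if plan.inline:   # a management platform never scans; tap monitor ports carry no address
            findings.append(("error", "only the management port needs an address in this role/mode"))
    else:
        allowed = (1, 2) if plan.platform == "8880" else (1,)   # only the 8880 has two LAN/WAN pairs
        if len(plan.inline) not in allowed:
            findings.append(("error", f"{plan.mode} on {plan.platform} needs "
                             f"{' or '.join(map(str, allowed))} inline interface(s)"))
        if plan.platform == "virtual":
            findings.append(("warning", "inline modes are not recommended on a virtual appliance (no bypass mode)"))
        for i, iface in enumerate(plan.inline, 1):
            net_if = _check_interface(f"inline interface {i}", iface, findings)
            if mgmt is not None and net_if is not None and mgmt.network.overlaps(net_if.network):
                findings.append(("error", f"inline interface {i} shares subnet {net_if.network} "
                                 "with the management port"))
        if plan.mode == "inline block" and not plan.static_routes:
            findings.append(("warning", "Inline Block needs static routes to deliver block pages"))
    for route in plan.static_routes:
        try:
            ipaddress.IPv4Network(route)
        except ValueError:
            findings.append(("error", f"static route {route!r} is not a valid IPv4 network"))
    if not plan.dns:
        findings.append(("error", "a primary name server is required"))
    for server in plan.dns:
        if _ipv4_address(server) is None:
            findings.append(("error", f"name server {server!r} is not an IPv4 address"))
    if plan.ntp is None or _ipv4_address(plan.ntp) is None:
        findings.append(("error", "an IPv4 NTP server is required (detection times, Synapse)"))
    return findings


def static_ip_count(plan: AppliancePlan) -> int:
    """Static addresses consumed: the management port plus one per inline interface."""
    return 1 + len(plan.inline)


# Constructed sample plans; addresses are placeholders, not a real deployment.
TAP_SCANNER = AppliancePlan("scanner-1", "network scanner", "tap", "8840",
                            Interface("10.10.1.20/24", "10.10.1.1"), dns=["10.10.1.53"], ntp="10.10.1.123")
BAD_INLINE = AppliancePlan("aio-1", "all-in-one", "inline block", "8840",
                           Interface("10.10.1.20/24", "10.10.1.1"), dns=["10.10.1.53"], ntp="10.10.1.123",
                           inline=[Interface("10.10.1.21/24", "10.10.1.1")])   # same subnet as management
INLINE_8880 = AppliancePlan("scanner-2", "network scanner", "inline block", "8880",
                            Interface("10.10.1.22/24", "10.10.1.1"), dns=["10.10.1.53"], ntp="10.10.1.123",
                            inline=[Interface("10.20.1.2/24", "10.20.1.1"), Interface("10.30.1.2/24", "10.30.1.1")],
                            static_routes=["10.50.0.0/16"])
```

Calling validate(BAD_INLINE) reports the shared-subnet error and the missing static routes; validate(TAP_SCANNER) and validate(INLINE_8880) return empty lists, and static_ip_count(INLINE_8880) is 3, matching the three-address case for an 8880 with both LAN/WAN pairs. The script does not check that the management network is reachable by administrators or that the block-page routes actually reach your endpoints; those depend on your topology.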
Installation workflow
Table 3-2 provides the workflow for installing a Symantec Advanced Threat Protection (ATP)
physical appliance or virtual appliance.

Table 3-2 ATP physical appliance or virtual appliance installation workflow

Step 1: Complete all items in the preinstallation checklist.
  Completing the preinstallation checklist ensures that you have everything you need to
  install the physical appliance or virtual appliance. It also ensures that your firewall is
  prepared to allow proper operation.
  See “Preinstallation checklist” on page 14.

Step 2: Install the appliance.
  ■ For a physical appliance, install the hardware in a rack, and connect the network cables
    and power cables.
    See “Installing the 8840 appliance” on page 43.
    See “Installing the 8880 appliance” on page 45.
  ■ For a virtual appliance, deploy the OVA template on the ESXi host, map the ports, and
    connect the network cables.
    See “Installing the virtual appliance” on page 57.
  The appliance's role (all-in-one, management platform, or network scanner) and operating
  mode determine the cable connections and port mappings.
  See “About operating roles, operating modes, and network connections” on page 23.

Step 3: Set up the iDRAC. (Physical appliances only.)
  The integrated Dell Remote Access Controller (iDRAC) on a physical appliance provides remote access to the console. When you set up the iDRAC, you assign a static IP address to the iDRAC management port. Although you can use DHCP to configure the iDRAC, a best practice is to use a static IP address.
  To access the console on the ATP appliance, open a browser on the iDRAC's network and enter https://<iDRAC management port static IP address>.
  See “Configuring the iDRAC (8880 appliance only)” on page 49.
  See “Configuring the iDRAC using a monitor, keyboard, and optional mouse” on page 50.

Step 4: Run bootstrap.
  Bootstrap begins automatically the first time that you log on to the console on a physical appliance or virtual appliance (logon: admin, password: symantec). These default credentials are published, so change the admin password as soon as the appliance is reachable.
  During bootstrap, you are prompted for the appliance configuration information. This information includes the role (all-in-one, management platform, or network scanner) and the static IP address of the management port.

Step 5: Run the status_check command to test the network connectivity.
  In the appliance console, run the command status_check to determine whether the network connectivity has been set up properly. The command lists all of the items that are checked and whether each item passed or failed.

Step 6: Run the setup wizard. (Management platform or all-in-one appliances only.)
  After bootstrap is complete, open a web browser and type https://<management port static IP address> to access ATP Manager and start the setup wizard (logon: setup, password: symantec). This setup wizard logon is not available after you complete the setup wizard.
  Note: Make certain to use the HTTPS protocol when typing the address to access ATP Manager.
  The setup wizard prompts you to upload your license file, enter SMTP settings, and establish the first ATP Manager administrator account.

Step 7: Complete the configuration in ATP Manager. (Management platform or all-in-one appliances only.)
  After you exit the setup wizard, you log on to ATP Manager. You complete the setup from the Settings tab in ATP Manager.
  When specifying the configuration options, first navigate to the Settings > Global page and configure settings in the order in which they appear on the page. Next, go to the Settings > Appliances page and apply the configuration settings in the order in which they appear on that page.
  When planning to run the appliance in either Inline Block mode or Inline Monitor mode, you must assign an IP address to the LAN/WAN interface. You can configure these settings in ATP Manager either in the default settings or on individual appliances in the Internal Network Configuration area. For Inline Block operation, you may also want to customize the blocking page. For Tap mode, see the next step.
  See Symantec Advanced Threat Protection Administration Guide for more information on configuration settings.
  See “Defining internal networks to ATP” on page 71.

Step 8: Enable scanning on all-in-one or network scanner devices. (All configurations except management platform.)
  Before you enable scanning, at a minimum you should do the following tasks:
  ■ Configure the SEPM Controller connection, if you intend to use Symantec Endpoint Protection with ATP.
  ■ Configure Internal Network settings to enable the appliance to determine what traffic is internal and what traffic originates from an external source.
  ■ Define Static Routes. If the appliance operates in Inline Block mode, you configure static routes to deliver blocking pages to endpoints when websites or files are blocked. Depending on your network topology, you might also need to configure static routes to the network where management computers are connected. This task lets these computers access ATP Manager.
  ■ Configure Network Proxy and Enterprise Proxy settings, if these proxies are present in the environment.
  For an all-in-one device, you enable scanning from the Appliances page in ATP Manager (Settings > Appliances).
  For a network scanner, you enable scanning from the Appliances page in ATP Manager on the management platform.

Step 9: Test the appliance.
  Run the status_check command again to determine whether the configuration settings have been correctly specified.
  Symantec has a test webpage, https://testatp.symanteccloud.com/, that contains a series of links. When you click each of the links, you should see a corresponding incident in the database.
  In Inline Block mode, file downloads should be interrupted.
  For a physical appliance, you should also test whether bypass mode works correctly.

About operating roles, operating modes, and network connections
You configure each Symantec Advanced Threat Protection (ATP) physical appliance or virtual
appliance with an operating role and an operating mode. Together, these determine how the
device is connected to your network and how it functions to protect your network and to report
threats.

Operating roles
You can deploy the physical appliance or virtual appliance as a management platform, network scanner, or all-in-one device. You assign the operating role when you run bootstrap on the appliance. These roles have the following functionality:

Management platform
  If two or more appliances are installed, one should be deployed in the management platform role.
  A management platform hosts ATP Manager and displays incidents and endpoints at risk for all connected scanners. The management platform presents a comprehensive view of malicious activity on your network. The management platform also centralizes configuration, management, and reporting functions.
  The management platform does not scan network traffic.

Network scanner
  If two or more appliances are installed, all devices except the management platform should be deployed as network scanners. Each network scanner can monitor traffic on a different network and send its incident data to the management platform. Depending on the operating mode, the network scanner may block malicious traffic in real time.
  A network scanner does not have ATP Manager. You configure and manage the network scanner from the management platform. Its incident data is consolidated with the incident data from other network scanners and reported from the management platform. When your network expands, additional network scanners can be installed and connected to the management platform to protect the new networks.

All-in-one
  If only one appliance is installed, it should be deployed in the all-in-one role. An all-in-one device performs the functions of both the management platform role and the network scanner role.

Note: An all-in-one device cannot function as a management platform for network scanners. Only an appliance that is assigned the management platform role can manage a network scanner.

The roles you choose depend upon the throughput of network traffic. For small to medium-sized
installations, you should have one appliance running in the all-in-one role. For larger
installations, you would install multiple appliances with one acting in the management platform
role and the remaining appliances acting as network scanners.
See “Running bootstrap to configure the appliance” on page 62.
To change the operating role of a physical appliance or virtual appliance after initial installation,
you must reinstall the appliance software.

Operating modes and network connections
The operating mode controls how your network traffic is processed. It also affects how the
appliance is physically connected to your network.
Table 3-3 describes the modes that are available for ATP appliances and the network
connections that are required for each role. You must assign a static IP address to each ATP
network connection.
Planning for installation 25
About operating roles, operating modes, and network connections

Table 3-3 ATP operating modes and network connections

Inline Block
  Network connections required: 1 Management, 1 WAN, 1 LAN (model 8880 only: 2 WAN and 2 LAN)
  In Inline Block mode, network traffic passes through the appliance between the endpoints and the Internet. Any file downloads, accessed websites, and traffic that are considered malicious are blocked. Only Inline Block mode provides real-time protection against threats.
  ATP model 8880 has two Inline interfaces in Inline Block mode. ATP model 8840 or each ATP virtual appliance has one Inline interface in Inline Block mode.
  Note: Inline Block mode is not recommended for ATP virtual appliances, because bypass mode is not available for a virtual deployment.
Planning for installation 26
About operating roles, operating modes, and network connections

Table 3-3 ATP operating modes and network connections (continued)

Mode Description Network connections required

Inline Monitor
  Network connections required: 1 Management, 1 WAN, 1 LAN (model 8880 only: 2 WAN and 2 LAN)
  In Inline Monitor mode, network traffic passes through the appliance between the endpoints and the Internet. Malicious files, websites, and traffic are logged for visibility but are not blocked. Any threats that are found in Inline Monitor mode must be mitigated manually.
  Inline Monitor mode is often used as a test for system performance and to analyze potential behavior for blocking (from reports) before blocking is implemented. The physical connections for Inline Block and Inline Monitor modes are identical, so no re-cabling is necessary when you switch between these modes.
  ATP model 8880 has two Inline interfaces in Inline Monitor mode. Model 8840 or each ATP virtual appliance has one Inline interface in Inline Monitor mode.
  Note: Inline Monitor mode is not recommended for ATP virtual appliances, because bypass mode is not available for a virtual deployment.
Planning for installation 27
About operating roles, operating modes, and network connections

Table 3-3 ATP operating modes and network connections (continued)

Mode Description Network connections required

Bypass (Inline mode failsafe)
  Network connections required: same as Inline Block or Inline Monitor
  An ATP physical appliance that is configured for Inline mode automatically switches to bypass mode if the appliance cannot function. It also switches to bypass mode if it is turned off. In bypass mode, Internet traffic continues to flow through the LAN port and WAN port, but no blocking or monitoring occurs: the appliance fails open, and traffic that passes while it is in bypass is unscanned. Normal operations resume when you restart the appliance or re-enable scanning.
  ATP NICs operate in either standard NIC mode (no bridging between the LAN port and WAN port) or in bypass mode (bridging between the LAN port and WAN port), depending on these circumstances:
  ■ Installed out of the box: standard NIC mode
  ■ Configured for Inline deployment: bypass mode
  ■ Configured for Tap deployment: standard NIC mode
  ■ Reimaged (factory reset) after any previous deployment: standard NIC mode
  Bypass mode is not available for virtual appliances. If a virtual appliance cannot function or is turned off, network communications are interrupted. For this reason, Inline Block and Inline Monitor modes are not recommended for virtual appliances.
Planning for installation 28
About selecting a network scanner

Table 3-3 ATP operating modes and network connections (continued)

Mode Description Network connections required

Tap
  Network connections required: 1 Management, 1 Monitor connection for each network monitored
  In Tap mode, the ATP physical appliance or virtual appliance connects to a Tap or Span port on a switch. The appliance monitors a copy of the traffic between the endpoints and the Internet, so monitoring and logging incidents do not affect network performance. Because the monitoring and logging engines work at different intervals, there may be a slight delay in detecting incidents. All threats must be mitigated manually.
  ATP model 8880 can monitor up to four monitor ports on separate networks in Tap mode. ATP model 8840 or each ATP virtual appliance can monitor up to two monitor ports on separate networks in Tap mode.

Management platform
  Network connections required: 1 Management
  In management platform mode, all communications and management go through the management port. Since a management platform appliance does not scan, only the management connection is required.

You choose the operating mode for an all-in-one device or network scanner from ATP Manager.
A management platform operates in management platform mode automatically.
See “About network configurations and port connections” on page 29.
See “Where to place the appliance in your network for best results” on page 31.

About selecting a network scanner
Several factors determine the number of recommended network scanners:

Hardware versus virtual
  Make this decision based on your current infrastructure. Users with extensive VMware investment might want to use virtual appliances. Users with little or no VMware investment should use hardware.
  Hardware solutions have bypass NICs, so on failure ATP continues to pass traffic when deployed inline. Therefore, real hardware is preferred for inline deployments.

Available bandwidth
  The hardware solutions have higher throughput than virtual solutions.
  R220 and R330 have a throughput of 1 Gbps on their single NIC. R720 and R730 have two NICs that can achieve 1 Gbps each.

Total endpoints in the organization
  While each deployment varies, R220 and R330 have a capacity of approximately 10K simultaneous connections. R720 and R730 can support 25K simultaneous connections. These numbers are for inline mode. In Tap mode, hardware can support approximately twice the number of connections as inline. VMs can handle 2K simultaneous connections.

ATP features
  If the deployment is to use mostly network scanning, then a separate scanner and management platform deployment provides room to increase scanning capacity. In this case, an 8880v3 has more storage capacity and is suitable for the management platform. The number of scanners would depend on the number of ingress and egress points in the network and the amount of traffic at those points.
  An all-in-one deployment needs to be able to handle all the traffic for the projected growth of the organization for the lifetime of the appliance. If the deployment functions primarily as ATP:E, then select an all-in-one deployment. In this deployment an 8880v3 is recommended because of its greater storage capacity.

About network configurations and port connections
Table 3-4 describes the ways to connect Symantec Advanced Threat Protection (ATP) to your network.

Table 3-4 ATP network configurations and port connections

Simple port span/tap
  Connect Management to: a port on your LAN switch
  Connect WAN (Monitor1) to: a network tap, or a port on your LAN switch that is set to span mode
  Connect LAN to: not used
  This configuration monitors the traffic between the endpoints and the Internet, but does not block file transfers or websites. Internet-bound traffic is copied to the switch port using port mirroring that is configured on the switch itself.
  This configuration uses one monitor port and one management connection. This setup is easy and is useful as an initial test of ATP.

Port span/tap with multiple monitor ports
  Connect Management to: a port on your LAN switch
  Connect WAN (Monitor1) to: a network tap, or a port on your LAN switch that is set to span mode
  Connect LAN (Monitor2) to: a network tap, or a port on your LAN switch that is set to span mode
  This configuration uses two monitor ports and one management connection. Extra monitor ports allow the same appliance to connect to multiple switches from different subnets. This configuration does not block file transfers or websites.

Simple inline
  Connect Management to: a port on your LAN switch
  Connect WAN to: the Internet firewall's LAN port
  Connect LAN to: a port on your LAN switch
  You can block file transfers and websites using this configuration.
  Inline configuration requires more network connections than port span/tap. Ideally, you should deploy ATP inline between the clients and the firewall. If you use a proxy, connect the ATP appliance between the clients and the proxy.

Inline with two firewalls, two proxies, and two ATP appliances
  Connect Management to: a port on your LAN switch
  Connect WAN to: the Internet firewall's LAN port
  Connect LAN to: a port on your LAN switch
  You can connect two ATP appliances to two firewalls as part of a high-availability environment. You can configure the firewalls in active/active failover or active/standby failover. Configure the ATP appliances identically except for the network settings. Both appliances should be connected to the same management platform.
Management platform
  Connect Management to: a port on your LAN switch
  Connect WAN to: not used
  Connect LAN to: not used
  In a management platform configuration, an appliance is configured to manage other appliances. This appliance does not scan, so it requires only a management connection.

See “Where to place the appliance in your network for best results” on page 31.

Where to place the appliance in your network for best results
The placement of your appliance depends upon whether the appliance is a management platform, network scanner, or all-in-one device. The Symantec Advanced Threat Protection (ATP) appliance must be able to perform the following, depending upon its role:
■ Scan all network traffic coming into and out of the organization
■ Determine the source and destination of all traffic
■ Detect internal connection endpoints
■ Act as a network proxy for endpoints (if integrating with Symantec Endpoint Protection Manager)
■ Have a minimal effect on network performance
If your architecture includes a demilitarized zone (DMZ) and you integrate ATP with Symantec Endpoint Protection, don't place the following in the DMZ:
■ Management platform appliance
■ All-in-one appliance
■ Symantec Endpoint Protection
Deploying the appliance between a proxy and a firewall prevents ATP from seeing the IP address of the source endpoint, because every connection then originates from the proxy. In this scenario, you must enable the X-Forwarded-For: header on the proxy so that ATP can attribute traffic to the internal endpoint. You might also need to configure your firewall to strip the X-Forwarded-For: header, so that internal addresses are not disclosed to external sites.
ATP does not scan traffic between internal computers. The exception is when one of the computers is a proxy server. The internal traffic that is routed to a proxy server is scanned because it is outbound network traffic.
If you want ATP to reach the Internet through a proxy server, treat the appliance as a trusted device on the proxy and exempt it from authentication where possible. ATP supports only Basic (simple password) authentication to the proxy.
You can use the management port for any of the following:
■ To access ATP Manager.
■ For communication to Symantec's servers (for example, LiveUpdate, cloud-based sandboxing, Insight, and telemetry).
■ To facilitate communication to Symantec Endpoint Protection Manager and endpoints for the endpoint proxy.
The management network should not be open to the Internet as a whole. If you need access to the management network from outside, a VPN or a short-lived Remote Desktop connection is recommended.
In Inline mode, the management port must be on a different subnet from the Inline interface.
The following figures show examples of network configurations. You can use the ATP 8840, 8880, or virtual appliance in any of these configurations.
You might need crossover cables for Inline deployment if the devices connected to the WAN port and LAN port do not support automatic MDI/MDI-X configuration.
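The planning rules in this chapter (exactly one management platform when several appliances are deployed, an all-in-one device cannot manage scanners, no bypass on a virtual appliance in the inline modes, per-model monitor-port limits in Tap mode, a static address on every ATP connection, and the management port on a different subnet from the inline interface) can be checked mechanically before anything is racked. The following Python script is an added example and is not part of the Symantec guide or the product; the plan layout (a list of dicts), the appliance names, the model keys and the addresses are constructed for illustration.

```python
"""Check an ATP deployment plan against the planning rules in this chapter.

Added example; not part of the Symantec guide or product. The plan format
(a list of dicts), the appliance names and the addresses are constructed.
"""
import ipaddress

# Monitor ports usable in Tap mode, per model (from Table 3-3).
MONITOR_PORT_LIMIT = {"8880": 4, "8840": 2, "virtual": 2}
INLINE_MODES = ("inline block", "inline monitor")


def validate_plan(appliances):
    """Return a list of (severity, message); an empty list means the plan is
    consistent with the rules in this chapter."""
    findings = []
    roles = [a["role"] for a in appliances]

    # Role rules: one management platform for several appliances, and an
    # all-in-one device cannot manage network scanners.
    if len(appliances) > 1:
        if roles.count("management platform") != 1:
            findings.append(("error", "a multi-appliance deployment needs exactly one management platform"))
        if "all-in-one" in roles:
            findings.append(("error", "an all-in-one appliance cannot manage network scanners; use the management platform role"))
    elif roles != ["all-in-one"]:
        findings.append(("error", "a single appliance should run in the all-in-one role"))

    for a in appliances:
        name, role, model = a["name"], a["role"], a["model"]
        mode = a.get("mode")
        ifaces = a.get("interfaces", {})

        # Every ATP network connection needs a static address.
        for iface, cidr in ifaces.items():
            if cidr == "dhcp":
                findings.append(("error", f"{name}: {iface} must have a static address"))

        if role == "management platform":
            if mode not in (None, "management platform"):
                findings.append(("error", f"{name}: a management platform does not scan; it runs in management platform mode"))
            continue

        if mode in INLINE_MODES:
            if model == "virtual":
                findings.append(("warning", f"{name}: {mode} is not recommended on a virtual appliance; "
                                            "without a bypass NIC, traffic stops if the VM fails"))
            missing = {"management", "inline"} - set(ifaces)
            if missing:
                findings.append(("error", f"{name}: inline modes need addresses for {sorted(missing)}"))
            mgmt, inline = ifaces.get("management"), ifaces.get("inline")
            if mgmt and inline and "dhcp" not in (mgmt, inline):
                mgmt_net = ipaddress.ip_interface(mgmt).network
                inline_net = ipaddress.ip_interface(inline).network
                if mgmt_net.overlaps(inline_net):
                    findings.append(("error", f"{name}: management port ({mgmt_net}) must be on a different "
                                              f"subnet from the inline interface ({inline_net})"))
        elif mode == "tap":
            monitors = [i for i in ifaces if i.startswith("monitor")]
            if not monitors:
                findings.append(("error", f"{name}: tap mode needs at least one monitor connection"))
            elif len(monitors) > MONITOR_PORT_LIMIT[model]:
                findings.append(("error", f"{name}: model {model} supports at most "
                                          f"{MONITOR_PORT_LIMIT[model]} monitor ports in tap mode"))
        else:
            findings.append(("error", f"{name}: unknown operating mode {mode!r}"))
    return findings


# Constructed plan containing several of the mistakes the rules catch.
SAMPLE_PLAN = [
    {"name": "atp-aio", "role": "all-in-one", "model": "8880", "mode": "inline block",
     "interfaces": {"management": "10.10.1.20/24", "inline": "10.10.1.22/24"}},
    {"name": "atp-scan-1", "role": "network scanner", "model": "virtual", "mode": "inline monitor",
     "interfaces": {"management": "10.10.2.20/24", "inline": "dhcp"}},
    {"name": "atp-scan-2", "role": "network scanner", "model": "8840", "mode": "tap",
     "interfaces": {"management": "10.10.2.21/24", "monitor1": "10.10.4.1/24",
                    "monitor2": "10.10.5.1/24", "monitor3": "10.10.6.1/24"}},
]

if __name__ == "__main__":
    for severity, message in validate_plan(SAMPLE_PLAN):
        print(f"{severity.upper():8}{message}")
```

Run against the constructed plan it reports six findings: the role mix (no management platform, and an all-in-one trying to front two scanners), the all-in-one's management and inline addresses sharing 10.10.1.0/24, a DHCP inline interface and the virtual-inline warning on the first scanner, and three monitor ports on an 8840. A clean plan returns an empty list.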

Figure 3-1 Simple port span/tap network configuration
[Figure: Internet, firewall, and a LAN device whose span/tap port feeds the Monitor1 port of the ATP network scanner. The appliance's Mgmt port connects to the management network used by Web UI users. Monitored computers, a mobile device, and an access point sit behind the LAN device.]
Figure 3-2 Port span/tap with multiple monitor ports
[Figure: two firewalls, each with a LAN device; the span/tap port of one feeds Monitor1 and the span/tap port of the other feeds Monitor2 on the same ATP network scanner. The Mgmt port connects to the management network used by Web UI users. Monitored computers, a mobile device, and an access point sit on the corporate LAN.]
Figure 3-3 Simple inline network configuration
[Figure: Internet and firewall; the firewall connects to the WAN port of the ATP network scanner, and the LAN port connects to the corporate LAN. The Mgmt port connects to the management network used by Web UI users. Protected computers, a mobile device, and an access point sit on the corporate LAN.]
Figure 3-4 Inline with firewalls, proxies, and appliances, including a management platform
[Figure: two Internet paths, each with a proxy server, a firewall, and a switch. Each switch feeds the WAN port of an ATP network scanner whose LAN port connects to the corporate LAN. Both scanners and an ATP management platform connect through their Mgmt ports to the management network used by Web UI users. Protected computers, a mobile device, and an access point sit on the corporate LAN.]

See “About network configurations and port connections” on page 29.
See “Installation workflow” on page 20.

Required firewall ports
Depending on your network layout, you may need to open some ports on your firewall and edit your firewall rules. These changes let ATP reach the web addresses that are essential for Symantec Advanced Threat Protection (ATP) operations.
Table 3-5 lists the web and IP addresses to which ATP requires access.

Table 3-5 ATP web and IP addresses (outbound from ATP unless noted)

https://api-gateway.symantec.com, TCP 443: accesses Symantec's Targeted Attack Analytics service
licensing.dmas.symantec.com, TCP 443: used to get the Cynic license
api.us.dmas.symantec.com and api.eu.dmas.symantec.com, TCP 443: used to perform queries to the Cynic US and EU servers (required)
liveupdate.symantec.com, TCP 80 (plain HTTP): used to check for and download definitions for Symantec's detection technologies
ratings-wrs.symantec.com, TCP 443: used to query the Norton Safe Web server to identify malicious websites
stnd-avpg.crsi.symantec.com and stnd-ipsg.crsi.symantec.com, TCP 443: used to send detection telemetry to Symantec
register.brightmail.com, TCP 443: used to register the ATP appliance
swupdate.brightmail.com, TCP 443: used to check for and download new releases of ATP
shasta-rrs.symantec.com and shasta-mrs.symantec.com, TCP 443: used to perform reputation lookups for Windows executable and APK installable files
datafeedapi.symanteccloud.com, TCP 443: used to download ATP:Roaming and Email Security.cloud events
stats.norton.com, TCP 443: when telemetry is configured, used to send statistics telemetry to Symantec
telemetry.symantec.com, TCP 443: when telemetry is configured, used to send file telemetry and to upload diagnostic packages to Symantec
synapse.symantec.com, TCP 443: when telemetry is configured, used to send Synapse telemetry
ATP Manager, TCP 443 (inbound): access to the ATP public API
198.6.48.16, TCP 443: when Synapse telemetry is configured, used to send Synapse telemetry. (The server is accessed through an IP address and not a domain, so the firewall rule must allow the address itself.)

Table 3-6 describes the ports that ATP uses for communications, content updates, and interactions with Symantec.cloud detection services.

Table 3-6 ATP ports and settings

Back up
  Protocol/port: FTP, TCP 20 and 21; or SSH, TCP 22
  From: management platform or all-in-one appliances
  To: configured backup storage server (internal traffic)
  FTP server: FTP ports 20, 21. SSH server: SSH port 22. FTP carries the backup and its credentials in cleartext; prefer the SSH server option.

Email notifications
  Protocol/port: SMTP, TCP 25 or TCP 587
  From: management platform or all-in-one appliance
  To: SMTP server (internal traffic)
  Communication with the SMTP server.

Content updates
  Protocol/port: HTTP, TCP 80
  From: all appliances
  To: Symantec (external traffic)
  Virus and Vantage definitions, and other content that LiveUpdate delivers. This port is required for proper functioning of the product.

Statistics delivery
  Protocol/port: HTTP, TCP 80
  From: all appliances
  To: Symantec (external traffic)
  Sends the data to Symantec for statistical and diagnostic purposes. Private data is not sent over this port.

Endpoint detection and response (EDR) 2.0
  Protocol/port: HTTPS 443, HTTP 80
  From: ATP
  To: managed Symantec Endpoint Protection endpoints
  Communicates commands to the endpoints.

EDR 1.0
  Protocol/port: HTTPS 8446
  From: ATP
  To: Symantec Endpoint Protection Manager
  Commands to Symantec Endpoint Protection Manager.

RRS/endpoint submissions, EDR 2.0
  Protocol/port: HTTPS 443, HTTP 8080
  From: Symantec Endpoint Protection Manager
  To: ATP
  The Symantec Endpoint Protection Manager private cloud that lets endpoints communicate with ATP.

RRS/endpoint submissions, EDR 1.0
  Protocol/port: HTTPS 443, HTTP 80, HTTPS 8443
  From: Symantec Endpoint Protection Manager
  To: ATP
  The Symantec Endpoint Protection Manager private cloud that lets endpoints communicate with ATP.
  Note: Port 8443 is only available if you were using this port on previous versions of ATP and have since updated. If you are installing ATP for the first time, this port is not available.

Symantec cloud detection, analysis, and correlation services and telemetry
  Protocol/port: TCP 443 (applies whether the endpoint data recorder is enabled or disabled)
  From: all ATP appliances
  To: Symantec (external traffic)
  Cloud service queries and telemetry data exchanges. If the endpoint data recorder is enabled, Symantec Endpoint Protection sends conviction events directly to ATP.

Antivirus and intrusion prevention conviction information (from clients)
  Protocol/port: HTTP 8080 or HTTPS 443; HTTP 80 or HTTPS 8443 (all TCP)
  From: Symantec Endpoint Protection clients
  To: ATP management platform
  Information about the files and the network traffic that Symantec Endpoint Protection detects.

Antivirus and intrusion prevention conviction information (to Symantec)
  Protocol/port: HTTPS 443, HTTP 80 (TCP)
  From: ATP management platform
  To: Symantec (external traffic)
  Information about files and the network traffic that Symantec Endpoint Protection detects.

Product updates
  Protocol/port: HTTPS, TCP 443
  From: all appliances
  To: Symantec (external traffic)
  Finds and delivers new versions of ATP.

ATP Manager
  Protocol/port: HTTPS, TCP 443
  From: client connecting to manage an appliance
  To: management platform or all-in-one appliance (internal traffic)
  ATP Manager access for an all-in-one appliance or management platform.

ATP Manager, network scanners, and all-in-one
  Protocol/port: SSH, TCP 22
  From: client connecting to manage an appliance
  To: management platform, scanner, or all-in-one appliance (internal traffic)
  Command-line access for an all-in-one appliance or management platform.

Synapse Symantec Endpoint Protection Manager connection with Microsoft SQL Server (optional)
  Protocol/port: JDBC, TCP 1433 (default)
  From: management platform or all-in-one appliance
  To: Symantec Endpoint Protection Manager Microsoft SQL Server (internal traffic)
  Required if using Microsoft SQL Server for Symantec Endpoint Protection Manager and Synapse. Symantec Endpoint Protection Manager administrators can configure a different port for this communication.

Communication channel (management platform and network scanner installations only)
  Protocol/port: AMQP, TCP 5671 and TCP 5672
  From: network scanner appliance
  To: management platform (internal traffic)
  Communications between the management platform and network scanners. Not required for an all-in-one installation. After the initial exchange on this port, the communication is secured.

Blocking page (Inline Block mode only)
  Protocol/port: HTTP, TCP 8080
  From: network scanner
  To: protected endpoints (internal traffic)
  Sends the blocking page when content is blocked at an endpoint. Not required for Inline Monitor or Tap/Span modes.

Synapse Symantec Endpoint Protection Manager connection with Embedded DB (optional)
  Protocol/port: HTTPS, TCP 8081 (default)
  From: management platform or all-in-one appliance
  To: Symantec Endpoint Protection Manager server (internal traffic)
  Required if using the embedded database for the Synapse connection to Symantec Endpoint Protection Manager.

Synapse Symantec Endpoint Protection Manager connection with the Symantec Endpoint Protection Manager web services Remote Management Server and Monitoring (RMM) service (optional)
  Protocol/port: HTTPS, TCP 8446 (default)
  From: management platform or all-in-one appliance
  To: Symantec Endpoint Protection Manager server
  Required if connecting to the Symantec Endpoint Protection Manager server for executing management operations, for example adding or removing items from the blacklist or placing an endpoint under quarantine.

Syslog
  Protocol/port: TCP (preferred) or UDP; the port should be the same as configured in ATP Manager for syslog
  From: all appliances
  To: configured syslog server (internal or external traffic, depending on your environment)
  If syslog is configured, this connection delivers log messages to the remote syslog server.

ATP:Roaming and ATP: Email
  Protocol/port: HTTPS, TCP 443
  From: management platform or all-in-one appliance
  To: Symantec
  This connection allows ATP to collect conviction events from ATP:Roaming and ATP: Email when Synapse Correlation is enabled for either one of these services.

Active Directory
  Protocol/port: LDAPS, TCP 636
  From: management platform or all-in-one appliance
  To: Active Directory server
  This connection allows ATP to integrate with Active Directory for user authentication.
See “Where to place the appliance in your network for best results” on page 31.
See “Installation workflow” on page 20.
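Table 3-5 is long enough that an egress allow-list is easy to get subtly wrong (a wildcard that covers the symantec.com hosts but not stats.norton.com, a rule on 443 that misses LiveUpdate on 80, or no rule at all for the bare 198.6.48.16 address). The following Python script is an added example, not part of the Symantec guide or product: it transcribes the table into a required-destination list and reports which entries a given rule set fails to cover. The rule format (source, destination, protocol, port tuples, with "any" and "*.domain" wildcards and CIDR destinations) and the sample rule set are constructed for illustration; the source name atp-mgmt is a placeholder for however your firewall identifies the appliance's management address.

```python
"""Audit a firewall allow-list against the egress that ATP needs (Table 3-5).

Added example; not part of the Symantec guide or product. The rule format
and SAMPLE_RULES are constructed; REQUIRED is transcribed from Table 3-5.
"""
import ipaddress

# (destination, protocol, port, purpose) -- from Table 3-5.
REQUIRED = [
    ("api-gateway.symantec.com", "tcp", 443, "Targeted Attack Analytics"),
    ("licensing.dmas.symantec.com", "tcp", 443, "Cynic license"),
    ("api.us.dmas.symantec.com", "tcp", 443, "Cynic queries (US)"),
    ("api.eu.dmas.symantec.com", "tcp", 443, "Cynic queries (EU)"),
    ("liveupdate.symantec.com", "tcp", 80, "LiveUpdate definitions (plain HTTP)"),
    ("ratings-wrs.symantec.com", "tcp", 443, "Norton Safe Web ratings"),
    ("stnd-avpg.crsi.symantec.com", "tcp", 443, "detection telemetry"),
    ("stnd-ipsg.crsi.symantec.com", "tcp", 443, "detection telemetry"),
    ("register.brightmail.com", "tcp", 443, "appliance registration"),
    ("swupdate.brightmail.com", "tcp", 443, "ATP software updates"),
    ("shasta-rrs.symantec.com", "tcp", 443, "reputation lookups"),
    ("shasta-mrs.symantec.com", "tcp", 443, "reputation lookups"),
    ("datafeedapi.symanteccloud.com", "tcp", 443, "ATP:Roaming / Email Security.cloud events"),
    ("stats.norton.com", "tcp", 443, "statistics telemetry"),
    ("telemetry.symantec.com", "tcp", 443, "file telemetry / diagnostic packages"),
    ("synapse.symantec.com", "tcp", 443, "Synapse telemetry"),
    ("198.6.48.16", "tcp", 443, "Synapse telemetry (reached by IP, not name)"),
]


def _dest_matches(rule_dest, required_dest):
    """A rule destination covers a required one if it is 'any', the same
    name, a parent wildcard such as *.symantec.com, or a CIDR block that
    contains the required IP address."""
    if rule_dest in ("any", required_dest):
        return True
    if rule_dest.startswith("*."):
        return required_dest.endswith(rule_dest[1:])
    try:
        return ipaddress.ip_address(required_dest) in ipaddress.ip_network(rule_dest, strict=False)
    except ValueError:  # hostname on either side: not a CIDR match
        return False


def missing_egress(rules, source="atp-mgmt"):
    """Return the REQUIRED entries that no allow rule from `source` covers.

    `rules` is a list of (source, destination, protocol, port); any field may
    be the string 'any'. Order and overlap between rules do not matter here,
    since we only ask whether some allow rule covers each destination."""
    missing = []
    for dest, proto, port, purpose in REQUIRED:
        covered = any(
            r_src in ("any", source)
            and r_proto in ("any", proto)
            and r_port in ("any", port)
            and _dest_matches(r_dest, dest)
            for r_src, r_dest, r_proto, r_port in rules
        )
        if not covered:
            missing.append((dest, proto, port, purpose))
    return missing


# Constructed rule set: a typical first attempt that allows 443 to the
# vendor domains and nothing else.
SAMPLE_RULES = [
    ("atp-mgmt", "*.symantec.com", "tcp", 443),
    ("atp-mgmt", "*.brightmail.com", "tcp", 443),
    ("atp-mgmt", "*.symanteccloud.com", "tcp", 443),
]

if __name__ == "__main__":
    for dest, proto, port, purpose in missing_egress(SAMPLE_RULES):
        print(f"MISSING {proto}/{port} to {dest}: {purpose}")
```

Against the constructed rule set the audit reports three gaps: LiveUpdate (port 80, not 443), stats.norton.com (outside the wildcards), and 198.6.48.16 (no CIDR rule). Adding rules for those three makes the list empty.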

Proxy recommendations
The following are Symantec's proxy recommendations:
Planning for installation 42
Proxy recommendations

Network scanning

Proxy deployment options are as follows:

■ Deploy ATP between the internal network and the proxy.
This is the recommended configuration. With ATP between the internal network and the proxy, ATP sees the real endpoint addresses directly, so every detection is attributed to the right endpoint without extra configuration.
If you load balance across a farm of proxies, you must deploy ATP between the internal network and the proxy farm. This placement keeps ATP in the traffic path when traffic fails over from one proxy to another. In this scenario, the LAN side of the proxies is the right place to plug ATP in inline.
■ Deploy ATP between the proxy and the firewall.
With ATP between the proxy and the firewall, ATP sees the proxy's address as the source of every connection. You must enable the X-Forwarded-For feature on the proxy so that the original endpoint address is carried in each request, and the firewall must be able to strip the X-Forwarded-For header before traffic leaves your network, so that internal addresses are not disclosed to external servers. See your firewall documentation for instructions on removing this header. The disadvantage of this deployment is that it requires more effort to configure.
https://help.symantec.com/cs/atp_3.2/ATP/v113990908_v127300344/Specifying-the-traffic-that-the-proxy-inspects?locale=EN_US

Management traffic from ATP to Symantec back-end servers

This traffic does not support SSL interception. If the proxy server has SSL interception enabled, create a policy that lets Symantec traffic bypass interception. Such a policy keeps the proxy from inspecting (and breaking) Symantec traffic, and it also reduces the load on the proxy.
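The header flow described above, as an added example that is not part of this guide or of any Symantec code: a small Python model of what each hop does to X-Forwarded-For when ATP sits between the proxy and the firewall. The proxy appends the endpoint's address, ATP attributes the request to that address only when the TCP peer is one of its trusted proxies (the header is client input and can be forged), and the firewall strips the header before egress. The proxy address 10.0.0.5, the endpoint address and the request bytes are constructed for the illustration.

```python
"""Added example, not Symantec code: X-Forwarded-For (XFF) handling when ATP
sits between the proxy and the firewall.  The header name is standard; the
proxy address (10.0.0.5), the endpoint address and the sample request are
constructed for this illustration."""
import ipaddress
from typing import Dict, List

XFF = "x-forwarded-for"          # header names are compared case-insensitively
TRUSTED_PROXIES = {"10.0.0.5"}   # assumption: LAN-side address of our proxy

# Constructed request as the proxy receives it from an internal endpoint.
SAMPLE_REQUEST = (
    b"GET /download/update.exe HTTP/1.1\r\n"
    b"Host: files.example.test\r\n"
    b"User-Agent: constructed-sample/1.0\r\n"
    b"\r\n"
)


def parse_headers(raw: bytes) -> Dict[str, List[str]]:
    """Parse the head of an HTTP/1.1 request into {lower-case name: [values]}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def _chain(values: List[str]) -> List[str]:
    """Flatten one or more XFF header values into the list of addresses."""
    return [v.strip() for value in values for v in value.split(",") if v.strip()]


def proxy_append_xff(headers: Dict[str, List[str]], client_ip: str) -> Dict[str, List[str]]:
    """What the proxy does with X-Forwarded-For enabled: append the address of
    the TCP peer it accepted the connection from.  Anything already present
    came from the client and is kept, but it is not trustworthy."""
    chain = _chain(headers.get(XFF, [])) + [client_ip]
    headers[XFF] = [", ".join(chain)]
    return headers


def endpoint_ip(headers: Dict[str, List[str]], peer_ip: str,
                trusted_proxies=TRUSTED_PROXIES) -> str:
    """What ATP needs between proxy and firewall: the internal endpoint's
    address rather than the proxy's.  The header is believed only when the
    TCP peer is one of our proxies, and only its last element is used: that is
    the one the trusted proxy appended; earlier elements are client input."""
    if peer_ip not in trusted_proxies:
        return peer_ip
    chain = _chain(headers.get(XFF, []))
    if not chain:
        return peer_ip
    try:
        return str(ipaddress.ip_address(chain[-1]))
    except ValueError:           # malformed value: fall back to the peer
        return peer_ip


def firewall_strip_xff(headers: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """What the firewall must do before the request leaves the network: drop
    the header so internal endpoint addresses are not disclosed to external
    web servers."""
    return {name: values for name, values in headers.items() if name != XFF}


def walk_through(client_ip: str = "192.168.10.42", proxy_ip: str = "10.0.0.5"):
    """End-to-end: endpoint -> proxy (adds XFF) -> ATP (reads it) -> firewall
    (strips it).  Returns the address ATP attributes and whether XFF leaked."""
    headers = parse_headers(SAMPLE_REQUEST)
    proxy_append_xff(headers, client_ip)
    attributed = endpoint_ip(headers, proxy_ip)
    outbound = firewall_strip_xff(headers)
    return attributed, XFF in outbound


if __name__ == "__main__":
    print(walk_through())      # ('192.168.10.42', False)
```

Trusting only the last element, and only when the connection comes from a trusted proxy, is what makes the attribution safe: a client can pre-load the header with any address it likes, but the proxy always appends the one it actually saw. With more than one proxy layer, extend TRUSTED_PROXIES and walk the chain from the right until the first untrusted address.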
Chapter 4
Installing a physical
appliance
This chapter includes the following topics:

■ Installing the 8840 appliance

■ Installing the 8880 appliance

Installing the 8840 appliance


You can mount the Symantec Advanced Threat Protection (ATP) 8840 appliance into a 19-inch
(483mm) rack. If you do not have a rack, the appliance can rest on a stable surface.
Figure 4-1 shows the 8840 back panel.

Figure 4-1 8840 back panel (figure callout: iDRAC port)

To install the 8840 appliance


1 Install the two included rails in a rack and mount the appliance in the rack.
2 Connect the power cord to a power outlet and then to a power supply on the appliance.
3 Plug an Ethernet cable into the iDRAC port on the back of the server. Then connect the
other end to a LAN switch on your network. The iDRAC port is on the left and is marked
with a wrench icon.
See “Configuring the iDRAC using a monitor, keyboard, and optional mouse” on page 50.

4 Plug an Ethernet cable into the management port and connect the other end to your
Management network.

(Figure callouts: Mgmt port, iDRAC)

5 For Tap mode, you can connect the Monitor1 port to a Tap/Span port on a switch or router.
For a management platform, do not make this connection.
For an appliance to operate in Inline Block or Inline Monitor mode, connect the WAN port
to the server that hosts the firewall.

(Figure callouts: INLINE: WAN, LAN; TAP: Monitor1, Monitor2)
6 Connect the LAN port to the corporate LAN for Inline Block or Inline Monitor mode. Connect
it to a Tap/Span port on a switch or router for Tap mode. For a management platform, do
not make this connection.
If the appliance is deployed in Inline Block or Inline Monitor mode, bypass mode starts
operating.

(Figure callouts: INLINE: WAN, LAN; TAP: Monitor1, Monitor2)

7 Configure the iDRAC using an external monitor and keyboard.


See “Configuring the iDRAC using a monitor, keyboard, and optional mouse” on page 50.
8 Open a browser from a computer that is on the same network as the appliance, and then
type https://<iDRAC management port static IP address>. The iDRAC default logon is
root; the password is calvin. Change this default password as soon as you first log on
(see step 17 of “Configuring the iDRAC using a monitor, keyboard, and optional mouse” on
page 50): an iDRAC left on root/calvin gives anyone on the management network console
access to the appliance. From the iDRAC management utility, open a console to the
appliance. Log on with the user name admin and the password symantec to start the
bootstrap process; bootstrap prompts you to replace this default console password as well.
After you complete and accept the bootstrap configuration, the system restarts.
See “Running bootstrap to configure the appliance” on page 62.
9 (Required for management platform and all-in-one) Open a browser, and then type
https://<ATP management port static IP address>.
For example, type https://10.10.10.10 if you specified an IP address of 10.10.10.10
during the bootstrap process.
10 (Required for management platform and all-in-one devices) In ATP Manager, enter the
user name setup and password symantec to start and run the setup wizard.
If you plan to install a scanner, log on to ATP Manager on the management platform that
controls the scanner to complete the installation.

Installing the 8880 appliance


You can mount the Symantec Advanced Threat Protection (ATP) 8880 appliance into a 19-inch
(483mm) rack. If you do not have a rack, the appliance can rest on a stable surface.
Figure 4-2 shows the 8880 back panel.

Figure 4-2 8880 back panel (figure callouts: INLINE: WAN1, LAN1, WAN2, LAN2; TAP: Monitor1, Monitor2, Monitor3, Monitor4)

To install the 8880 appliance


1 Install the two included rails in a rack and mount the appliance in the rack.
2 Connect each power cord to a power outlet and then to a power supply on the appliance.

3 Plug an Ethernet cable into the iDRAC port on the left of the back of the server. Then
connect the other end to a LAN switch on your network. Enable the iDRAC using either
the front panel display or an attached monitor and keyboard.
See “Configuring the iDRAC (8880 appliance only)” on page 49.
See “Configuring the iDRAC using a monitor, keyboard, and optional mouse” on page 50.
4 Plug an Ethernet cable into the management port and connect the other end to the network.

(Figure callouts: Mgmt port; INLINE: WAN1, LAN1, WAN2, LAN2; TAP: Monitor1, Monitor2, Monitor3, Monitor4)

5 For an appliance to operate in Inline Block or Inline Monitor mode, connect the WAN port
to the server that hosts the firewall. For Tap mode, you can connect this port to a Tap/Span
port on a switch or router. You may optionally connect the WAN2 port. In Tap mode, you
can use either port for monitoring traffic.

(Figure callouts: WAN1; INLINE: WAN1, LAN1, WAN2, LAN2; TAP: Monitor1, Monitor2, Monitor3, Monitor4)

6 Connect the LAN port to the corporate LAN for Inline Block or Inline Monitor mode. Connect
it to a Tap/Span port on a switch or router for Tap mode. You may optionally connect the
LAN2 port.
If the appliance is deployed in Inline Block or Inline Monitor mode, bypass mode starts
operating.

(Figure callouts: LAN1; INLINE: WAN1, LAN1, WAN2, LAN2; TAP: Monitor1, Monitor2, Monitor3, Monitor4)

7 Open a browser from a computer that is on the same network as the appliance and enter
https://<iDRAC management port static IP address>. The iDRAC default logon is root;
the password is calvin. Change this default password as soon as you first log on (see
step 17 of “Configuring the iDRAC using a monitor, keyboard, and optional mouse” on
page 50): an iDRAC left on root/calvin gives anyone on the management network console
access to the appliance. From the iDRAC management utility, open a console to the
appliance. Log on with the user name admin and the password symantec to start the
bootstrap process; bootstrap prompts you to replace this default console password as well.
After you complete and accept the bootstrap configuration, the system restarts.
See “Running bootstrap to configure the appliance” on page 62.
8 (Required for management platform and all-in-one) Open a browser, and then type
https://<ATP management port static IP address>.
For example, type https://10.10.10.10 if you specified an IP address of 10.10.10.10
during the bootstrap process.
9 (Required for management platform and all-in-one) In ATP Manager, type the user name
setup and password symantec to start and run the setup wizard.
If you plan to install a scanner, log on to ATP Manager on the management platform that
controls the scanner to complete the installation.
Chapter 5
Configuring the iDRAC on a
physical appliance
This chapter includes the following topics:

■ About the iDRAC on the physical appliance

■ Configuring the iDRAC (8880 appliance only)

■ Configuring the iDRAC using a monitor, keyboard, and optional mouse

About the iDRAC on the physical appliance


Symantec Advanced Threat Protection (ATP) physical appliances include an integrated Dell
Remote Access Controller (iDRAC). This controller provides (among other features) remote
console access to the appliance. Before you can connect an ATP physical appliance to your
network using bootstrap, you must first assign a network address to the iDRAC.
The following procedures describe how to assign a static IP address to the iDRAC:
See “Configuring the iDRAC (8880 appliance only)” on page 49.
See “Configuring the iDRAC using a monitor, keyboard, and optional mouse” on page 50.
On the ATP model 8880, you can assign the iDRAC IP address either with the front panel
controls or by attaching a monitor, keyboard, and optional mouse to the appliance and using
the System Setup utility. The ATP model 8840 has no front panel iDRAC controls, so you
must configure the IP address with the System Setup utility.
For more information on iDRAC features and operation, refer to the integrated Dell Remote
Access Controller documentation at http://dell.com/support/manuals.

Configuring the iDRAC (8880 appliance only)


Before you configure the iDRAC on the Symantec Advanced Threat Protection (ATP) 8880
appliance, make sure that the appliance is connected to AC power. AC power energizes the
iDRAC even when the appliance itself is not turned on. When the service tag number appears
on the iDRAC display, the iDRAC is ready to be configured.
Although you can use DHCP to configure the iDRAC network settings, the best practice is to
assign a static IP address.
The iDRAC front panel has these three buttons for selecting, changing, and entering data:
✓ = Enter
< = Move the selection to the left or decrease the value (depending on the context)
> = Move the selection to the right or increase the value (depending on the context)
To configure the iDRAC
1 Press ✓ to enter the menu system.
2 Press > to highlight Setup and then press ✓.
3 With iDRAC highlighted, press ✓ .
4 Press > to highlight StaticIP and press ✓ .
The front panel displays a default IP address. You need to change only the numbers that
differ from the static IP address you want to assign.
5 Press > until you have highlighted a number that you want to change, and then press
✓ to select it.
6 Press > to increase the value or < to decrease the value. When the correct number is
displayed, press ✓ .
7 Repeat steps 5 and 6 for each additional number you need to change.
8 When the static IP address is correct, press > until » is highlighted, and then press ✓ .
9 The display shows the default subnet mask (Sub). Use the instructions in steps 5 and 6
to modify values as needed.
10 Press > until » is highlighted, and then press ✓ .
11 The display shows the default gateway IP address (Gtw). Use the instructions in steps 5
and 6 to modify values as needed.
12 Press > until » is highlighted, and then press ✓ .

13 The display asks if you want to set up DNS. Setting up DNS is recommended. Performing
this task lets you program network resources on the iDRAC based on DNS names, rather
than requiring you to enter IP addresses.
To set up DNS, highlight Yes and press ✓ . Go to Step 14.
If you do not want to set up DNS, highlight No and press ✓ . Then highlight Save and
press ✓ . Configuration is complete.
14 The iDRAC displays the default address of the primary DNS server (D1). Use the
instructions in steps 5 and 6 to modify values as needed.
15 The iDRAC then displays the default address for an alternate DNS server (D2). An alternate
server is optional, but provides redundancy in case the primary DNS server fails. Use the
instructions in steps 5 and 6 to modify values as needed. If you do not want to configure
an alternate server, set all values to zeros.
16 When you are prompted to Save, highlight Yes and press ✓.

Note: Settings are not applied until you press Yes to save. If you walk away from the
appliance before you save the settings, the display eventually times out and all unsaved
configuration changes are lost.

For more information on the iDRAC, refer to the Integrated Dell Remote Access Controller
documentation at http://dell.com/support/manuals.
See “About the iDRAC on the physical appliance” on page 48.
See “Configuring the iDRAC using a monitor, keyboard, and optional mouse” on page 50.

Configuring the iDRAC using a monitor, keyboard, and optional mouse
The Symantec Advanced Threat Protection (ATP) 8840 and 8880 appliances have VGA and
USB ports on the front and on the back of the server. If you want to use the ports on the front,
you must remove the front bezel.
Although you can use DHCP to configure the iDRAC network settings, a best practice is to
assign a static IP address.
To configure the iDRAC using a monitor, keyboard, and optional mouse
1 Plug an Ethernet cable into the iDRAC port on the back of the appliance on the left. Then
plug the other end of the cable into the LAN switch on the network.
2 Attach a monitor to a VGA port on the appliance.
3 Attach a keyboard to a USB port on the appliance.

4 Press the server power button.
5 When the monitor displays the system BIOS screen, press F2 to select System Settings.
6 From the menu, select iDRAC Settings.
7 On the iDRAC Settings screen select Network.
8 Scroll down to IPV4 Settings, and enter the following for the iDRAC:
■ Static IP address
■ Static Gateway
■ Static IP Subnet Mask

9 (Optional) Enter the IP addresses for the Static Preferred DNS Server and the Static
Alternate DNS Server.
Setting up DNS allows the iDRAC to access network resources using DNS names, instead
of IP addresses. If you do not use DNS, go to step 11.
10 Press Tab to highlight Back, then press Spacebar.
11 Press Tab to highlight Finish, then press Spacebar.
12 Press Spacebar to select Yes to save changes.
13 Press Spacebar to select OK in the Success dialog box.
14 Press Spacebar until Exit is highlighted, and then press Spacebar to confirm that you
want to exit and restart the iDRAC.
15 Open a browser and enter https://<iDRAC IP address> to display the iDRAC logon screen.
16 Log on to the iDRAC with the ID root and the password calvin.
17 At the prompt, change the root password. Do this before you leave the iDRAC reachable
on the network: the root/calvin default is publicly documented, and the iDRAC gives console
access to the appliance.
For more information on the iDRAC, refer to the Integrated Dell Remote Access Controller
documentation at http://dell.com/support/manuals.
See “About the iDRAC on the physical appliance” on page 48.
See “Configuring the iDRAC (8880 appliance only)” on page 49.
Chapter 6
Installing a virtual
appliance
This chapter includes the following topics:

■ About virtual appliance installation

■ About configuring virtual switches for virtual appliances

■ Installing the virtual appliance

About virtual appliance installation


The Symantec Advanced Threat Protection (ATP) virtual appliance is delivered as an OVA
file that runs as a virtual machine on VMware ESXi.
All operating modes that are supported for the physical appliance are supported for the virtual
appliance. However, the virtual appliance has no bypass mode. For a virtual appliance in
Inline Block or Inline Monitor mode, network traffic through the appliance stops when the
virtual machine is turned off, and also when the physical host is turned off.
When you install a virtual appliance on an ESXi server, you must connect the virtual network
adapters that are built into the OVA template to the virtual switches that you configure in
VMware. When you configure the virtual switches, you associate them with physical ports on
the ESXi server.
Important: You must reserve 48 GB of memory and at least 12 GHz of CPU before you start
the virtual machine for the first time.

Warning: The virtual appliance has no hardware bypass. You therefore take a risk when you
deploy a virtual appliance in Inline Block or Inline Monitor mode: any outage of the virtual
machine or of its host takes down the network path that the appliance sits in.

The figures in this section depict the ports that are mapped one-to-one with physical network
interface cards (NICs). But ATP virtual appliances are compatible with other configurations,
such as distributed virtual networks.

Virtual Machine Configuration


When you run ATP in a virtual environment, it is important to configure the virtual machines
on which your ATP appliances run properly. The following are some configuration notes:
■ Make certain that your virtual machine has the proper resources allocated. Also reserve
the VM resources (CPU, memory, disk) for the ATP appliance, or you may experience
disk-space or high-memory-usage errors.
■ Use the proper block size, depending on the VMFS version of your system. If your ESXi
server uses VMFS-2, the block size must be 4 MB or greater. If you use a file system later
than VMFS-2, set the block size to 8 MB. If the block size is not set properly, the OVA
deployment can fail with a message that the disk capacity of the virtual machine is greater
than the amount available on the datastore.
■ When you deploy a network scanner on a virtual machine and you have mapped the WAN
port to a physical NIC through a vSwitch, change the vSwitch configuration to allow all
VLAN IDs in the port group properties. Without this setting, ATP may not capture some
network traffic.
For virtual machines intended to function as ATP network scanners, enable Promiscuous
mode on the WAN and LAN virtual switches. This setting lets ATP see all traffic on the
switch, not only frames addressed to the virtual adapter's own MAC address.

About virtual network adapters


The OVA template includes three virtual network adapters:

Management: required for all appliances; carries the management connection.

Monitor1_WAN: the monitor connection when the appliance operates in Tap mode; the WAN connection when the appliance operates in Inline Block or Inline Monitor mode.

Monitor2_LAN: the second monitor connection when the appliance operates in Tap mode; the LAN connection when the appliance operates in Inline Block or Inline Monitor mode.

When you deploy the OVA, map each virtual adapter to your network.

About virtual switch requirements


Virtual switches connect each virtual network adapter to a physical port on the ESXi server.
The number of virtual switches you need depends on the virtual appliance's operating role
and operating mode.
For an all-in-one virtual appliance or network scanner virtual appliance that operates in Tap
mode, you need two or three virtual switches. One switch is for the Management interface,
one is for the first Monitor interface, and one is for a second Monitor interface. Figure 6-1
shows the network pathway. The pathway runs from the virtual network adapters to the physical
ports and connections to the network for a Tap configuration through the virtual switches.

Figure 6-1 Virtual Tap/Span network configuration
(Figure callouts: ESXi host running the virtual ATP; virtual network adapters Management, Monitor1_WAN, Monitor2_LAN; virtual switches; physical ports on the ESXi host; Management to the corporate LAN, each Monitor adapter to a SPAN/TAP port on a LAN switch)

For an all-in-one virtual appliance or network scanner virtual appliance that operates in Inline
Block or Inline Monitor mode, you need three virtual switches. You need one each for the
Management, WAN, and LAN interfaces. Figure 6-2 shows the network pathway. It runs from
the virtual network adapters to the physical ports and connections to the network for an Inline
Block or Inline Monitor configuration through the virtual switches.

Figure 6-2 Virtual Inline Block or Inline Monitor network configuration
(Figure callouts: ESXi host running the virtual ATP; virtual network adapters Management, Monitor1_WAN, Monitor2_LAN; virtual switches; physical ports on the ESXi host; Management to the corporate LAN, Monitor1_WAN toward the firewall, Monitor2_LAN to the corporate LAN)

For a management platform, you need only one virtual switch for the Management interface.
To configure each virtual adapter and associate it with a physical port, follow the instruction
in the VMware documentation. But set certain values for the ATP virtual appliance.
See “About configuring virtual switches for virtual appliances” on page 56.

Connecting the ESXi ports to your network


The cable connections between the ports on the ESXi server and the network are the same
for virtual appliances as they are for physical appliances.
See “Where to place the appliance in your network for best results” on page 31.
See “Installing the virtual appliance” on page 57.
See “About configuring virtual switches for virtual appliances” on page 56.

About configuring virtual switches for virtual appliances
The following sections describe the virtual switch property values that must be configured for
appliances. The properties you configure for each virtual switch depend on the virtual appliance's
operating mode. The virtual switch property values must match the Destination Network (port
group) property values.
This section has the following topics:
■ Virtual switch properties for Tap mode
■ Virtual switch properties for Inline Block or Inline Monitor mode
■ Virtual switch properties for the Management interface
For instructions on creating virtual switches and configuring Symantec Advanced Threat
Protection (ATP) virtual switch properties, refer to the VMware vSphere Client documentation.

Virtual switch properties for Tap mode


Table 6-1 shows the virtual switch property values that are required for each Monitor network
interface when the appliance operates in Tap mode. Each virtual appliance can monitor up to
two networks. For any property that is not specified in the table, use the default value.

Table 6-1 Virtual switch properties for Tap mode Monitor interfaces

Property | Value
Connection Type | Virtual Machine
Promiscuous Mode | Accept
Failback | No
Notify Switches | No

Devices operating in Tap mode also require a virtual switch for the Management interface.

Virtual switch properties for Inline Block or Inline Monitor mode


Table 6-2 shows the virtual switch property values that are required for the LAN network
interfaces and WAN network interfaces. The switch properties apply when the appliance
operates in Inline Block or Inline Monitor mode. For any property that is not specified in the
table, use the default value.

Table 6-2 Virtual switch properties for LAN and WAN interfaces

Property | Value
Connection Type | Virtual Machine
Promiscuous Mode | Accept
Failback | No
Notify Switches | No
Forged Transmits | Accept

Devices operating in Inline Block or Inline Monitor mode also require a virtual switch for the
Management interface.

Virtual switch properties for the Management interface


An appliance operating in the management platform role requires a single virtual switch to
support the Management interface. An all-in-one device or network scanner requires one virtual
switch to support the Management interface. This requirement is in addition to the virtual
switches that support scanning in Inline Block, Inline Monitor, or Tap mode.
When you create a virtual switch for a Management interface, use the VMware default value
for all properties.
See “About virtual appliance installation” on page 52.
See “Installing the virtual appliance” on page 57.
See “About configuring virtual switches for virtual appliances” on page 56.

Installing the virtual appliance


Install a Symantec Advanced Threat Protection (ATP) virtual appliance on an ESXi server
using a VMware vSphere Client to deploy the OVA template.

Note: Installation of the ISO is not supported for a virtual appliance. In addition, Symantec
Advanced Threat Protection (ATP) does not support the creation of an OVA template from the
ATP template. You must deploy the unaltered OVA template.

To install the virtual appliance


1 Make sure that you have a supported version of VMware.
See “System requirements for a virtual appliance installation” on page 11.
2 Create the required VMware ESXi virtual switches and configure the virtual switches in
VMware vSphere.
See “About configuring virtual switches for virtual appliances” on page 56.
3 Make sure that you have proper mapping ready so that you can assign static IP addresses
to each ATP network connection.
4 Make the physical connections from the ESXi server physical adapters to your network.
These are the same connections as for a physical appliance.
■ Plug an Ethernet cable into the management physical adapter and connect the other
end to your Management network.
■ When planning to operate the appliance in Inline Block or Inline Monitor mode, connect
the WAN physical adapter to the server that hosts the firewall. For Tap mode or for a
management platform, do not make this connection.
■ For Inline Block or Inline Monitor mode, connect the LAN physical adapter to the
corporate LAN. For Tap mode, connect the LAN physical adapter to the Tap/Span port
on a switch or router. For a management platform, do not make this connection.
See “Where to place the appliance in your network for best results” on page 31.
5 Map the virtual switches to physical adapters on the ESXi server. Refer to the VMware
vSphere documentation for instructions.
6 If you have not already done so, download the OVA template from
https://fileconnect.symantec.com/ into a directory that you can browse to from VMware
vSphere Client.

7 Deploy the OVA template on the VMware ESXi server.


During the deployment, the Deploy OVA Template wizard prompts you to map Source
Network adapters. The adapters are built into the ATP OVA with Destination Networks
that you already configured on your network.
For best performance, use thick provisioning.

Note: The Destination Networks that are shown are examples only.

8 From the Destination Networks menu, choose a network for each Source Network adapter
as follows:

Source Network | Destination Network

Management | Choose your Management network.

Monitor1_WAN |
■ For Inline Block or Inline Monitor mode on an all-in-one device or network scanner,
choose the WAN network that you want to protect.
■ For Tap mode on an all-in-one device or network scanner, choose a network that you
want to monitor. This network must be connected to a Tap or Span port on the network
switch.
■ For a management platform, you can map Monitor1_WAN to any network. Only the
management port is active when an appliance operates as a management platform.

Monitor2_LAN |
■ For Inline Block or Inline Monitor mode on an all-in-one device or network scanner,
choose the LAN network that you want to protect.
■ For Tap mode on an all-in-one device or network scanner, choose a second network
that you want to monitor. This network must be connected to a Tap or Span port on the
network switch.
If you do not want to make this connection, map Monitor2_LAN to any network. After
you complete the OVA deployment, edit the virtual appliance settings in VMware vSphere
Client to disconnect Network adapter 3. Refer to the VMware documentation for
instructions.
■ For a management platform, you can map Monitor2_LAN to any network. Only the
management port is active when an appliance operates as a management platform.

Note: For all-in-one devices and network scanner devices, do not map Monitor1_WAN
and Monitor2_LAN to the same network. This configuration can cause a bridge loop, and
packets may not be sent to the network properly.

9 Reminder: If you have not already done so, you must reserve the required resources on
your ATP appliance virtual machine. You must reserve 48 GB of memory and at least 12
GHz CPU before you start the VMware computer for the first time.
10 In VMware vSphere Client, start the newly-created virtual appliance.
11 Open a console to the appliance and log on with the user name admin and the password
symantec to start bootstrap. After you complete and accept the bootstrap configuration,
the appliance restarts.
See “Running bootstrap to configure the appliance” on page 62.
12 (Required for management platform and all-in-one) From a computer that is on the same
network as the appliance management port, open a browser, and type
https://<management port static IP address>.
For example, type https://10.10.10.10 if you specified an IP address of 10.10.10.10
during bootstrap.
13 (Required for management platform and all-in-one) In ATP Manager, type the user name
setup and password symantec to start and run the setup wizard.
14 If you install a management platform or all-in-one appliance, log on to ATP Manager to
complete the installation. If you install a network scanner, log on to ATP Manager on the
management platform that controls the network scanner to complete the installation.
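The virtual switch tables (Table 6-1 and Table 6-2), the VMware-default rule for the Management interface, the all-VLANs requirement on the WAN port group, and the note above about not mapping both monitor adapters to the same network are easy to get wrong one at a time in the vSphere Client. As an added example that is not Symantec or VMware code, the following Python checks a planned layout against all of those rules before the OVA is deployed. The dictionary layout, the port group names and the sample policies are assumptions for this illustration; the VLAN ID 4095 used for "all VLANs" is the standard-port-group value VMware uses for that purpose.

```python
"""Added example, not Symantec or VMware code: checks a planned vSphere layout
for an ATP virtual appliance against the switch property tables, the
VMware-default rule for the Management interface, the all-VLANs requirement on
the WAN port group, and the bridge-loop rule for the two monitor adapters.
The dictionary layout and port group names are assumptions for this example."""
from typing import Dict, List, Optional

ROLE_MGMT, ROLE_SCANNER, ROLE_ALL_IN_ONE = "management platform", "network scanner", "all-in-one"
MODE_TAP, MODE_INLINE = "tap", "inline"      # Inline Block and Inline Monitor share one policy
ALL_VLANS = 4095                             # VMware: port group passes every VLAN
ADAPTERS = ("Management", "Monitor1_WAN", "Monitor2_LAN")

# Standard vSwitch defaults: Promiscuous Reject, Forged Transmits Accept,
# Failback Yes, Notify Switches Yes.
VMWARE_DEFAULTS = {"promiscuous": False, "forged_transmits": True,
                   "failback": True, "notify_switches": True}
# Table 6-1 (Tap) and Table 6-2 (Inline); properties not listed keep the default.
REQUIRED = {
    MODE_TAP:    {"promiscuous": True, "failback": False, "notify_switches": False},
    MODE_INLINE: {"promiscuous": True, "failback": False, "notify_switches": False,
                  "forged_transmits": True},
}
Policy = Dict[str, object]


def check_layout(role: str, mode: str, mapping: Dict[str, Optional[str]],
                 port_groups: Dict[str, Policy]) -> List[str]:
    """mapping: OVA adapter name -> port group name (None means Monitor2_LAN is
    left disconnected in Tap mode); port_groups: name -> configured properties.
    Returns the list of problems; an empty list means the plan is consistent."""
    if mode not in REQUIRED:
        return [f"unknown mode {mode!r}"]
    problems: List[str] = []
    for adapter in ADAPTERS:
        pg = mapping.get(adapter)
        if pg is None and adapter == "Monitor2_LAN" and mode == MODE_TAP:
            continue                         # optional second monitor link not used
        if pg not in port_groups:
            problems.append(f"{adapter} is mapped to unknown port group {pg!r}")
    if problems:
        return problems

    # Management interface: every property stays at the VMware default.
    mgmt_name = mapping["Management"]
    for prop, default in VMWARE_DEFAULTS.items():
        if port_groups[mgmt_name].get(prop, default) != default:
            problems.append(f"Management ({mgmt_name}): {prop} should keep the VMware default")
    if role == ROLE_MGMT:
        return problems                      # only the management port is active

    wan_pg, lan_pg = mapping["Monitor1_WAN"], mapping.get("Monitor2_LAN")
    if lan_pg is not None and wan_pg == lan_pg:
        problems.append("Monitor1_WAN and Monitor2_LAN share a port group: risk of bridge looping")
    for adapter, name in (("Monitor1_WAN", wan_pg), ("Monitor2_LAN", lan_pg)):
        if name is None:
            continue
        for prop, want in REQUIRED[mode].items():
            have = port_groups[name].get(prop, VMWARE_DEFAULTS[prop])
            if have != want:
                problems.append(f"{adapter} ({name}): {prop} is {have}, table requires {want}")
    if port_groups[wan_pg].get("vlan_id") != ALL_VLANS:
        problems.append(f"Monitor1_WAN ({wan_pg}): set VLAN ID {ALL_VLANS} so traffic on every "
                        "VLAN reaches the scanner")
    return problems


# Constructed port groups, as they might be exported from vSphere.
SAMPLE_PORT_GROUPS: Dict[str, Policy] = {
    "ATP-Mgmt": {},                                          # VMware defaults untouched
    "ATP-WAN": {"promiscuous": True, "failback": False, "notify_switches": False,
                "forged_transmits": True, "vlan_id": ALL_VLANS},
    "ATP-LAN": {"promiscuous": True, "failback": False, "notify_switches": False,
                "forged_transmits": True},
    "Sloppy-SPAN": {"promiscuous": False, "vlan_id": ALL_VLANS},  # teaming left at defaults
}
INLINE_MAP = {"Management": "ATP-Mgmt", "Monitor1_WAN": "ATP-WAN", "Monitor2_LAN": "ATP-LAN"}

if __name__ == "__main__":
    print(check_layout(ROLE_ALL_IN_ONE, MODE_INLINE, INLINE_MAP, SAMPLE_PORT_GROUPS))  # []
```

Properties that the tables do not mention are compared against the VMware defaults rather than ignored, so a port group that was cloned from a hardened template (for example with Forged Transmits set to Reject) is caught before an inline appliance silently drops the frames it forwards.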
See “About virtual appliance installation” on page 52.
Chapter 7
Running bootstrap
This chapter includes the following topics:

■ Opening the console window on a physical appliance or virtual appliance

■ Running bootstrap to configure the appliance

Opening the console window on a physical appliance or virtual appliance
During initial setup, run bootstrap (and all other command-line utilities) from a console window.
The process differs depending on whether you are on the physical appliance or the virtual
appliance.
To open the console window on a physical appliance
1 Press the power button on the front of the appliance.
The appliance takes several minutes to start.
2 Launch a supported browser and type the following into the address line:
https://<static IP address of the iDRAC>
For example, if you assigned the address 10.10.10.10 to the iDRAC, type
https://10.10.10.10 into the address line.
3 On the logon screen, type the ID root and the password that you assigned to the iDRAC.
4 In the Integrated Remote Access Controller window, click the Virtual Console Preview
window, or click the Launch Console link under this window.
To open a console window on a virtual appliance
1 Make sure that the virtual appliance is powered on.
2 Right-click the virtual appliance and choose Open Console.

Refer to the VMware documentation for complete information.


See “Running bootstrap to configure the appliance” on page 62.

Running bootstrap to configure the appliance


Bootstrap configures your physical Symantec Advanced Threat Protection (ATP) appliance
or virtual Symantec Advanced Threat Protection (ATP) appliance. You can configure the
appliance as a management platform, a network scanner, or an all-in-one appliance
(management platform and scanner functionality on the same appliance). It assigns a static
IP address for the management port and sets up communication between the appliance and
your network. After you complete bootstrap, the system automatically restarts.
To run bootstrap
1 Open a console window on the appliance.
See “Opening the console window on a physical appliance or virtual appliance” on page 61.
2 In the console window, log on as follows:
User name = admin
Password = symantec
Bootstrap begins automatically when you are logged on for the first time before
configuration.
Once you complete configuration, you can run bootstrap again using the bootstrap CLI
command.

3 For each prompt, type a response and then press Enter to specify the required information.
The following table describes the bootstrap prompts:

Prompt | Description

New password: | Type a new, secure password for the console. This password replaces the default password, symantec.

Weak password. Try another [y/n]? | A password that is similar to a dictionary word, is too short, or is not complex enough is less secure. Type y to discard the new password and be prompted to try again. Type n to keep the new password you entered.

Re-enter new password: | To confirm the new password, type it again and press Enter. If the two passwords do not match, you are prompted to type and retype the password again.

Select one of the following appliance roles. 1 = Management platform ..., 2 = Network scanner ..., 3 = All-in-one ... []? | Type the number that corresponds to the role for this appliance. The prompt describes each of the available roles.

Configure the management port. IPv4 Address []: | Type a static IP address for the management port. For a management platform or all-in-one appliance, this is the address you use to reach ATP Manager from a browser.

IPv4 Netmask []: | Type the network mask for the management port IPv4 address.

Gateway []: | Type the IP address of the gateway (switch or router) that the appliance uses to reach the rest of your network.

Nameserver (IPv4) []: | Type the IP address of a name server that the appliance can use to resolve host names.

Configure another nameserver? [y/n] | Type y to add a second name server or n to use only one. If you type y, you are prompted for the IP address of the second name server.

Network scanner role only: IP address of the Management Platform: | Type the management port IP address of the management platform appliance that controls this scanner.

Management platform or network scanner roles only: Communication Channel password: | Type a secure password to encrypt communications between the management platform and all of its network scanners. The password must be the same on the management platform and on every network scanner, and it should differ from the management console password. Letters, numbers, periods, underscores, and hyphens are allowed, and the password can be up to 50 characters.

Management platform or network scanner roles only: Re-enter Communication Channel password: | To confirm the communication channel password, type it again and press Enter. If the two passwords do not match, you are prompted to type and retype the password again.

Configure IPv4 static routes? [y/n] | Type y to configure an IPv4 static route or n to skip this step. Static routes may be required, for example to connect a network scanner to its management platform.

Destination (CIDR allowed): / Gateway: | If you choose to configure IPv4 static routes, you are prompted for the destination address (CIDR notation is allowed) and the gateway address.

Add another route? [y/n] | After you configure an IPv4 static route, type y to configure another or n to go to the next prompt. You can configure up to three IPv4 static routes in bootstrap; add further static routes in ATP Manager.

What do you want to call this device? | Type a name to identify this system in ATP Manager. Letters, numbers, spaces, periods, and hyphens are allowed, and the name can be up to 50 characters.
Running bootstrap 65
Running bootstrap to configure the appliance

Set NTP server. []? Type the IP address of the NTP server.

Setting an NTP server ensures that the


appliance has an accurate time to indicate
when detections occurred.

4 When configuration is complete, the console displays the settings that you configured and
then prompts Save changes? [y/n]. Type y to save the configuration or n to reject it and
make changes.
If you type n, bootstrap restarts from the beginning. Most prompts display the previous
value you entered. Press Enter to accept the previous value (if present), or type a new
value to correct the entry.
When bootstrap is complete, the system restarts. After the restart, the console displays the
logon prompt. You are now ready to run the setup wizard.
You can re-run bootstrap (for example, to change certain IP addresses) after initial installation
from the CLI using the bootstrap command. You cannot re-run bootstrap to change the
operating role of the appliance.
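The following Python script is an added example; it is not part of this guide or of the ATP CLI. It checks a set of bootstrap answers against the rules stated in the prompt table before you type them at the console: the gateway must lie in the management port's subnet, bootstrap accepts at most three static routes, the Communication Channel password and device name are limited to the character sets and 50-character length given above, and the channel password should differ from the console password. The dictionary keys and role strings are the example's own convention, not ATP identifiers, and all sample values are constructed.

```python
"""Pre-flight check of bootstrap answers, written as an added example; it is not
part of the Symantec guide or of the ATP CLI. The key names and role strings
below are this example's own convention, not ATP identifiers."""
import ipaddress
import re

MAX_BOOTSTRAP_ROUTES = 3          # the guide: up to three static routes in bootstrap
# Communication Channel password: letters, numbers, periods, underscores, hyphens; up to 50.
CHANNEL_PASSWORD_RE = re.compile(r"^[A-Za-z0-9._-]{1,50}$")
# Device name: letters, numbers, spaces, periods, hyphens; up to 50.
DEVICE_NAME_RE = re.compile(r"^[A-Za-z0-9 .-]{1,50}$")


def check_bootstrap(answers):
    """Return a list of problems in a dict of bootstrap answers (empty when all pass).

    Keys: role, ip, netmask, gateway, nameservers (list), routes (list of
    (destination, gateway) tuples), channel_password, console_password,
    device_name, ntp. All values are strings as you would type them.
    """
    problems = []

    # Management port: the IP, netmask and gateway must describe one subnet,
    # otherwise the appliance cannot reach ATP Manager clients or the Internet.
    try:
        iface = ipaddress.IPv4Interface(f"{answers['ip']}/{answers['netmask']}")
    except ValueError as exc:
        problems.append(f"management IP/netmask invalid: {exc}")
        iface = None
    if iface is not None:
        try:
            gw = ipaddress.IPv4Address(answers["gateway"])
            if gw not in iface.network:
                problems.append(f"gateway {gw} is not inside {iface.network}")
            elif gw == iface.ip:
                problems.append("gateway must differ from the management IP")
        except ValueError:
            problems.append("gateway is not a valid IPv4 address")

    for ns in answers.get("nameservers", []):
        try:
            ipaddress.IPv4Address(ns)
        except ValueError:
            problems.append(f"nameserver {ns!r} is not a valid IPv4 address")

    # Static routes: destination may be CIDR, gateway is an address, at most three.
    routes = answers.get("routes", [])
    if len(routes) > MAX_BOOTSTRAP_ROUTES:
        problems.append("bootstrap accepts at most 3 static routes; add the rest in ATP Manager")
    for dest, gw in routes:
        try:
            ipaddress.IPv4Network(dest, strict=False)
            ipaddress.IPv4Address(gw)
        except ValueError:
            problems.append(f"static route {dest!r} via {gw!r} is malformed")

    # The Communication Channel password is only asked for these two roles.
    if answers["role"] in ("management platform", "network scanner"):
        pw = answers.get("channel_password", "")
        if not CHANNEL_PASSWORD_RE.fullmatch(pw):
            problems.append("channel password: 1-50 letters, digits, '.', '_' or '-' only")
        if pw and pw == answers.get("console_password"):
            problems.append("channel password should differ from the console password")

    if not DEVICE_NAME_RE.fullmatch(answers.get("device_name", "")):
        problems.append("device name: 1-50 letters, digits, spaces, '.' or '-' only")

    try:
        ipaddress.IPv4Address(answers["ntp"])
    except (KeyError, ValueError):
        problems.append("NTP server must be given as an IPv4 address")

    return problems


# Constructed sample answers (not values from the guide) for an all-in-one appliance.
SAMPLE_OK = {
    "role": "all-in-one",
    "ip": "10.20.20.20", "netmask": "255.255.255.0", "gateway": "10.20.20.1",
    "nameservers": ["10.20.20.53"],
    "routes": [("10.30.0.0/16", "10.20.20.254")],
    "console_password": "placeholder-console-pw",
    "device_name": "atp-allinone-01",
    "ntp": "10.20.20.123",
}

# The same answers with four mistakes: gateway off the management subnet, four
# routes, channel password reused from the console, underscore in the device name.
SAMPLE_BAD = dict(
    SAMPLE_OK, role="network scanner", gateway="10.20.21.1",
    routes=SAMPLE_OK["routes"] * 4,
    channel_password="placeholder-console-pw",
    device_name="scanner_01",
)

if __name__ == "__main__":
    for name, answers in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_bootstrap(answers) or "no problems found")
```

Run the script before you sit down at the console; every reported problem is one you would otherwise discover only after bootstrap has restarted the appliance.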
Chapter 8
Running the setup wizard
This chapter includes the following topics:

■ Running the setup wizard

Running the setup wizard


The Symantec Advanced Threat Protection (ATP) setup wizard guides you through the
mandatory configuration steps of an all-in-one or management platform device. This setup
includes uploading the product license and creating the first administrator account so that you
can log on to ATP Manager.
You run the setup wizard after you bootstrap the device. During bootstrap, you assign a static
IP address to the management port of the appliance. This IP address is required to access
the setup wizard and later, ATP Manager.
The console admin account in the bootstrap is independent from the administrative account
in the setup wizard.

Note: The appliance may take a few minutes to boot and start the required services before
the setup wizard can be run. If the IP address of the management port is not responsive, wait
a few minutes before attempting to connect and proceeding with the setup wizard.

To run the setup wizard


1 On a computer that is accessible to the appliance, open a window on a supported browser
and type: https://<IP address of the management port>.
For example, if you assigned the static IP address 10.20.20.20 to the appliance during
bootstrap, type https://10.20.20.20.

Note: You must use the HTTPS protocol when you type the address of the setup wizard.

2 If the browser displays an untrusted certificate or untrusted connection warning, choose
to proceed, and add an exception, if required.
The ATP web interface initially includes a self-signed certificate that can be changed to
use a customer-generated certificate after the initial setup.
See “Configuring secure access to ATP Manager” on page 69.
3 On the logon screen, type the following credentials and then click Sign In or press Enter:
User name: setup
Password: symantec
This account is deactivated when you complete the setup wizard.
4 On the Terms and Conditions screen, read the terms and conditions.
You must accept the Terms and Conditions to continue.
The data handling options are enabled by default. You may choose to uncheck these
options.
5 Click Next.

6 Respond to the prompts on each screen to complete the mandatory configuration. Click
Next to go to the next screen, or click Previous to return to a screen you completed.
The following table describes the additional prompts in the setup wizard and how to
respond to them.

Upload License
    Click Browse to locate the license file, and select the file. When you click Next, ATP uploads the file.
    You must upload a license before the ATP device is functional. You cannot use ATP after initial installation without a license. No grace period exists.

SMTP Settings
    You can enter the SMTP settings in the setup wizard, or you can check Skip adding SMTP server configuration and specify the settings later in ATP Manager.
    Type the SMTP Server (fully qualified domain name is allowed) and Port number of your secure mail server.
    In the Appliance Email field, type the email address where alerts, such as a license expiration notification, are sent from.
    If your mail server requires a secure logon to receive messages, check Authorize. Then type a user name and password that ATP can use to authenticate with the mail server.

Create an Administrative account
    Specify a logon name, password, display name, and user email address for the initial administrator account. You need this logon to complete the setup wizard.
    This administrator can create additional user accounts, including additional administrator accounts.

7 Click Save.
8 Click Exit to end the setup wizard and display the ATP Manager logon screen.
Chapter 9
Completing installation
This chapter includes the following topics:

■ Configuring secure access to ATP Manager

■ Accessing ATP Manager

■ Defining internal networks to ATP

■ Testing the physical appliance bypass mode

■ Testing ATP for successful monitoring or blocking

Configuring secure access to ATP Manager


When you start the setup wizard from a browser, Symantec Advanced Threat Protection (ATP)
generates a self-signed SSL certificate for ATP Manager. You can use this certificate to encrypt
all ATP Manager sessions. For better security, however, Symantec recommends that you
install a certificate that is created specifically for your ATP appliance. Make sure a trusted
Certificate Authority signs the certificate.
The following procedure describes how to import a trusted Certificate Authority certificate.
Each physical appliance or virtual appliance must have its own unique certificate.
Certificates may be in CRT or CER format, with DER or PEM encoding. Only certificates with
RSA keys are supported. Keys should not be pass phrase protected; they are encrypted within
ATP.
Validation is done after the bundle is uploaded. To pass validation, the bundle must take one
of the following forms:
■ Self-signed server certificate
■ Server certificate signed by a root CA: bundle of (server cert + root CA)
■ Server certificate signed by an intermediate CA (there can be multiple intermediate CAs):
bundle of (server cert + intermediate CAs + root CA)
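The following Python script is an added example and is not part of this guide or of ATP, which performs its own validation after upload. It is a structural pre-check you can run on the bundle and key before the upload: it reads the PEM framing and the PKCS#8 algorithm identifier, so it can tell you up front whether the key is RSA and unencrypted (the two key requirements stated above) and how many certificates the bundle holds, mapped to the three accepted bundle forms (one certificate: self-signed; two: server + root CA; three or more: server + intermediate CA(s) + root CA). It does not verify signatures or check that the key matches the certificate. It uses only the standard library; the certificate bodies in the samples are constructed placeholders and the keys are constructed PKCS#8 stubs, not real key material.

```python
"""Structural pre-check of a certificate bundle and key before uploading them on
Settings > Global > SSL Certificate. Added example, not part of the guide or of
ATP (which validates after upload); standard library only, no signature checks."""
import base64
import re

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Yield (label, header_lines, der_bytes) for each PEM block in text."""
    for match in PEM_BLOCK.finditer(text):
        headers, b64 = [], []
        for line in filter(None, map(str.strip, match.group(2).splitlines())):
            # RFC 1421 headers such as Proc-Type/DEK-Info contain ':'; base64 never does.
            (headers if ":" in line else b64).append(line)
        yield match.group(1), headers, base64.b64decode("".join(b64))


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def pkcs8_algorithm_oid(der):
    """Return the algorithm OID (content bytes) from a PKCS#8 PrivateKeyInfo."""
    tag, info, _ = der_tlv(der)                # PrivateKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("PrivateKeyInfo is not a SEQUENCE")
    _, _version, pos = der_tlv(info)           # version INTEGER
    tag, alg, _ = der_tlv(info, pos)           # privateKeyAlgorithm AlgorithmIdentifier
    tag2, oid, _ = der_tlv(alg)                # algorithm OBJECT IDENTIFIER
    if tag != 0x30 or tag2 != 0x06:
        raise ValueError("AlgorithmIdentifier malformed")
    return oid


def inspect_bundle(cert_text, key_text):
    """Return {'certificates': n, 'chain': description, 'problems': [...]}."""
    problems = []
    cert_count = sum(1 for label, _, _ in pem_blocks(cert_text) if label == "CERTIFICATE")
    if cert_count == 0:
        problems.append("no CERTIFICATE block found in the bundle")
    # The guide's three accepted bundle shapes, judged by certificate count only.
    chain = {0: "none", 1: "self-signed server certificate",
             2: "server certificate + root CA"}.get(
        cert_count, "server certificate + intermediate CA(s) + root CA")

    keys = list(pem_blocks(key_text))
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    for label, headers, der in keys:
        if label == "ENCRYPTED PRIVATE KEY" or any(h.startswith("Proc-Type: 4,ENCRYPTED") for h in headers):
            problems.append("private key is pass phrase protected; upload an unencrypted key")
        elif label == "RSA PRIVATE KEY":
            pass                                # legacy PKCS#1 RSA key, unencrypted
        elif label == "PRIVATE KEY":            # PKCS#8: read the algorithm identifier
            try:
                if pkcs8_algorithm_oid(der) != RSA_ENCRYPTION_OID:
                    problems.append("private key is not an RSA key")
            except (ValueError, IndexError) as exc:
                problems.append(f"private key DER is malformed: {exc}")
        else:
            problems.append(f"unsupported key type {label!r}; only RSA keys are supported")
    return {"certificates": cert_count, "chain": chain, "problems": problems}


def make_pem(label, der, headers=()):
    """Wrap bytes as a PEM block; used only to build the constructed samples below."""
    body = base64.b64encode(der).decode()
    lines = [f"-----BEGIN {label}-----", *headers, *([""] if headers else []),
             *(body[i:i + 64] for i in range(0, len(body), 64)), f"-----END {label}-----"]
    return "\n".join(lines) + "\n"


# Constructed samples: certificate bodies are placeholders (never parsed here); the
# PKCS#8 stubs carry a genuine AlgorithmIdentifier around a dummy 2-byte key.
STUB_RSA_PKCS8 = bytes.fromhex("3016" "020100" "300d06092a864886f70d0101010500" "04020000")
STUB_EC_PKCS8 = bytes.fromhex("3012" "020100" "300906072a8648ce3d0201" "04020000")
SERVER_CERT = make_pem("CERTIFICATE", b"constructed placeholder, not an X.509 server certificate")
ROOT_CA_CERT = make_pem("CERTIFICATE", b"constructed placeholder, not an X.509 root CA certificate")
GOOD_KEY = make_pem("PRIVATE KEY", STUB_RSA_PKCS8)
EC_KEY = make_pem("PRIVATE KEY", STUB_EC_PKCS8)
ENCRYPTED_LEGACY_KEY = make_pem("RSA PRIVATE KEY", b"\x00" * 16,
                                headers=("Proc-Type: 4,ENCRYPTED", "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF"))

if __name__ == "__main__":
    print(inspect_bundle(SERVER_CERT + ROOT_CA_CERT, GOOD_KEY))
    print(inspect_bundle(SERVER_CERT, ENCRYPTED_LEGACY_KEY)["problems"])
```

For a real upload, read the CRT/CER file and the key file into the two text arguments. A pass here only means the files have the shape ATP expects; the signature chain and key-to-certificate match are still checked by ATP after upload.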

To secure access to ATP Manager


1 Copy the certificate and key to a location that you can browse to from ATP Manager.
2 In ATP Manager on the Settings > Global page, scroll down to SSL Certificate.
3 Click Edit Certificate.
4 Click Browse beside the Certificate field. Navigate to and select your certificate.
5 Click Browse beside the Unencrypted Private Key field. Navigate to and select your
key.
6 Click Upload.
7 Repeat steps 3 through 6 on each browser that is used to access ATP Manager.
See “Accessing ATP Manager” on page 70.

Accessing ATP Manager


Access ATP Manager from a web browser on any client computer that can connect to the
management port of your management platform or all-in-one appliance. You first access ATP
Manager to run the setup wizard after you run bootstrap. Thereafter, you use ATP Manager
to configure Symantec Advanced Threat Protection (ATP) and perform security operations.
To access ATP Manager
1 On the computer that can access the network that is connected to the management port,
open a web browser.
2 In the web browser, type the following:
https://<IP address>
Where <IP address> is the address that you specified for the ATP appliance during the
bootstrap process.
For example, if the IP address that you specified for the appliance is 192.168.42.24, go
to the following URL:
https://192.168.42.24

Note: Ensure that you use the HTTPS protocol to access ATP Manager.

3 For certain web browsers, you may need to configure a certificate security exception to
access ATP Manager.
Typically, this step is only required at the first logon per computer per session.
See “Configuring secure access to ATP Manager” on page 69.

Defining internal networks to ATP


Define your internal networks to specify which computers are part of your network. Any traffic
that originates from somewhere other than these internal networks is considered "outside the
network." Symantec Advanced Threat Protection (ATP) can thereby differentiate between the
malware infections that affect internal computers and the attacks that originate from outside
the network.
To define the default internal network
1 In ATP Manager, click Settings > Appliances, and then click Edit Default Appliance.
2 In the Internal Network Configuration panel, click +Add Internal Network.
3 In the Subnet field, type the IP address of your internal subnet.
For example, if your internal computers are in the range 10.42.24.0 to 10.42.24.255, type
10.42.24.0.
4 In the Netmask field, type the netmask for the subnet.
For example, if your internal computers are in the range 10.42.24.0 to 10.42.24.255, type
255.255.255.0.
ATP supports the wide subnets that are also known as supernets. If portions of your
network are in a contiguous wide range, it is not necessary to list separate internal network
entries for each range. A single wide range is sufficient.
For example, if you have a list of internal subnets as follows:
■ 10.42.1.0/255.255.255.0
■ 10.42.2.0/255.255.255.0
■ ...
■ 10.42.20.0/255.255.255.0
■ 10.42.30.0/255.255.255.0
You can combine the subnets into one internal network of 10.42.0.0/255.255.0.0.
5 Optionally, in the Description field, type a description of the internal network.
6 If your internal network has computers in separate network ranges, specify additional
networks.
7 Click Save.
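The following Python script is an added example and is not part of this guide or of ATP. It works through the supernet example in step 4 with the standard library's ipaddress module: it checks that the listed /24 subnets all fall inside the single wide range 10.42.0.0/255.255.0.0 the procedure proposes, shows the smallest range that would also cover them, counts how many addresses become "internal" only because the range was widened, and then classifies constructed source and destination addresses as internal or outside, which is the distinction ATP draws between infected internal computers and attacks from outside the network. The subnet list reproduces the four entries written out above; the flow addresses are constructed.

```python
"""Internal-network definitions worked through with the standard library's
ipaddress module. Added example, not part of the guide or of ATP itself."""
import ipaddress

# The internal subnets the guide lists (subnet/netmask form); the guide's "..."
# stands for the /24s between 10.42.2.0 and 10.42.20.0, omitted here as well.
GUIDE_SUBNETS = [
    "10.42.1.0/255.255.255.0",
    "10.42.2.0/255.255.255.0",
    "10.42.20.0/255.255.255.0",
    "10.42.30.0/255.255.255.0",
]
GUIDE_SUPERNET = "10.42.0.0/255.255.0.0"     # the single wide range the guide proposes


def to_networks(entries):
    """Parse subnet/netmask or CIDR strings into IPv4Network objects."""
    return [ipaddress.IPv4Network(e) for e in entries]


def smallest_supernet(networks):
    """Smallest single network that covers every listed subnet."""
    covering = networks[0]
    while not all(n.subnet_of(covering) for n in networks):
        covering = covering.supernet()        # widen by one prefix bit
    return covering


def widening_cost(networks, covering):
    """Addresses inside the wide range that no listed subnet contains, i.e. space
    that counts as internal only because the range was widened."""
    listed = sum(n.num_addresses for n in ipaddress.collapse_addresses(networks))
    return covering.num_addresses - listed


def classify(ip, internal_networks):
    """'internal' if ip falls in a defined internal network, otherwise 'outside'."""
    addr = ipaddress.IPv4Address(ip)
    return "internal" if any(addr in n for n in internal_networks) else "outside"


def classify_flows(flows, internal_networks):
    """Tag (src, dst) pairs by direction: an internal source reaching an outside
    destination is an internal host reaching out; an outside source reaching an
    internal host is inbound from outside the network."""
    tagged = []
    for src, dst in flows:
        s, d = classify(src, internal_networks), classify(dst, internal_networks)
        tagged.append((src, dst, f"{s}->{d}"))
    return tagged


if __name__ == "__main__":
    nets = to_networks(GUIDE_SUBNETS)
    wide = to_networks([GUIDE_SUPERNET])[0]
    print("smallest covering range:", smallest_supernet(nets))     # 10.42.0.0/19
    print("guide's range covers all listed subnets:", all(n.subnet_of(wide) for n in nets))
    print("addresses added by using", wide, ":", widening_cost(nets, wide))
    # Constructed sample flows, not data from the guide.
    for row in classify_flows([("10.42.20.7", "203.0.113.5"), ("198.51.100.9", "10.42.30.2"),
                               ("10.42.200.9", "203.0.113.5")], [wide]):
        print(*row)
```

The third sample flow shows the trade-off in step 4: 10.42.200.9 is not in any listed subnet, but the /16 treats it as internal. Widening is convenient only when the whole range really belongs to your network.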

To define a custom internal network configuration for an individual device


1 In ATP Manager, click Settings > Appliances, and then select the appliance name in
the Appliances list.
2 In the Internal Network Configuration panel, uncheck Use Default if it is checked.
3 Follow steps 2 through 7 of the previous procedure.
To apply the default internal network configuration to a device
1 In ATP Manager, click Settings > Appliances, then select the appliance name in the
Appliances list.
2 In the Internal Network Configuration panel, check Use Default.

Note: Use Default is not available until you configure the default internal network
configuration.

Testing the physical appliance bypass mode


When the Symantec Advanced Threat Protection (ATP) appliance is in Inline mode, the
appliance enters bypass mode if it cannot function or is turned off. In bypass mode, Internet
traffic is routed through the LAN port and the WAN port, but no monitoring or blocking occurs.
For bypass mode to function properly, ensure that you use the proper type of Ethernet cables
to connect to the LAN. LEDs on the back of the appliances indicate bypass mode if the appliance
is not turned off.

Note: In bypass mode, the Ethernet cables on the LAN port and the WAN port are
interconnected. You must ensure that the total length of the interconnected cables does not
exceed the maximum Ethernet cable length. The Ethernet cable length per ANSI/TIA/EIA
cabling standards is 100 m for Cat5e and Cat6. For more information on the Ethernet cable
length, refer to the ANSI/TIA/EIA cabling standards.

To test the physical appliance bypass mode


1 In ATP Manager, click Settings > Appliances, and then double-click an appliance from
the list.
2 In the Network Interface Settings panel, click the toggle switch in the Scanning field to
set scanning to the Off position. Click Ok if a warning dialog appears asking if you are
sure that you want to disable scanning.
With scanning disabled, the physical appliance should now operate in bypass mode.

3 Try to access the Internet from a computer in the LAN that the device monitors or protects.
You should be able to access the Internet. The bypass LEDs on the back of the ATP
appliance should be on, but not blinking.
4 In ATP Manager, click Settings > Appliances, select the device from the list. Then click
the toggle switch in the Scanning field to set scanning to the On position. Click Ok if a
warning dialog appears asking if you want to proceed.
5 Test ATP to ensure that it functions properly.
See “Testing ATP for successful monitoring or blocking” on page 73.

Testing ATP for successful monitoring or blocking


Symantec has a website that you can use to test that Symantec Advanced Threat Protection
(ATP) monitors network data.
To test ATP for successful monitoring or blocking
1 Open a web browser on a computer in the LAN that is connected to ATP.
2 On the Internet, go to the following URL:
www.symantec.com
The Symantec website should display normally without any messages.
3 On the Internet, go to the following URL:
https://testatp.symanteccloud.com
4 Click on each of the links on the test page.
You should see a corresponding incident in the database, whether you are in Tap mode
or Inline Monitor mode. Cloud-based sandboxing detections may be delayed during virtual
execution.
If you are in Inline Block mode, file downloads (except the cloud-based sandbox new file
submission) are interrupted. Subsequent attempts to download the same file are blacklisted.
See “About operating roles, operating modes, and network connections” on page 23.
Chapter 10
Data migration during upgrade to ATP v.3.1
This chapter includes the following topics:

■ Data migration during upgrade to Symantec Advanced Threat Protection v.3.1

■ About the data migration process

Data migration during upgrade to Symantec Advanced Threat Protection v.3.1
When you upgrade to Symantec Advanced Threat Protection (ATP) version 3.1, your existing
data is migrated to a new version of the Elasticsearch database. The following list provides
important notes about the data migration process:

Warning: Rollback is not supported. You should perform a remote backup of your data before
you proceed with the upgrade.

■ During the upgrade procedure, your ATP installation is unavailable for normal operation.
The length of time the installation is down varies depending on the amount of migrated
data. In most cases, downtime is expected to be 4 hours or less.
■ Data migration to version 3.1 is more extensive than previous migrations. For this reason,
you should schedule the migration to occur during off-peak or non-operational hours.
■ You are asked to verify the upgrade.
■ The system health status displays Warning during the migration process.
■ Progress updates and error messages are available in the portal under Logging > System
Activity. The quick filter Features > Data Migration provides data migration statistics.

■ Only the last 90 days of data are migrated.


■ Operational data is migrated first. Other data may be migrated in the background after the
rest of the upgrade completes.
■ The following features are not available during the migration of non-operational data:
■ Splunk
■ Public API
■ Service Now
■ Reports
■ Criterion
■ Backup restore

■ See “About the data migration process” on page 75. This topic provides additional
information about service availability during the migration process, and the data migration
sequence.
■ Clear your browser cache after the upgrade.

About the data migration process


When you upgrade to ATP v.3.1, your operational and non-operational data are migrated to
the product's updated Elasticsearch database. These data are defined as follows:

Operational data
Operational data corresponds to entities in the system such as endpoints, files, domains, and
aggregates. This data is displayed on the dashboard event activity widget.
Operational data is migrated after the product is upgraded to version 3.1.0, but before the
product is restarted. When the ATP Manager is available after restart, the ATP admin can view
all entities and the dashboard, with the following exceptions:
■ Dashboard click-through to the corresponding events is not available until the migration of
non-operational data is in progress.
■ Related entities and incidents are not available until the migration of non-operational data
is in progress.

Non-operational data
Non-operational data corresponds to historical events, incidents, command results, command
states, and system log. This data is migrated after the appliance is restarted after upgrade to
3.1.0. This data is migrated in three phases:
■ Phase 1
  ■ Migrates the events and incidents from the last 7 days.
  ■ Live response events from the last 7 days are not migrated.
  ■ The time to complete this migration depends on size, but should complete in the first
  12 hours after the upgrade.
  ■ Splunk connector, Service Now, and Public API services are enabled after this phase
  is complete.
■ Phase 2
  ■ Migrates the live response events from the last 7 days.
  ■ The time to complete Phase 2 depends on size, but should complete in the first 2 days
  to 5 days after the upgrade.
  ■ No additional services are enabled after this phase is complete.
■ Phase 3
  ■ Migrates all remaining indexes.
  Note: The migration only moves indexes from the last 3 months.
  ■ The time to complete Phase 3 depends on the amount of data.
  ■ Reports, Criterion, and Backup restore services are enabled after this phase is complete.

Note: During the migration, the System Health Indicator in the upper-right corner of ATP
Manager displays yellow. When the migration is complete, this indicator displays green.

See “Data migration during upgrade to Symantec Advanced Threat Protection v.3.1” on page 74.
Appendix A
Ports, connectors, and
indicators on the appliance
This appendix includes the following topics:

■ About appliance ports, connectors, and indicators

About appliance ports, connectors, and indicators


Table A-1 describes the ports, connectors, and indicators on the back of Symantec Advanced
Threat Protection (ATP) appliances.

Table A-1 Ports, connectors, and indicators on ATP appliances

USB port
    You can use this port to attach a keyboard or a mouse to use for the command-line interface.

VGA port
    You can use this port for a monitor.

WAN/Monitor1 Ethernet port (ATP 8840)
    In tap mode, connect the Monitor1 port to the network tap device or a monitoring port on a switch for SPAN.
    In inline mode, connect the WAN port to a switch toward your Internet connection or to your firewall.

LAN/Monitor2 Ethernet port (ATP 8840)
    In tap mode, you may connect the Monitor2 port to the network tap device or a monitoring port on a switch for SPAN.
    In inline mode, connect the LAN port to a switch that is connected to your internal network.

WAN1/Monitor1 Ethernet port (ATP 8880)
    In tap mode, connect the Monitor1 port to the network tap device or a monitoring port on a switch for SPAN.
    In inline mode, connect the WAN1 port to a switch toward your Internet connection or to your firewall.

LAN1/Monitor2 Ethernet port (ATP 8880)
    In tap mode, you may connect the Monitor2 port to the network tap device or a monitoring port on a switch for SPAN.
    In inline mode, connect the LAN1 port to a switch that is connected to your internal network.

WAN2/Monitor3 Ethernet port (ATP 8880)
    In tap mode, you may connect the Monitor3 port to the network tap device or a monitoring port on a switch for SPAN.
    In inline mode, connect the WAN2 port to a switch toward your Internet connection or to your firewall.

LAN2/Monitor4 Ethernet port (ATP 8880)
    In tap mode, you may connect the Monitor4 port to the network tap device or a monitoring port on a switch for SPAN.
    In inline mode, connect the LAN2 port to a switch that is connected to your internal network.

Management (Mgmt) Ethernet port
    Connect the management port to a switch that is connected to your internal network.
    The management port must have access to the following:
    ■ Domain Name Server (DNS)
    ■ Required Internet services

Power
    This connector provides power to the appliance. Your appliance may have an extra, redundant power connector.

iDRAC Ethernet port
    You can connect the iDRAC port to a port on a switch or to a PC during initial bring-up.

Bypass NIC LED indicators
    Three pairs of LED indicators appear on the bypass NIC card.
    The Link/Activity pair is solid green, and blinks green on activity when bypass mode is off. It is off when bypass mode is on.
    The Bypass pair is solid green when the appliance is running in bypass mode, and is off when bypass mode is off.
    The DISC pair is always off (not used).

See “Installing the 8840 appliance” on page 43.
See “Installing the 8880 appliance” on page 45.


Index

A
all-in-one device
  about 24
  setting the role in bootstrap 63
antivirus 8
ATP
  about 7
ATP Manager 69
  See also certificates
  See also password
  accessing 69–70
  creating initial administrator account 68
  screen resolution 12
  supported browsers 12

B
Blacklist 8
bootstrap 62
browsers, supported 12
bypass mode
  about 27
  NIC LED indicators 78
  testing 72
  unavailable in virtual appliance 27, 52

C
cabling
  crossover 32
  for Inline Block/Monitor mode 46
  for Tap/Span mode 32–33, 46
  physical appliance 43, 46
  virtual appliance 58
certificates
  about 69
  third-party 69
console access
  physical appliance 61
  virtual appliance 61
Cynic 8

D
DHCP 21, 49–50
DNS server 18, 63

E
ESXi server 52, 54, 56, 58

F
firewall 35

I
iDRAC 10, 48–50
Inline Block/Monitor mode 25
  See also bypass mode
  See also static routes
  about 25–26
  cable configurations 30, 55
Insight 8
internal networks 71
ISO file
  not supported for virtual appliance 57

L
license 68
login credentials
  ATP Manager initial administrator 68
  bootstrap 62
  console 61, 63
  iDRAC 51, 61
  setup wizard 67

M
management network 32
management platform/network scanner
  about 23
  setting the role in bootstrap 63–64
management port 32
mirroring, in tap mode 30
Mobile Insight 8

N
network configuration diagrams 32, 54
network scanner. See management platform/network scanner
NIC card 27, 78
NTP server 65

O
operating mode 17
operating role 23
  See also all-in-one device
  See also management platform/network scanner
  changing the operating role 24
OVA template 52, 57

P
password
  bootstrap 62
  communications channel 64
  console 61, 63
  iDRAC 51, 61
  setup wizard 67
physical appliance
  iDRAC 10, 48–50
  installing ATP 8840 43
  installing ATP 8880 45
  system requirements 10
ports
  connections to 29
  on firewall 35
  on physical appliance 43, 46, 77
  on virtual appliance 56
  used by ATP 35
proxy server
  placement in network 32
  recommendations 41

S
setup wizard 66
SMTP 68
SONAR 8
static routes 18, 64
Symantec Advanced Threat Protection. See ATP
Symantec Email Security.cloud 7
Symantec Endpoint Protection 7
Synapse correlation
system requirements 13

T
Tap/Span mode
  about 28
  cable configurations 30, 32–33, 54
  testing 73
Targeted Attack Analytics 36
testing
  bypass mode 72
  monitoring mode 73

V
Vantage 8
virtual appliance
  about 52
  installing 57
  system requirements 11
  virtual adapters 53, 59
  virtual switches 54, 56, 58

W
web browsers
  requirements 12
  screen resolution for ATP Manager 12
  supported 12
Whitelist 8