Kaspersky Industrial CyberSecurity for Networks

Connecting and configuring external storage for traffic dump files

March 22, 2024

ID 258307

The application saves traffic received through the monitoring points as traffic dump files. The application uses the internal storage of each node to keep these files online and to analyze the traffic saved in them. Files in the internal storage are saved and deleted according to the internal storage settings specified for the node. To keep traffic dump files for a longer time, connect and configure external storage on the node. Traffic dump files stored in the external storage can be used to download traffic to PCAP files, for example, to download the traffic of network sessions whose dump files have already been deleted from the internal storage on the node.

Use a directory in the local file system of the node computer as the external storage. This directory must be mounted on a hard drive that has sufficient free space and does not contain the /var/ directory. You can also use a directory where a shared network resource of another computer is mounted, similar to the directory used for exporting events to a network resource. The kics4net account must be granted permissions on the directory in the local file system, including the permission to create nested directories.

Actions for creating and mounting a directory for the external storage are performed using the standard operating system tools of the node computer.

To connect and configure the external storage for the traffic dump files on a node:

  1. Connect to the Kaspersky Industrial CyberSecurity for Networks Server through the web interface using the Administrator account.
  2. Select Settings → Deployment.
  3. Select the tile of the relevant node.

    The details area appears in the right part of the web interface window.

  4. Click the Edit button.

    The details area will show the tabs for configuring the node parameters.

  5. Select the External storage tab and enable the external storage usage mode using the Connect external storage for traffic dump files switch.
  6. Specify the path in the local file system of the node to the directory intended for external storage.
  7. Set the space limit for storing the traffic dump files in the Maximum size group of settings.

    You can select the unit of measure for the space limit: MB or GB.

  8. If necessary, in the Filtering stored traffic section, enable filtering and enter a Berkeley Packet Filter (BPF) expression based on the address fields of the network packets.

    Filtering reduces the volume of stored traffic by skipping the network packets that do not match the filter. Note that when you later view the traffic dump files or download traffic from them, the packets skipped at save time cannot be recovered or downloaded.

  9. If necessary, in the Storage time limit section, enable a limit on the minimum storage time for the files and specify the required number of days.
  10. Click Save.
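The directory itself is prepared with the operating system tools of the node, as noted above. The following script is an added example, not Kaspersky's code: it creates the directory for the kics4net account (the account named on this page), and checks the requirements before you enter the path on the External storage tab. It assumes the placeholder path /mnt/kics-dumps, interprets "not containing /var/" as "not on the same filesystem as /var", and takes the minimum free space in MB from the value you intend to enter under Maximum size.

```shell
#!/bin/sh
# Added example (not Kaspersky's code): prepare and sanity-check a local
# directory before connecting it as external storage for traffic dumps.
# Assumptions: service account "kics4net" (named on the page);
# /mnt/kics-dumps is a constructed placeholder; "not containing /var/" is
# checked as "does not share a filesystem with /var".

# Exit 0 if DIR and REF are on the same filesystem, 1 if not, 2 on error.
same_filesystem() {
    dir_dev=$(stat -c %d "$1" 2>/dev/null) || return 2
    ref_dev=$(stat -c %d "$2" 2>/dev/null) || return 2
    [ "$dir_dev" = "$ref_dev" ]
}

# Print the free space of the filesystem holding DIR, in MB.
free_space_mb() {
    df -Pk "$1" | awk 'NR == 2 { print int($4 / 1024) }'
}

# Create DIR and give OWNER (default kics4net) the right to create nested
# directories; no other account gets access to the dump files.
prepare_storage_dir() {
    dir=$1; owner=${2:-kics4net}
    mkdir -p "$dir" || return 1
    chown "$owner" "$dir" || return 1
    chmod 0700 "$dir"
}

# Validate DIR: it exists, is owned by OWNER, is not on the /var filesystem
# and has at least MIN_MB free (the limit you set under Maximum size).
check_storage_dir() {
    dir=$1; owner=${2:-kics4net}; min_mb=${3:-0}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    [ "$(stat -c %U "$dir")" = "$owner" ] || { echo "$dir is not owned by $owner" >&2; return 1; }
    if same_filesystem "$dir" /var; then
        echo "$dir shares a filesystem with /var; use a separate disk" >&2
        return 1
    fi
    [ "$(free_space_mb "$dir")" -ge "$min_mb" ] || { echo "less than ${min_mb} MB free on $dir" >&2; return 1; }
    echo "$dir is usable as external storage"
}

# Typical use on the node, as root, before step 6 (placeholder path, 50 GB limit):
#   prepare_storage_dir /mnt/kics-dumps && check_storage_dir /mnt/kics-dumps kics4net 51200
```

If the directory is a mounted network share, ownership is set by the share's export options rather than by chown, so check_storage_dir's owner test is the one to watch there.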

See also:

Managing the settings for saving traffic dump files
