Configure the operating system firewall. If the system has its own netfilter rules (or firewalld rules) with a DROP policy, the application can only work correctly if an accept rule allows incoming connections from the local device over the loopback interface:
Example command for iptables:
iptables -A INPUT -i lo -j ACCEPT
To make a REDIRECT rule (for example, a redirection from port 443 to port 8443) compatible with the interception rules of the Network Threat Protection component, use the following rules:
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -m mark ! --mark 0x400/0x400 -j REDIRECT --to-ports 8443
iptables -t nat -A OUTPUT -p tcp --dport 443 -m mark --mark 0x400/0x400 -m addrtype ! --src-type LOCAL -j DNAT --to-destination :8443
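The script below is an added example and is not part of the Kaspersky documentation or the product. It applies the three rules above idempotently: each rule is checked with iptables -C before it is appended, so re-running the script after a reboot or from a configuration-management tool does not create duplicate rules. The IPTABLES variable and the APPLY_RULES guard are assumptions of this example; the rules themselves are the ones given above.

```shell
#!/bin/sh
# Added example, not from the Kaspersky documentation: apply the firewall rules
# described above without duplicating them on repeated runs.
# IPTABLES can point at a wrapper (for example a dry-run stub); this is an
# assumption of the example, not a product setting.
IPTABLES="${IPTABLES:-iptables}"

# ensure_rule TABLE CHAIN MATCH...: append the rule only if iptables -C reports it absent.
# Prints "present:" or "added:" followed by the rule so the outcome is visible in logs.
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    if "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        printf '%s\n' "present: -t $table $chain $*"
    else
        "$IPTABLES" -t "$table" -A "$chain" "$@" && printf '%s\n' "added: -t $table $chain $*"
    fi
}

# The three rules from the documentation text above.
apply_kesl_firewall_rules() {
    # Loopback traffic must be accepted when the INPUT policy is DROP.
    ensure_rule filter INPUT -i lo -j ACCEPT
    # 443 -> 8443 redirect that skips packets carrying the 0x400 mark
    # used by the Network Threat Protection interception rules.
    ensure_rule nat PREROUTING -p tcp -m tcp --dport 443 \
        -m mark ! --mark 0x400/0x400 -j REDIRECT --to-ports 8443
    # OUTPUT rule from the documentation: marked traffic whose source
    # address is not local is sent to port 8443 by DNAT.
    ensure_rule nat OUTPUT -p tcp --dport 443 -m mark --mark 0x400/0x400 \
        -m addrtype ! --src-type LOCAL -j DNAT --to-destination :8443
}

# Opt-in so that sourcing the file for its functions has no side effects.
if [ "${APPLY_RULES:-0}" = "1" ]; then
    apply_kesl_firewall_rules
fi
```

Run it as root with APPLY_RULES=1. Rules added this way live only in the running kernel; persist them with the distribution's mechanism (for example iptables-save, or the firewalld equivalents) so they survive a reboot, and keep the REDIRECT and DNAT rules paired so that marked and unmarked traffic keep taking the paths the documentation describes.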
Configure the certificate verification policy. By default, the Web Threat Protection component decrypts and scans network traffic sent over encrypted connections. During verification, the component may access the internet to download missing certificate chains needed to verify a certificate. If the device has no direct internet access, you must either select a local certificate verification method (one that does not use the internet) or configure a proxy server for internet access.
You can select a local certificate verification method in the network traffic scan settings:
Limit the list of network ports monitored by the application. By default, the application only monitors selected network ports. If the device uses an SMB connection, make sure the default value is used:
In the policy in the Web Console or Administration Console: in the network traffic scan settings, the Monitor selected network ports only option is selected.
Locally on the device: the MonitorNetworkPort network traffic scan setting is set to Selected.
When using the application together with the HAProxy load balancer, we recommend taking the following steps:
Open the /var/opt/kaspersky/kesl/common/kesl.ini configuration file, create the [Environment] section and add the TcpSynInterceptDisabled=1 setting to it.
Restart the application:
systemctl restart kesl
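The script below is an added example, not code from the Kaspersky documentation or the product. It performs the two HAProxy steps above in a way that is safe to repeat: the [Environment] section is created only if it is missing, an existing TcpSynInterceptDisabled line inside that section is replaced rather than duplicated, other sections are left untouched, and the file is overwritten in place so its owner and mode are preserved. The KESL_INI variable and the KESL_HAPROXY_APPLY guard are assumptions of this example; the path, section, key and restart command are the ones given above.

```shell
#!/bin/sh
# Added example, not from the Kaspersky documentation: put TcpSynInterceptDisabled=1
# into the [Environment] section of kesl.ini idempotently, then restart the service.
# KESL_INI and KESL_HAPROXY_APPLY are assumptions of this example.
KESL_INI="${KESL_INI:-/var/opt/kaspersky/kesl/common/kesl.ini}"

# set_ini_value FILE SECTION KEY VALUE
# Creates the section if missing, replaces an existing KEY= line inside the section,
# or adds the key at the end of the section. Other sections are not modified.
set_ini_value() {
    file="$1"; section="$2"; key="$3"; value="$4"
    [ -f "$file" ] || { echo "set_ini_value: no such file: $file" >&2; return 1; }
    tmp=$(mktemp) || return 1
    awk -v s="$section" -v k="$key" -v v="$value" '
        BEGIN { in_s = 0; found_s = 0; done = 0 }
        /^\[.*\]$/ {
            # Leaving the target section without having seen the key: add it here.
            if (in_s && !done) { print k "=" v; done = 1 }
            in_s = ($0 == ("[" s "]"))
            if (in_s) found_s = 1
            print; next
        }
        in_s && !done && $0 ~ ("^[ \t]*" k "[ \t]*=") { print k "=" v; done = 1; next }
        { print }
        END {
            if (!found_s) { if (NR > 0) print ""; print "[" s "]" }
            if (!done) print k "=" v
        }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Copy back over the original so the file keeps its owner and permissions.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# The two documented steps: edit kesl.ini, then restart the application.
enable_haproxy_compat() {
    set_ini_value "$KESL_INI" Environment TcpSynInterceptDisabled 1 || return 1
    systemctl restart kesl
}

# Opt-in so that sourcing the file for its functions has no side effects.
if [ "${KESL_HAPROXY_APPLY:-0}" = "1" ]; then
    enable_haproxy_compat
fi
```

Run it as root with KESL_HAPROXY_APPLY=1. The awk program keys on the exact section header and a KEY= line at the start of a line, so a commented-out or differently named key is not mistaken for the real setting; the file must already exist, which it does on a device where the application is installed.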
Using the Web Threat Protection and Network Threat Protection components together with Kubernetes containerization requires additional careful fine-tuning of the operating system firewall. The components cannot be used with Kubernetes if the Cilium CNI is also used.