1. In the main window of Kaspersky Security Center Web Console, select Devices → Policies and policy profiles.

   A list of policies and policy profiles opens.

2. Select the administration group containing the SVMs to which the policy should be applied. To do so, click the link in the Current path field located above the list of policies and policy profiles, and select an administration group in the window that opens. The new policy will determine the operating settings of Protection Servers installed on SVMs in the selected administration group.
3. Click the Add button located above the list of policies and profiles.

   The New Policy Wizard starts.

4. At the first step of the wizard, select Kaspersky Security for Virtualization 6.0 Light Agent – Protection Server from the list.

   Proceed to the next step of the wizard.

5. Decide whether you want to use Kaspersky Security Network (KSN) in the operation of the Protection Server. To do so, carefully read the Kaspersky Security Network Statement. Then select one of the following options:
   • I confirm that I have fully read, understand, and accept the terms and conditions of the Kaspersky Security Network Statement

     If you select this option, you agree to the terms and conditions set forth in the Kaspersky Security Network Statement. If the KSN Proxy service is enabled in the properties of the Kaspersky Security Center Administration Server, the use of KSN in the operation of the Protection Server will be enabled. KSN services are used when protecting virtual machines and when running scan tasks on virtual machines.

     The Kaspersky Security Center Administration Server properties are where the KSN infrastructure type (KSN or KPSN) is selected and the use of KPSN is configured. See Kaspersky Security Center help for more information.

     By default, KSN is used in extended mode. If needed, you can disable the use of extended KSN in the Protection Server policy properties.

   • I do not accept the terms and conditions of the Kaspersky Security Network Statement

     If this option is selected, you decline to use Kaspersky Security Network.

     KSN services will not be used in the operation of the Protection Server.

   If necessary, you can later change the decision to use KSN and configure the KSN mode in the Protection Server policy properties.

   If you want to use KSN in the operation of the Protection Server, make sure that the KSN settings are configured in the properties of the Kaspersky Security Center Administration Server (in the KSN proxy server settings section). The KSN infrastructure type (KSN or KPSN), KSN proxy server settings, and KPSN settings are defined in the Administration Server properties. See Kaspersky Security Center help for more information.

   KSN settings configured for the Protection Server do not affect the use of KSN in the operation of Light Agents. You can configure the use of KSN in the operation of Light Agents using Kaspersky Endpoint Security for Linux commands or in the Kaspersky Endpoint Security for Linux policy. For more details, see the Kaspersky Endpoint Security for Linux Help. It is recommended to specify the same KSN usage settings for the Protection Server and the Light Agent that interacts with this Protection Server.

   Proceed to the next step of the wizard.

6. Configure the connection of SVMs to the Integration Server:
   1. Click the Settings button.
   2. In the Connection to the Integration Server window that opens, enter the following settings:
      • Address

        IP address in IPv4 format or fully qualified domain name (FQDN) of the device on which the Integration Server is installed.

        If the address is specified as a NetBIOS name, localhost or 127.0.0.1, connection to the Integration Server completes with an error.

      • Port

        Port for connecting to the Integration Server.

        By default, port number 7271 is specified.

   3. Click the Validate button.

      The New Policy Wizard checks the SSL certificate received from the Integration Server. If the certificate contains errors or is not trusted, a corresponding message is displayed in the Connection to the Integration Server window. Click View the received certificate to view information about the received certificate. If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure.

   4. To save the received certificate and continue connecting to the Integration Server, in the Select an action block, select the Ignore option.
   5. Specify the password of the Integration Server administrator (password of the admin account) and click the Validate button.

      The New Policy Wizard connects to the Integration Server. If the connection fails, an error message appears in the window. If the connection succeeds, the Connection to the Integration Server window closes, and the Connection to the Integration Server field of the New Policy Wizard window shows the Connected status.

   Proceed to the next step of the wizard.

7. On the General tab, specify the name of the new policy, define its status (Active or Inactive) and configure inheritance settings. For details, please refer to the Kaspersky Security Center help.
8. If required, modify the default policy settings on the Application settings tab.
9. Click Save to complete the policy creation.

The created policy will be displayed in the list of policies on the Policies and policy profiles tab.

The policy will be propagated to the SVM and will begin to be applied in the operation of the Protection Server on this SVM after the Kaspersky Security Center Administration Server sends information to the Protection Server the next time the SVM connects.

If Network Agent is not running on the SVM, the created policy is not applied on it.

If on the General tab you specified the Inactive policy status, the created policy is not applied to the SVMs.

1. In the Kaspersky Security Center Administration Console tree, in the Managed devices folder, select the administration group containing the SVMs on which the policy should be applied. The policy will determine the operating settings of the Protection Servers installed on these SVMs.

   On the Devices tab of the folder with the name of the administration group, you can view a list of SVMs that belong to this administration group.

2. In the workspace, select the Policies tab.
3. Click the New policy button to start the New Policy Wizard.

   You can also start the wizard using the New → Policy option in the context menu of the policy list.

4. At the first step of the wizard, select Kaspersky Security for Virtualization 6.0 Light Agent – Protection Server from the list.

   Proceed to the next step of the wizard.

5. Enter a name for the new policy.
6. To use the settings from the policy for the Protection Server of the previous version of Kaspersky Security in the policy being created, select the Use policy settings for the earlier application version check box.

   Proceed to the next step of the wizard.

7. Decide whether you want to use Kaspersky Security Network (KSN) in the operation of the Protection Server. To do so, carefully read the Kaspersky Security Network Statement. Then select one of the following options:
   • I confirm that I have fully read, understand, and accept the terms and conditions of the Kaspersky Security Network Statement

     If you select this option, you agree to the terms and conditions set forth in the Kaspersky Security Network Statement. If the KSN Proxy service is enabled in the properties of the Kaspersky Security Center Administration Server, the use of KSN in the operation of the Protection Server will be enabled. KSN services are used when protecting virtual machines and when running scan tasks on virtual machines.

     The Kaspersky Security Center Administration Server properties are where the KSN infrastructure type (KSN or KPSN) is selected and the use of KPSN is configured. See Kaspersky Security Center help for more information.

     By default, KSN is used in extended mode. If needed, you can disable the use of extended KSN in the Protection Server policy properties.

   • I do not accept the terms and conditions of the Kaspersky Security Network Statement

     If this option is selected, you decline to use Kaspersky Security Network.

     KSN services will not be used in the operation of the Protection Server.

   If necessary, you can later change the decision to use KSN and configure the KSN mode in the Protection Server policy properties.

   If you want to use KSN in the operation of the Protection Server, make sure that the KSN settings are configured in the properties of the Kaspersky Security Center Administration Server (in the KSN proxy server section). The KSN infrastructure type (KSN or KPSN), KSN proxy server settings, and KPSN settings are defined in the Administration Server properties. See Kaspersky Security Center help for more information.

   KSN settings configured for the Protection Server do not affect the use of KSN in the operation of Light Agents. You can configure the use of KSN in the operation of Light Agents using Kaspersky Endpoint Security for Linux commands or in the Kaspersky Endpoint Security for Linux policy. For more details, see the Kaspersky Endpoint Security for Linux Help. It is recommended to specify the same KSN usage settings for the Protection Server and the Light Agent that interacts with this Protection Server.

   Proceed to the next step of the wizard.

8. If you want to receive updates of the solution's application modules together with the solution database update package, select the Update solution modules check box.

   Enables/disables receiving updates for Kaspersky Security application modules along with updates to the solution databases.

   If the check box is selected, during execution of the Database update task the Protection Server receives updates of application modules for Kaspersky Security components along with database updates from the Kaspersky Security Center Administration Server storage.

   This check box is cleared by default.

   Proceed to the next step of the wizard.

9. If you want to get SVM status using a network management system that uses the SNMP protocol, select the Enable SNMP monitoring of SVM status check box.

   Enabling / disabling SNMP monitoring of SVM status.

   If the check box is selected, the SNMP agent installed on an SVM relays information about the status of the SVM to the network management system of your organization.

   If the check box is cleared, no information about SVM state is sent.

   This check box is cleared by default.

   Proceed to the next step of the wizard.

10. If you have enabled display of additional Protection Server policy settings, configure the additional Protection Server settings.
    • Maximum number of simultaneous scan requests

      Maximum number of scan requests from Light Agents simultaneously processed by the Protection Server. Light Agents generate scan requests during protection of virtual machines and while running scan tasks.

      By default, the Protection Server can process 75 scan requests simultaneously.

    • Maximum number of scan tasks started by schedule

      Maximum number of simultaneous scan tasks running on the Protection Server that have been started according to the Light Agent schedule. These scan tasks are low-priority tasks for the Protection Server.

      By default, five low-priority scan tasks are performed simultaneously.

    • Maximum number of scan tasks started manually

      Maximum number of simultaneous scan tasks running on the Protection Server that were started manually. These scan tasks are high-priority tasks for the Protection Server.

      By default, five high-priority scan tasks are performed simultaneously.

    • Trace level

      Drop-down list where you can select the trace level for the Protection Server (scanserver service on the SVM). The trace levels are arranged so that each level includes all of the levels below it.

      The following items are available from the drop-down list:

      • Default value. Default value.
      • Tracing is disabled (0). Creation of trace files is disabled.
      • Starting and stopping components (100). Informational messages about starting and stopping the Protection Server.
      • Critical errors (200). Messages about critical errors in the operation of the Protection Server.
      • Errors (300). Messages about errors and critical errors in the operation of the Protection Server.
      • Critical warnings (400). Critical warnings and messages about ordinary and critical errors.
      • Warnings (500). All warnings and messages about ordinary and critical errors.
      • Important messages (600). Important messages, all warnings and messages about ordinary and critical errors.
      • Informational messages (700). Informational messages, important messages and all warnings and messages about ordinary and critical errors.
      • Debugging messages (800). Debugging messages and all informational and important messages, as well as all warnings and messages about ordinary and critical errors.
      • Detailed debugging messages (900). Debugging messages with more detailed information and all informational and important messages, as well as all warnings and messages about ordinary and critical errors.
      • All messages (1000). All possible messages and warnings.
    • Restore default settings

      Restores the default settings.

    Proceed to the next step of the wizard.

11. Configure the connection of SVMs to the Integration Server.
    • Address

      IP address in IPv4 format or fully qualified domain name (FQDN) of the device on which the Integration Server is installed.

      If the device on which Kaspersky Security Center Administration Console is installed is part of a domain, the field indicates the domain name of this device by default.

      If the device on which the Kaspersky Security Center Administration Console is installed is not part of a domain or the Integration Server is installed on another device, the field must be filled in manually.

      If the address is specified as a NetBIOS name, localhost or 127.0.0.1, connection to the Integration Server completes with an error.

    • Port

      Port for connecting to the Integration Server.

      By default, port number 7271 is specified.

    Proceed to the next step of the wizard.

    If the device hosting the Kaspersky Security Center Administration Console does not belong to a domain or your account does not belong to the KLAdmins local or domain group or to the local administrator group, in the Connection to the Integration Server window that opens, specify the Integration Server administrator password (password of the admin account).

    The New Policy Wizard checks the SSL certificate received from the Integration Server. If the certificate contains an error or is not trusted, the Verify Integration Server certificate window opens. You can view information about the received certificate. If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure. To continue connecting to the Integration Server, click the Ignore button. The received certificate will be installed as a trusted certificate on the device where the Kaspersky Security Center Administration Console is installed.

12. If required, enable the use of encryption to protect the connection between Light Agents and Protection Servers.
    • Encrypt data channel between Light Agent and the Protection Server

      Encrypt the connection between Light Agents and Protection Servers.

      If the check box is selected, a secure connection is established between the Light Agent and the policy-controlled Protection Server after the Light Agent connects to the SVM with this Protection Server. A Light Agent can connect to an SVM that has connection protection enabled only if the Light Agent also has connection protection enabled or the SVM allows unsecure connections.

      If the check box is cleared, an unsecure connection is established between the Light Agent and the Protection Server after the Light Agent connects to the SVM with this Protection Server.

      This check box is cleared by default.

    • Allow nonsecure connection if secure connection cannot be established

      Allow an unsecure connection between Light Agents and Protection Servers.

      If the check box is selected, an unsecure connection may be established between Light Agents and policy-controlled Protection Servers if a secure connection cannot be established.

      If the check box is cleared, only a secure connection can be established between Light Agents and policy-controlled Protection Servers. A Light Agent will not be able to connect to the SVM if a secure connection cannot be established to the Protection Server on this SVM.

      This check box is cleared by default.

    Proceed to the next step of the wizard.

13. If you want to control Light Agents' connection to SVMs using connection tags, configure the settings for using connection tags:
    • Allow connection of Light Agents with specified tags

      Allow SVM connections only for Light Agents that are assigned the tags specified in the field below.

      If the check box is selected, only Light Agents with the specified tags can connect to the SVM.

      If the check box is cleared, only Light Agents that do not have tags assigned to them can connect to the SVM.

      The check box is cleared by default.

    • Tag list

      Only Light Agents that are assigned the tags specified in this field can connect to the SVM.

      You can specify one or more tags separated by semicolons.

14. If required, Enable optimization for protection of large infrastructures.

    Proceed to the next step of the wizard.

15. Exit the Policy Wizard.

The created policy will be displayed in the list of policies of the administration group on the Policies tab and in the Policies folder of the console tree.

The policy will be propagated to the SVM and will begin to be applied in the operation of the Protection Server on this SVM after the Kaspersky Security Center Administration Server sends information to the Protection Server the next time the SVM connects.

If Network Agent is not running on the SVM, the created policy is not applied on it.

If you selected the Inactive policy option during the previous step of the New Policy Wizard, the newly created policy is not applied on the SVM.