[Topic 275815]

Kaspersky SD-WAN Help

New features

What's new in each version of Kaspersky SD-WAN

Hardware and software requirements

Review the hardware and software requirements

Getting started

• Deploying Kaspersky SD-WAN
• Managing the corporate infrastructure
• Managing users and their access permissions
• Multitenancy

  
  

Monitoring and reports

• Configuring logs on CPE devices
• Monitoring traffic packet information using the NetFlow protocol
• Diagnosing CPE devices
• Monitoring solution components
  
  

Updating

Update Kaspersky SD-WAN from a previous version

Additional features

• Managing the firewall
• Quality of Service (QoS)
• Traffic mirroring
  
  

Appendices

Get information about Kaspersky SD-WAN from additional guides

Page top

[Topic 237477]

About Kaspersky SD-WAN

Kaspersky SD-WAN is used to build Software-Defined Wide Area Networks (Software Defined WAN; SD-WAN). In such networks, routes with the lowest latency and the greatest bandwidth are determined automatically. Traffic is routed using the SDN (Software Defined Networking) technology.

The SDN technology separates the

from the and allows managing the network infrastructure using an and the API. Separating the control plane from the data plane makes it possible to virtualize network functions (Network Function Virtualization; NFV), wherein network functions such as firewalls, routers, and load balancers are deployed on standard equipment. Network function virtualization in the solution is compliant with the NFV MANO specification (NFV Management and Network Orchestration) standards of the European Telecommunications Standards Institute (ETSI).

Building an SD-WAN network does not depend on transport technologies. You can also send traffic over multiple links based on application requirements regarding bandwidth and quality of service. The following underlay network types are supported:

• MPLS transport networks
• Broadband links for connecting to the Internet
• Leased communication lines
• Wireless connections including 3G, 4G, and LTE
• Satellite links

The solution is intended for service providers and organizations with a large branch network; it replaces standard routers in distributed networks with Customer Premise Equipment devices (hereinafter referred to as CPE devices, CPEs).

Kaspersky SD-WAN lets you do the following:

• Intelligent traffic management
• Automatic CPE device configuration
• Central management of solution components using the web interface
• Network monitoring
• Automatically responding to changes in QoS policies to meet requirements of applications

The figure below shows a diagram of an SD-WAN network built using the Kaspersky SD-WAN solution.

SD-WAN network diagram

In this Help section Distribution kit Hardware and software requirements Ensuring security What's new

Page top

[Topic 249139]

Distribution kit

To learn more about purchasing the solution, please visit the Kaspersky website (https://www.kaspersky.com) or contact partner companies.

The distribution kit includes the following components:

• knaas-installer_<version> in the TAR.GZ format (hereinafter also referred to as the installation archive) for solution deployment.
• Docker containers for deploying Kaspersky SD-WAN components:
  • knaas-ctl
  • knaas-orc
  • knaas-www
  • knass-vnfm
  • knaas-vnfm-proxy
  • mockpnf

  You must download the following containers from the common Docker repository:

  • mariaDB
  • mongo
  • redis
  • syslog-ng
  • zabbix-proxy-mysql
  • zabbix-server-mysql
  • zabbix-web-nginx-mysql
• CPE device firmware.
• A file with the text of the End User License Agreement, which stipulates the terms and conditions that you must accept to use the solution.
• Kaspersky SD-WAN Online Help files that let you read documentation without an Internet connection.

The content of the distribution kit may differ depending on the region in which the solution is distributed.

Page top

[Topic 239105]

Hardware and software requirements

Kaspersky SD-WAN has the following hardware and software requirements:

Hardware requirements depend on the number of CPE devices being managed (see the table below). If you need to connect more than 250 CPE devices, you need to deploy additional controllers. If you need to calculate hardware requirements for a specific deployment scheme more precisely, we recommend contacting Kaspersky Technical Support.

Third-party solution requirements

The following third-party solutions are necessary to deploy the solution:

• The Zabbix monitoring system versions 5.0.26 or 6.0.0. For details, please refer to the official documentation of the Zabbix solution.
• The Docker cloud platform version 1.5 or later for deploying Docker containers of solution components. For details, please refer to the official documentation of the Docker cloud platform.
• The OpenStreetMap service for viewing the transport service topology overlaid on a map. If the infrastructure of your organization does not provide for an Internet connection, you can use offline maps. Offline maps take up additional disk space:
  • The offline map (central-fed-district-latest.osm.pbf) takes up approximately 100 GB.
  • Geocoding data takes up approximately 10 GB.

  For detailed information, please refer to the official documentation of the OpenStreetMap service.

Operating system requirements

The following 64-bit operating systems are supported:

• Ubuntu 20.04 LTS or 22.04 LTS
• Astra Linux 1.7 (security level: "Orel").
• RED OS 8.

Requirements for deployment environments of central components of the solution

The following deployment environments are supported for central components of the solution:

• Bare-metal servers:
  • CPU Intel Xeon E5-2600 v2 or later or an equivalent CPU.
  • IOPS 3000 or later.
• VMWare virtualization environment:
  • Version 7.0 or later.
  • The openvm-tools agent must be installed.
  • IOPS 3000 or later.
• KVM virtualization environment:

  Only the original KVM virtualization environment without additional orchestration tools is supported.

  • Kernel version 5.15 or later.
  • qemu-guest-agent must be installed.
  • The CPU must be in host mode.
  • IOPS 3000 or later.

Requirements for links between nodes of solution components

When deploying Kaspersky SD-WAN, you can deploy multiple nodes of solution components. The following requirements apply to links between nodes of solution components:

• Requirements for links between controller nodes:
  • Bandwidth: 1 Gbps
  • RTT (Round Trip Time): 200 ms
  • Packet loss: 0%
• Requirements for links between MongoDB database nodes:
  • Bandwidth: 1 Gbps
  • RTT: 50 ms
  • Packet loss: 0%
• Requirements for links between Redis database nodes:
  • Bandwidth: 1 Mbps
  • RTT: 50 ms
  • Packet loss: 0%

Browser requirements

The following browsers are supported for managing the orchestrator web interface:

• Google Chrome 100 or later
• Firefox 100 or later
• Microsoft Edge 100 or later
• Opera 90 or later
• Safari 15 or later

Requirements for the data storage system

We recommend using your own data storage system for fault tolerance. The following requirements apply to the data storage system:

• Support for simultaneous read and write from multiple hosts.
• The size of the data storage system depends on the size of the files being stored, but at least 40 GB of available protected space that supports further expansion.
• The bandwidth of the link between the storage system and the orchestrator must be at least 1 Gbps; 10-Gigabit Ethernet or 8-Gigabit FC (Fiber Channel) is recommended.
• At least 250 IOPS, at least 400 is recommended.
• The following types of data storage systems are supported:
  • NFS
  • iSCSI
  • FC
  • CephFS
• The data storage system must be mounted.
• Must stay available if the host restarts.

Administrator device requirements

The administrator device for deploying the solution must satisfy the following requirements:

• Operating system:
  • Ubuntu 20.04 LTS or 22.04 LTS
  • RED OS 8.

  The operating system must support internet access or contain a mounted disk image.

• 4 virtual CPU cores.
• 8 GB of RAM.
• 32 GB of free disk space.
• The name and password of the root account must be the same on the administrator device and the virtual machines on which you want to deploy solution components.

CPE device requirements

The following CPE device models are supported:

• KESR-M1-R-5G-2L-W
• KESR-M2-K-5G-1L-W
• KESR-M2-K-5G-1S
• KESR-M3-K-4G-4S
• KESR-M4-K-2X-1CPU
• KESR-M4-K-8G-4X-1CPU
• KESR-M5-K-8G-4X-2CPU
• KESR-M5-K-8X-2CPU

CPE devices of the KESR model are based on x86 (Intel 80x86) and MIPS (Microprocessor without Interlocked Pipeline Stages) processor architectures.

Kaspersky experts carried out tests to confirm the functionality of CPE devices when providing the L3 VPN service (see the table below). DPI (Deep Packet Inspection) was not used on the tested devices, and traffic encryption was disabled.

For detailed information about the characteristics of CPE devices, please refer to the official page of the solution.

You can deploy uCPE devices on servers with x86 (Intel 80x86) or ARM64 processor architecture.

You can use the vKESR-M1 model as a vCPE device. The following virtualization environments are supported for vCPE devices:

• VMware 7.0 or later
• KVM with kernel version 5.15 or later

  Only the original KVM virtualization environment without additional orchestration tools is supported.

vCPE devices of the vKESR-M1 model have the following specifications:

• CPU: 2x vCPU. We recommend using the Intel(R) Xeon(R) Gold 5318Y CPU.
• Virtual RAM: 512 MB.
• HDD: 1024 MB.

Page top

[Topic 239165]

Ensuring security

Security in Kaspersky SD-WAN is ensured in the data plane, control plane, and orchestration plane. The security level of the solution as a whole is determined by the security level of each of these planes, as well as the security of their interaction. The following processes take place in each plane:

• User authentication and authorization
• Use of secure management protocols
• Encryption of control traffic
• Secure connection of CPE devices

Secure management protocols

We recommend using HTTPS when communicating with the SD-WAN network through the orchestrator web interface or API. You can upload your own certificates to the web interface or use automatically generated self-signed certificates. The solution uses several protocols to transmit control traffic to components (see the table below).

Secure connection of CPE devices

The solution uses the following mechanisms for secure connection of CPE devices:

• Discovery of CPE device by DPID.
• Deferred registration. You can select the state of the CPE device after successful registration: Enabled or Disabled. A disabled CPE device must be enabled after making sure it is installed at the location.
• Two-factor authentication.

Using virtual network functions

You can provide an additional layer of security with virtual network functions deployed in the data center and/or on

. For example, traffic can be relayed from a CPE device to a virtual network function that acts as a firewall or proxy server. Virtual network functions can perform the following SD-WAN protection functions:

• Next-Generation Firewall (NGFW)
• Protection from DDoS (Distributed Denial of Service) attacks
• Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
• Anti-Virus
• Anti-Spam
• Content Filtering and URL filtering system
• DLP (Data Loss Prevention) system for preventing confidential information leaks
• Secure Web Proxy

Page top

[Topic 248911]

What's new

Kaspersky SD-WAN has the following new and improved functionality:

• Centralized firewall management is supported with firewall template and DPI support. Now you can disable or enable DPI when specifying basic firewall settings and specify DPI marks to apply firewall rules to application traffic packets.
• Now you can create DNAT and SNAT rules for firewall management if you want to use the Source Network Address Translation (SNAT), Destination Network Address Translation (DNAT), and Port Address Translation (PAT) mechanisms. You can centrally manage these mechanisms using firewall templates.
• You can use up to 100 virtual routing and forwarding tables (VRF) on CPE devices. You can put BGP routes into one of the virtual routing and forwarding tables.
• Now you can install certificate chains on CPE devices
• Now you can monitor traffic packet information using the NetFlow protocol versions 1, 5, and 9. You can centrally manage the protocol using NetFlow templates.
• Information about the following events is now sent to the Syslog server that you can specify:
  • A user logging in or out of the orchestrator web interface.
  • A user entering the password incorrectly when logging in to the orchestrator web interface.
  • A user conducting a brute-force attack.
  • An attempt to log in to the orchestrator web interface using a non-existent account.
• Two-factor authentication of users is now supported using the Time-based-one-time password (TOTP) algorithm.
• Support for upgrading Kaspersky SD-WAN from version 2.1.3 to 2.2.0. If you are using a version lower than 2.1.3, you must first upgrade the solution to version 2.1.3, and then to 2.2.0. You must first upgrade the central components of the solution, and then the CPE devices.
• The installation archive for quick deployment of Kaspersky SD-WAN is now available. The installation archive lets you modify elements of the orchestrator web interface, such as the displayed logo of your organization.
• Sending notifications about events and problems on CPE devices to user emails is now supported.
• Now you can diagnose CPE devices using the following utilities:
  • ping
  • traceroute
  • tcpdump
  • iperf
  • sweep
• Version 6.0.0 of the Zabbix monitoring system is supported.
• The OVF template for vCPE devices is supported. You can use an OVF template to deploy a vCPE device on the VMware virtualization platform and automatically register it.
• Optimized performance of the Controller and CPE devices.
• Optimized recovery of a failed Controller node.
• Now you can create IP address and subnet ranges for CPE devices (IPAM). You can use these ranges to centrally assign IPv4 addresses to network interfaces of CPE devices. You can also use IP address ranges to centrally assign IPv4 addresses to CPE router IDs.
• CPE device names are now displayed in Zabbix monitoring system.
• Now you can place CPE, VNF, and PNF device hosts into automatically created groups on the Zabbix server. Groups correspond to tenants to which VNFs, PNFs, and CPE devices belong.
• The RED OS 8 operating system is supported for central components of the solution.
• Users with the tenant role can now change the password.
• Assigned IPv4 addresses can now be displayed in the table of network interfaces of a CPE device.
• Now you can create network interfaces for connecting to a PPPoE server.
• CPE devices can now relay multicast traffic using the PIM and IGMP protocols.

Page top

[Topic 237688]

Architecture of the solution

Kaspersky SD-WAN includes the following main components:

• The orchestrator controls the solution infrastructure, functions as an NFV orchestrator (NFVO), and manages network services and distributed VNFMs. You can manage the orchestrator via the web interface or REST API when using external northbound systems.
• The Controller centrally manages the overlay network:
  • Builds the network topology.
  • Creates transport services.
  • Manages CPE devices using the OpenFlow protocol.
  • Balances traffic between links.
  • Monitors link and automatically switches traffic to a backup link if the primary link fails.

  To deploy the Controller, you need to deploy the physical network function of the Controller, which is contained in the installation archive. The Controller is managed by the orchestrator.

• CPE devices are installed at remote locations to relay traffic and form an SDN fabric in the form of an overlay network. You can assign the SD-WAN Gateway role or the standard CPE device role o the CPE device. SD-WAN Gateways establish links with all standard CPE devices and other SD-WAN Gateways. Standard CPE devices establish connections only with SD-WAN Gateways. By default, all CPE devices have assigned the standard CPE device role.

  If you want a link to be established between two standard CPEs, you need to assign the same topology tag to these standard CPEs. You can also make a standard CPE device a transit device to allow other CPE devices to make links through that CPE device.

• The VNFM (Virtual Network Functiion Manager) manages the lifecycle of virtual network functions using SSH, Ansible playbooks, scripts, and Cloud-init attributes.

If virtual network functions are used, the architecture includes a Virtual Infrastructure Manager (VIM) that manages compute, network, and storage resources within the NFV infrastructure. A VIM connects VNFs using virtual links, subnets, and ports. The OpenStack cloud platform is used as the VIM.

Kaspersky SD-WAN has a distributed microservice architecture based on Docker containers (see the figure below). A Controller can include one, three, or five nodes. Controller nodes are deployed on separate virtual machines, which you can run on different physical servers for fault tolerance. When deploying the solution, you can specify virtual machines on which you want to deploy Controller nodes.

Architecture of Kaspersky SD-WAN

Page top

[Topic 273495]

Deploying Kaspersky SD-WAN

You can deploy Kaspersky SD-WAN using the knaas-installer_<version information> installation archive that is part of the distribution kit.

Before following this procedure, you must prepare a solution deployment scenario. If you have any problems with preparing a deployment scenario, we recommend contacting Kaspersky Technical Support.

A solution deployment scenario consists of the following steps:

1. Preparing the administrator device

   Prepare the administrator device for solution deployment. You can use a local or remote virtual machine, or a personal computer as the administrator device. When deploying a Kaspersky SD-WAN testbed in accordance with the all-in-one deployment scenario, you must use a virtual machine as the administrator device.

2. Ensuring network connectivity between the administrator device and solution components

   Ensure network connectivity between the administrator device and the virtual machines or physical servers on which you want to deploy Kaspersky SD-WAN components. If you plan to deploy multiple nodes of solution components, make sure that the links between virtual machines or physical servers satisfy the hardware and software requirements.

3. Manually generating passwords

   If necessary, manually generate passwords to ensure the security of Kaspersky SD-WAN components and their SSL certificates.

4. Preparing the configuration file

   Prepare the configuration file in accordance with the chosen deployment scenario. You can use example configuration files for typical deployment scenarios in the /inventory/external/pnf and /inventory/external/vnf directories of the installation archive.

5. Replacing the graphics of the orchestrator web interface

   If necessary, replace the graphics of the orchestrator web interface. For example, you can replace the image that is displayed in the background when an error occurs while logging into the orchestrator web interface.

6. Deploying Kaspersky SD-WAN

   Do the following on the administrator device:

   1. Accept the End User License Agreement by running the following command:

      export KNAAS_EULA_AGREED="true"

   2. Go to the directory with the extracted installation archive.
   3. If you want to deploy Kaspersky SD-WAN in attended mode, do one of the following:
      • If you have generated passwords manually, run the command:

        ansible-playbook -i inventory/generic -e "@<path to configuration file>" -e "@inventory/external/images.yml" -K --ask-vault-pass knaas/knaas-install.yml

        When running the command, enter the root account password and the generated master password.

      • If you have not generated passwords manually, run the command:

        ansible-playbook -i inventory/generic -e "@<path to configuration file>" -e "@inventory/external/images.yml" -K knaas/knaas-install.yml

   4. If you want to deploy Kaspersky SD-WAN in unattended mode, do one of the following:

      We only recommend using this mode in a trusted environment because it makes intercepting your passwords easy for a malicious actor.

      • If you have generated passwords manually, run the command:

        ansible-playbook -i inventory/generic -e "@<path to configuration file>" -e "@inventory/external/images.yml" -e "ansible_become_password=yourSudoPassword" --vault-password-file ./passwords/vault_password.txt knaas/knaas-install.yml

      • If you have not generated passwords manually, run the command:

        ansible-playbook -i inventory/generic -e "@<path to configuration file>" -e "@inventory/external/images.yml" -e "ansible_become_password=yourSudoPassword" knaas/knaas-install.yml

The Kaspersky SD-WAN components are deployed on the virtual machines or physical servers that you specified in the configuration file. A successful deployment message is displayed in the console of the administrator device.

If a network connectivity issue occurs with one of the virtual machines or physical servers during the deployment of solution components, an error message is displayed in the administrator device console, and the solution is not deployed. In that case, you need to restore network connectivity, clean up the virtual machines or physical servers, and then run the deployment command again.

In this section Redundancy of solution components About the installation archive About the attended, unattended, and partially attended action modes Preparing the administrator's device Managing passwords Setting up the configuration file Replacing the graphics of the orchestrator web interface Replacement of a failed controller node Upgrading Kaspersky SD-WAN Removing Kaspersky SD-WAN

See also About the attended, unattended, and partially attended action modes Scenario: Deploying an SD-WAN instance for a tenant

Page top

[Topic 239027]

Redundancy of solution components

Expand all | Collapse all

About redundancy schemes for solution components

Kaspersky SD-WAN supports two deployment scenarios for solution components:

• In the N+1 deployment scenario, you deploy two nodes of the solution component. If one node fails, the second node provides the functionality of the solution component.
• In the 2N+1 deployment scenario, you deploy multiple nodes of the solution component. One node is the primary node and the rest are secondary nodes. If the primary node fails, a randomly chosen secondary node takes its place. This redundancy scheme allows solution components to remain operational even when multiple failures occur in a row.

The table below lists the solution components and the deployment scenarios that are applicable to them.

You can specify the number of nodes you want to deploy for each solution component in the configuration file.

When you configure the deployment settings for the MongoDB database or the controller node in accordance with the 2N+1 deployment scenario, the last node you specify becomes the arbiter node. The arbiter node is linked to other nodes and is used to choose the primary node. A node that has lost contact with the arbiter node enters standby mode. One of the nodes that have retained contact with the arbiter node stays or becomes the primary node. An arbiter node cannot become a primary node and does not store data.

Failure scenarios of solution component nodes

The figure below shows a diagram of Kaspersky SD-WAN deployed on three virtual machines in a data center. The diagram uses the following symbols:

• 'www' is the frontend part of the solution
• 'orc' is the orchestrator
• 'mongo' is the MongoDB database
• 'redis-m' is a Redis replica server
• 'redis-s' is a Redis Sentinel system
• 'vnfm-proxy' is a virtual network functions manager proxy
• 'vnfm' is a Virtual Network Function Manager
• 'ctl' is the controller and its database
• 'zabbix-www' is the frontend part of the Zabbix monitoring system
• 'zabbix-proxy' is the Zabbix proxy server
• 'zabbix-srv' is the Zabbix server
• 'zabbix-db' is the database of the Zabbix monitoring system
• 'syslog' is the Syslog server

Users and CPE devices gain access to the web interface of the orchestrator and the web interface of the Zabbix monitoring system using a virtual IP address. The virtual IP address is assigned to virtual machine 1.

Solution deployed on three virtual machines

In this deployment scenario, the following failure modes are possible:

• Failure of virtual machine 1 or its link.

  If virtual machine 1 or its link fails, the solution remains operational. The following changes occur in the state of the nodes of solution components:

  • The virtual IP address is assigned to virtual machine 2.
  • The www-1 node of the frontend part of solution is unavailable; www-2 is available. The orchestrator web interface is displayed in the browser.
  • The orc-1 orchestrator node is unavailable; orc-2 is available. The backend part of the solution is functional, users can log into the orchestrator web interface and manage it.
  • The mongo-1 node of the MongoDB database is unavailable; mongo-2 and mongo-3 are available; mongo-2 becomes the primary node because mongo-3 is the arbiter node and cannot become the primary node. The orchestrator continues using the MongoDB database.
  • State of the Redis database:
    • The redis1-m node of the Redis replica server is unavailable; redis2-m and redis3-m are available.
    • The redis1-s node of the Redis Sentinel system is unavailable; redis2-s and redis3-s are available; redis2-s becomes the primary node and randomly assigns either the redis2-m or the redis3-m node of the Redis replica server as the primary node.

    The orchestrator continues using the Redis database.

  • States of the Virtual Network Function Manager:
    • The vnfm-proxy-1 node of the virtual network function manager proxy is unavailable; vnfm-proxy-2 is available.
    • The vnfm-1 Virtual Network Function Manager node is unavailable; vnfm-2 is available.

    SSH consoles of the solution components are operational.

  • The ctl-1 node of the controller is unavailable; ctl-2 and ctl-3 are available; ctl-2 becomes the primary node because ctl-3 is the arbiter node and cannot become the primary node. Physical connectivity between CPE devices is maintained.
  • State of the Zabbix monitoring system:
    • The zabbix-www-1 node of the frontend part of solution is unavailable; zabbix-www-2 is available.
    • The zabbix-proxy-1 node of the Zabbix proxy server is unavailable; zabbix-proxy-2 is available.
    • The zabbix-srv-1 node of the Zabbix server is unavailable; zabbix-srv-2 is available.
    • The zabbix-db-1 node of the Zabbix monitoring system database is unavailable; zabbix-db-2 is available.

    The Zabbix monitoring system is operational.

• Failure of virtual machine 2 or 3, or its link.

  If virtual machine 2 or 3 or its link fails, nodes of solution components that are deployed on virtual machine 1 stay primary, and the solution remains operational.

• Simultaneous failure of virtual machines 1 and 3 or 2 and 3, or their links.

  If virtual machines 1 and 3 or virtual machines 2 and 3, or their links fail simultaneously, the solution stops working. The following changes occur in the state of the nodes of solution components:

  • The orchestrator web interface is not displayed in the browser. Users cannot log into the orchestrator web interface and manage it.
  • The Zabbix monitoring system stops working.
  • Network connectivity between CPE devices and the network devices connected to them is maintained; traffic continues to be transmitted.
  • Network connectivity within the P2P services and TAP services is maintained.
  • Network connectivity within P2M services and M2M services is maintained for established sessions. For new sessions, network connectivity is maintained if, when creating the P2P service or M2M service, in the MAC learn mode drop-down list, you selected Learn and flood.
  • CPE devices use a reordering compensation mechanism to reduce the number of duplicate packets on network devices connected to these CPE devices.
  • The load on the CPE devices and the SD-WAN network increases proportionately to the number of CPE devices and links.

  If links are restored, the solution is also restored and resumes normal operation.

  If virtual machines 1 and 3 or virtual machines 2 and 3 fail simultaneously, the configuration of solution components is lost. To restore the configuration of solution components, you can contact Kaspersky Professional Services.

• Simultaneous failure of virtual machines 1 and 2

  If virtual machines 1 and 2 fail simultaneously, the configuration of the solution components is irreversibly lost because virtual machine 3 has arbiter that do not store data. To avoid this situation, we recommend deploying databases and controllers on separate virtual machines or physical servers and making regular backups.

Page top

[Topic 274086]

About the installation archive

The knaas-installer_<version information> installation archive has the TAR format and is used for solution deployment. You can download the installation archive from the root directory of the distribution kit. The installation archive has the following structure:

We do not recommend editing system files because this may cause errors when deploying the solution.

• ansible.cfg file is a system file with Ansible settings.
• CHANGELOG.md is the file change log in YAML format.
• /docs contains the installation archive documentation.
• /images contains images of the solution components.
• /inventory:
  • /external:
    • /pnf contains example configuration files for typical solution deployment scenarios with the controller as a physical network function.
    • /vnf contains example configuration files for typical solution deployment scenarios with the controller as a virtual network function.
• /generic contains common system files.
• /knaas contains system files with playbooks for deploying the solution.
• /oem contains default graphics of the orchestrator web interface.
• /pnfs contains physical network functions for deployment of one, three, or five controller nodes.
• README.md contains instructions for deploying the solution using the installation archive.
• requirements.txt is a system file with Python requirements.

See also Preparing the configuration file Scenario: Deploying an SD-WAN instance for a tenant

Page top

[Topic 275281]

About the attended, unattended, and partially attended action modes

When you perform actions on the administrator device when deploying Kaspersky SD-WAN, you may need to enter the root password as well as the master password. How the passwords are entered depends on the mode in which you are performing the action. The following action modes are supported:

• In the attended mode, an employee must take part in the action. To perform an action, you must manually enter the root password and the master password. This is the safest mode that avoids saving any passwords on the administrator device.
• In the unattended mode, the action is performed without involving an employee. To perform an action, the root password and the master password are entered automatically. In this mode, you can run automated tests.

  We only recommend using this mode in a trusted environment because it makes intercepting your passwords easy for a malicious actor.

• In the partially attended mode, the action is performed with partial involvement of an employee. When performing an action, you must enter the root password, but the master password is entered automatically.

See also Managing passwords

Page top

[Topic 273496]

Preparing the administrator device

You can use a local or remote virtual machine, or a personal computer as the administrator device. When deploying a Kaspersky SD-WAN testbed in accordance with the all-in-one deployment scenario, you must use a virtual machine as the administrator device.

If you experience any problems while preparing the administrator device, we recommend contacting Kaspersky Technical Support.

To prepare the administrator device:

1. Make sure the administrator device satisfies the hardware and software requirements.
2. Make sure that the same root account is used on the administrator device and the virtual machines or physical servers on which you want to deploy Kaspersky SD-WAN components. After deploying the solution, you can use a different root account on the virtual machines or physical servers.
3. Download the knaas-installer_<version information> installation archive from the root directory of the distribution kit and extract the installation archive on the administrator device.
4. Go to the directory with the extracted installation archive and prepare the administrator device:
   1. Make sure the pip package management tool is installed by running the command:

      python3 -m pip -V

   2. If the pip package management tool is not present, do one of the following:
      • If the administrator device is running Ubuntu:

        apt-get install python3-pip

      • If the administrator device is running RED OS 8:

        yum install python3-pip

   3. Install the Ansible tool and its dependencies:

      python 3 -m pip install -U --user -r requirements.txt

   4. Update the PATH variable:
      1. echo 'export PATH=$PATH:$HOME/.local/bin' >> ~/.bashrc
      2. source ~/.bashrc
   5. Verify that the Ansible tool is ready for use:

      ansible --version

   6. Install the operating system packages for Kaspersky SD-WAN deployment on the administrator device:

      ansible-playbook -K knaas/utilities/toolserver_prepare/bootstrap.yml

      Enter the root password when running the command.

   You only need to complete this step when initially deploying the solution.

5. Make sure the administrator device is ready for use:
   1. Restart the administrator device.
   2. Go to the extracted installation archive and start the automatic check of the administrator device:

      ansible-playbook knaas/utilities/pre-flight.yml

6. If you want to deploy Kaspersky SD-WAN on multiple virtual machines or physical servers:
   1. Make sure SSH keys have been generated on the administrator device. If the SSH keys do not exist, generate them.
   2. Place the SSH keys on virtual machines or physical servers:

      ssh-copy-id user@<IP address of the virtual machine or physical server>

   If you are deploying a Kaspersky SD-WAN testbed in accordance with the all-in-one deployment scenario, skip this step.

The administrator device is prepared for Kaspersky SD-WAN deployment.

Page top

[Topic 273591]

Managing passwords

Passwords help ensure the security of deployed Kaspersky SD-WAN components. You can manually generate the passwords. If you do not manually generate the passwords, they are generated automatically when you deploy the solution.

Passwords are contained in the following files:

• keystore.yml contains passwords of Kaspersky SD-WAN components and their SSL certificates.
• vault_password.txt contains the master password.

We recommend storing password files in a protected directory because they can be used to gain access to the deployed solution.

After deployment, the generated passwords are automatically placed in the Docker containers of Kaspersky SD-WAN components. Solution components exchange passwords when interacting with each other.

In this section Manually generating passwords Changing passwords

Page top

[Topic 273556]

Manually generating passwords

To manually generate the passwords:

1. Create the /passwords directory on the administrator device. Specify the path to the created directory in the external section of the configuration file using the vault_password_dirname setting.
2. Create a keystore.yml file and in that file, specify the passwords using the following settings:
   • ZABBIX_DB_SECRET is the root password of the Zabbix monitoring system database.
   • MONGO_ADMIN_SECRET is the administrator password of the MongoDB database.
   • MONGO_USER_SECRET is the user password of the MongoDB database. This password is used by the orchestrator.
   • CTL_CERT_SECRET is the password of the controller SSL certificate.
   • ORC_CERT_SECRET is the password of the orchestrator SSL certificate.
   • ORC_ENC_SECRET is the password for encrypting confidential data in the MongoDB database. Minimum length: 32 characters.
   • VNFM_CERT_SECRET is the password of the VNFM SSL certificate.

   For all passwords except ORC_ENC_SECRET, we recommend specifying at least 16 characters.

3. Create the vault_password.txt file and in that file, specify the master password.
4. Encrypt the keystore.yml file:
   • If you want to encrypt the keystore.yml file in attended mode:

     ansible-vault encrypt --ask-vault-pass keystore.yml

   • If you want to encrypt the keystore.yml file in unattended mode:

     ansible-vault encrypt --vault-password-file vault_password.txt keystore.yml

The passwords are generated and encrypted.

See also About the attended, unattended, and partially attended action modes

Page top

[Topic 273592]

Changing passwords

To change the passwords:

1. Decrypt the keystore.yml file:
   • If you want to decrypt the keystore.yml file in attended mode:

     ansible-vault decrypt --vault-password-file vault_password.txt keystore.yml

   • If you want to decrypt the keystore.yml file in unattended mode:

     ansible-vault encrypt --ask-vault-pass keystore.yml

2. Change the following passwords in the keystore.yml file:
   • ZABBIX_DB_SECRET is the root password of the Zabbix monitoring system database.
   • MONGO_ADMIN_SECRET is the administrator password of the MongoDB database.
   • MONGO_USER_SECRET is the user password of the MongoDB database. This password is used by the orchestrator.
   • CTL_CERT_SECRET is the password of the controller SSL certificate.
   • ORC_CERT_SECRET is the password of the orchestrator SSL certificate.
   • ORC_ENC_SECRET is the password for encrypting confidential data in the MongoDB database. Minimum length: 32 characters.
   • VNFM_CERT_SECRET is the password of the VNFM SSL certificate.

   For all passwords except ORC_ENC_SECRET, we recommend specifying at least 16 characters.

3. Encrypt the keystore.yml file:
   • If you want to encrypt the keystore.yml file in attended mode:

     ansible-vault encrypt --ask-vault-pass keystore.yml

   • If you want to encrypt the keystore.yml file in unattended mode:

     ansible-vault encrypt --vault-password-file vault_password.txt keystore.yml

The passwords are changed and encrypted.

Page top

[Topic 273509]

Preparing the configuration file

Specify the Kaspersky SD-WAN deployment settings in the YAML configuration file on the administrator device. The path to the configuration file must be specified when deploying the solution. You can use example configuration files for typical deployment scenarios in the inventory/external/pnf and inventory/external/vnf directories of the installation archive.

The configuration file consists of two main sections:

• The nodes section specifies virtual machines or physical servers for deploying Kaspersky SD-WAN components. When deploying the solution to virtual machines or physical servers, iptables rules for interaction between solution components are automatically generated.
• The external section specifies Kaspersky SD-WAN deployment settings.

We do not recommend changing the default settings.

The nodes section has the following structure:

The external section has the following structure:

Example of configuration file

See also Preparing the administrator device Scenario: Deploying an SD-WAN instance for a tenant

Page top

[Topic 273937]

Replacing the graphical elements of the orchestrator web interface

To replace the graphics of the orchestrator web interface:

1. Configure the frontend part of the solution in the www section of the configuration file.
2. On the administrator's device, go to the /oem directory of the extracted installation archive. This directory contains the default graphics of the orchestrator web interface. You can replace the following files:
   • favicon.png and favicon.svg is the icon that is displayed on the orchestrator web interface tab.

     

   • login_logo.svg is the icon that is displayed in the upper part of the window when logging in to the orchestrator web interface.

     

   • logo_activation.svg is the icon that is displayed during the automatic registration of a CPE device.

     

   • logo.svg and title.svg are the icon and title that are displayed in the upper part of the navigation pane of the orchestrator web interface.

     

See also User interface of the solution

Page top

[Topic 287139]

Replacement of a failed controller node

You can deploy a new controller node to replace a controller node that has failed beyond repair. If a controller node fails while in a cluster with other nodes, the new controller node is automatically added to that cluster and synchronized with the existing nodes.

Before running this script, make sure that the IP address of the virtual machine or physical server on which you are deploying the new controller node is the same as the IP address of the virtual machine or physical server where the failed controller node was deployed. You specified the IP addresses of the virtual machines or physical servers for deployment of controller nodes when you deployed the solution, in the ctl section of the configuration file.

The scenario for replacing a failed controller node involves the following steps:

1. Preparing the administrator device

   Prepare the administrator device for deployment of the new controller node. You can use a local or remote virtual machine, or a personal computer as the administrator device. When deploying a Kaspersky SD-WAN testbed in accordance with the all-in-one deployment scenario, you must use a virtual machine as the administrator device.

2. Ensuring network connectivity between the administrator device, solution components, and the new controller node

   Ensure network connectivity between the administrator device, solution components, and the virtual machine or physical server on which you want to deploy the new controller node. You must make sure that the links between virtual machines or physical servers satisfy the hardware and software requirements.

3. Deploying a controller node

   Do the following on the administrator device:

   1. Accept the End User License Agreement by running the following command:

      export KNAAS_EULA_AGREED="true"

   2. Go to the directory with the extracted installation archive.
   3. If you want to deploy the new controller node in attended mode, do one of the following:
      • If you have generated passwords manually while deploying the solution, run the following command:

        ansible-playbook -i inventory/generic -e "@<path to configuration file>" -e "@inventory/external/images.yml" -K --ask-vault-pass knaas/knaas-install.yml

        When running the command, enter the root account password and the generated master password.

      • If you have not generated passwords manually while deploying the solution, run the following command:

        ansible-playbook -i inventory/generic -e "@<path to configuration file>" -e "@inventory/external/images.yml" -K knaas/knaas-install.yml

   4. If you want to deploy the controller node in unattended mode, do one of the following:

      We only recommend using this mode in a trusted environment because it makes intercepting your passwords easy for a malicious actor.

      • If you have generated passwords manually while deploying the solution, run the following command:

        ansible-playbook -i inventory/generic -e "@<path to configuration file>" -e "@inventory/external/images.yml" -e "ansible_become_password=yourSudoPassword" --vault-password-file ./passwords/vault_password.txt knaas/knaas-install.yml

      • If you have not generated passwords manually while deploying the solution, run the following command:

        ansible-playbook -i inventory/generic -e "@<path to configuration file>" -e "@inventory/external/images.yml" -e "ansible_become_password=yourSudoPassword" knaas/knaas-install.yml

The new controller node is deployed to replace the failed controller node. A successful deployment message is displayed in the console of the administrator device.

If a network connectivity problem occurs with a virtual machine or physical server while deploying the controller node, an error is displayed in the console of the administrator device, and the new controller node is not deployed. In that case, you need to restore network connectivity, clean up the virtual machine or physical server, and then run the deployment command again.

See also About the attended, unattended, and partially attended action modes

Page top

[Topic 274129]

Upgrading Kaspersky SD-WAN

Before updating Kaspersky SD-WAN, make sure that none of the CPE devices have the Error status. You can view the status of CPE devices in the CPE device table. We also recommend creating backup copies of solution components before updating Kaspersky SD-WAN:

• If your solution components are deployed on virtual machines, take snapshots of the virtual machines. After updating Kaspersky SD-WAN, you can delete the snapshots of the virtual machines. For details on how to take snapshots of virtual machines, please refer to the official documentation of your virtualization environments.
• If your solution components are deployed on physical servers, you need to make backups of hard drives of the physical servers.

The Kaspersky SD-WAN upgrade scenario involves the following steps:

1. Preparing the administrator device

   Prepare the administrator device for solution upgrade. You can use a local or remote virtual machine, or a personal computer as the administrator device. When deploying a Kaspersky SD-WAN testbed in accordance with the all-in-one deployment scenario, you must use a virtual machine as the administrator device.

2. Preparing the configuration file

   Set up the configuration file in accordance with the changes that have been made to the new version of Kaspersky SD-WAN. You can view the changes in the in the CHANGELOG.md file in the root directory of the installation archive.

   When upgrading Kaspersky SD-WAN, make sure that you keep the files with passwords and SSL certificates.

3. Upgrading Kaspersky SD-WAN

   Upgrade Kaspersky SD-WAN in one of the following ways:

   • If you want to upgrade the solution in attended mode:

     ansible-playbook -i inventory/generic -e "@<path to configuration file>" -e "@inventory/external/images.yml" -K --ask-vault-pass knaas/knaas-install.yml

     When running the command, enter the password of the root account on the administrator device and the generated master password.

   • If you want to upgrade the solution in partially attended mode:

     ansible-playbook -i inventory/generic -e "@<path to configuration file>" -e "@inventory/external/images.yml" -K --vault-password-file ./passwords/vault_password.txt knaas/knaas-install.yml

     Enter the root password o the administrator device when running the command.

   • If you want to upgrade the solution in unattended mode:

     ansible-playbook -i inventory/generic -e "@<path to configuration file>" -e "@inventory/external/images.yml" -e "ansible_become_password=yourSudoPassword" --vault-password-file ./passwords/vault_password.txt knaas/knaas-install.yml

The Kaspersky SD-WAN components are upgraded on the virtual machines or physical servers that you specified in the configuration file. A successful upgrade message is displayed in the console of the administrator device.

If a network connectivity issue occurs with one of the virtual machines or physical servers during the upgrade of solution components, an error message is displayed in the administrator device console, and the solution is not upgraded. In that case, you need to restore network connectivity and then run the upgrade command again.

After upgrading the solution, you must clear your Bash command history.

See also About the attended, unattended, and partially attended action modes

Page top

[Topic 274132]

Removing Kaspersky SD-WAN

The removal of Kaspersky SD-WAN cannot be rolled back.

To remove Kaspersky SD-WAN:

1. On the administrator device, go to the extracted installation archive.
2. Remove Kaspersky SD-WAN in one of the following ways:
   • If you want to remove the solution in attended mode:

     ansible-playbook -i inventory/generic -e "@<path to configuration file>" -e "@inventory/external/images.yml" -K knaas/knaas-teardown.yml

   • If you want to remove the solution in unattended mode:

     ansible-playbook -i inventory/generic -e "@<path to configuration file>" -e "@inventory/external/images.yml" -e "ansible_become_password=yourSudoPassword" knaas/knaas-teardown.yml

Kaspersky SD-WAN components are removed from the virtual machines or physical servers. A successful removal message is displayed in the console of the administrator device.

If a network connectivity issue occurs with one of the virtual machines or physical servers during the removal of solution components, an error message is displayed in the administrator device console, and the solution is not removed. In that case, you need to restore network connectivity and then run the removal command again.

See also About the attended, unattended, and partially attended action modes

Page top

[Topic 239565]

Logging in and out of the orchestrator web interface

Logging in to the orchestrator web interface

To log in to the orchestrator web interface:

1. In the address bar of your browser, enter the IP address of the virtual machine on which your orchestrator is deployed. You specified the IP address of the orchestrator virtual machine in the orc_<1–2> section of the configuration file while deploying the solution.
2. This opens the authentication page; on that page, enter a user name and password. The password must contain at least one uppercase Latin letter (A–Z), one lowercase letter (a–z), one numeral, and one special character. Password length: 8 to 50 characters.
3. Click Log in. If two-factor authentication is enabled for your account:
   1. Scan the displayed QR code with a physical or software authenticator that supports the RFC 6238 standard.
   2. Enter and confirm the unique code generated by the authenticator.

After successful authentication, you are taken to the section or subsection that you set as the default page.

Logging out of the orchestrator web interface

To log out of the orchestrator web interface:

1. In the lower part of the menu, click .
2. In the confirmation window, click OK.

You are logged out of the orchestrator web interface.

Page top

[Topic 246872]

Licensing of Kaspersky SD-WAN

This section covers basic concepts of Kaspersky SD-WAN licensing. If you need to scale the solution, you can purchase additional software and hardware licenses.

In this Help section About the End User License Agreement About data provision

Page top

[Topic 246870]

About the End User License Agreement

The End User License Agreement is a binding agreement between you and AO Kaspersky Lab, stipulating the terms on which you may use the program. The text of the End User License Agreement in supported languages is located in the license <language code>.rtf files included in the Kaspersky SD-WAN distribution kit.

Read through the terms of the End User License Agreement carefully before you start using Kaspersky SD-WAN.

By confirming that you agree with the End User License Agreement, you signify your acceptance of the terms of the End User License Agreement. You can do this in one of the following ways:

• Initialize the KNAAS_EULA_AGREED environment variable before starting the Kaspersky SD-WAN Docker container:

  export KNAAS_EULA_AGREED=yes

  In this case, when starting the Kaspersky SD-WAN Docker container, pass the KNAAS_EULA_AGREED environment variable using the -e option:

  docker run -e KNAAS_EULA_AGREED [OPTIONS] IMAGE [COMMAND] [ARG...]

• Initialize the KNAAS_EULA_AGREED environment variable directly when starting the Kaspersky SD-WAN Docker container:

  docker run -e KNAAS_EULA_AGREED=yes [OPTIONS] IMAGE [COMMAND] [ARG...]

If the KNAAS_EULA_AGREED environment variable is not initialized or is initialized with the value no (KNAAS_EULA_AGREED=no), this means that you do not agree with the terms of the End User License Agreement. In this case, when starting the Kaspersky SD-WAN Docker container, an error message is displayed, and Kaspersky SD-WAN does not start.

Page top

[Topic 246869]

About data provision

The following third-party solutions are integrated into Kaspersky SD-WAN:

• Zabbix monitoring system
• OpenStack platform for creating cloud services and storage
• OpenStreetMap geographic maps

Personal information that might be introduced to Zabbix, OpenStack, or OpenStreetMap as a result of integration is not sent outside the perimeter of the organization's infrastructure.

Kaspersky protects received information in accordance with requirements stipulated by applicable law and Kaspersky policies.

Page top

[Topic 240002]

User interface of the solution

Kaspersky SD-WAN is managed using the orchestrator web interface. You can use the menu sections to configure the components of the solution. When you navigate to a section, an additional menu with subsections is displayed in a collapsed form. To expand the menu, hover your mouse cursor over the icon of one of the subsections. You can click the expand icon to disable the automatic minimization of the menu.

Two variants of the orchestrator web interface are supported:

• The administrator portal gives administrators full access to managing the solution components.
• The self-service portal gives tenants access to managing the SD-WAN instances that are deployed for them.

Administrators can log in to the self-service portal of a tenant.

Administrator portal

Main menu of the administrator portal

The controller has a separate configuration menu.

Controller configuration menu on the administrator portal

Self-service portal

Main menu of the self-service portal

The controller has a separate configuration menu.

In this Help section Setting and resetting the default page Switching between light and dark modes of the orchestrator web interface Changing the language of the orchestrator web interface Managing solution component tables

Page top

[Topic 251907]

Setting and resetting the default page

The default page is a section or subsection of the menu that is automatically displayed after you log into the orchestrator web interface.

To set or reset the default page:

1. In the menu, go to the section or subsection of the orchestrator web interface that you want to set as the default page.
2. In the lower part of the menu, click the settings icon → Set as default page.
3. If you want to reset the default page, click the settings icon → Reset default page.

   In the upper part of the page, the Default page is reset message is displayed. The Dashboard section becomes the default page.

Page top

[Topic 248912]

Switching between light and dark modes of the orchestrator web interface

To switch between light and dark modes of the orchestrator web interface:

In the lower part of the menu, click the settings icon  → Dark mode or Light mode.

Page top

[Topic 262120]

Changing the language of the orchestrator web interface

The orchestrator web interface supports English and Russian languages.

To change the language of the orchestrator web interface,

in the lower part of the menu, click one of the following buttons:

• EN to switch the language of the orchestrator web interface to English.
• RU to switch the language of the orchestrator web interface to Russian.

Page top

[Topic 270040]

Managing solution component tables

Solution components such as users, network interfaces, and BGP peers are displayed in tables. You can use the following controls to manage tables:

• The settings icon , which you can use to do the following:
  • Refresh the table by clicking the settings icon → Reload. You can also refresh the table using the refresh icon .
  • Restore default widths of table columns by clicking the settings icon → Reset columns width.
  • Select which columns are displayed in the table. To do so, click the settings icon and select the check boxes next to the columns you want to display.
• The search icon which you can click and enter your search criteria. After entering the search criteria, the table displays the relevant entries.
• Status filters to display entries with the selected status.
• Time filters to display entries for the selected period:
  • All time
  • Last year
  • Last month
  • Last week
  • Last day

  You can manually specify the period using the fields in the upper part of the table.

• The Actions button for applying an action simultaneously to all entries with selected check boxes. For example, in the CPE devices table, you can delete multiple CPE devices at the same time.

You can adjust the width of each column of the table using the three-dot icons between the names of the columns.

Page top

[Topic 251933]

Navigating to the orchestrator API

To navigate to the orchestrator API,

in the lower part of the menu, click the API button .

This opens a list of API commands that can be used to manage the orchestrator.

Page top

[Topic 266243]

Managing the Kaspersky SD-WAN infrastructure

Locations where you deploy all Kaspersky SD-WAN components other than CPE devices are called data centers. You need to add the data centers to the orchestrator web interface to manage controllers and VIMs, and to specify the Zabbix proxy server to configure solution component monitoring.

If you have a large number of data centers, you can add them to domains. Domains are logical groupings of data centers based on a certain criterion, such as geographic location. Before adding data centers, you must create at least one domain. You can move data centers between domains.

In each data center, you must create at least one management subnet to assign IP addresses, DNS servers, and static routes to CPE devices and virtual network functions.

The figure below shows a diagram of an organization. Kaspersky SD-WAN components are deployed in four data centers (Data centers 1–4). The organization is providing the solution to two clients, each of which has an SD-WAN instance deployed. Two data centers are used to deploy each instance of SD-WAN. Data centers have been added to domains that correspond to clients (Client 1 domain and Client 2 domain).

Example of an organization with domains and data centers

In this Help section Managing domains Managing data centers Managing management subnets Managing controllers Managing a VIM

Page top

[Topic 271061]

Managing domains

The list of domains is displayed in the Infrastructure section, in the Resources pane. Under the domains, the list displays data centers added to the domains.

In this section Creating a domain Editing a domain Deleting a domain

Page top

[Topic 267420]

Creating a domain

To create a domain:

1. In the menu, go to the Infrastructure section.

   This opens the resource management page. By default, the Network resources tab is selected, which displays the table of controllers.

2. In the upper part of the page, click + Domain.
3. This opens a window; in that window, in the Name field, enter the name of the domain. The maximum length of the name is 50 characters.
4. If necessary, in the Description field, enter a brief description of the domain. The maximum length of the description is 100 characters.
5. Click Create.

The domain is created and displayed in the Resources pane.

You can add data centers to a domain when you add data centers.

Page top

[Topic 256064]

Editing a domain

To edit a domain:

1. In the menu, go to the Infrastructure section.

   This opens the resource management page. By default, the Network resources tab is selected, which displays the table of controllers.

2. In the Resources pane, click the settings icon → Edit next to the domain that you want to edit.
3. This opens a window; in that window, edit the name and/or description of the domain, if necessary.
4. Click Save.

The domain is modified and displayed in the Resources pane.

Page top

[Topic 256065]

Deleting a domain

Before deleting a domain, you need to delete data centers that have been added to the domain.

Deleted domains cannot be restored.

To delete a domain:

1. In the menu, go to the Infrastructure section.

   This opens the resource management page. By default, the Network resources tab is selected, which displays the table of controllers.

2. In the Resources pane, click the settings icon → Delete next to the domain that you want to delete.
3. In the confirmation window, click Delete.

The domain is deleted and is no longer displayed in the Resources pane.

Page top

[Topic 271064]

Managing data centers

Lists of data centers are displayed in the Infrastructure in the Resources pane under domains. Before adding data centers, you must create at least one domain.

In this section Adding a data center Editing a data center Moving a data center to a different domain Deleting a data center

Page top

[Topic 267425]

Adding a data center

To add a data center:

1. In the menu, go to the Infrastructure section.

   This opens the resource management page. By default, the Network resources tab is selected, which displays the table of controllers.

2. In the upper part of the page, click + Data center.
3. This opens a window; in that window, in the Name field, enter the name of the data center. The maximum length of the name is 50 characters.
4. If necessary, in the Description field, enter a brief description of the data center. The maximum length of the description is 100 characters.
5. In the Domain drop-down list, select the created domain to which you want to add the data center. After adding the data center, you can move it to a different domain.
6. If you want to deploy virtual network functions and run scripts on CPE devices, in the VNFM URL field, enter the web address of the virtual network function manager to which the orchestrator connects. To verify that the VNFM is available, you can click Test connection.
7. If necessary, in the Location field, enter the geographical address of the data center.
8. Click Create.

The data center is added and displayed in the Resources pane.

See also Scenario: Deploying an SD-WAN instance for a tenant

Page top

[Topic 256071]

Editing a data center

To edit a data center:

1. In the menu, go to the Infrastructure section.

   This opens the resource management page. By default, the Network resources tab is selected, which displays the table of controllers.

2. In the Resources pane, click the settings icon → Edit next to the data center you want to edit.
3. This opens a window; in that window, if necessary, edit the following settings:
   • Name of the data center
   • Brief description of the data center
   • Web address of the Virtual Network Function Manager
   • Address of the data center
4. Click Save.

The data center is modified and updated in the Resources pane.

Page top

[Topic 256073]

Migrating a data center to a different domain

To migrate a data center to a different domain:

1. In the menu, go to the Infrastructure section.

   This opens the resource management page. By default, the Network resources tab is selected, which displays the table of controllers.

2. In the Resources pane, click the settings icon → Migrate next to the data center you want to migrate to a different domain.
3. This opens a window; in that window, select the created domain to which you want to migrate your data center.
4. Click Migrate.

The data center is migrated to the new domain and displayed under the new domain in the Resources pane.

Page top

[Topic 256072]

Deleting a data center

Deleting a data center makes managing controllers, VIMs, and management subnets impossible. You also no longer can specify the Zabbix proxy server for configuring solution component monitoring.

Deleted data centers cannot be restored.

To delete a data center:

1. In the menu, go to the Infrastructure section.

   This opens the resource management page. By default, the Network resources tab is selected, which displays the table of controllers.

2. In the Resources pane, click the settings icon → Delete next to the data center you want to delete.
3. In the confirmation window, click Delete.

The data center is deleted and is no longer displayed in the Resources pane.

Page top

[Topic 271067]

Managing management subnets

To display the table of management subnets, go to the Infrastructure menu section, click the added data center, and select the IPAM → Subnet tab. Information about management subnets is displayed in the following columns of the table:

• Name is the name of the management subnet.
• Type is the type of the subnet. Only management subnets are presently supported.
• CIDR is the IPv4 prefix of the management subnet.
• Gateway are IPv4 addresses of gateways that the management subnet assigns to virtual network functions.
• IP range are IP address ranges from which the management subnet assigns IP addresses to CPE devices and virtual network functions.
• DNS are IPv4 addresses of the DNS servers that the management subnet assigns to virtual network functions.
• Static routes are source and destination IPv4 addresses of static routes that the management subnet assigns to virtual network functions.
• Usage is the number of IP addresses that the management subnet has assigned to CPE devices and virtual network functions.

The table of CPE devices and virtual network functions to which the management subnet has assigned IP addresses is displayed on the Usage tab. Information about CPE devices and virtual network functions is displayed in the following table columns:

• Name is the name of the management subnet that assigned an IP address to the CPE or virtual network function.
• IP is the IP address assigned to the CPE device or virtual network function.
• Client name is the name of the CPE device or virtual network function.
• Client type is information about whether the control subnet has assigned an IP address to the CPE device or virtual network function:
  • VNF
  • CPE
• Tenant is the tenant to which the CPE device was added or virtual network function was assigned.

The actions you can perform with the tables are described in the Managing solution component tables instructions.

In this section Creating a management subnet Editing a management subnet Deleting a management subnet

Page top

[Topic 268342]

Creating a management subnet

To create a management subnet:

1. In the menu, go to the Infrastructure section.

   This opens the resource management page. By default, the Network resources tab is selected, which displays the table of controllers.

2. In the Resources pane, select the created domain, then select the added data center in which you want to create the management subnet. After the management subnet is created, it cannot be moved to a different data center.
3. Select the IPAM tab.

   A table of management subnets is displayed.

4. In the upper part of the page, click + Subnet.
5. In the Name field, enter the name of the management subnet.
6. In the IP version drop-down list, select the version of IP addresses in the management subnet:
   • IPv4 Default value.
   • IPv6
7. In the CIDR field, enter the IPv4 prefix of the management subnet.
8. If you want the management subnet to assign a particular gateway to virtual network functions, enter the IPv4 address of the gateway in the Gateway field.
9. Specify the IP address range from which the management subnet assigns IP addresses to CPE devices and virtual network functions. To do so, under IP range, click + Addand in the displayed fields, enter the starting and ending values of the IP address range.

   The IP address range is specified and displayed in the IP range section. You can specify multiple IP address ranges or delete an IP address range. To delete an IP address range, click the delete icon next to it.

10. Specify the DNS server that the management subnet assigns to virtual network functions. To do so, under DNS, click + Add and in the displayed field, enter the IPv4 address of the DNS server.

    The DNS server is specified and displayed in the DNS section. You can specify multiple DNS servers or delete a DNS server. To delete a DNS server, click the delete icon next to it.

11. Specify the static route that the management subnet assigns to virtual network functions. To do so, under Static routes, click + Add and in the displayed fields, enter the source and destination IPv4 addresses of the static route.

    The static route is specified and displayed in the Static routes section. You can specify multiple static routes or delete a static route. To delete a static route, click the delete icon next to it.

12. Click Create.

The management subnet is created and displayed in the table.

Page top

[Topic 256086]

Editing a management subnet

To edit a management subnet:

1. In the menu, go to the Infrastructure section.

   This opens the resource management page. By default, the Network resources tab is selected, which displays the table of controllers.

2. In the Resources pane, select the created domain, then select the added data center in which you created the management subnet.
3. Select the IPAM tab.

   A table of management subnets is displayed.

4. Click Management → Edit next to the management subnet that you want to edit.
5. This opens a window; in that window, edit the following settings, if necessary:
   • Name of the management subnet
   • IPv4 prefix of the management subnet
   • IPv4 addresses of gateways that the management subnet assigns to virtual network functions
   • IP address ranges from which the management subnet assigns IP addresses to CPE devices and virtual network functions
   • DNS servers that the management subnet assigns to virtual network functions
   • Static routes that the management subnet assigns to virtual network functions
6. Click Save.

The management subnet is modified and updated in the table.

Page top

[Topic 256089]

Deleting a management subnet

Deleted management subnets cannot be restored.

To delete a management subnet:

1. In the menu, go to the Infrastructure section.

   This opens the resource management page. By default, the Network resources tab is selected, which displays the table of controllers.

2. In the Resources pane, select the created domain, then select the added data center in which you created the management subnet.
3. Select the IPAM tab.

   A table of management subnets is displayed.

4. Click Management → Delete next to the management subnet that you want to delete.
5. In the confirmation window, click Delete.

The management subnet is deleted and is no longer displayed in the table.

Page top

[Topic 257182]

Managing controllers

To display the table of controllers, go to the Infrastructure menu section, click the created data center, and select the Network resources tab. Information about controllers is displayed in the following columns of the table:

• Name is the name of the controller.
• Transport/service strategy is the
  transport strategy

  A transport service encapsulation mechanism that includes the algorithm for adding a stack of traffic packet header tags and the type of these tags. Kaspersky SD-WAN temporarily supports one transport strategy, Generic VNI Swapping Transport.

  being used.
• Controller nodes are IP addresses of controller nodes.
• Connection type is the type of connection of CPE devices to the controller:
  • Unicast
  • Multicast
• Cluster status is the status of the cluster of controller nodes:
  • Up means the cluster is operating normally.
  • DEGRADED means an error occurred during the operation of the cluster.
  • Down means the cluster is not operational.
• Node statuses is the status of controller nodes:
  • Connected (primary) means the node is connected to the controller and is the primary node in the cluster.
  • Connected (single) means the node is connected to the controller and is the only node in the cluster.
  • Connected (secondary) means the node is connected to the controller and is a secondary node in the cluster.
  • Disconnected means the node is not connected to the controller.
  • Not in cluster means the node is not added to a cluster.
  • Unavailable means the node is not available.
  • Unknown means the status of the node is unknown.

The actions you can perform with the table are described in the Managing solution component tables instructions.

In this section Editing a controller Reprovisioning a controller Restoring a controller Enabling or disabling the maintenance mode on a controller Deleting a controller Managing controller properties Viewing information about controller nodes

Page top

[Topic 257145]

Editing a controller

To edit a controller:

1. In the menu, go to the Infrastructure section.

   This opens the resource management page. By default, the Network resources tab is selected, which displays the table of controllers.

2. Click Management → Edit next to the controller that you want to edit.
3. This opens a window; in that window, in the Name field, enter the name of the controller. Range of values: 1 to 128 characters.
4. If necessary, in the Description field, enter a brief description of the controller.
5. In the Controller installation on <1>/<3>/<5> servers field, select the number of controller nodes.
6. In the Connection type drop-down list, select the type of connection of CPE devices to the controller:
   • Unicast
   • Multicast
7. Configure the controller node:
   1. In the Address (IP or hostname) field, enter the IP address or hostname of the controller node.
   2. In the gRPC port field, enter the gRPC port number of the controller node.
   3. In the JGroups port field, enter the jGroups port number of the controller node.
   4. If you want to make the controller node the primary node, select the Primary option.

   You can configure multiple controller nodes.

8. Click Save.

The controller is modified and updated in the table.

Page top

[Topic 257150]

Reprovisioning a controller

During reprovisioning, controller properties are reset to their default values. This may help resolve errors.

To reprovision the controller:

1. In the menu, go to the Infrastructure section.

   This opens the resource management page. By default, the Network resources tab is selected, which displays the table of controllers.

2. Click Management → Reprovision next to the controller that you want to reprovision.
3. In the confirmation window, click Reprovision.

The controller is reprovisioned.

Page top