About Kaspersky Security policies
December 13, 2023
When configuring virtual infrastructure protection, it is recommended to account for the specific features of Kaspersky Security policies.
The policy scope, which is a set of virtual machines for which a policy can be used for protection, depends on the type of policy and the protected infrastructure that was selected during configuration of the policy and policy scope (set of SVMs on which the policy is applied).
Kaspersky Security policy types
The following types of policies are provided for Kaspersky Security:
- Main policy. This policy lets you configure the settings for virtual machine file threat protection using protection profiles, network threat protection settings, and the following application settings:
- Settings of notifications about events in application operation.
- Backup settings.
- Kaspersky Security Network usage settings.
- SNMP monitoring settings.
If the application operates in multitenancy mode, the main policy determines the Network Threat Protection settings for all virtual machines and the File Threat Protection settings for the virtual machines that are not part of Cloud Director organizations.
It is recommended to create main policies on the main Administration Server of Kaspersky Security Center. Main policies are created using the Kaspersky Security main administration plug-in.
- Tenant policy (used only if the application is operating in multitenancy mode). This policy lets you configure protection settings for virtual machines that are part of Cloud Director organizations. You can use this policy to define the following settings:
- Settings of notifications about events that occur when protecting and scanning virtual machines of a tenant (only in a policy that was created on the main Administration Server of Kaspersky Security Center).
- Individual file protection settings for virtual machines of the tenant.
- KSN usage settings for the tenant organization.
You can create tenant policies on the main Administration Server or on virtual Administration Servers of Kaspersky Security Center by using the Kaspersky Security administration plug-in for tenants.
Protected infrastructure of a policy
Depending on the protected infrastructure that you select when configuring a policy, the following policies are distinguished as follows:
- Policy for one VMware vCenter Server – lets you configure the settings for protecting a virtual infrastructure managed by one VMware vCenter Server.
- Policy for the entire protected infrastructure – lets you configure the settings for protecting a virtual infrastructure managed by all VMware vCenter Servers to which the Integration Server connects.
Policy application scope
In Kaspersky Security, a policy is applied on SVMs. Each SVM can protect only the virtual machines running on the same hypervisor where the SVM is deployed. Therefore, the policy protection scope (set of virtual machines for which a policy can be used for protection) depends on the policy application scope (set of SVMs on which the policy is applied).
The policy application scope is determined by the location of the policy within the hierarchy of Kaspersky Security Center administration groups. A policy is applied on SVMs as follows:
- The main policy in an administration group containing a KSC cluster is applied on all SVMs of this KSC cluster.
- The main policy in an administration group or folder that is the parent in relation to the groups containing KSC clusters is applied on all SVMs of child KSC clusters.
- The tenant policy on a virtual Administration Server created in the group of the "VMware Cloud Director Agentless" cluster corresponding to VMware Cloud Director is applied on all SVMs of this KSC cluster.
Inheriting policy settings
According to the order of inheritance of Kaspersky Security Center policies, by default the settings of policies are transferred to policies of nested administration groups and subordinate Administration Servers (for more details, please refer to the Kaspersky Security Center documentation). The settings and settings groups of policies have a "lock" attribute, that shows whether or not you are allowed to change these settings in nested policies. If a setting or a group of settings in a policy is "locked" (), the values of these settings are defined in nested policies and cannot be redefined.