Agent settings

Deep Security Agent-related settings are located on Administration > System Settings > Agents. They include the following.

You can automate agent-related system setting changes using the Deep Security API. For examples, see Configure Policy, Computer, and System Settings.

Hostnames

Update the "Hostname" entry if an IP is used as a hostname and a change in IP is detected on the computer after Agent/Appliance-initiated communication or discovery: Updates the IP address displayed in the computer's "Hostname" property field if an IP change is detected.

Deep Security Manager identifies protected computers by using a unique fingerprint, not their IP addresses or hostnames.

Agent-initiated activation (AIA)

You can activate new agents in the Deep Security Manager using a cloud connector or by manually adding a new computer on Computers. Alternatively, you can allow agents to automatically activate themselves. See also Activate and protect agents using agent-initiated activation and communication.

Allow Agent-Initiated Activation: Allow agents to connect to the manager to activate themselves. Then select which computers are allowed to perform agent-initiated activation.

  • For Any Computers: Any computer, whether it is already listed on Computers or not.

    To prevent unauthorized agent activations, don't enable this option if your network allows connections to Deep Security Manager from untrusted networks such as the Internet. To similarly protect Deep Security Agent from unauthorized managers, only allow agent activation with your authenticated manager.
  • For Existing Computers: Only computers already listed on Computers.
  • For Computers on the following IP List: Only computers whose IP address has a match on the specified IP list.

Also configure initiation behavior:

  • Policy to assign (if Policy not assigned by activation script): Security policy to assign to the computer during activation. This setting only applies if no policy is specified in the agent's activation script or an AIA event-based task.
  • Allow Agent to specify hostname: Allow the agent to specify its hostname by providing it to Deep Security Manager during activation.
  • If a computer with the same name already exists: How to handle the activation attempt if the new computer is trying to use the same agent GUID or certificate as an existing computer:

    • Do not allow activation: Don't activate the computer.
    • Activate a new Computer with the same name: Using a new name, create a new computer object and activate the computer.
    • Re-activate the existing Computer: Keeping the same name, reuse the existing computer object and activate the computer.

    This setting only applies to physical computers, Azure virtual machiness (VMs), Google Cloud Platform (GCP) VMs, or VMware VMs. (AWS provides a unique instance ID that Deep Security Manager uses to differentiate all AWS instances, so this setting is ignored for those computers.)

  • Reactivate cloned Agents: Reactivate clones as new computers; assign the the policy selected in Policy to assign (if Policy not assigned by activation script). This can be useful when re-imaging computer hard disks, or deploying new VM instances or AMI, using a "golden image" that has an already-activated Deep Security Agent. It ensures that each computer has a unique agent GUID, despite being deployed by copying the same software image.

    Clones are detected after the initial activation, during their first heartbeat. If the same agent GUID is being used on different computers, the manager detects the clones and reactivates those computers.

    If you disable this option, clones will not be automatically reactivated. You'll need to activate them either manually through the manager or using an activation script.

    This setting only applies to AWS instances, Azure virtual machines (VMs), Google Cloud Platform (GCP) VMs, or VMware VMs that you added using Computers > Add Account.

  • Reactivate unknown Agents: Reactivate deleted (but previously activated) computers as new computers if they connect again. The original computer's assigned policies or rules will not be assigned to the computer again by default. You should assign it again manually or use a tool such as an event-based task to assign it automatically. This setting is useful together with inactive agent cleanup: any accidentally removed computers can automatically re-activate. See also Automate offline computer removal with inactive agent cleanup.

    Previously known agents are detected after the initial activation, during their next heartbeat. If a heartbeat has an agent GUID (indicating prior activation) but its computer is not currently listed on Computers, the manager reactivates the computer.

    Previous event messages will still link to the old computer object, not this new one.
  • Agent activation token: Optional. Agent activation secret. If specified, agents must provide the same value when activating.

    If Deep Security Manager is multi-tenant, this setting applies only to the primary tenant.

    To configure this, you can use the token parameter in the agent activation script such as:

    /opt/ds_agent/dsa_control -a dsm://172.16.0.5:4120/ "token:secret"

Agent Upgrade

Automatically upgrade agents on activation: During activation, upgrade Deep Security Agent to the latest software version that's compatible with Deep Security Manager. Linux computers only. See also Automatically upgrade agents on activation.

Inactive Agent Cleanup

If you have many offline computers (that is, computers not communicating with Deep Security Manager), you can automatically remove them from Computers using inactive agent cleanup. This setting is useful together with reactivating currently unknown agents. See also Automate offline computer removal with inactive agent cleanup.

Delete Agents that have been inactive for: How much time a computer must be inactive in order to be removed.

Data Privacy

Allow packet data capture in network events: This setting determines whether the agent captures and sends packet data to Deep Security Manager as part of Intrusion Prevention and Firewall events. The options for this setting are:

  • Yes (excluding encrypted traffic): This is the default option. All unencrypted packet data is sent to Deep Security Manager.
  • Yes (all traffic): All packet data is sent to Deep Security Manager, including encrypted packet data. The resource requirements for capture of packet data on encrypted connections is higher than for unencrypted connections. If you select this option and encounter problems with performance on your workloads, consider switching to the option that excludes encrypted traffic.
  • No: Packet data is not captured or transmitted from the agent to Deep Security Manager. Customers in regulated environments or who are concerned about the transmission of network content to Deep Security Manager can disable this setting. For more information about data transmitted to Deep Security Manager, see the Deep Security Data Collection Notice.

This feature is supported with Deep Security Agent 12.5.0.1001 or later.

Agentless vCloud Protection

Allow Appliance protection of vCloud VMs: Allow virtual machines in VMware vCloud to be protected by Deep Security Virtual Appliance instead of (or in addition to) Deep Security Agent. If Deep Security Manager is multi-tenant, tenants configure the security policies of those VMs.