Manager Configuration
The Manager Configuration section of the Administration page holds the sixteen global settings that govern the MetaDefender NDR Manager itself. This chapter documents each setting, its place in the user interface, the validation behavior applied when the setting is saved, and the restart requirement if any. It also walks three common configuration procedures and closes with a quick-start checklist operators use when bringing a new deployment online.
This chapter is written for system administrators and Site Reliability Engineers (SREs) who maintain a MetaDefender NDR Manager. It assumes an installed Manager, an administrator account, and familiarity with the Administration page layout described in the Administration Page.
First-use acronym expansions in this chapter: DNS (Domain Name System), NTP (Network Time Protocol), SMTP (Simple Mail Transfer Protocol), SSL (Secure Sockets Layer), TLS (Transport Layer Security), SNMP (Simple Network Management Protocol), MOTD (Message of the Day), HTTP (Hypertext Transfer Protocol), SIEM (Security Information and Event Management), UI (user interface), API (application programming interface), MVP (Minimum Viable Product), REST (Representational State Transfer), IANA (Internet Assigned Numbers Authority).
Overview
Administrators reach the Manager Configuration section from the Administration page by selecting the Configuration tab. The tab presents a left-rail navigation drawer grouped by category (Network, Security, System, Integrations) and a scrollable right-hand stack of configuration cards. Each card is a form bound to one setting group — DNS, NTP, SMTP, and so on. Each card has its own Save and Reset buttons that activate only when a field in that card has been edited, and every save round-trip routes through the central configuration pipeline so that validation, version history, and audit logging apply uniformly.
Not every setting ships with a graphical form in the current release. Several of the sixteen FRD-scoped settings are API-first in MVP and will grow a user-interface surface in a subsequent release; those settings are still fully configurable through the REST API of the Manager's server-manager service and are flagged as such in the reference table below. The functional behavior documented here — validation rules, restart behavior, propagation, audit — is identical whether a setting is reached through the UI or the API.
Settings Reference
The table below enumerates the sixteen Manager Configuration settings defined in the Administration Functional Requirements Document (FRD). "Required restart" indicates whether the Manager or an affected service must be restarted for the change to take effect; settings marked "No" apply live within seconds of confirmation.
| Setting | Purpose | Required restart | Notes |
|---|---|---|---|
| Hostname | Sets the Manager's network hostname and display name. | Yes (Manager) | Surfaces in dashboards, audit records, and outbound SIEM events. |
| MOTD | Sets the Message of the Day shown on the login screen. | No | Plain text; no Markdown. |
| Notice and Consent Banner | Sets the legal and consent banner shown above the login form. | No | Customers with regulatory requirements commonly use this surface. |
| Data Management and Retention | Sets retention periods for alerts, sessions, files, flows, and packet captures. | No | Deep dive in (Link Removed). |
| Syslog Configuration | Forwards Manager and sensor logs to one or more remote syslog collectors. | No | User Datagram Protocol (UDP) syslog in MVP; deep dive in (Link Removed). |
| Automatic Update Settings | Controls the cadence for OPSWAT InSights feed and signature updates. | No | Default cadence is one hour; deep dive in (Link Removed). |
| Upstream HTTP Proxy | Routes outbound Manager traffic (updates, cloud enrichments) through a corporate proxy. | Yes (affected services) | Broadcast reaches every enrichment service, the updater, and the Elasticsearch bridge. |
| SMTP | Configures an external SMTP relay for email notifications. | Yes (Manager) | Manager-local; not broadcast to sensors. |
| DNS | Sets primary and secondary DNS resolvers. | Yes (Manager and sensors) | Broadcast reaches every service. |
| NTP Server | Sets one or two NTP servers for time synchronization. | Yes (Manager and sensors) | Optional keyed authentication. |
| Timezone | Sets the system timezone used for UI rendering and log timestamps. | Yes (Manager) | IANA timezone names (for example, America/Chicago). |
| Password Complexity | Enforces password length, complexity, expiration, and history rules. | No | Policy is evaluated at user-save time; deep dive in (Link Removed). |
| Account Logon Access Control | Governs account lockout, session timeout, and concurrent-login limits. | No | Lockout thresholds apply on the next failed login after save. |
| Integration Settings | Wires in MetaDefender Core, MetaDefender Cloud, Recorded Future, and SIEM destinations. | No | Deep dive in integrations. |
| SSL Certificate | Uploads the server certificate and private key used by the Manager UI over HTTPS. | Yes (Manager) | Multipart upload against the REST API in MVP. |
| SNMP | Exposes Manager health metrics over SNMP for external monitoring. | Yes (Manager) | SNMPv2c and SNMPv3 supported. |
Setting Details
Hostname
Short description: the Manager's fully-qualified network hostname. The hostname is written to outbound syslog, SNMP traps, and any audit export, which makes a consistent naming scheme across a multi-Manager deployment worthwhile.
UI location: Configuration → System → Hostname.
Validation: the value is checked against RFC-1123 hostname rules (labels of 1–63 characters, alphanumeric plus hyphen, not starting or ending with a hyphen, total length at most 253). A rename triggers a Manager restart and, in deployments where the hostname appears in issued certificates, may require a new SSL certificate upload.
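The RFC-1123 checks listed above, together with the rename caveat about certificates, as an added example in Python. This is illustration code written for this page, not the Manager's own validator; the `plan_rename` helper and the certificate-name matching (exact or single-label wildcard) are assumptions about how an operator would pre-check a rename, not documented Manager behavior.

```python
import re

# RFC 1123 label: 1-63 characters, letters, digits and hyphen only, no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
MAX_HOSTNAME_LENGTH = 253
MAX_LABEL_LENGTH = 63


def validate_hostname(value: str) -> list[str]:
    """Return the list of rule violations for a candidate Manager hostname.

    An empty list means the value passes the RFC 1123 checks described on this page.
    """
    name = value.strip()
    if not name:
        return ["hostname is empty"]
    errors: list[str] = []
    if len(name) > MAX_HOSTNAME_LENGTH:
        errors.append(f"total length {len(name)} exceeds {MAX_HOSTNAME_LENGTH}")
    for label in name.split("."):
        if not label:
            errors.append("empty label (leading, trailing or consecutive dots)")
        elif len(label) > MAX_LABEL_LENGTH:
            errors.append(f"label '{label[:12]}...' exceeds {MAX_LABEL_LENGTH} characters")
        elif not _LABEL_RE.match(label):
            errors.append(
                f"label '{label}' must be alphanumeric or hyphen and must not start or end with a hyphen"
            )
    return errors


def certificate_covers(hostname: str, certificate_names: list[str]) -> bool:
    """True if the certificate's CN/SAN names cover the hostname (assumed matching rules).

    A wildcard entry such as *.example.com covers exactly one leftmost label, so it
    matches ndr-manager.example.com but not a.b.example.com.
    """
    host = hostname.lower().rstrip(".")
    for name in certificate_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def plan_rename(old_hostname: str, new_hostname: str, certificate_names: list[str]) -> dict:
    """Hypothetical pre-check: validation errors, whether the Manager restart will happen,
    and whether the installed certificate still covers the new name."""
    errors = validate_hostname(new_hostname)
    return {
        "errors": errors,
        "restart_manager": not errors and new_hostname.strip() != old_hostname.strip(),
        "certificate_reupload": not errors and not certificate_covers(new_hostname, certificate_names),
    }
```

Running `plan_rename` before touching the form tells an operator whether the "Uploading a New SSL Certificate" procedure will have to follow the rename.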
MOTD
Short description: the Message of the Day rendered above the login form. Operators use it to communicate maintenance windows, escalation contacts, or shift notes.
UI location: Configuration → System → Message of the Day.
Validation: plain-text, length-bounded. The banner is rendered verbatim — no Markdown, no HTML — to avoid injection risk on an unauthenticated page.
Notice and Consent Banner
Short description: the legal or consent banner displayed above the login form. Common content includes regulatory warnings (for example, banking or critical-infrastructure consent text) and terms-of-use statements.
UI location: Configuration → System → Notice and Consent Banner.
Validation: plain-text, length-bounded. The banner must be acknowledged before the login form accepts credentials when the "require explicit acknowledgement" toggle is on.
Data Management and Retention
Short description: retention periods for each category of stored data — alerts, sessions, files, flow records, and packet captures. The retention policy caps how long each category lives in its storage backend before age-off.
UI location: Configuration → System → Data Retention.
Validation: each category has its own lower bound (days or hours depending on category) and an upper bound derived from the deployment's storage capacity. Out-of-range values are rejected on save. Deep dive in (Link Removed).
Syslog Configuration
Short description: forwards Manager logs (audit, system, engine) and enriched alert events to one or more remote syslog collectors. Administrators use this surface to feed MetaDefender NDR events into a SIEM.
UI location: API-first in MVP. Administrators drive the surface through the REST endpoints GET/POST /api/server/syslog-forward and test it with POST /api/server/syslog-forward/test. A graphical form is planned for a subsequent release.
Validation: each destination is validated for a resolvable host, a port in the 1–65535 range, and — where TLS is enabled — a matching client certificate that has been uploaded to the syslog-forward certificate store. A connectivity test can be run before saving. Deep dive in (Link Removed).
Automatic Update Settings
Short description: the cadence at which the Manager polls OPSWAT InSights for new intelligence feeds and new signature packs. The default interval is one hour for feeds and one day for signatures.
UI location: Configuration → System → Automatic Updates.
Validation: the interval is bounded by the product ontology at a minimum frequency (to avoid excessive polling) and a maximum frequency (to avoid feed staleness). Deep dive in (Link Removed).
Upstream HTTP Proxy
Short description: routes outbound Manager traffic through a corporate HTTP/HTTPS proxy. Applies to intelligence feed downloads, cloud-backed enrichment lookups, and the update channel.
UI location: Configuration → Network → Upstream Proxy.
Validation: the host is checked for resolvability, the port for the 1–65535 range, and credentials are stored encrypted. The configuration change is broadcast to the enrichment services, the updater, and the Elasticsearch bridge; each affected service restarts its outbound HTTP client to pick up the new proxy.
SMTP
Short description: the outbound SMTP relay used for email notifications — password-reset emails, administrative alerts, and license-expiry notices.
UI location: Configuration → Network → SMTP.
Validation: the host must be reachable from the Manager network; the port must be in the 1–65535 range; the TLS toggle controls whether the Manager negotiates STARTTLS on the relay connection; the From and Reply-To addresses must be valid email addresses. SMTP configuration is Manager-local — the setting is not broadcast to sensors.
DNS
Short description: primary and optional secondary DNS resolvers used by the Manager and every sensor. Both IPv4 and IPv6 resolver addresses are accepted.
UI location: Configuration → Network → DNS.
Validation: each address is checked for well-formedness as an IPv4 or IPv6 address. The change is broadcast to every service; the Manager and each sensor rewrite their host resolver configuration on the underlying operating system and restart any client pool that caches resolver handles.
NTP Server
Short description: one or two NTP servers used for time synchronization. Optional keys authenticate the exchange.
UI location: Configuration → Network → NTP.
Validation: each host must be a reachable IPv4 address. Keys are stored encrypted. The change is broadcast to every service and applied host-side by rewriting the time-daemon configuration and restarting that daemon.
Timezone
Short description: the Manager's system timezone. Governs log timestamp rendering, UI time display, and the alignment of scheduled jobs.
UI location: Configuration → System → Timezone.
Validation: the value must be a valid IANA timezone identifier (for example, UTC, America/Chicago, Europe/Berlin). Invalid values are rejected on save.
Password Complexity
Short description: enforces password length, character-class mix, maximum age (expiration), and reuse history. The policy is evaluated every time an administrator or user sets a password.
UI location: Configuration → Security → Password Policy.
Validation: each rule has its own bounds (minimum length at least 8, history depth at least 0, expiration days at least 0). A relaxed policy applies only to future password changes — existing passwords are not invalidated. Deep dive in (Link Removed).
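The set-time evaluation described above, as an added Python example (not the Manager's own policy engine). It enforces the page's bounds on the policy itself, keeps a salted PBKDF2 history for the reuse check, and shows why relaxing the policy leaves existing passwords valid: only expiration is ever re-evaluated after a password has been stored. The default values and the PBKDF2 iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # constructed value for the example
DEMO_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed "current time" for demos


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12        # the page's lower bound for this field is 8
    required_classes: int = 3   # how many of lower/upper/digit/symbol must appear
    max_age_days: int = 90      # 0 disables expiration
    history_depth: int = 5      # 0 disables reuse checks

    def __post_init__(self) -> None:
        # Bounds the page states for the policy fields themselves.
        if self.min_length < 8:
            raise ValueError("minimum length must be at least 8")
        if self.history_depth < 0 or self.max_age_days < 0:
            raise ValueError("history depth and expiration days must be at least 0")
        if not 1 <= self.required_classes <= 4:
            raise ValueError("required character classes must be between 1 and 4")


@dataclass
class PasswordRecord:
    """Per-user state: salted hashes of recent passwords, newest first, plus the last set time."""
    history: list = field(default_factory=list)
    set_at: Optional[datetime] = None


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _character_classes(password: str) -> int:
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(1 for check in checks if any(check(c) for c in password))


def check_candidate(policy: PasswordPolicy, record: PasswordRecord, candidate: str) -> list:
    """Evaluate a new password against the policy; returns the list of violations."""
    errors = []
    if len(candidate) < policy.min_length:
        errors.append(f"shorter than {policy.min_length} characters")
    if _character_classes(candidate) < policy.required_classes:
        errors.append(f"fewer than {policy.required_classes} character classes")
    # Only the most recent history_depth entries count for the reuse check.
    for salt, digest in record.history[: policy.history_depth]:
        if hmac.compare_digest(_digest(candidate, salt), digest):
            errors.append(f"reuses one of the last {policy.history_depth} passwords")
            break
    return errors


def set_password(policy: PasswordPolicy, record: PasswordRecord, candidate: str, now: datetime) -> None:
    """Apply the policy at set time, the only moment the complexity rules run, then store the hash."""
    errors = check_candidate(policy, record, candidate)
    if errors:
        raise ValueError("; ".join(errors))
    salt = os.urandom(16)
    record.history.insert(0, (salt, _digest(candidate, salt)))
    record.set_at = now


def is_expired(policy: PasswordPolicy, record: PasswordRecord, now: datetime) -> bool:
    """Expiration is the one rule checked after the fact; a changed length or class rule
    never invalidates an already stored password."""
    if policy.max_age_days == 0 or record.set_at is None:
        return False
    return now - record.set_at > timedelta(days=policy.max_age_days)
```

Because `set_password` stores only a hash, a later, stricter policy cannot be retroactively applied either: the stored password is simply checked for age, and the new rules bite at the next change.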
Account Logon Access Control
Short description: account lockout policy (failed-attempt threshold and window), session timeout, and concurrent-login limits.
UI location: Configuration → Security → Account Logon.
Validation: lockout threshold and window are positive integers; session timeout is bounded to prevent indefinite sessions; concurrent-login limits apply per-user. Lockout thresholds apply on the next failed login after save — already-locked accounts are not retroactively unlocked by raising the threshold.
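The lockout, session-timeout and concurrent-login rules above, as an added Python example written for this page (not the Manager's own logon service). It reproduces the stated edge case: a threshold raised after an account is locked does not unlock it, and the new threshold governs only the next run of failures. The lock duration (the page states none) and the one-day session-timeout ceiling are assumptions; timestamps are plain seconds so the example runs without a clock.

```python
import uuid
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class LogonPolicy:
    lockout_threshold: int          # failed attempts inside the window that lock the account
    lockout_window_s: int           # seconds over which failures are counted
    session_timeout_s: int          # idle seconds after which a session is dropped
    max_concurrent: int             # active sessions allowed per user
    lockout_duration_s: int = 900   # assumption: the page does not state a lock duration

    def __post_init__(self) -> None:
        if min(self.lockout_threshold, self.lockout_window_s, self.max_concurrent) < 1:
            raise ValueError("threshold, window and concurrent-login limit must be positive")
        if not 0 < self.session_timeout_s <= 86_400:
            raise ValueError("session timeout must be bounded (1 second to 1 day assumed here)")


@dataclass
class AccountState:
    failures: list = field(default_factory=list)   # timestamps of recent failed logins
    locked_until: float = 0.0
    sessions: dict = field(default_factory=dict)    # session id -> last-activity timestamp


class LogonGuard:
    def __init__(self, policy: LogonPolicy) -> None:
        self.policy = policy

    def apply_policy(self, policy: LogonPolicy) -> None:
        """Swap in a saved policy. Existing locks stay in place: the new threshold is
        consulted only on the next failed login, as the page describes."""
        self.policy = policy

    def is_locked(self, acct: AccountState, now: float) -> bool:
        return now < acct.locked_until

    def record_failure(self, acct: AccountState, now: float) -> bool:
        """Register a failed login; return True if the account is (now) locked."""
        if self.is_locked(acct, now):
            return True
        p = self.policy
        acct.failures = [t for t in acct.failures if now - t < p.lockout_window_s]
        acct.failures.append(now)
        if len(acct.failures) >= p.lockout_threshold:
            acct.locked_until = now + p.lockout_duration_s
            acct.failures.clear()
            return True
        return False

    def open_session(self, acct: AccountState, now: float) -> Optional[str]:
        """Credentials were correct: refuse if locked or over the concurrent limit."""
        if self.is_locked(acct, now):
            return None
        self._expire_sessions(acct, now)
        if len(acct.sessions) >= self.policy.max_concurrent:
            return None
        acct.failures.clear()
        sid = uuid.uuid4().hex
        acct.sessions[sid] = now
        return sid

    def touch_session(self, acct: AccountState, sid: str, now: float) -> bool:
        """Mark activity on a session; False if it has already timed out."""
        self._expire_sessions(acct, now)
        if sid not in acct.sessions:
            return False
        acct.sessions[sid] = now
        return True

    def _expire_sessions(self, acct: AccountState, now: float) -> None:
        limit = self.policy.session_timeout_s
        acct.sessions = {s: t for s, t in acct.sessions.items() if now - t < limit}
```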
Integration Settings
Short description: the shared surface for external integrations — MetaDefender Core and MetaDefender Cloud for file scanning, Recorded Future for threat intelligence, and SIEM destinations (see Syslog Configuration above).
UI location: Configuration → Integrations.
Validation: varies by integration. Each integration form runs a connectivity probe before persisting credentials. Deep dive in (Link Removed).
SSL Certificate
Short description: the server certificate and private key used by the Manager UI when reached over HTTPS.
UI location: API-first in MVP. Administrators upload certificates through POST /api/server/tls/certificates (multipart form upload of the certificate and key) and check status with GET /api/server/tls/certificates. A graphical upload form is planned for a subsequent release.
Validation: the uploaded certificate is parsed, checked for a matching private key, checked for validity dates, and checked against the Manager hostname as a common-name or subject-alternative-name match. Mismatches are rejected before the certificate is installed. A Manager restart is required for the new certificate to bind.
SNMP
Short description: exposes Manager health metrics over SNMP for an external network-management station (NMS).
UI location: Configuration → System → SNMP.
Validation: the community string (for SNMPv2c) or user and authentication/privacy credentials (for SNMPv3) are stored encrypted. The port must be in the 1–65535 range. Enabling SNMP binds the Manager's SNMP agent on that port — a Manager restart is required.
Validation, Confirmation, and Propagation
Every save on a Manager Configuration card runs through the same pipeline: the value is validated against its schema and bounds in the product ontology, persisted to the configuration store with a new version identifier, and broadcast to every service the setting affects. Affected services apply the new value live where they can and report health back to the configuration store; the UI reflects that health in the status line on each card. Settings that require a restart are called out on the form with a banner before the Save button is engaged, and the confirmation dialog spells out the restart requirement a second time. The underlying rules for validation, propagation order, health reporting, and precedence when group-level and sensor-level overrides disagree live in the Manager Configuration.
Each completed save is recorded in the audit trail with the actor, the prior and new values, the timestamp, and a correlation identifier. Configuration changes are version-controlled, and an earlier version of any setting can be restored through the /api/server/config/:configType/versions and /api/server/config/:configType/revert REST endpoints.
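The save pipeline of the two paragraphs above (validate, persist a new version, broadcast to affected services, collect health, audit with actor, prior and new values, timestamp and correlation identifier, and revert) as an added Python example. This is a model written for this page, not the Manager's configuration store; the syslog-forward validator and the stand-in services are constructed, and the shape of the audit record and of the `save` result are assumptions.

```python
import uuid
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Callable, Optional


@dataclass(frozen=True)
class SettingSpec:
    """What the pipeline knows about one setting: its validator, the services that are
    told about a change, and whether the form shows the restart banner."""
    validate: Callable[[Any], list]
    affected_services: tuple
    requires_restart: bool


@dataclass(frozen=True)
class Version:
    version_id: int
    value: Any
    actor: str
    saved_at: datetime
    correlation_id: str


class ConfigStore:
    def __init__(self, specs: dict, services: dict) -> None:
        self.specs = specs            # config type -> SettingSpec
        self.services = services      # service name -> callable(config_type, value) -> health string
        self.versions = {name: [] for name in specs}
        self.health: dict = {}
        self.audit: list = []

    def current(self, config_type: str) -> Any:
        history = self.versions[config_type]
        return history[-1].value if history else None

    def save(self, config_type: str, value: Any, actor: str, now: Optional[datetime] = None) -> dict:
        """Validate, persist a new version, broadcast, collect health, and write the audit entry."""
        spec = self.specs[config_type]
        errors = spec.validate(value)
        if errors:
            raise ValueError(f"{config_type}: " + "; ".join(errors))
        now = now or datetime.now(timezone.utc)
        prior = self.current(config_type)
        version = Version(len(self.versions[config_type]) + 1, value, actor, now, uuid.uuid4().hex)
        self.versions[config_type].append(version)
        for service in spec.affected_services:
            self.health[service] = self.services[service](config_type, value)
        self.audit.append({
            "actor": actor, "config_type": config_type, "prior": prior, "new": value,
            "timestamp": now.isoformat(), "correlation_id": version.correlation_id,
            "version_id": version.version_id,
        })
        return {"version_id": version.version_id, "requires_restart": spec.requires_restart,
                "health": {s: self.health[s] for s in spec.affected_services}}

    def revert(self, config_type: str, version_id: int, actor: str) -> dict:
        """Restore an earlier version. The restore is itself a save, so it gets a new version
        number, is re-broadcast, and is audited like any other change."""
        target = next((v for v in self.versions[config_type] if v.version_id == version_id), None)
        if target is None:
            raise KeyError(f"{config_type} has no version {version_id}")
        return self.save(config_type, target.value, actor)


# Constructed example: a syslog-forward destination with the checks this page lists
# (host present, port in 1-65535, TLS needs an uploaded client certificate).
def validate_syslog_destination(dest: dict) -> list:
    errors = []
    if not dest.get("host"):
        errors.append("host is required")
    if not 1 <= int(dest.get("port", 0)) <= 65535:
        errors.append("port must be in 1-65535")
    if dest.get("tls") and not dest.get("client_cert_id"):
        errors.append("TLS destinations need an uploaded client certificate")
    return errors


def build_demo_store() -> ConfigStore:
    """Two stand-in services (constructed names) that acknowledge every broadcast."""
    names = ("manager-logger", "sensor-relay")
    specs = {"syslog-forward": SettingSpec(validate_syslog_destination, names, False)}
    services = {n: (lambda config_type, value, n=n: f"{n}: healthy") for n in names}
    return ConfigStore(specs, services)
```

The point to notice is that `revert` never rewrites history: version 1 restored on top of version 2 becomes version 3, so the audit trail still shows who restored what and when.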
Common Procedures
Changing the Manager Hostname
- Confirm with stakeholders that downstream consumers (SIEM collectors, certificate subjects, firewall rules, bookmarks) are prepared for the new hostname.
- Navigate to Administration → Configuration → System → Hostname.
- Enter the new fully-qualified hostname and click Save.
- Acknowledge the restart-required banner in the confirmation dialog.
- Wait for the Manager to restart (typically under a minute). The UI becomes unreachable at the old hostname at this point.
- Reconnect using the new hostname. If the Manager UI uses an SSL certificate whose subject does not match the new hostname, follow "Uploading a New SSL Certificate" next.
- Verify the audit log shows the hostname-change entry with the correct actor and timestamp.
Uploading a New SSL Certificate
- Obtain the server certificate and private key files from the certifying authority or internal public-key infrastructure. Both must be PEM-encoded.
- Verify locally that the certificate matches the Manager hostname — the hostname must appear as the common name or a subject-alternative-name entry.
- Upload the pair through the REST API with a multipart POST /api/server/tls/certificates request, supplying the certificate and the private key as form parts.
- The Manager validates the pair, rejects on mismatch or expiry, and otherwise installs the certificate into its TLS keystore.
- Restart the Manager so the new certificate binds.
- Reconnect and verify the browser accepts the new certificate.
- Verify the audit log shows the certificate-rotation entry.
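The upload step of this procedure, as an added Python example using only the standard library (this is illustration code for the page, not an OPSWAT client). The endpoint path comes from the page; the form-part names `certificate` and `private_key`, the bearer-token header and the `application/x-pem-file` content type are assumptions to adjust to the API reference. The `pem_sanity` check catches the common slip of swapping the two files before the round-trip.

```python
import uuid
from urllib import request


def pem_sanity(cert_pem: bytes, key_pem: bytes) -> list:
    """Cheap local checks before the round-trip: right PEM block types, and the key not swapped
    with the certificate. Key matching, dates and hostname are checked by the Manager on upload."""
    errors = []
    if b"-----BEGIN CERTIFICATE-----" not in cert_pem:
        errors.append("certificate file is not a PEM certificate")
    if b"PRIVATE KEY-----" not in key_pem:
        errors.append("key file is not a PEM private key")
    if b"PRIVATE KEY-----" in cert_pem:
        errors.append("certificate file contains a private key; the parts look swapped")
    return errors


def build_multipart(parts: dict) -> tuple:
    """Encode {field: (filename, bytes, content_type)} as multipart/form-data.
    Returns (Content-Type header value, body bytes)."""
    boundary = "----ndr-" + uuid.uuid4().hex
    chunks = []
    for field_name, (filename, content, content_type) in parts.items():
        chunks.append(f"--{boundary}\r\n".encode())
        chunks.append(
            f'Content-Disposition: form-data; name="{field_name}"; filename="{filename}"\r\n'.encode()
        )
        chunks.append(f"Content-Type: {content_type}\r\n\r\n".encode())
        chunks.append(content + b"\r\n")
    chunks.append(f"--{boundary}--\r\n".encode())
    return f"multipart/form-data; boundary={boundary}", b"".join(chunks)


def certificate_upload_request(base_url: str, api_token: str, cert_pem: bytes, key_pem: bytes) -> request.Request:
    """Build the POST /api/server/tls/certificates request. Form-part names and the
    bearer-token header are assumptions, not documented API details."""
    errors = pem_sanity(cert_pem, key_pem)
    if errors:
        raise ValueError("; ".join(errors))
    content_type, body = build_multipart({
        "certificate": ("server.crt", cert_pem, "application/x-pem-file"),
        "private_key": ("server.key", key_pem, "application/x-pem-file"),
    })
    req = request.Request(base_url.rstrip("/") + "/api/server/tls/certificates", data=body, method="POST")
    req.add_header("Content-Type", content_type)
    req.add_header("Authorization", f"Bearer {api_token}")
    return req


def upload_certificate(base_url: str, api_token: str, cert_pem: bytes, key_pem: bytes, timeout: int = 30) -> tuple:
    """Send the request and return (HTTP status, response body). Read the key from disk
    with open(path, "rb") and never log its bytes."""
    req = certificate_upload_request(base_url, api_token, cert_pem, key_pem)
    with request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read()
```

After a successful upload, restart the Manager and confirm with GET /api/server/tls/certificates that the reported subject and expiry match the file you sent.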
Configuring SMTP
- Obtain the SMTP relay details from the networking team: host, port, whether STARTTLS is required, and the service-account username and password if authenticated.
- Navigate to Administration → Configuration → Network → SMTP.
- Enter Host, Port, enable TLS if the relay requires STARTTLS, and populate Username and Password.
- Enter a From address that the relay accepts (commonly ndr-noreply@<organization-domain>) and a Reply-To address that routes to a staffed mailbox.
- Enter a To address used by the connectivity test — typically an administrator mailbox that accepts inbound mail from the From address.
- Click Save and acknowledge the restart-required dialog. The Manager restarts its mail client.
- Trigger a test notification — for example, request a password reset for a test account — and verify the message arrives at the destination mailbox.
- Verify the audit log shows the SMTP-configuration entry.
Quick-Start Checklist
The checklist below runs through the Manager Configuration settings that operators typically set before a MetaDefender NDR deployment enters daily use. Items that link to later chapters receive their full treatment there; this list is a pre-production sanity pass.
| Item | Action | Verification |
|---|---|---|
| Hostname | Set the Manager hostname and confirm the Manager restarts cleanly. | The UI is reachable at the new hostname; the audit log shows the change. |
| DNS | Configure primary and (optional) secondary DNS resolvers. | Resolution tests from the Manager and one adopted sensor succeed for a known hostname. |
| NTP | Configure one or two NTP servers. | The Manager and each sensor show a time offset under one second in health monitoring. |
| Timezone | Set the IANA timezone. | UI timestamps and exported logs render in the expected local time. |
| SSL Certificate | Upload a certificate whose subject matches the Manager hostname. | The browser connects without warning; GET /api/server/tls/certificates returns the new subject and expiry. |
| SMTP | Configure the outbound SMTP relay. | A test password-reset email delivers to the destination mailbox. |
| Upstream HTTP Proxy | Configure the proxy if the Manager cannot reach the Internet directly. | The next automatic update check succeeds; the enrichment services report healthy. |
| Automatic Updates | Verify the default one-hour feed cadence meets organizational policy. | [Updates Management](Updates Management) verification steps pass. |
| Syslog Configuration | Wire the Manager to the organization's SIEM. | The SIEM receives events within minutes of the first alert; the connectivity-test endpoint succeeds. |
| SNMP | Enable SNMP if an NMS will poll the Manager. | The NMS receives responses on the configured port. |
| Notice and Consent Banner | Apply the organization's login-screen legal text. | The banner renders on the login page. |
| MOTD | Apply any operator-shift or maintenance message. | The MOTD renders on the login page. |
| Password Complexity | Align the password policy with organizational policy. | A new user creation is rejected when a weak password is entered. |
| Account Logon Access Control | Set lockout, session timeout, and concurrent-login limits. | A deliberate failed-login run locks the test account as expected. |
| Data Management and Retention | Confirm default retention matches the organization's policy. | [Data Retention](Data Retention) verification steps pass. |
| Integration Settings | Wire in MetaDefender Core and Cloud, Recorded Future, and SIEM as applicable. | Integrations verification steps pass for each wired integration. |
See Also
- Administration Page — the Administration page structure, access control, audit trail, and chapter map.
- Sensor Management — per-sensor configuration and overrides, including settings that inherit from the Manager.
- Manager Configuration — deep dive on validation, propagation, precedence, and troubleshooting of configuration changes.