# Deployment (UI and general guidance)

## UI vs API Deployment

Match supports deployment via the Vectra UI and via the API: v3.3 and later for RUX deployments, or v2.5 for QUX deployments. Changes made via the UI or either API are reflected in both the UI and in responses to API requests. For example, you might choose to do your initial deployment using the UI and then later automate ruleset management via the API.

## Deployment Main Steps

Match code is present on all Vectra devices that include Sensor functionality (this includes mixed mode Brains). If you are not using Match, there is no performance impact to your deployment, as the code simply lies dormant on the Sensors for potential future use. To turn Match on and begin sending log data to configured destinations when an assigned ruleset matches traffic seen by a device, follow these steps:

* Configure Vectra Match to send matches via Vectra Stream (RUX and QUX), Syslog (QUX only) or Kafka (QUX only).
  * This can be done at any time, but once a ruleset is assigned to a device (Sensor), the device will immediately begin to create matches when a rule matches observed traffic.
* Enable Match by serial number on at least one device.
* Upload ruleset(s) that you intend to use on your device(s) to your Brain.
  * For RUX deployments, rulesets are uploaded to Vectra’s cloud and then sent automatically to your Brain. In the [API Deployment Examples](https://docs.vectra.ai/deployment/match/api-deployment#api-deployment-examples) we’ll show both RUX and QUX ruleset upload processes.
* Assign the ruleset to your device(s).

## Configure Desired Output Method for Matches

The first step in the deployment process is to configure output of Matches to your downstream system that is set up to process Suricata log data. This step can be done at any time, but keep in mind that Matches sent by Sensors will be dropped by the Brain until a receiver is configured. Vectra recommends doing this first to ensure that any matches will be visible downstream immediately once Sensors begin processing traffic against Match rules.

Please see one of the following sections:

* [Match Stream Output to Data Lake or SIEM (RUX and QUX)](https://docs.vectra.ai/deployment/match/outputting-matches-to-downstream-receivers#match-stream-output-to-data-lake-or-siem-rux-and-qux)
* [Match Syslog or Kafka Log Output (QUX only)](https://docs.vectra.ai/deployment/match/outputting-matches-to-downstream-receivers#match-syslog-or-kafka-log-output-qux-only)
* [Using Match with Vectra Recall (QUX only)](https://docs.vectra.ai/deployment/match/outputting-matches-to-downstream-receivers#using-match-with-vectra-recall-qux-only)

## Planning for Required Sensor Downtime

Sensors need to reboot when they change their enablement state for Match. This means that when a Sensor is enabled (changes state from disabled to enabled) or disabled (changes state from enabled to disabled), as a normal part of configuration, the Sensor must reboot. Please keep in mind the following:

* During the reboot of the Sensor, no traffic will be processed by the Sensor that you are changing the state on.
  * This means that metadata will not be passed to the Brain for processing (NDR, Recall, Stream, etc).
  * If the device rebooting is a mixed mode Brain, no traffic captured by that appliance will be buffered.
* Sensor reboots generally take from 1 to 10 minutes depending on the Sensor model.
  * Virtual (including cloud) Sensors are normally the fastest.
  * Hardware Sensors take a bit more time to boot.
* Match processes outside of the reboot mentioned above can also take 5 to 10 minutes to complete when changing state.
  * These processes will not impact the non-Match-related duties performed by your Sensor.
* There are no impacts to the Brain, Recall, Stream, or other Sensors (that are not having their enablement state changed).
  * This only impacts the Sensor that is changing enablement states.
* You should plan enablement state changes for Match during times where being unable to process traffic and forward metadata on to the Brain will have the least impact.

## UI Deployment

All Match configuration is done in the *Configuration → COVERAGE → Vectra Match* section of the Vectra UI:

![](https://content.gitbook.com/content/HJ1ltuWFvsArFWtevnRn/blobs/e4VQ6WaE9YpN0bSliw6c/Unknown%20image)

### Enabling/Disabling Sensor(s)

Sensors must be enabled for Match before rulesets can be assigned to them. Sensors must be paired to be available for enablement and show up in the table. Click on **Enable Sensors**, select the Sensor(s) you wish to enable for Match and then click the **Enable** button in the dialog:

![](https://content.gitbook.com/content/HJ1ltuWFvsArFWtevnRn/blobs/YYP9AoXFi0zKQiRwCrNu/Unknown%20image)

You should see a message near the top of your screen:

![](https://content.gitbook.com/content/HJ1ltuWFvsArFWtevnRn/blobs/aRkDRE6LzjYWFpWCNN7I/Unknown%20image)

Your Sensor(s) should enter the **Healthy** state once they are fully enabled:

![](https://content.gitbook.com/content/HJ1ltuWFvsArFWtevnRn/blobs/C399U1rcZqMATJLDaEY0/Unknown%20image)

Sensors are ready for ruleset assignment after the enablement process has completed. Sensors can also be disabled if you no longer wish to run Match on them. The disabling process is essentially the same except you would select the **Disable Sensors** link instead of the **Enable Sensors** link.

### Upload/Assign Ruleset

Click on the **Upload/Assign Ruleset** button to upload a ruleset (`.rules` file) to the Brain and assign it to a Sensor. You can also assign already uploaded rulesets to a Sensor. First we show uploading and assigning a new ruleset.

![](https://content.gitbook.com/content/HJ1ltuWFvsArFWtevnRn/blobs/GBQD8aBlMvPNztKuoW4c/Unknown%20image)

{% hint style="info" %}
**Please Note:**

* A ruleset is accepted during the upload process when one or more rules within the ruleset are valid.
* A ruleset is only rejected if there are zero valid rules, it is too large, doesn’t have a .rules extension, or the contents match exactly with an existing ruleset.
  {% endhint %}
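
Because an upload is accepted as long as one rule is valid, an upload can succeed while other rules in the same file are not valid. The following local pre-upload check is an added example, not Vectra code: it mirrors the rejection conditions listed above and reports the lines that do not look like well-formed Suricata rules. The function name `preflight`, the `max_bytes` value (the page gives no size limit) and the structural regex are assumptions, and the Brain's own validation may differ.

```python
import hashlib
import re

# Rough structural shape of a Suricata rule; an assumption for local triage,
# not the validation the Brain itself performs.
RULE_RE = re.compile(r"^(alert|pass|drop|reject\w*)\s+\S+\s+\S+\s+\S+\s+(->|<>)"
                     r"\s+\S+\s+\S+\s+\((.*)\)\s*$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample: one well-formed rule, one line that is not a rule.
SAMPLE = (b'alert tcp any any -> any 80 (msg:"constructed example"; sid:1000001; rev:1;)\n'
          b"this line is not a rule\n")


def preflight(name, data, known_sha256=(), max_bytes=50 * 1024 * 1024):
    """Return (ok, reasons, bad_lines) for a candidate ruleset file.

    max_bytes is a placeholder: the page says "too large" without giving a limit.
    known_sha256 holds SHA-256 hex digests of rulesets you uploaded earlier.
    """
    reasons, bad_lines, sids = [], [], set()
    if not name.endswith(".rules"):
        reasons.append("missing .rules extension")
    if len(data) > max_bytes:
        reasons.append("exceeds size limit")
    if hashlib.sha256(data).hexdigest() in known_sha256:
        reasons.append("contents identical to an existing ruleset")
    pending, start = "", 0
    for lineno, raw in enumerate(data.decode("utf-8", "replace").splitlines(), 1):
        start = start if pending else lineno
        pending += raw.strip()
        if pending.endswith("\\"):          # rule continued on the next line
            pending = pending[:-1] + " "
            continue
        line, pending = pending.strip(), ""
        if not line or line.startswith("#"):
            continue                        # blank line or comment
        m = RULE_RE.match(line)
        sid = SID_RE.search(m.group(3)) if m else None
        if sid is None or sid.group(1) in sids:
            bad_lines.append(start)         # malformed, no sid, or repeated sid
        else:
            sids.add(sid.group(1))
    if not sids:
        reasons.append("zero valid rules")
    return (not reasons, reasons, bad_lines)
```

Calling `preflight("lab.rules", SAMPLE)` reports the file as acceptable while still flagging line 2, which is the case worth reviewing before you assign the ruleset to a Sensor.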

Click on the **Browse files** link to select a ruleset from your filesystem and upload/validate it. Once accepted by the Brain, the rules file will be shown (you also have an opportunity to delete it using the trash can icon if you selected the wrong file). It is recommended to add a note to help differentiate files with similar names from each other. You can now move on to assigning the ruleset to your Sensor(s).

![](https://content.gitbook.com/content/HJ1ltuWFvsArFWtevnRn/blobs/fqL9p71bDizk5qIvrFZ2/Unknown%20image)

Click on **Next: Select Sensors**, choose the Sensor(s) you wish to assign the ruleset to and then click on **Assign Sensors**.

* Please note that only Sensors which have been previously enabled for Match will be available to select on this screen.

![](https://content.gitbook.com/content/HJ1ltuWFvsArFWtevnRn/blobs/G0i8kJC8CAtRwLcxpR5b/Unknown%20image)

Once complete, your **Sensors & Rulesets** list will show the Sensor and the ruleset name, or a link to a dialog to allow you to manage the rulesets currently assigned to the Sensor when multiple rulesets are assigned to it.

![](https://content.gitbook.com/content/HJ1ltuWFvsArFWtevnRn/blobs/7MGBHrrrJbcwdojVFHdc/Unknown%20image)

![](https://content.gitbook.com/content/HJ1ltuWFvsArFWtevnRn/blobs/pMNWKu8bDQEgQ0s7vIoN/Unknown%20image)

If you click into the link shown when multiple rulesets are assigned to a Sensor, you will see a dialog box like this one below where you can see or delete ruleset assignments from the Sensor:

![](https://content.gitbook.com/content/HJ1ltuWFvsArFWtevnRn/blobs/5EUiav21KHGBr1p9LXZh/Unknown%20image)

At the beginning of this example, we said we would first show uploading and assigning a ruleset. Now we will show assigning already uploaded rulesets. If you select the **Assign a .rules file that has been uploaded already** option, you will see a new option appear to simply select an existing ruleset. The assignment process is the same as in the first example.

![](https://content.gitbook.com/content/HJ1ltuWFvsArFWtevnRn/blobs/ZhEyenrmB5Lr8hE4nAya/Unknown%20image)

### Deleting Rulesets

If you wish to delete a ruleset completely, this can be done with the **Delete Rulesets** link:

![](https://content.gitbook.com/content/HJ1ltuWFvsArFWtevnRn/blobs/ygiB8X2W1UZQvgjsOV0e/Unknown%20image)

Deleting a ruleset in this manner will remove the ruleset from the Brain and remove the assigned ruleset from any Sensor that was running it.
