The integration between Carbon Black Cloud Workload and NSX-T orchestrates network remediation using NSX-T Distributed Firewall (DFW) policies and their associated tags. After registering the Carbon Black Cloud Workload appliance with NSX Manager, you can use the newly created NSX policies to remediate VM workloads from within the Carbon Black Cloud console, or remove already applied NSX policy tags from selected VM workloads.

Once Carbon Black Cloud generates an alert for a VM workload, you can trigger NSX remediation for that workload either from the Inventory > VM Workloads page or from the Alerts page. This procedure describes the flow within the Alerts page.

Note: Only one NSX tag can be applied to a VM workload at a time. To replace the tag with a new one, first remove the existing tag, then perform NSX remediation again to apply the new tag.

Prerequisites

  • The VM workload must be associated with a Carbon Black Cloud Workload appliance that is registered with NSX and has active NSX connectivity. For information on registering the appliance with NSX, see the VMware Carbon Black Cloud Workload Guide.
  • The VM workload must have a Carbon Black sensor installed with at least the following version:
    • For Windows - 3.6 or later.
    • For Linux - 2.9 or later.
  • The VM workload must be on an NSX N-VDS (opaque network) to have the Apply NSX Tag option available.

Procedure

  1. From the left navigation pane, select Alerts and locate the alert for the compromised VM workload.
  2. Double-click the alert row, or select the > icon, and locate the Remediation section in the details pane.
  3. To trigger the remediation, click Apply NSX Tag.
  4. Select an NSX DFW tag and associated policy to apply to the VM workload from the drop-down menu.
    The available options and the DFW policy each one applies are:

    CB-NSX-Quarantine

    With this policy, the VM workload associated with the pre-registered tag is quarantined from the network. This is a read-only policy for NSX administrators. The policy only allows the following network flows:
    • DHCP for IP address assignment and DNS traffic for name resolution.
    • HTTPS traffic to a list of FQDNs required by the sensor to remain connected to Carbon Black Cloud. The VM has limited internet connectivity, restricted to the FQDNs in the policy definition.

    CB-NSX-Isolate

    With this policy, the VM workload associated with the pre-registered tag is completely isolated from the network. This is a read-only policy for NSX administrators.

    CB-NSX-Custom

    This policy is fully customizable. By applying this policy, the NSX administrator can enforce any rules on VM workloads, so advanced users can define a custom security posture.

    When the DFW policy is applied, a status icon shows that the workload is now restricted by the NSX tag.
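The following is an added illustration, not VMware or Carbon Black code: it models what the three policies described above permit for a tagged workload, and the rule that a workload carries only one NSX tag at a time. The FQDN allowlist and the flow format are constructed assumptions; the real list lives in the NSX policy definition.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Tag names as created by the Carbon Black Cloud Workload / NSX-T registration (from the page).
QUARANTINE = "CB-NSX-Quarantine"
ISOLATE = "CB-NSX-Isolate"
CUSTOM = "CB-NSX-Custom"

# Constructed placeholder allowlist; the real sensor FQDNs are in the NSX policy definition.
SENSOR_FQDNS = {"sensor.example-cbc.invalid", "updates.example-cbc.invalid"}


@dataclass(frozen=True)
class Flow:
    proto: str                      # "udp" or "tcp"
    dst_port: int
    dst_fqdn: Optional[str] = None  # destination name, if the flow targets a known FQDN


def quarantine_allows(flow: Flow) -> bool:
    """Model of CB-NSX-Quarantine: only DHCP, DNS and HTTPS to the sensor FQDNs pass."""
    if flow.proto == "udp" and flow.dst_port in (67, 68):   # DHCP
        return True
    if flow.dst_port == 53:                                  # DNS over udp or tcp
        return True
    if flow.proto == "tcp" and flow.dst_port == 443:         # HTTPS, allowlisted names only
        return flow.dst_fqdn in SENSOR_FQDNS
    return False


def policy_allows(tag: str, flow: Flow, custom_rules: Optional[Callable[[Flow], bool]] = None) -> bool:
    """Evaluate a flow against the policy bound to an NSX tag."""
    if tag == QUARANTINE:
        return quarantine_allows(flow)
    if tag == ISOLATE:
        return False                                         # complete isolation: nothing passes
    if tag == CUSTOM:
        if custom_rules is None:
            raise ValueError("CB-NSX-Custom is administrator-defined; supply its rules")
        return bool(custom_rules(flow))
    raise ValueError(f"unknown NSX tag {tag!r}")


class Workload:
    """A VM workload that may carry at most one NSX tag; an untagged workload is unrestricted."""
    def __init__(self, name: str) -> None:
        self.name, self.tag = name, None

    def apply_nsx_tag(self, tag: str) -> None:
        if self.tag is not None:
            raise RuntimeError(f"{self.name} already carries {self.tag}; remove it before re-tagging")
        self.tag = tag

    def remove_nsx_tag(self) -> None:
        self.tag = None

    def allows(self, flow: Flow, custom_rules: Optional[Callable[[Flow], bool]] = None) -> bool:
        return True if self.tag is None else policy_allows(self.tag, flow, custom_rules)
```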

What to do next

If one or more workloads are already remediated, you can remove their tags by selecting Remove NSX Tags.