The NSX Advanced Firewall Add On provides a distributed IDS/IPS, L7 FW and DNS filtering that enhance the capabilities of the existing distributed firewall, providing a distributed, scalable security solution that is fully integrated with the Private Cloud and VMware Aria Operations for Logs for monitoring, and can help address many of the considerations in this document.

Ideas to consider:

  • Ensure that “Auto Update new versions (recommended)” is enabled in the Distributed IDS/IPS settings.

  • Automatic signature updates require outbound/egress network access for the NSX Manager to the update servers. If you have created egress rules for your SDDC ensure that NSX Manager can continue to retrieve signature updates.

  • By default, the Distributed IDS/IPS does not have a defined rule for detection. You will need to create and enable a rule. Be mindful of the tradeoff between detection scope and system performance. For example, you may find it helpful to create an IP address group called “Internet” that is defined as 0.0.0.0/0 (IPv4) and/or ::/0 (IPv6), which represents all possible IP addresses. You can use this group as both the source and destination for the IDS/IPS rules to apply detection logic to all traffic. However, inspecting more traffic consumes more resources. Monitor performance and reduce the scope of your detection rules as needed.

  • Remember that if an attacker has breached a workload the attacks might come from inside your SDDC as the attacker tries to move laterally. Microsegmentation allows for very granular rules and easily updated rule sets. Use very specific rules where possible and leverage groups to allow easy updates when needed.

  • The default Intrusion Detection Service Profile, “DefaultIDSProfile,” does not include all rules, because enabling more rules trades off against performance. Consider adding a new profile that is customized to the needs of your organization.

  • In order for traffic to be blocked/dropped by the IPS engine, the signature in the profile has to be set with an action of Drop or Reject AND the rule mode has to be set to Detect & Prevent. This gives precise control over how different signatures are applied to different traffic types.
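The points above can be turned into an offline configuration review. The following is an added example, not code from VMware or from the NSX product: it models settings, groups, profiles and rules as plain dictionaries whose field names (`auto_update`, `ip_addresses`, `signatures`, `mode`, `profile`) are assumptions for illustration rather than the NSX Policy API schema, and the sample configuration, group names and signature labels are constructed. It flags a disabled auto-update, the absence of an enabled rule, a rule whose source and destination both match all traffic, and the Drop/Reject-plus-Detect & Prevent combination that is required before anything is actually blocked.

```python
"""Offline review of a Distributed IDS/IPS configuration against the checklist above.

All objects here are simplified dicts (assumed shape, not the NSX API schema); in
practice the real settings, groups, profiles and rules would be exported from
NSX Manager and fed into review_ids_config().
"""
from typing import Dict, List

# Rule modes as used in this example (the NSX UI calls them "Detect Only" and
# "Detect & Prevent"; these string values are an assumption of this example).
DETECT_ONLY = "DETECT"
DETECT_PREVENT = "DETECT_PREVENT"
# Signature actions that can result in a drop when the rule is in Detect & Prevent.
BLOCKING_ACTIONS = {"DROP", "REJECT"}
# The "Internet" style group that matches every IPv4 and IPv6 address.
ALL_TRAFFIC_CIDRS = {"0.0.0.0/0", "::/0"}


def signature_would_block(signature_action: str, rule_mode: str) -> bool:
    """Traffic is dropped only when BOTH conditions hold: the signature's action in
    the profile is Drop or Reject AND the rule runs in Detect & Prevent mode."""
    return (signature_action.upper() in BLOCKING_ACTIONS
            and rule_mode.upper() == DETECT_PREVENT)


def covers_all_traffic(group: Dict) -> bool:
    """True when the group contains both default prefixes, i.e. matches any address."""
    return ALL_TRAFFIC_CIDRS <= set(group.get("ip_addresses", []))


def review_ids_config(settings: Dict, groups: Dict, profiles: Dict, rules: List[Dict]) -> List[str]:
    """Return a list of human-readable findings; an empty list means no issues found."""
    findings: List[str] = []

    if not settings.get("auto_update", False):
        findings.append("signature auto-update is disabled; enable it and keep NSX Manager "
                        "egress to the signature update servers open")

    enabled_rules = [r for r in rules if r.get("enabled", False)]
    if not enabled_rules:
        findings.append("no enabled IDS/IPS rule exists; nothing is inspected until one is created")

    for rule in enabled_rules:
        rid = rule["id"]
        profile = profiles.get(rule["profile"])
        if profile is None:
            findings.append(f"rule {rid}: references unknown profile '{rule['profile']}'")
            continue

        # Scope check: all-to-all inspection is valid but costs the most resources.
        src = groups.get(rule["source"], {})
        dst = groups.get(rule["destination"], {})
        if covers_all_traffic(src) and covers_all_traffic(dst):
            findings.append(f"rule {rid}: inspects all traffic in both directions; "
                            "monitor performance and narrow the scope if needed")

        # Prevention check: a profile and a rule mode that do not line up only alert.
        has_drop_sigs = any(a.upper() in BLOCKING_ACTIONS for a in profile["signatures"].values())
        if rule["mode"].upper() == DETECT_PREVENT and not has_drop_sigs:
            findings.append(f"rule {rid}: Detect & Prevent, but profile '{rule['profile']}' "
                            "has no Drop/Reject signatures, so nothing is blocked")
        elif rule["mode"].upper() != DETECT_PREVENT and has_drop_sigs:
            findings.append(f"rule {rid}: profile '{rule['profile']}' has Drop/Reject "
                            "signatures but the rule is Detect only, so they only alert")
    return findings


# Constructed sample configuration for demonstration (not exported from a real SDDC).
SAMPLE_SETTINGS = {"auto_update": False}
SAMPLE_GROUPS = {
    "Internet": {"ip_addresses": ["0.0.0.0/0", "::/0"]},
    "Web-Tier": {"ip_addresses": ["10.10.1.0/24"]},
}
SAMPLE_PROFILES = {
    "DefaultIDSProfile": {"signatures": {"sig-A": "ALERT", "sig-B": "ALERT"}},
    "Web-Prevent-Profile": {"signatures": {"sig-A": "DROP", "sig-B": "REJECT"}},
}
SAMPLE_RULES = [
    {"id": "all-traffic-detect", "enabled": True, "mode": DETECT_ONLY,
     "source": "Internet", "destination": "Internet", "profile": "Web-Prevent-Profile"},
    {"id": "web-prevent", "enabled": True, "mode": DETECT_PREVENT,
     "source": "Internet", "destination": "Web-Tier", "profile": "DefaultIDSProfile"},
]

if __name__ == "__main__":
    for finding in review_ids_config(SAMPLE_SETTINGS, SAMPLE_GROUPS, SAMPLE_PROFILES, SAMPLE_RULES):
        print("-", finding)
```

Run against the sample it reports four findings: auto-update off, the all-to-all rule, the Detect-only rule paired with a Drop/Reject profile, and the Detect & Prevent rule paired with an alert-only profile. Swapping the profiles between the two rules and enabling auto-update clears all but the scope finding, which is the performance tradeoff the list above asks you to monitor rather than an error.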