When you activate ransomware recovery services and start VMs in validation, they are put into a 'Quarantined+Analysis' network, which means those VMs can only connect over the internet to integrated security and vulnerability servers on Carbon Black Cloud and to basic network services like DNS and NTP.

Once a VM has been moved into the validation stage, you can choose different network isolation levels for one or more VMs on the recovery SDDC, depending on your method of analysis and how much isolation you require.

You can select multiple VMs in a running plan, and then from the Other Actions menu, select Change Isolation.

Changing network isolation for multiple VMs.

Or, you can change the network when a VM is started and in validation, by clicking Change Isolation from the Toolkit panel.

Link for changing network isolation levels
Note: You can also create your own custom network isolation level.
The following table describes the ransomware network isolation levels and the type of network access allowed for each. A check mark means that the type of connectivity is allowed.
Note: Applying or changing a network isolation level for a VM overwrites any previous firewall configurations that were previously set for the VM.

Some isolation levels require NSX Advanced Firewall. When NSX Advanced Firewall is enabled, VMware Ransomware Recovery creates firewall rules for the various network isolation levels during recovery operations. When all recovery plans for ransomware are ended, all firewall groups and rules are deleted on the recovery SDDC.

If you already have a subscription to the advanced firewall active in your SDDC, VMware Ransomware Recovery leverages the already deployed NSX Advanced Firewall and does not activate or deactivate any NSX Advanced Firewall services, and there are no additional on-demand NSX charges incurred. For more information, see VMware NSX Advanced Firewall for VMware Cloud on AWS.

If your SDDC does not have NSX Advanced Firewall enabled, VMware Live Cyber Recovery enables it each time you run a recovery plan for ransomware (which incurs a cost). When the last concurrent plan is disabled, NSX Advanced Firewall is also deactivated.

Network Isolation Levels Allowed Connectivity

Note: If you have configured VMware Cloud Gateway in a plan, then east-west refers to traffic within the gateway.

Columns: Network Access Level | NSX-T Advanced Firewall required for security scanning | DHCP, DNS, NTP | Integrated Security analysis and scanning | Outbound External | Outbound East-West | Inbound External | Inbound East-West*

Isolated
NSX Advanced Firewall required: No
Allowed connectivity: none

Quarantined
NSX Advanced Firewall required: No
Allowed connectivity: ✓ ✓

Quarantined+Analysis
Note: Default isolation level when NSX Advanced Firewall is enabled.
NSX Advanced Firewall required: Yes
Allowed connectivity: ✓ ✓

External Outbound
Note: Default isolation level used when NSX Advanced Firewall is not enabled.
NSX Advanced Firewall required: No
Allowed connectivity: ✓ ✓ ✓

Internal Inbound
NSX Advanced Firewall required: Yes
Allowed connectivity: ✓ ✓ ✓

Internal
NSX Advanced Firewall required: Yes
Allowed connectivity: ✓ ✓ ✓ ✓

Internal + External Outbound
NSX Advanced Firewall required: No
Allowed connectivity: ✓ ✓ ✓ ✓

Open
NSX Advanced Firewall required: No
Allowed connectivity: ✓ ✓ ✓ ✓ ✓ ✓

Network Isolation with NSX Advanced Firewall On

When you activate integrated security and vulnerability analysis and turn on NSX Advanced Firewall in the Settings dialog box, and your recovery plan has ransomware recovery and integrated analysis on, VMs in the validation state are placed into the Quarantined+Analysis network isolation level.

Network isolation level with NSX Advanced Firewall on.

Network Isolation with NSX Advanced Firewall Off

If you activate integrated security and vulnerability analysis but turn off NSX Advanced Firewall in the Settings dialog box, and your recovery plan has ransomware recovery and integrated analysis on, VMs in the validation state are placed into the External Outbound network isolation level. This isolation level allows the sensors installed on the VMs to connect to Carbon Black Cloud.

Network Isolation level with NSX Advanced Firewall off

Network Isolation with Integrated Security and Vulnerability Analysis Off

If you deactivate integrated security and vulnerability analysis from the Settings dialog box, VMs in the validation state are placed into the Quarantined network isolation level.

Network isolation level when integrated security and vulnerability analysis is off.
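The three cases above, plus the note that applying a level overwrites a VM's earlier firewall configuration, can be summarised as a small policy model. The following is an added illustration, not VMware code and not the NSX rule format: it picks the default isolation level from the two settings, represents each level as the set of connectivity types it allows, and shows that applying a level replaces (rather than merges with) whatever allow-rules were on the VM before. The allowed sets are taken from the page's prose and check-mark counts (Isolated: none; Quarantined+Analysis: basic services plus the integrated analysis servers; Open: everything); the exact composition of External Outbound (basic services, integrated analysis and outbound external) is this example's assumption.

```python
"""Simplified model of ransomware-recovery network isolation levels.

Constructed illustration only: the level names and the three default-level
cases come from the page; the rule representation is an assumption of this
example and does not reflect the real NSX Advanced Firewall rule objects.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Conn(Enum):
    """Connectivity types, one per column of the page's table."""
    BASIC_SERVICES = "DHCP, DNS, NTP"
    INTEGRATED_ANALYSIS = "integrated security analysis and scanning"
    OUTBOUND_EXTERNAL = "outbound external"
    OUTBOUND_EAST_WEST = "outbound east-west"
    INBOUND_EXTERNAL = "inbound external"
    INBOUND_EAST_WEST = "inbound east-west"


@dataclass(frozen=True)
class IsolationLevel:
    name: str
    requires_advanced_firewall: bool
    allowed: frozenset


# Only levels whose allowed connectivity the page describes are modelled.
# External Outbound's composition is an assumption of this example.
LEVELS = {lvl.name: lvl for lvl in (
    IsolationLevel("Isolated", False, frozenset()),
    IsolationLevel("Quarantined+Analysis", True,
                   frozenset({Conn.BASIC_SERVICES, Conn.INTEGRATED_ANALYSIS})),
    IsolationLevel("External Outbound", False,
                   frozenset({Conn.BASIC_SERVICES, Conn.INTEGRATED_ANALYSIS,
                              Conn.OUTBOUND_EXTERNAL})),
    IsolationLevel("Open", False, frozenset(Conn)),
)}


def default_level(integrated_analysis: bool, nsx_advanced_firewall: bool) -> str:
    """Default level for a VM entering validation, per the page's three cases."""
    if not integrated_analysis:
        return "Quarantined"
    return "Quarantined+Analysis" if nsx_advanced_firewall else "External Outbound"


@dataclass
class VmFirewall:
    """Per-VM firewall state: the connectivity currently allowed."""
    vm: str
    allowed: set = field(default_factory=set)
    level: Optional[str] = None


def apply_isolation(fw: VmFirewall, level_name: str) -> VmFirewall:
    """Apply an isolation level to a VM.

    The level's allow-set overwrites the previous one; any rule an operator
    added by hand is gone afterwards, which is the behaviour the page warns
    about.
    """
    level = LEVELS[level_name]
    fw.allowed = set(level.allowed)   # replace, not union
    fw.level = level_name
    return fw


def is_allowed(fw: VmFirewall, conn: Conn) -> bool:
    return conn in fw.allowed


if __name__ == "__main__":
    fw = VmFirewall("vm-01")           # constructed sample VM
    apply_isolation(fw, default_level(integrated_analysis=True,
                                      nsx_advanced_firewall=True))
    fw.allowed.add(Conn.INBOUND_EXTERNAL)   # hand-added exception
    apply_isolation(fw, "External Outbound")
    print(fw.level, is_allowed(fw, Conn.INBOUND_EXTERNAL))  # exception lost
```

The point to take from the demo at the bottom is the second `apply_isolation` call: a manually added inbound exception does not survive a level change, so any rule a responder adds during analysis has to be re-applied after switching levels.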