Before you can start using the NSX Suspicious Traffic feature, your NSX-T Data Center environment and the NSX Intelligence feature must meet specific license and software requirements.

License Requirements

One of the following NSX Data Center licenses, each of which supports the NSX Suspicious Traffic feature, must be in effect during your NSX Manager session.
  • NSX Data Center Evaluation
  • NSX-T Evaluation
  • NSX Advanced Threat Prevention (Only applicable for customers who have previously purchased the license.)
  • NSX Advanced Threat Prevention Add On for NSX Distributed Firewall with Threat Prevention
  • NSX Advanced Threat Prevention Add On for NSX Distributed Firewall or NSX Advanced or NSX Enterprise Plus
  • NSX Distributed Firewall with Advanced Threat Prevention
  • NSX Gateway Firewall with Advanced Threat Prevention
  • NSX Advanced Threat Prevention Add On for NSX Gateway Firewall
  • NSX-T Advanced with NSX Advanced Threat Prevention Add-On for NSX Distributed Firewall or NSX Advanced or NSX Enterprise Plus
  • NSX-T Enterprise Plus with NSX Advanced Threat Prevention Add-On for NSX Distributed Firewall or NSX Advanced or NSX Enterprise Plus

Software Requirements

You must meet the following software requirements before you can start using the NSX Suspicious Traffic feature.
  • Install NSX-T Data Center 3.2 or later.
  • Deploy the VMware NSX® Application Platform using an Advanced form factor.
  • Activate the NSX Intelligence 3.2 or later application on the NSX Application Platform.
  • Configure the NSX Intelligence 3.2 or later feature to collect network traffic data only for the specific standalone hosts or clusters of hosts that you want to be monitored. The NSX Suspicious Traffic feature is only supported on standalone hosts or clusters of hosts that have traffic data collection activated. For information about configuring the settings for the NSX Intelligence 3.2 or later feature, see the Activating and Upgrading VMware NSX Intelligence document.
  • Activate the NSX Network Detection and Response feature if you plan to work with campaigns to obtain deeper analysis of the detected suspicious traffic events using the VMware NSX® Advanced Threat Prevention cloud service. See the feature activation information in the NSX Network Detection and Response section of the Security chapter of the NSX-T Data Center Administration Guide document. The NSX-T Data Center Administration Guide document is delivered with VMware NSX® Data Center 3.2 or later and is available at https://docs.vmware.com/en/VMware-NSX/index.html.
    Important: To provide deeper analysis of the detected malicious or anomalous events, the NSX Network Detection and Response feature requires that your NSX-T Data Center 3.2 or later environment be connected to the Internet.

    The NSX Network Detection and Response feature is not supported in air-gapped environments when there is no outbound Internet access from the Kubernetes cluster pods and the NSX-T Data Center Unified Appliance.