Activate the NSX Suspicious Traffic Detectors

Before any threats or suspicious network traffic data can be detected in your NSX-T Data Center environment, you must manually turn on the NSX Suspicious Traffic detectors that you want to use. Only the detectors that are activated will be used for monitoring suspicious network traffic events.

Prerequisites

Verify that you meet the license requirements and software requirements listed in System Requirements for the NSX Suspicious Traffic Feature.
You must be logged in to NSX Manager using one of the following NSX-T Data Center built-in roles. See Role-Based Access Control in NSX Intelligence for more information.
- Enterprise Admin
- Security Admin

Procedure

From your browser, log in with the required privileges to an NSX Manager appliance at https://<nsx-manager-ip-address>.
Use the following steps to turn on a supported NSX Suspicious Traffic detector to perform network traffic analysis on the collected traffic data.

Note that the following steps are for all available detectors, except for the DNS-based detectors, which must be manually configured before they can be used. See the next step after this one for information about configuring DNS-based detectors.
1. Navigate to the Security > Suspicious Traffic > Detector Definitions tab.
2. Locate the detector that you want to activate and click Edit (pencil icon).
3. Locate the toggle switch in the far-right side of the expanded row and click the toggle switch to turn on the detector, as shown in the following image.
4. Click Save.
To turn on DNS-based detectors, such as Domain Generation Algorithm (DGA) and DNS Tunneling, perform the following steps only once.
1. Create a custom DNS context profile or use a default system-provided context profile.
  
  See details about adding a context profile in the NSX-T Data Center Administration Guide for version 3.2 or later at https://docs.vmware.com/en/VMware-NSX/index.html.
2. Create a distributed firewall rule, using ANY in the Sources and Destinations columns; and using the DNS context profile, if you created one.
  
  See details about adding a distributed firewall rule in the NSX-T Data Center Administration Guide for version 3.2 or later at https://docs.vmware.com/en/VMware-NSX/index.html.
3. Navigate to the Security > Suspicious Traffic > Detector Definitions tab.
4. Locate the DNS-based detector that you want to activate and click Edit (pencil icon).
5. In the far-right side of the expanded row, locate the toggle switch for that DNS-based detector. To turn on the detector, click the toggle switch on.
6. Click Save.

Results

The toggle switches for the activated detectors show as On in the Detector Definitions tab.

What to do next

Manage the detected suspicious traffic events. See Analyzing the NSX Suspicious Traffic Detection Events for details.