Before any threats or suspicious network traffic data can be detected in your NSX environment, you must manually turn on the NSX Suspicious Traffic detectors that you want to use. Only the detectors that are activated will be used for monitoring suspicious network traffic events.

Prerequisites

Procedure

  1. From your browser, log in with the required privileges to an NSX Manager appliance at https://<nsx-manager-ip-address>.
  2. Use the following steps to turn on a supported NSX Suspicious Traffic detector to perform network traffic analysis on the collected traffic data.

    Note that the following steps apply to all available detectors except the DNS-based detectors, which must be configured manually before they can be used. See step 3 for information about configuring DNS-based detectors.

    1. Navigate to the Security > Suspicious Traffic > Detector Definitions tab.
    2. Locate the detector that you want to activate and click Edit (pencil icon).
    3. Locate the toggle switch on the far-right side of the expanded row and click it to turn on the detector, as shown in the following image.

      Screenshot of the Detector Definitions tab in the Suspicious Traffic UI.

    4. Click Save.
  3. To turn on DNS-based detectors, such as Domain Generation Algorithm (DGA) and DNS Tunneling, perform the following steps only once.
    1. Create a custom DNS context profile or use a default system-provided context profile.

      See details about adding a context profile in the NSX Administration Guide for version 3.2 or later at https://docs.vmware.com/en/VMware-NSX/index.html.

    2. Create a distributed firewall rule that uses ANY in the Sources and Destinations columns and the DNS context profile, if you created one.

      See details about adding a distributed firewall rule in the NSX Administration Guide for version 3.2 or later at https://docs.vmware.com/en/VMware-NSX/index.html.

    3. Navigate to the Security > Suspicious Traffic > Detector Definitions tab.
    4. Locate the DNS-based detector that you want to activate and click Edit (pencil icon).
    5. On the far-right side of the expanded row, locate the toggle switch for that DNS-based detector and click it to turn on the detector.
    6. Click Save.
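The following is an added example, not code from the NSX documentation: a check over an exported list of distributed firewall rules that reports which rules satisfy the DNS-detector prerequisite described above (ANY sources, ANY destinations, and a DNS context profile). It assumes the rules are dicts shaped like NSX Policy API Rule objects (keys "id", "source_groups", "destination_groups", "profiles", "disabled") and that the system-provided DNS context profile path is "/infra/context-profiles/DNS"; both are assumptions, and the sample rules are constructed.

```python
# Assumed path of the system-provided DNS context profile (not taken from the page).
DEFAULT_DNS_PROFILE = "/infra/context-profiles/DNS"


def is_dns_detector_rule(rule, dns_profiles=(DEFAULT_DNS_PROFILE,)):
    """Return True if this rule meets the prerequisite for DNS-based detectors."""
    if rule.get("disabled", False):
        return False  # a disabled rule feeds no DNS traffic to the detectors
    sources = rule.get("source_groups") or []
    destinations = rule.get("destination_groups") or []
    if "ANY" not in sources or "ANY" not in destinations:
        return False  # the rule must use ANY in both Sources and Destinations
    # The rule must carry the default DNS context profile or a custom one.
    return any(p in dns_profiles for p in rule.get("profiles") or [])


def dns_detector_rules(rules, custom_profile=None):
    """Return the ids of rules that meet the prerequisite (empty list = not met).

    custom_profile: path of a user-created DNS context profile, if one was created.
    """
    profiles = (DEFAULT_DNS_PROFILE,)
    if custom_profile:
        profiles = profiles + (custom_profile,)
    return [r["id"] for r in rules if is_dns_detector_rule(r, profiles)]


# Constructed sample rules (not exported from a real NSX Manager).
SAMPLE_RULES = [
    # ANY/ANY is missing: scoped to two groups, so it does not qualify.
    {"id": "web-to-db", "source_groups": ["/infra/domains/default/groups/web"],
     "destination_groups": ["/infra/domains/default/groups/db"],
     "profiles": [DEFAULT_DNS_PROFILE], "disabled": False},
    # Correct shape, but disabled, so it does not qualify.
    {"id": "dns-any", "source_groups": ["ANY"], "destination_groups": ["ANY"],
     "profiles": [DEFAULT_DNS_PROFILE], "disabled": True},
    # Qualifies only when the custom profile path is passed in.
    {"id": "dns-any-custom", "source_groups": ["ANY"], "destination_groups": ["ANY"],
     "profiles": ["/infra/context-profiles/corp-dns"], "disabled": False},
]

if __name__ == "__main__":
    print("default profile only:", dns_detector_rules(SAMPLE_RULES))
    print("with custom profile:",
          dns_detector_rules(SAMPLE_RULES, "/infra/context-profiles/corp-dns"))
```

An empty result means the DNS-based detectors have no qualifying rule and will not produce events, even if their toggle is On.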

Results

The toggle switches for the activated detectors show as On in the Detector Definitions tab.

What to do next

Manage the detected suspicious traffic events. See Analyzing the NSX Suspicious Traffic Detection Events for details.