Before NSX Intelligence can detect any threats or suspicious network traffic in your NSX environment, you must manually turn on the NSX Suspicious Traffic detectors that you want it to use. Only the activated detectors are used to monitor for suspicious network traffic events.
Procedure
- From your browser, log in with the required privileges to an NSX Manager appliance at https://<nsx-manager-ip-address>.
- Use the following steps to turn on a supported NSX Suspicious Traffic detector to perform network traffic analysis on the collected traffic data.
  Note that these steps apply to all available detectors except the DNS-based detectors, which must be manually configured before they can be used. See the next step for information about configuring DNS-based detectors.
  - Navigate to the tab.
  - Locate the detector that you want to activate and click Edit (pencil icon).
  - Locate the toggle switch on the far-right side of the expanded row and click it to turn on the detector, as shown in the following image.
  - Click Save.
- To turn on DNS-based detectors, such as Domain Generation Algorithm (DGA) and DNS Tunneling, perform the following steps only once.
  - Create a custom DNS context profile or use a default system-provided context profile.
    See details about adding a context profile in the NSX Administration Guide delivered with the VMware NSX Documentation set for NSX version 3.2 or later.
  - Create a distributed firewall rule that uses ANY in both the Sources and Destinations columns and that applies the DNS context profile (the custom one, if you created it).
    See details about adding a distributed firewall rule in the NSX Administration Guide delivered with the VMware NSX Documentation set for NSX version 3.2 or later.
  - Navigate to the tab.
  - Locate the DNS-based detector that you want to activate and click Edit (pencil icon).
  - On the far-right side of the expanded row, locate the toggle switch for that DNS-based detector and click it to turn on the detector.
  - Click Save.
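The DNS context profile and the ANY/ANY distributed firewall rule are the two prerequisites that the DNS-based detectors depend on. The following added example (not VMware's code and not part of this guide) shows what those two objects look like as NSX Policy API request bodies and includes a check that scans an exported list of firewall rules for one that meets the prerequisite, which is useful when a DGA or DNS Tunneling detector is switched on but produces no events. The API paths, the body field names, the `/infra/context-profiles/DNS` profile path, the `ALLOW` action, and the sample rules are assumptions; verify them against the API reference for your NSX version.

```python
"""Build the Policy API payloads for the DNS-detector prerequisites and
check an existing rule set for a qualifying rule.

Added example, not VMware's code. Paths and field names are assumptions
based on the NSX-T Policy API; confirm them for your NSX version.
"""
import json

# Assumed policy path of the system-provided DNS context profile; a custom
# profile would have its own path under /infra/context-profiles/.
DNS_PROFILE_PATH = "/infra/context-profiles/DNS"


def dns_context_profile_payload(profile_id: str = "DNS") -> dict:
    """Body for PATCH /policy/api/v1/infra/context-profiles/{profile_id}.

    Assumed shape: a single APP_ID attribute selecting the DNS application.
    """
    return {
        "resource_type": "PolicyContextProfile",
        "display_name": profile_id,
        "attributes": [
            {"key": "APP_ID", "value": ["DNS"], "datatype": "STRING"}
        ],
    }


def dns_dfw_rule_payload(rule_id: str, profile_path: str = DNS_PROFILE_PATH) -> dict:
    """Body for PATCH /policy/api/v1/infra/domains/default/security-policies/
    {policy_id}/rules/{rule_id}.

    Sources and Destinations are ANY and the DNS context profile is attached,
    as the procedure requires. The ALLOW action is an assumption: the guide
    does not state the action, but a rule that drops DNS would leave the
    detectors nothing to analyse.
    """
    return {
        "resource_type": "Rule",
        "display_name": rule_id,
        "source_groups": ["ANY"],
        "destination_groups": ["ANY"],
        "services": ["ANY"],
        "profiles": [profile_path],
        "action": "ALLOW",
        "scope": ["ANY"],
    }


def is_any(values) -> bool:
    """A Sources/Destinations column is ANY when it holds the literal "ANY".
    Treating an absent field as ANY is an assumption about the API default."""
    return not values or values == ["ANY"]


def rule_satisfies_dns_prerequisite(rule: dict, profile_path: str = DNS_PROFILE_PATH) -> bool:
    """True when one rule has ANY sources, ANY destinations and the DNS profile."""
    return (
        is_any(rule.get("source_groups"))
        and is_any(rule.get("destination_groups"))
        and profile_path in rule.get("profiles", [])
    )


def find_dns_prerequisite_rules(rules: list, profile_path: str = DNS_PROFILE_PATH) -> list:
    """Return the ids of all rules in an exported rule list that satisfy the
    DNS-detector prerequisite; an empty list means the detectors cannot work."""
    return [
        rule.get("id", rule.get("display_name", "?"))
        for rule in rules
        if rule_satisfies_dns_prerequisite(rule, profile_path)
    ]


# Constructed sample resembling the "results" of a GET on a security policy's
# rules. Not real data: the first rule is scoped to a group, so it does not
# count; the second is the ANY/ANY rule with the DNS profile.
SAMPLE_RULES = [
    {
        "id": "allow-web",
        "source_groups": ["/infra/domains/default/groups/web-servers"],
        "destination_groups": ["ANY"],
        "profiles": [],
    },
    {
        "id": "dns-visibility",
        "source_groups": ["ANY"],
        "destination_groups": ["ANY"],
        "profiles": [DNS_PROFILE_PATH],
    },
]

if __name__ == "__main__":
    print(json.dumps(dns_context_profile_payload(), indent=2))
    print(json.dumps(dns_dfw_rule_payload("dns-visibility"), indent=2))
    print("Rules meeting the DNS-detector prerequisite:",
          find_dns_prerequisite_rules(SAMPLE_RULES))
```

To run the check against a live environment, replace `SAMPLE_RULES` with the `results` array returned by listing the rules of each security policy and pass the path of your custom profile if you did not use the system-provided one; if the list comes back empty, the DGA and DNS Tunneling detectors have no DNS traffic to analyse even though their toggles show On.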
Results
The toggle switches for the activated detectors show as On in the Detector Definitions tab.
What to do next
Manage the detected suspicious traffic events. See Analyzing Suspicious Traffic Events for details.