Before NSX Intelligence can detect threats or suspicious network traffic in your NSX environment, you must manually activate the NSX Suspicious Traffic detectors that you want it to use. Only activated detectors are used to monitor for suspicious network traffic events.

Prerequisites

Procedure

  1. From your browser, log in with the required privileges to an NSX Manager appliance at https://<nsx-manager-ip-address>.
  2. Use the following steps to activate the supported NSX Suspicious Traffic detectors that perform network traffic analysis on the collected traffic data.
    These steps apply to all available detectors except the DNS-based detectors, which must be manually configured before they can be used. See the next step for information about configuring DNS-based detectors.
    1. Navigate to the Security > Suspicious Traffic > Detector Definitions tab.
    2. Locate single or multiple detectors that you want to activate.
    3. Click the check box next to each detector and click Activate.
      The activated detectors show as Activated in the Detector Definitions tab.
  3. To turn on DNS-based detectors, such as Domain Generation Algorithm (DGA) and DNS Tunneling, perform the following steps only once.
    1. Create a custom DNS context profile or use a default system-provided context profile.

      See details about adding a context profile in the NSX Administration Guide delivered with the VMware NSX Documentation set for NSX version 3.2 or later.

    2. Create a distributed firewall rule that uses ANY in both the Sources and Destinations columns and applies the DNS context profile from the previous step (your custom profile, if you created one, or the default system-provided one).

      See details about adding a distributed firewall rule in the NSX Administration Guide delivered with the VMware NSX Documentation set for NSX version 3.2 or later.

    3. Navigate to the Security > Suspicious Traffic > Detector Definitions tab.
    4. Locate the detector that you want to activate.
    5. Click the check box next to the detector and click Activate.
    The activated detectors show as Activated in the Detector Definitions tab.
  4. (Optional) Use the following steps to deactivate supported NSX Suspicious Traffic detectors and stop their network traffic analysis.
    1. Navigate to the Security > Suspicious Traffic > Detector Definitions tab.
    2. Locate single or multiple detectors to deactivate.
    3. Click the check box next to each detector and click Deactivate.
    The deactivated detectors show as Deactivated in the Detector Definitions tab.
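The distributed firewall rule that step 3 requires for the DNS-based detectors (ANY sources, ANY destinations, DNS context profile attached) is easy to get wrong when someone later narrows it. The following is an added example, not part of the NSX documentation or product: it builds that rule body for the NSX Policy API and prechecks an existing rule body before you activate the DGA and DNS Tunneling detectors. The API path, the field names, the default `/infra/context-profiles/DNS` and `/infra/services/DNS` paths, and the ALLOW action are assumptions to verify against your NSX version's API guide.

```python
"""Added example (not NSX's own code): build and precheck the DNS-visibility
distributed firewall rule that DNS-based Suspicious Traffic detectors need."""
import base64
import json
import urllib.request
from typing import Any, Dict, Iterable

# Assumed default NSX Policy paths; a custom DNS context profile has its own path.
DNS_PROFILE = "/infra/context-profiles/DNS"
DNS_SERVICE = "/infra/services/DNS"


def build_dns_rule(rule_id: str, profile_path: str = DNS_PROFILE) -> Dict[str, Any]:
    """Rule body with ANY/ANY and the DNS context profile, as the procedure
    requires. Action ALLOW is assumed: a DROP rule would stop the traffic
    before the detectors could analyze it."""
    return {
        "id": rule_id,
        "display_name": rule_id,
        "resource_type": "Rule",
        "source_groups": ["ANY"],
        "destination_groups": ["ANY"],
        "services": [DNS_SERVICE],
        "profiles": [profile_path],
        "scope": ["ANY"],
        "action": "ALLOW",
        "logged": True,
    }


def rule_supports_dns_detectors(rule: Dict[str, Any],
                                dns_profiles: Iterable[str] = (DNS_PROFILE,)) -> bool:
    """Precheck for an existing rule body: still ANY/ANY, still carries one of
    the accepted DNS context profiles, and does not drop the traffic."""
    any_any = (rule.get("source_groups") == ["ANY"]
               and rule.get("destination_groups") == ["ANY"])
    has_profile = any(p in set(dns_profiles) for p in rule.get("profiles", []))
    return any_any and has_profile and rule.get("action") not in ("DROP", "REJECT")


def patch_rule(manager: str, user: str, password: str, policy_id: str,
               rule: Dict[str, Any]) -> int:
    """PATCH the rule into a security policy (assumed Policy API path). TLS
    verification is left on; returns the HTTP status code."""
    url = f"https://{manager}/policy/api/v1/infra/domains/default/security-policies/{policy_id}/rules/{rule['id']}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=json.dumps(rule).encode(), method="PATCH",
                                 headers={"Content-Type": "application/json",
                                          "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:  # raises on 4xx/5xx
        return resp.status
```

Run the precheck against the rule body returned by a GET on the same path before activating the detectors; if it returns False, the DNS traffic the detectors depend on is no longer being matched.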

What to do next

Manage the detected suspicious traffic events. See Analyzing Suspicious Traffic Events for details.