IDS rules apply a previously created IDS profile to selected applications and traffic.

IDS rules are created in the same way as distributed firewall (DFW) rules: first an IDS policy (section) is created, then rules are added to it. DFW must be enabled, and only traffic that DFW allows is passed on to the IDS rules; traffic that DFW drops or rejects is never inspected by IDS.

IDS rules have the following constraints:
  • each rule specifies exactly one IDS profile
  • rules are stateful
  • Layer 7 attributes (APP IDs) are not supported

There are no default IDS rules, so at least one policy section with rules must be created. Before creating rules, create a group for each set of workloads that needs the same rule policy. See Add a Group.

  1. Navigate to Security > IDS > Rules.
  2. Click Add Policy to create a policy section, and give the section a name.
  3. Click the gear icon to configure the following policy section options:
    Stateful: A stateful firewall monitors the state of active connections and uses this information to determine which packets to allow through the firewall.
    Locked: The policy can be locked to prevent multiple users from editing the same section. When locking a section, you must include a comment.

    Some roles such as enterprise administrator have full access credentials, and cannot be locked out. See Role-Based Access Control.

  4. Click Add Rule to add a new rule, and give the rule a name.
  5. Configure source/destination/services to determine which traffic needs IDS inspection. IDS supports any type of group for source and destination.
  6. Select the IDS Profile to be used for the matching traffic. For more information, see Distributed IDS Profiles.
  7. Configure Applied To, to limit the scope of the rules. Groups consisting of only IP addresses, MAC addresses, or Active Directory groups cannot be used in the Applied To text box.
  8. Click the gear icon to configure the following rule options:
    Logging: Logging is turned off by default. Logs are stored in the /var/log/dfwpktlogs.log file on ESXi and KVM hosts.
    Direction: The direction of traffic from the point of view of the destination object. IN means that only traffic to the object is checked. OUT means that only traffic from the object is checked. IN-OUT means that traffic in both directions is checked.
    IP Protocol: Enforce the rule for IPv4, IPv6, or both (IPv4-IPv6).
    Log Label: The log label is carried in the firewall log entry when logging is enabled.
  9. Click Publish. Multiple rules can be added and then published together at one time.
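
The same policy section and rule can be assembled outside the UI. The following Python is an added example, not VMware's or NSX's own code and not part of this page: it builds an IDS policy section and one rule in the shape of the NSX Policy API IdsSecurityPolicy/IdsRule objects and refuses to produce a payload that breaks the constraints listed above (exactly one profile per rule, stateful section, no Layer 7 attributes, no IP-only/MAC-only/AD-only groups in Applied To, a comment when locking). The URL path, field names, enum values and the group and profile paths used are assumptions; check them against the API guide for your NSX version before using this against a real manager.

```python
"""Build and validate a Distributed IDS policy section and rule payload.

Added example (not VMware/NSX code). API path, field names and enum
values are assumptions; verify against your NSX version's API guide.
"""
import json
import urllib.request
from dataclasses import dataclass
from typing import Dict, List, Optional

VALID_DIRECTIONS = {"IN", "OUT", "IN_OUT"}
VALID_IP_PROTOCOLS = {"IPV4", "IPV6", "IPV4_IPV6"}
# Member kinds that make a group unusable in Applied To when the group
# holds nothing else (IP addresses, MAC addresses, Active Directory groups).
NOT_ENFORCEABLE_ALONE = {"ip", "mac", "ad"}
# Layer 7 attributes (APP IDs) ride on context profiles in DFW rules;
# IDS rules do not support them, so such paths are rejected (assumed prefix).
CONTEXT_PROFILE_PREFIX = "/infra/context-profiles/"


class IdsRuleError(ValueError):
    """Raised when a rule or section violates an IDS rule constraint."""


@dataclass(frozen=True)
class Group:
    """An NSX group: its policy path and the kinds of members it contains."""
    path: str
    member_kinds: frozenset  # e.g. frozenset({"vm"}) or frozenset({"ip"})


def check_applied_to(groups: List[Group]) -> None:
    """Reject Applied To groups consisting only of IP, MAC or AD members."""
    for g in groups:
        if g.member_kinds and g.member_kinds <= NOT_ENFORCEABLE_ALONE:
            raise IdsRuleError(f"{g.path}: IP/MAC/AD-only groups cannot be used in Applied To")


def build_rule(name: str, ids_profiles: List[str], source_groups: List[Group],
               destination_groups: List[Group], services: List[str],
               applied_to: List[Group], direction: str = "IN_OUT",
               ip_protocol: str = "IPV4_IPV6", logged: bool = False,
               log_label: Optional[str] = None) -> Dict:
    """Return an IdsRule-shaped dict after enforcing the rule constraints."""
    if len(ids_profiles) != 1:
        raise IdsRuleError("an IDS rule must reference exactly one IDS profile")
    if direction not in VALID_DIRECTIONS:
        raise IdsRuleError(f"direction must be one of {sorted(VALID_DIRECTIONS)}")
    if ip_protocol not in VALID_IP_PROTOCOLS:
        raise IdsRuleError(f"ip_protocol must be one of {sorted(VALID_IP_PROTOCOLS)}")
    for s in services:
        if s.startswith(CONTEXT_PROFILE_PREFIX):
            raise IdsRuleError(f"{s}: Layer 7 attributes are not supported in IDS rules")
    check_applied_to(applied_to)  # source/destination accept any group type
    rule = {
        "resource_type": "IdsRule",  # assumed type name
        "display_name": name,
        "ids_profiles": ids_profiles,
        "source_groups": [g.path for g in source_groups] or ["ANY"],
        "destination_groups": [g.path for g in destination_groups] or ["ANY"],
        "services": services or ["ANY"],
        "scope": [g.path for g in applied_to] or ["ANY"],  # Applied To
        "direction": direction,
        "ip_protocol": ip_protocol,
        "logged": logged,
    }
    if log_label:
        rule["tag"] = log_label  # carried into the firewall log entry
    return rule


def build_policy(name: str, rules: List[Dict], stateful: bool = True,
                 locked: bool = False, lock_comment: Optional[str] = None) -> Dict:
    """Return an IdsSecurityPolicy-shaped dict; the section must be stateful."""
    if not stateful:
        raise IdsRuleError("IDS rules are stateful; the section cannot be stateless")
    if locked and not lock_comment:
        raise IdsRuleError("locking a policy section requires a comment")
    policy = {"resource_type": "IdsSecurityPolicy",  # assumed type name
              "display_name": name, "stateful": True, "locked": locked, "rules": rules}
    if locked:
        policy["comments"] = lock_comment
    return policy


def policy_url(manager: str, policy_id: str, domain: str = "default") -> str:
    """Assumed Policy API path for an IDS policy section."""
    return (f"https://{manager}/policy/api/v1/infra/domains/{domain}"
            f"/intrusion-service-policies/{policy_id}")


def publish(manager: str, policy_id: str, policy: Dict, auth_header: str) -> int:
    """PATCH the section and its rules in one publish; returns the HTTP status."""
    req = urllib.request.Request(policy_url(manager, policy_id), method="PATCH",
                                 data=json.dumps(policy).encode(),
                                 headers={"Content-Type": "application/json",
                                          "Authorization": auth_header})
    with urllib.request.urlopen(req) as resp:  # network call; not exercised here
        return resp.status


if __name__ == "__main__":
    # Constructed group and profile paths for illustration.
    web = Group("/infra/domains/default/groups/web-tier", frozenset({"vm"}))
    profile = "/infra/settings/firewall/security/intrusion-services/profiles/web-profile"
    rule = build_rule("web-ids", [profile], [web], [web], [], [web],
                      direction="IN", logged=True, log_label="web-ids")
    print(json.dumps(build_policy("web-ids-policy", [rule]), indent=2))
```

Validation happens before any request is sent, so a bad section never reaches the manager and fails only at publish time; `publish` is the single write, matching the UI's behaviour of publishing several rules together.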

For more information about creating policy sections and rules, see Add a Distributed Firewall.