NSX-T IDS/IPS can automatically apply signatures to your hosts, and update intrusion detection signatures by checking our cloud-based service.

For IDS/IPS to work, the Distributed Firewall (DFW) must be enabled. If traffic is blocked by a DFW rule, IDS/IPS cannot see that traffic.

Intrusion detection and prevention is enabled on standalone hosts by toggling the enabled bar. If VC clusters are detected, IDS/IPS can also be enabled on a cluster basis by selecting the cluster and clicking enable.

Signatures

Signatures are applied to IDS rules through profiles. A single profile is applied to matching traffic. By default, NSX Manager checks for new signatures once per day. New signature update versions are published every two weeks (with additional non-scheduled 0-day updates). When a new update is available, there is a banner across the page with an Update Now link.

If Auto update new versions is selected, signatures are automatically applied to your hosts after they are downloaded from the cloud. If auto update is disabled, the signatures stay at the listed version. Click View and change versions to add another version in addition to the default. Currently, two versions of signatures are maintained. Whenever the version commit identification number changes, a new version is downloaded.

If a proxy server is configured for NSX Manager to access the Internet, click Proxy Settings and complete the configuration.

Global Signature Management

Signatures can be changed per profile and globally. Signature changes made in profiles override global changes. To globally change the action of a specific signature to alert, drop, or reject, click View and manage global signature set. Select an Action for the signature, and click Save.
Action   Description
Alert    An alert is generated and no automatic preventative action is taken.
Drop     An alert is generated and the offending packets are dropped.
Reject   An alert is generated and the offending packets are dropped. For TCP flows, a TCP reset packet is generated by IDS and sent to the source and destination of the connection. For other protocols, an ICMP error packet is sent to the source and destination of the connection.

Offline Downloading and Uploading Signatures

Starting with NSX-T Data Center 3.1.2, IDS/IPS signatures are downloaded from https://api.prod.nsxti.vmware.com/. To receive new signature updates after an upgrade, make sure the NSX deployment has access to https://api.prod.nsxti.vmware.com/.

Note: Bundles that do not contain the classification.config and changelog.jsn files in the tar.gz file are not supported.
To download and upload a signature bundle, when NSX Manager does not have Internet access:
  1. Register the client. This API must be called before any other communication with the cloud service is started. The license keys come from the NSX Distributed Threat license. The client_id is a name chosen by the user. The client_secret is generated by the service and is used in the request to the Authentication API. If the client has registered previously but no longer has access to its client_id and client_secret, it has to re-register using the same API.
    POST https://api.nsx-sec-prod.com/1.0/auth/register

    Body:
    {
      "license_keys": ["XXXXX-XXXXX-XXXXX-XXXXX"],
      "device_type": "NSX-Policy-Manager",
      "client_id": "client_username"
    }
    Response:
    {
      "client_id": "client_username",
      "client_secret": "Y54+V/rCpEm50x5HAUIzH6aXtTq7s97wCA2QqZ8VyrtFQjrJih7h0alItdQn02T46EJVnSMZWTseragTFScrtIwsiPSX7APQIC7MxAYZ0BoAWvW2akMxyZKyzbYZjeROb/C2QchehC8GFiFNpwqiAcQjrQHwHGdttX4zTQ="
    }
  2. Authenticate the client. This API call authenticates the client using the client_id and client_secret, and returns an authorization token to use in the headers of requests to the IDS Signatures APIs. The token is valid for 60 minutes. Once the token has expired, the client has to re-authenticate using the client_id and client_secret.
    POST https://api.nsx-sec-prod.com/1.0/auth/authenticate

    Body:
    {
      "client_id": "client_username",
      "client_secret": "Y54+V/rCpEm50x5HAUIzH6aXtTq7s97wCA2QqZ8VyrtFQjrJih7h0alItdQn02T46EJVnSMZWTseragTFScrtIwsiPSX7APQIC7MxAYZ0BoAWvW2akMxyZKyzbYZjeROb/C2QchehC8GFiFNpwqiAcQjrQHwHGdttX4zTQ="
    }
    Response:
    {
      "access_token": "eyJhbGciOiJIUzUxMiJ9.eyJqdGkiOiI3ZjMwN2VhMmQwN2IyZjJjYzM5ZmU5NjJjNmZhNDFhMGZlMTk4YjMyMzU4OGU5NGU5NzE3NmNmNzk0YWU1YjdjLTJkYWY2MmE3LTYxMzctNGJiNS05NzJlLTE0NjZhMGNkYmU3MCIsInN1YiI6IjdmMzA3ZWEyZDA3YjJmMmNjMzlmZTk2MmM2ZmE0MWEwZmUxOThiMzIzNTg4ZTk0ZTk3MTc2Y2Y3OTRhZTViN2MtMmRhZjYyYTctNjEzNy00YmI1LTk3MmUtMTQ2NmEwY2RiZTcwIiwiZXhwIjoxNTU1NTUyMjk0LCJpYXQiOjE1NTU1NDg2OTR9.x4U75GShDLMhyiyUO2B9HIi1Adonzx3Smo01qRhvXuErQSpE_Kxq3rzg1_IIyvoy3SJwwDhSh8KECtGW50eCPg",
      "token_type": "bearer",
      "expires_in": 3600,
      "scope": "[distributed_threat_features]"
    }
  3. Request the signatures URL. The response to this call contains the link to the ZIP file. NSX Cloud downloads the signatures from the GitHub repository every 24 hours and saves them in a ZIP file. Copy and paste the signatures_url value into your browser to download the ZIP file.
    GET https://api.nsx-sec-prod.com/1.0/intrusion-services/signatures

    In the Headers tab, set the Authorization key to the access_token value from the authenticate API response:

    Authorization eyJhbGciOiJIUzUxMiJ9.eyJqdGkiOiI3ZjMwN2VhMmQwN2IyZjJjYzM5ZmU5NjJjNmZhNDFhMGZlMTk4YjMyMzU4OGU5NGU5NzE3NmNmNzk0YWU1YjdjLTJkYWY2MmE3LTYxMzctNGJiNS05NzJlLTE0NjZhMGNkYmU3MCIsInN1YiI6IjdmMzA3ZWEyZDA3YjJmMmNjMzlmZTk2MmM2ZmE0MWEwZmUxOThiMzIzNTg4ZTk0ZTk3MTc2Y2Y3OTRhZTViN2MtMmRhZjYyYTctNjEzNy00YmI1LTk3MmUtMTQ2NmEwY2RiZTcwIiwiZXhwIjoxNTU1NTUyMjk0LCJpYXQiOjE1NTU1NDg2OTR9.x4U75GShDLMhyiyUO2B9HIi1Adonzx3Smo01qRhvXuErQSpE_Kxq3rzg1_IIyvoy3SJwwDhSh8KECtGW50eCPg
    Response:
    {
    "signatures_url": "https://ncs-idps-us-west-2-prod-signatures.s3.us-west-2.amazonaws.com/a07fe284ff70dc67194f2e7cf1a8178d69570528.zip?X-Amz-Security-Token=IQoJb3JpZ2luX2VjENf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLXdlc3QtMSJHMEUCIG1UYbzfBxOsm1lvdj1k36LPyoPota0L4CSOBMXgKGhmAiEA%2BQC1K4Gr7VCRiBM4ZTH2WbP2rvIp0qfHfGlOx0ChGc4q6wEIHxABGgw1MTAwMTM3MTE1NTMiDA4H4ir7eJl779wWWirIAdLIx1uAukLwnhmlgLmydZhW7ZExe%2BamDkRU7KT46ZS93mC1CQeL00D2rjBYbCBiG1mzNILPuQ2EyxmqxhEOzFYimXDDBER4pmv8%2BbKnDWPg08RNTqpD%2BAMicYNP7WlpxeZwYxeoBFruCDA2l3eXS6XNv3Ot6T2a%2Bk4rMKHtZyFkzZREIIcQlPg7Ej5q62EvvMFQdo8TyZxFpMJBc4IeG0h1k6QZU1Jlkrq2RYKit5WwLD%2BQKJrEdf4A0YctLbMCDbNbprrUcCADMKyclu8FOuABuK90a%2BvnA%2FJFYiJ32eJl%2Bdt0YRbTnRyvlMuSUHxjNAdyrFxnkPyF80%2FQLYLVDRWUDatyAo10s3C0pzYN%2FvMKsumExy6FIcv%2FOLoO8Y9RaMOTnUfeugpr6YsqMCH0pUR4dIVDYOi1hldNCf1XD74xMJSdnviaxY4vXD4bBDKPnRFFhOxLTRFAWVlMNDYggLh3pV3rXdPnIwgFTrF7CmZGJAQBBKqaxzPMVZ2TQBABmjxoRqCBip8Y662Tbjth7iM2V522LMVonM6Tysf16ls6QU9IC6WqjdOdei5yazK%2Fr9g%3D&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20191202T222034Z&X-Amz-SignedHeaders=host&X-Amz-Expires=3599&X-Amz-Credential=ASIAXNPZPUTA6A7V7P4X%2F20191202%2Fus-west-1%2Fs3%2Faws4_request&X-Amz-Signature=d85ca4aef6abe22062e2693acacf823f0a4fc51d1dc07cda8dec93d619050f5e"
    }
  4. Navigate to Security > Distributed IDS > Settings. Click Upload IDS Signatures in the right corner. Navigate to the saved signature ZIP file and upload it. You can also upload the signature ZIP using the API call:
    POST https://<mgr-ip>/policy/api/v1/infra/settings/firewall/security/intrusion-services/signatures?action=upload_signatures
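Steps 1 to 3 above as one client, added here as an example; it is not code from VMware or from the NSX product. It assumes the endpoints and JSON fields shown in the steps, takes the HTTP transport as a caller-supplied function (so it can be exercised without network access), and, for the check from the Note above, assumes classification.config and changelog.jsn sit directly in the downloaded ZIP rather than inside a nested tar.gz.

```python
import io
import time
import zipfile

BASE = "https://api.nsx-sec-prod.com/1.0"  # endpoints from steps 1-3 above
REQUIRED_FILES = ("classification.config", "changelog.jsn")  # from the Note above

def register(http, license_keys, client_id):
    # Step 1: one-time registration. Store the returned client_secret; if it is
    # lost, re-registering with this same API is the only way to get a new one.
    body = {"license_keys": license_keys, "device_type": "NSX-Policy-Manager",
            "client_id": client_id}
    return http("POST", f"{BASE}/auth/register", {}, body)["client_secret"]

class SignatureClient:
    """Steps 2 and 3, re-authenticating transparently when the 60-minute token expires."""

    def __init__(self, http, client_id, client_secret, now=time.time):
        self.http, self.now = http, now  # `now` is injectable so expiry can be tested
        self.client_id, self.client_secret = client_id, client_secret
        self.token, self.token_expires_at = None, 0.0

    def authenticate(self):
        # Step 2: exchange client_id/client_secret for an access token.
        resp = self.http("POST", f"{BASE}/auth/authenticate", {},
                         {"client_id": self.client_id, "client_secret": self.client_secret})
        self.token = resp["access_token"]
        # Refresh 60 s early so no request leaves with a token about to expire.
        self.token_expires_at = self.now() + int(resp["expires_in"]) - 60
        return self.token

    def auth_headers(self):
        if self.token is None or self.now() >= self.token_expires_at:
            self.authenticate()
        # Step 3 above shows the raw access_token (no "Bearer " prefix) as the value.
        return {"Authorization": self.token}

    def signatures_url(self):
        # Step 3: returns a time-limited URL from which the signature ZIP is downloaded.
        return self.http("GET", f"{BASE}/intrusion-services/signatures",
                         self.auth_headers(), None)["signatures_url"]

def bundle_is_supported(zip_bytes):
    # Check the downloaded bundle before uploading it in step 4: per the Note above,
    # both required files must be present (assumed here to be ZIP members, in any folder).
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = {name.rsplit("/", 1)[-1] for name in zf.namelist()}
    return all(f in names for f in REQUIRED_FILES)
```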