IDS/IPS rules are used to apply a previously created profile to select applications and traffic.

IDS/IPS rules are created in the same manner as distributed firewall (DFW) rules. First, an IDS policy or section is created, and then rules are created. DFW must be enabled, and traffic must be allowed by DFW to be passed through to IDS rules.

IDS rules must:
  • specify exactly one IDS profile per rule
  • be stateful
  • not use Layer 7 attributes (APP IDs), which are not supported

One or more policy sections with rules must be created, because there are no default rules. Before creating rules, create a group for the objects that need the same rule policy. See Add a Group.

  1. Navigate to Security > Distributed IDS/IPS > Rules.
  2. Click Add Policy to create a policy section, and give the section a name.
  3. (Optional) Click the gear icon to configure the following policy section options:
     Stateful: A stateful firewall monitors the state of active connections and uses this information to determine which packets to allow through the firewall.
     Locked: The policy can be locked to prevent multiple users from editing the same section. When locking a section, you must include a comment.

     Some roles, such as enterprise administrator, have full access credentials and cannot be locked out. See Role-Based Access Control.

  4. Click Add Rule to add a new rule, and give the rule a name.
  5. Configure source/destination/services to determine which traffic needs IDS inspection. IDS supports any type of group for source and destination.
  6. Select the IDS Profile to be used for the matching traffic. For more information, see Distributed IDS/IPS Profiles.
  7. Configure Applied To, to limit the scope of the rules. By default, the Applied To column is set to DFW, and the rule is applied to all workloads. You can also apply the rule or policy to selected groups. Groups consisting of only IP addresses, MAC addresses, or Active Directory groups cannot be used in the Applied To text box.
  8. Select the Mode:
    • Detect Only - detects signatures and takes no action.
    • Detect and Prevent - detects signatures and applies the drop or reject action configured in the profile or globally.
  9. (Optional) Click the gear icon to configure the following rule options:
     Logging: Logging is turned off by default. Logs are stored in the /var/log/dfwpktlogs.log file on ESXi and KVM hosts.
     Direction: The direction of traffic from the point of view of the destination object. IN means that only traffic to the object is checked, OUT means that only traffic from the object is checked, and In-Out means that traffic in both directions is checked.
     IP Protocol: Enforce the rule for IPv4, IPv6, or both (IPv4-IPv6).
     Log Label: The Log Label is carried in the firewall log when logging is enabled.
  10. Click Publish. Multiple rules can be added and then published together at one time. When the rules are successfully pushed to the hosts, the status displays Success.
  11. (Optional) Click the graph icon to view:
    • policy status - whether the rules have been successfully pushed to the hosts
    • transport node status and errors
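
As an added example, not part of the NSX documentation, the following Python check applies the constraints stated in this procedure (exactly one profile, no Layer 7 APP IDs, no IP-only, MAC-only or AD-only Applied To groups, valid mode, direction and IP protocol) to a rule definition before it is published. The field names mirror the Policy API IdsRule object as I recall it and the group paths and inventory are constructed, so treat all of them as assumptions to verify against your own API reference.

```python
from dataclasses import dataclass, field

# UI mode names mapped to the API action values (assumed names).
MODE_TO_ACTION = {"Detect Only": "DETECT", "Detect and Prevent": "DETECT_PREVENT"}
DIRECTIONS = {"IN", "OUT", "IN_OUT"}
IP_PROTOCOLS = {"IPV4", "IPV6", "IPV4_IPV6"}
# Member kinds that may not make up the entire membership of an Applied To group.
APPLIED_TO_EXCLUDED = {"IPAddress", "MACAddress", "ADGroup"}

@dataclass
class Group:
    path: str
    member_types: set  # constructed inventory data, e.g. {"VirtualMachine"}

@dataclass
class IdsRule:
    name: str
    ids_profiles: list  # profile paths; exactly one is required
    mode: str           # "Detect Only" or "Detect and Prevent"
    source_groups: list = field(default_factory=lambda: ["ANY"])
    destination_groups: list = field(default_factory=lambda: ["ANY"])
    services: list = field(default_factory=lambda: ["ANY"])
    scope: list = field(default_factory=lambda: ["ANY"])  # Applied To; ANY means DFW
    direction: str = "IN_OUT"
    ip_protocol: str = "IPV4_IPV6"
    logged: bool = False  # Logging is off by default
    tag: str = ""         # Log Label

def validate(rule: IdsRule, inventory: dict) -> list:
    """Return the violations found; an empty list means the rule can be published."""
    errors = []
    if len(rule.ids_profiles) != 1:
        errors.append("exactly one IDS profile per rule")
    if rule.mode not in MODE_TO_ACTION:
        errors.append(f"unknown mode {rule.mode!r}")
    if rule.direction not in DIRECTIONS or rule.ip_protocol not in IP_PROTOCOLS:
        errors.append("direction must be IN/OUT/IN_OUT and IP protocol IPV4/IPV6/IPV4_IPV6")
    # Layer 7 attributes (APP IDs) are not supported: reject context-profile references.
    errors += [f"Layer 7 attribute not supported: {s}" for s in rule.services if "/context-profiles/" in s]
    # Applied To: groups made up only of IP, MAC or AD members cannot be used.
    for path in rule.scope:
        if path == "ANY":
            continue
        grp = inventory.get(path)
        if grp is None:
            errors.append(f"unknown Applied To group {path}")
        elif grp.member_types <= APPLIED_TO_EXCLUDED:
            errors.append(f"Applied To group {path} has only IP/MAC/AD members")
    return errors
```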

For more information about creating policy sections and rules, see Add a Distributed Firewall.