Distributed Intrusion Detection and Prevention Service (IDS/IPS) monitors network traffic on the host for suspicious activity.

Signatures can be enabled based on severity. A higher severity score indicates an increased risk associated with the intrusion event. Severity is determined based on the following:
  • Severity specified in the signature itself
  • CVSS (Common Vulnerability Scoring System) score specified in the signature
  • Type-rating associated with the classification type
IDS detects intrusion attempts by matching traffic against known malicious instruction sequences. The patterns that IDS matches are known as signatures. You can set the alert, drop, or reject action for a specific signature globally or per profile.
Signature actions:
  • Alert: An alert is generated and no automatic preventive action is taken.
  • Drop: An alert is generated and the offending packets are dropped.
  • Reject: An alert is generated and the offending packets are dropped. For TCP flows, a TCP reset packet is generated by IDS and sent to the source and destination of the connection. For other protocols, an ICMP-error packet is sent to the source and destination of the connection.
Note: Do not enable Distributed Intrusion Detection and Prevention Service (IDS/IPS) in an environment that is using Distributed Load Balancer. NSX-T Data Center does not support using IDS/IPS with a Distributed Load Balancer.
Distributed IDS/IPS Configuration:
  1. Enable IDS/IPS on hosts, download the latest signature set, and configure signature settings (see Distributed IDS/IPS Settings and Signatures).
  2. Create IDS/IPS profiles (see Distributed IDS/IPS Profiles).
  3. Create IDS/IPS rules (see Distributed IDS/IPS Rules).
  4. Verify IDS/IPS status on hosts.