In this example, your objective is to create security policies with Gateway Firewall rules that detect malicious files in the north-south traffic that passes through the NSX Edges in your NSX-T Data Center.

For this example, consider that your network topology is as shown in the following figure. You will add Gateway Malware Prevention rules to detect malware on two tier-1 gateways, T1-GW1 and T1-GW2. Each tier-1 gateway has an overlay segment attached to it (Segment1 on T1-GW1 and Segment2 on T1-GW2), and workload VMs are attached to these overlay segments. Both tier-1 gateways are connected to a single tier-0 gateway, which in turn is connected to the physical top-of-rack switch to provide connectivity to the outside public network.

Figure: Network topology with two tier-1 gateways connected to a single tier-0 gateway.

Assumptions:

  • The following groups are added in the NSX-T inventory.

    | Group Name | Group Type        | Notes                                                                                     |
    |------------|-------------------|-------------------------------------------------------------------------------------------|
    | North      | IP Addresses Only | Contains a public IP range, for example 12.1.1.10-12.1.1.100.                             |
    | South      | Generic           | Contains the overlay segment Segment1, which is attached to T1-GW1, as its static member. |

  • A Malware Prevention profile named Profile_T1-GW is added with the following configuration:
    • All file category options are selected.
    • Cloud File Analysis option is selected.

    You will use this Malware Prevention profile in the Gateway Firewall rules of both tier-1 gateways.

Prerequisites

  • NSX Edges of the Extra Large form factor are deployed in your data center and configured as Edge Transport Nodes.
  • The NSX Malware Prevention feature is activated on both tier-1 gateways, T1-GW1 and T1-GW2.

Procedure

  1. From your browser, log in to an NSX Manager at https://nsx-manager-ip-address.
  2. Navigate to Security > IDS/IPS & Malware Prevention > Gateway Rules.
  3. On the Gateway Specific Rules page, in the Gateway drop-down menu, select T1-GW1.
  4. Click Add Policy to create a section, and enter a name for the policy.
    For example, enter Policy_T1-GW1.
  5. Click Add Rule and configure two rules with the following configurations.
    | Name   | ID   | Sources | Destinations | Services | Security Profiles | Applied To | Mode        |
    |--------|------|---------|--------------|----------|-------------------|------------|-------------|
    | N_to_S | 1011 | North   | South        | HTTP     | Profile_T1-GW     | T1-GW1     | Detect Only |
    | S_to_N | 1010 | South   | North        | HTTP     | Profile_T1-GW     | T1-GW1     | Detect Only |

    The rule IDs in this table are only for reference. They might vary in your NSX-T environment.

    These rules mean the following:
    • Rule 1011: This rule is enforced on T1-GW1 when HTTP connections are initiated by machines in the public IP range (12.1.1.10-12.1.1.100) and accepted by the workload VMs attached to Segment1. If a file is detected in the HTTP connection, a file event is generated and the file is analyzed for malicious behavior.
    • Rule 1010: This rule is enforced on T1-GW1 when HTTP connections are initiated by the workload VMs on Segment1 and accepted by machines in the public IP range (12.1.1.10-12.1.1.100). If a file is detected in the HTTP traffic, a file event is generated and the file is analyzed for malicious behavior.

    Because both rules match only the HTTP service, files carried by other protocols between North and South are not inspected on T1-GW1. In Detect Only mode, a detected file is analyzed and reported, but the traffic is not blocked.
  6. Publish the rules.
  7. On the Gateway Specific Rules page, in the Gateway drop-down menu, select T1-GW2.
  8. Click Add Policy to create a section, and enter a name for the policy.
    For example, enter Policy_T1-GW2.
  9. Click Add Rule and configure an Any-Any rule as follows.
    | Name        | ID   | Sources | Destinations | Services | Security Profiles | Applied To | Mode        |
    |-------------|------|---------|--------------|----------|-------------------|------------|-------------|
    | Any_Traffic | 1006 | Any     | Any          | Any      | Profile_T1-GW     | T1-GW2     | Detect Only |

    This rule is enforced on T1-GW2 when any type of traffic is initiated from any source and accepted by any destination. If a file is detected in the traffic, a file event is generated, and the file is analyzed for malicious behavior.

  10. Publish the rules.

Example

Scenario: In the topology shown earlier, assume that a VM on Segment1 transmits a file to a VM on Segment2. The file then traverses both tier-1 gateways, T1-GW1 and T1-GW2. Because the Malware Prevention profile is configured on both tier-1 gateways, the file is inspected on each of them and two file events are generated. This behavior is expected.
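The following script models the rule evaluation of the procedure above (steps 5 and 9) and the double-inspection scenario of this Example. It is an added illustration, not NSX code: it does not call the NSX API and only mimics how the rule tables match a flow on each gateway. The North range is the one given on the page; the overlay subnets 10.1.1.0/24 (Segment1) and 10.2.2.0/24 (Segment2), the traversal path derived from the topology figure, top-down first-match evaluation, and the extra rule 1012 used in the last scenario are assumptions made for this example.

```python
"""
Model of the Gateway Malware Prevention rule evaluation described above.
Added illustration, not NSX code: it does not call the NSX API and only
mimics the matching logic of the rules in steps 5 and 9. The North range
is the one on the page; the overlay subnets and the extra rule used in
the last scenario are assumptions for this example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address
from typing import List, Optional, Tuple

# Constructed inventory (assumed subnets; the page gives only the North range).
NORTH_RANGE = (ip_address("12.1.1.10"), ip_address("12.1.1.100"))
SEGMENT1 = IPv4Network("10.1.1.0/24")  # assumed overlay subnet, attached to T1-GW1
SEGMENT2 = IPv4Network("10.2.2.0/24")  # assumed overlay subnet, attached to T1-GW2


def in_group(group: str, ip: IPv4Address) -> bool:
    """Membership test for the groups referenced by the rules."""
    if group == "Any":
        return True
    if group == "North":  # IP Addresses Only group
        return NORTH_RANGE[0] <= ip <= NORTH_RANGE[1]
    if group == "South":  # Generic group with Segment1 as static member
        return ip in SEGMENT1
    raise ValueError(f"unknown group: {group}")


@dataclass(frozen=True)
class Rule:
    gateway: str       # Applied To
    name: str
    rule_id: int
    source: str
    destination: str
    service: str       # "HTTP" or "Any"
    profile: str       # Malware Prevention profile
    mode: str          # "Detect Only": flag the file, never block the flow


# The rules of steps 5 and 9, in the order they appear in each policy.
RULES = [
    Rule("T1-GW1", "N_to_S", 1011, "North", "South", "HTTP", "Profile_T1-GW", "Detect Only"),
    Rule("T1-GW1", "S_to_N", 1010, "South", "North", "HTTP", "Profile_T1-GW", "Detect Only"),
    Rule("T1-GW2", "Any_Traffic", 1006, "Any", "Any", "Any", "Profile_T1-GW", "Detect Only"),
]


@dataclass(frozen=True)
class Flow:
    src: IPv4Address   # side that initiates the connection
    dst: IPv4Address   # side that accepts it
    service: str
    carries_file: bool


def flow(src: str, dst: str, service: str, carries_file: bool) -> Flow:
    """Convenience constructor from dotted-quad strings."""
    return Flow(ip_address(src), ip_address(dst), service, carries_file)


def gateways_on_path(f: Flow) -> List[str]:
    """Tier-1 gateways the flow crosses, in traversal order. Assumed from the
    topology figure: a segment is reached only through its own tier-1, and
    the North range only through the tier-0, which carries no rules here."""
    path: List[str] = []
    for ip in (f.src, f.dst):
        gw = "T1-GW1" if ip in SEGMENT1 else "T1-GW2" if ip in SEGMENT2 else None
        if gw and gw not in path:
            path.append(gw)
    return path


def first_match(gateway: str, f: Flow, rules: List[Rule] = RULES) -> Optional[Rule]:
    """Top-down, first-match evaluation of one gateway's rule table."""
    for r in rules:
        if r.gateway != gateway:
            continue
        if not (in_group(r.source, f.src) and in_group(r.destination, f.dst)):
            continue
        if r.service not in ("Any", f.service):
            continue
        return r
    return None


def file_events(f: Flow, rules: List[Rule] = RULES) -> List[Tuple[str, int]]:
    """(gateway, rule ID) for every gateway that raises a file event.
    An event needs a file in the flow and a matching rule that carries a
    profile; Detect Only never drops the flow, so a downstream gateway still
    sees the file and may raise its own event."""
    if not f.carries_file:
        return []
    events = []
    for gw in gateways_on_path(f):
        rule = first_match(gw, f, rules)
        if rule is not None and rule.profile:
            events.append((gw, rule.rule_id))
    return events


if __name__ == "__main__":
    print(file_events(flow("12.1.1.50", "10.1.1.20", "HTTP", True)))  # [('T1-GW1', 1011)]
    print(file_events(flow("12.1.1.50", "10.1.1.20", "FTP", True)))   # [] only HTTP is covered on T1-GW1
    print(file_events(flow("10.1.1.20", "10.2.2.30", "HTTP", True)))  # [('T1-GW2', 1006)] no T1-GW1 rule matches
    # Hypothetical extra T1-GW1 rule covering Segment1 to anywhere: now both
    # gateways inspect the file, the two-event outcome of the Example section.
    extra = RULES + [Rule("T1-GW1", "S_to_Any", 1012, "South", "Any", "HTTP", "Profile_T1-GW", "Detect Only")]
    print(file_events(flow("10.1.1.20", "10.2.2.30", "HTTP", True), extra))  # [('T1-GW1', 1012), ('T1-GW2', 1006)]
```

Two points the model makes visible: on T1-GW1 only HTTP flows between the North range and Segment1 are inspected, so a file carried by another protocol produces no event there; and the two file events of the Example appear only when a rule carrying the profile matches the flow on each gateway it crosses. With the subnets assumed here, a Segment1-to-Segment2 flow matches neither North/South rule on T1-GW1, so only T1-GW2's Any-Any rule fires until T1-GW1 gets a rule (the hypothetical 1012 above) that covers that destination.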