In this example, your objective is to create security policies with Gateway Firewall rules that detect malicious files in the north-south traffic passing through the NSX Edges in your NSX-T Data Center.
For this example, consider that your network topology is as shown in the following figure. You will add Gateway Malware Prevention rules to detect malware on two tier-1 gateways: T1-GW1 and T1-GW2. Each tier-1 gateway has an overlay segment attached to it, and workload VMs are attached to the overlay segments. Both tier-1 gateways are connected to a single tier-0 gateway, which in turn is connected to the physical top-of-rack switch to enable connectivity with the outside public network.
Assumptions:
Procedure
- From your browser, log in to an NSX Manager at https://nsx-manager-ip-address.
- Navigate to .
- On the Gateway Specific Rules page, in the Gateway drop-down menu, select T1-GW1.
- Click Add Policy to create a section, and enter a name for the policy.
For example, enter Policy_T1-GW1.
- Click Add Rule and configure two rules with the following configurations.
Name | ID | Sources | Destinations | Services | Security Profiles | Applied To | Mode
N_to_S | 1011 | North | South | HTTP | Profile_T1-GW | T1-GW1 | Detect Only
S_to_N | 1010 | South | North | HTTP | Profile_T1-GW | T1-GW1 | Detect Only
The rule IDs in this table are only for reference. They might vary in your NSX-T environment.
Let us understand the meaning of these rules:
- Rule 1011: This rule is enforced on T1-GW1 when HTTP connections are initiated by the machines in the public IP range (12.1.1.10-12.1.1.100) and these connections are accepted by the workload VMs that are attached to Segment1. If a file is detected in the HTTP connection, a file event is generated, and the file is analyzed for malicious behavior.
- Rule 1010: This rule is enforced on T1-GW1 when HTTP connections are initiated by the workload VMs on Segment1 and these connections are accepted by the machines in the public IP range (12.1.1.10-12.1.1.100). If a file is detected in the HTTP traffic, a file event is generated, and the file is analyzed for malicious behavior.
- Publish the rules.
- On the Gateway Specific Rules page, in the Gateway drop-down menu, select T1-GW2.
- Click Add Policy to create a section, and enter a name for the policy.
For example, enter Policy_T1-GW2.
- Click Add Rule and configure an Any-Any rule as follows.
Name | ID | Sources | Destinations | Services | Security Profiles | Applied To | Mode
Any_Traffic | 1006 | Any | Any | Any | Profile_T1-GW | T1-GW2 | Detect Only
This rule is enforced on T1-GW2 when any type of traffic is initiated from any source and accepted by any destination. If a file is detected in the traffic, a file event is generated, and the file is analyzed for malicious behavior.
- Publish the rules.
Example
Scenario: In the same topology as shown earlier, assume that a VM on Segment1 wants to transmit a file to a VM on Segment2. In this case, the file traverses both tier-1 gateways: T1-GW1 and T1-GW2. Because a Malware Prevention profile is configured on both tier-1 gateways, the file is inspected twice and two file events are generated. This behavior is expected.
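The following Python script is an added illustration of how the three rules above are matched and why the scenario produces two file events; it is a constructed simulation, not NSX-T code or the NSX Policy API. The segment subnets, the exact membership of the North and South groups (the page's Assumptions section is not reproduced here, so Segment2 is placed in the North group relative to T1-GW1), and the gateway path of each connection are assumptions made for the simulation.

```python
# Constructed simulation of Gateway Malware Prevention rule matching for the
# T1-GW1 / T1-GW2 example. Not NSX code; addressing and group membership are
# assumptions made for this illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The page gives the public range 12.1.1.10-12.1.1.100; the segment subnets
# below are constructed.
PUBLIC_RANGE = (ip_address("12.1.1.10"), ip_address("12.1.1.100"))
SEGMENT1 = ip_network("192.168.1.0/24")   # assumed subnet behind T1-GW1
SEGMENT2 = ip_network("192.168.2.0/24")   # assumed subnet behind T1-GW2


def in_group(group: str, ip: str) -> bool:
    """Group membership as assumed here: North is everything on the north side
    of T1-GW1 (the public range plus Segment2), South is Segment1."""
    addr = ip_address(ip)
    if group == "Any":
        return True
    if group == "North":
        return PUBLIC_RANGE[0] <= addr <= PUBLIC_RANGE[1] or addr in SEGMENT2
    if group == "South":
        return addr in SEGMENT1
    raise ValueError(f"unknown group {group!r}")


@dataclass(frozen=True)
class Rule:
    name: str
    rule_id: int
    sources: str
    destinations: str
    services: str        # "HTTP" or "Any"
    profile: str
    applied_to: str      # the gateway on which the rule is enforced
    mode: str            # "Detect Only" for every rule in this example

    def matches(self, gateway: str, src: str, dst: str, service: str) -> bool:
        return (self.applied_to == gateway
                and in_group(self.sources, src)
                and in_group(self.destinations, dst)
                and self.services in ("Any", service))


# The three rules from the tables above, in the order they are listed.
RULES = [
    Rule("N_to_S", 1011, "North", "South", "HTTP", "Profile_T1-GW", "T1-GW1", "Detect Only"),
    Rule("S_to_N", 1010, "South", "North", "HTTP", "Profile_T1-GW", "T1-GW1", "Detect Only"),
    Rule("Any_Traffic", 1006, "Any", "Any", "Any", "Profile_T1-GW", "T1-GW2", "Detect Only"),
]


def first_match(gateway: str, src: str, dst: str, service: str):
    """Rules applied to a gateway are evaluated top-down; the first match wins."""
    for rule in RULES:
        if rule.matches(gateway, src, dst, service):
            return rule
    return None


def file_events(path, src: str, dst: str, service: str):
    """File events for a file-carrying connection crossing the gateways in `path`.

    Each gateway inspects the file independently, so one transfer yields one
    event per gateway whose rules cover the connection. Returns a list of
    (gateway, rule_id, mode) tuples.
    """
    events = []
    for gateway in path:
        rule = first_match(gateway, src, dst, service)
        if rule is not None:
            events.append((gateway, rule.rule_id, rule.mode))
    return events


if __name__ == "__main__":
    # Public client downloading to a Segment1 VM over HTTP: rule 1011 on T1-GW1.
    print(file_events(["T1-GW1"], "12.1.1.50", "192.168.1.10", "HTTP"))
    # The Example scenario: Segment1 VM to Segment2 VM crosses both gateways.
    print(file_events(["T1-GW1", "T1-GW2"], "192.168.1.10", "192.168.2.10", "HTTP"))
    # Non-HTTP file transfer to Segment1: no T1-GW1 rule covers it, so no event.
    print(file_events(["T1-GW1"], "12.1.1.50", "192.168.1.10", "SMB"))
```

The last case is the caveat worth noticing: the T1-GW1 rules only name the HTTP service, so a file carried over any other protocol through T1-GW1 is never inspected, whereas the Any-Any rule on T1-GW2 inspects files in every flow that gateway sees.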