You can set up NSX IDS/IPS and NSX Malware Prevention features in your NSX-T Data Center environment only when your data center uses an appropriate license.

For information about licenses that are required to run the NSX Advanced Threat Prevention solution, see the Security Licenses section in License Types.

Preparing the data center for NSX Intrusion Detection/Prevention and NSX Malware Prevention involves multiple steps. To do these steps, you can use the IDS/IPS & Malware Prevention Setup wizard.

The setup wizard is like an onboarding process that guides you through a sequence of steps to prepare the data center for these two security features. To run this wizard, navigate to Security > IDS/IPS & Malware Prevention.

If NSX-T detects that appropriate licenses are not added, the page displays the following text:

IDS/IPS & Malware Prevention is not supported with current license.

If NSX-T detects that appropriate licenses are added, the page displays the Start Setup and Skip Setup buttons.

To begin the setup wizard, click Start Setup. Follow the on-screen instructions and this documentation to complete the steps in the wizard.

  • If you want to save your progress at any stage and exit the wizard, click Back to Main Page. Later, you can continue the setup from where you left off.
  • If you want to reset the setup wizard and start again from the beginning, click Cancel. Canceling the setup removes the selections you made in the wizard, but it does not remove any deployments that you completed in the wizard. For example, if you completed the deployment of the NSX Application Platform and the NSX Malware Prevention service virtual machine on host clusters before resetting the wizard, these deployments are retained.
  • If you do not want to use the setup wizard and prefer setting up the two security features on your own later, click Skip Setup. NSX Manager does not show this wizard again. Later, you can navigate to Security > IDS/IPS & Malware Prevention > Settings and set up the data center for both the features. For information about using the IDS/IPS & Malware Prevention Settings page, see Configuring NSX IDS/IPS and NSX Malware Prevention Settings.
By default, all the check boxes in the IDS/IPS and Malware Prevention feature cards are selected for setup. You can edit the selections, if required. When you are ready to proceed, click Next. Your selections determine the tabs that are shown in the wizard, as explained in the following list.
Note: NSX Application Platform is a prerequisite for NSX Malware Prevention, but not for NSX IDS/IPS.

Selected features, and the tabs shown for each selection:
  • IDS/IPS on east-west traffic, or IDS/IPS on north-south traffic (in NSX-T Data Center 3.2.0, this feature was available in tech preview mode only; starting with NSX-T Data Center 3.2.1, the feature is available for production environments and has full support): Configure NSX Proxy, Manage Signatures, Enable Nodes
  • Malware Prevention only on east-west traffic: Configure NSX Proxy, Deploy NSX Application Platform, Deploy Service VM
  • Malware Prevention only on north-south traffic: Configure NSX Proxy, Deploy NSX Application Platform, Enable Nodes
  • Malware Prevention on both east-west traffic and north-south traffic: Configure NSX Proxy, Deploy NSX Application Platform, Deploy Service VM, Enable Nodes
  • All features selected: all five tabs in the wizard are shown

Configure NSX Proxy Server for Internet Connectivity

NSX Malware Prevention can work only when your NSX-T Data Center is connected to the Internet. NSX IDS/IPS can work in a network without Internet connectivity, but you will have to manually update the IDS/IPS signatures.

Click the Go to NSX Proxy Server link and specify the following settings:
  • Scheme (HTTP or HTTPS)
  • IP address of the host
  • Port number
  • User name and password

Deploy NSX Application Platform

NSX Malware Prevention requires certain microservices to be deployed in the NSX Application Platform. You must first deploy the NSX Application Platform, and then activate the NSX Malware Prevention feature. After this feature is activated, the microservices that are required for NSX Malware Prevention get deployed in the platform.

To summarize, you must perform the following tasks in the given order:
  1. Deploy NSX Application Platform
  2. Activate NSX Malware Prevention

Deploy Service Virtual Machine

For east-west traffic in the data center, you must deploy the NSX Distributed Malware Prevention service on vSphere host clusters that are prepared for NSX. When this service is deployed, a service virtual machine (SVM) is installed on each host of the vSphere cluster and NSX Malware Prevention is enabled on the host cluster.

A donut chart on this page shows the number of host clusters in the data center where the NSX Distributed Malware Prevention service is deployed and not deployed.

For detailed instructions about deploying the NSX Distributed Malware Prevention service on a host cluster, see Deploy the NSX Distributed Malware Prevention Service.

After the service deployment is done on the host clusters, return to this page in the wizard, and click Next to continue.

Note: High availability is not supported for the service virtual machine of NSX Distributed Malware Prevention service.

Manage Signatures

When Internet connectivity is configured in your data center, NSX Manager checks for availability of new intrusion detection signatures on the cloud every 20 minutes, by default. When a new update is available, a banner is displayed on the page with an Update Now link.

If the data center does not have Internet connectivity, you can manually download the IDS signature bundle (.zip) file and then upload it to NSX Manager. For detailed instructions, see Offline Downloading and Uploading NSX Intrusion Detection Signatures.

Signature Management

Signature management tasks are optional. If needed, you can do them later on the IDS/IPS & Malware Prevention Settings page (Security > IDS/IPS & Malware Prevention > Settings > IDS/IPS).

  • Turn on the Auto Update new versions option to automatically apply intrusion detection signatures to the hosts and edges in the data center after they are downloaded from the cloud.

    When this option is turned off, the signatures remain at the listed version and newer downloads are not applied automatically.

  • Click View and change versions to add another version of the signatures, in addition to the default.

    Currently, two versions of signatures are maintained. Whenever there is a change in the version commit identification number, a new version is downloaded.

  • Click View and manage global signature set to globally change the action of specific signatures to alert, drop, or reject.

    Select an Action for the signature, and click Save. The changes done in global signature management settings are applicable to all IDS/IPS profiles. However, if you update the signature settings in an IDS/IPS profile, the profile settings take precedence.

    Each signature action has the following meaning:
      • Alert: an alert is generated and no automatic preventive action is taken.
      • Drop: an alert is generated and the offending packets are dropped.
      • Reject: an alert is generated and the offending packets are dropped. For TCP flows, IDS generates a TCP reset packet and sends it to the source and destination of the connection. For other protocols, an ICMP error packet is sent to the source and destination of the connection.
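The precedence rule (profile settings override the global signature set) and the per-action response described above, modelled in Python as an added example that is not NSX code; the signature IDs, addresses and dictionaries are constructed sample data, not values from NSX Manager:

```python
# Added example (not NSX code): models how the effective action for an IDS/IPS
# signature is resolved (profile setting > global signature set > default) and
# what each action does to a flow. Signature IDs and addresses are constructed.
from dataclasses import dataclass
from typing import Dict, Tuple

ACTIONS = ("alert", "drop", "reject")

@dataclass(frozen=True)
class Flow:
    proto: str  # "tcp", "udp", "icmp", ...
    src: str
    dst: str

@dataclass(frozen=True)
class Verdict:
    alert: bool
    dropped: bool
    sent: Tuple[Tuple[str, str], ...]  # (packet kind, target) pairs generated by IDS

def effective_action(sig_id: str, global_set: Dict[str, str],
                     profile: Dict[str, str], default: str = "alert") -> str:
    """Profile override wins over the global signature set, which wins over the default."""
    action = profile.get(sig_id, global_set.get(sig_id, default))
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r} for signature {sig_id}")
    return action

def apply_action(action: str, flow: Flow) -> Verdict:
    """Every action raises an alert; drop and reject also discard the packets;
    reject additionally tears the connection down at both ends."""
    if action == "alert":
        return Verdict(alert=True, dropped=False, sent=())
    if action == "drop":
        return Verdict(alert=True, dropped=True, sent=())
    kind = "tcp-rst" if flow.proto == "tcp" else "icmp-error"
    return Verdict(alert=True, dropped=True, sent=((kind, flow.src), (kind, flow.dst)))

def inspect_flow(sig_id: str, flow: Flow, global_set: Dict[str, str],
                 profile: Dict[str, str]) -> Verdict:
    return apply_action(effective_action(sig_id, global_set, profile), flow)

# Constructed sample: the global set rejects SIG-1; one profile downgrades it to drop.
GLOBAL_SET = {"SIG-1": "reject", "SIG-2": "drop"}
PROFILE_OVERRIDES = {"SIG-1": "drop"}

if __name__ == "__main__":
    tcp = Flow("tcp", "192.0.2.10", "192.0.2.20")
    print(inspect_flow("SIG-1", tcp, GLOBAL_SET, {}))                 # reject: RST to both ends
    print(inspect_flow("SIG-1", tcp, GLOBAL_SET, PROFILE_OVERRIDES))  # profile wins: drop, no RST
    print(inspect_flow("SIG-2", Flow("udp", "192.0.2.10", "192.0.2.20"), GLOBAL_SET, {}))
```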

Enable Nodes for IDS/IPS and Malware Prevention

In the Activate Hosts & Clusters for East-West Traffic section, do the following configurations:

  • Turn on NSX IDS/IPS on the standalone ESXi hosts.
  • Select the ESXi host clusters where you want to turn on NSX IDS/IPS on the east-west traffic.
  • If the NSX Distributed Malware Prevention service is not already deployed on ESXi host clusters, click the Defined in Service VM deployment link in the Malware Prevention column. For instructions about deploying the NSX Distributed Malware Prevention service on a host cluster, see Deploy the NSX Distributed Malware Prevention Service.
Note:
  • Do not enable NSX Distributed IDS/IPS in an environment that is using Distributed Load Balancer. NSX does not support IDS/IPS with a Distributed Load Balancer.
  • For NSX Distributed IDS/IPS to work, Distributed Firewall (DFW) must be enabled. If traffic is blocked by a DFW rule, then IDS/IPS cannot see the traffic.
In the Activate Gateways for North-South Traffic section, do the following configurations:
  • Select the tier-1 gateways where you want to turn on NSX IDS/IPS on the north-south traffic.
  • Select the tier-1 gateways where you want to turn on NSX Malware Prevention on the north-south traffic.
Important: For north-south traffic, NSX-T Data Center 3.2 supports:
  • NSX Malware Prevention feature only on tier-1 gateways.
  • NSX IDS/IPS on Gateway Firewall feature only on tier-1 gateways. In NSX-T Data Center 3.2.0, NSX IDS/IPS on Gateway Firewall was available in tech preview mode only. Starting with NSX-T Data Center 3.2.1, NSX IDS/IPS on Gateway Firewall is available for production environments and has full support. For more information, see the NSX-T Data Center Release Notes.