The NSX Manager UI provides a common rule table to add rules for NSX Intrusion Detection/Prevention and NSX Malware Prevention on a Distributed Firewall.

In NSX-T Data Center 3.2, the NSX Distributed Malware Prevention service can detect and prevent malware only on Windows guest endpoints (VMs).

Note: For distributed east-west traffic, malware detection and prevention is supported only for Windows Portable Executable (PE) files that are extracted by the Guest Introspection (GI) thin agent on the workload VMs (endpoints). Other file categories are not currently supported by NSX Distributed Malware Prevention. The maximum supported file size is 64 MB.

Prerequisites

For NSX Malware Prevention:
For NSX IDS/IPS:
  • Add an NSX IDS/IPS Profile.
  • Turn on or activate NSX IDS/IPS on the vSphere host clusters. (Security > IDS/IPS & Malware Prevention > Settings > Shared).

Procedure

  1. From your browser, log in to an NSX Manager at https://nsx-manager-ip-address.
  2. Navigate to Security > IDS/IPS & Malware Prevention > Distributed Rules.
  3. Click Add Policy to create a section for organizing the rules.
    1. Enter a name for the policy.
    2. (Optional) In the policy row, click the gear icon to configure advanced policy options. These options apply only to NSX Distributed IDS/IPS, not to NSX Distributed Malware Prevention.
      Stateful: A stateful firewall monitors the state of active connections and uses this information to decide which packets to allow through the firewall.
      Locked: The policy can be locked to prevent multiple users from editing the same section at the same time. When locking a section, you must include a comment. Some roles, such as Enterprise Administrator, have full access and cannot be locked out. See Role-Based Access Control.

  4. Click Add Rule and configure the rule settings.
    1. Enter a name for the rule.
    2. Configure the Sources, Destinations, and Services columns based on the traffic that requires IDS inspection. IDS supports the Generic and IP Addresses Only group types for sources and destinations.
      These three columns are not supported for Distributed Malware Prevention rules; retain them as Any. Instead, limit the scope of a Distributed Malware Prevention rule by selecting groups in the Applied To column.
    3. In the Security Profiles column, select the profile to use for this rule.
      You can select either an NSX IDS/IPS profile or an NSX Malware Prevention profile, but not both. Only one security profile is supported per rule.
    4. In the Applied To column, select any one of the options.
      DFW: Supported for Distributed IDS/IPS rules only. The rule is applied to workload VMs on all host clusters on which NSX IDS/IPS is activated. In NSX-T 3.2, Distributed Malware Prevention rules do not support DFW in Applied To.
      Groups: The rule is applied only to the VMs that are members of the selected groups.
    5. In the Mode column, select any one of the options.
      Detect Only:
        For the NSX Malware Prevention service, the rule detects malicious files on the VMs but takes no preventive action. Malicious files are still downloaded on the VMs; only a file event is generated.
        For the NSX IDS/IPS service, the rule detects intrusions against signatures and takes no action on the traffic.
      Detect and Prevent:
        For the NSX Malware Prevention service, the rule detects known malicious files and blocks them from being downloaded on the VMs.
        For the NSX IDS/IPS service, the rule detects intrusions against signatures and either drops or rejects the traffic, depending on the signature action configured in the IDS/IPS profile or in the global signature configuration.

    6. (Optional) Click the gear icon to configure other rule settings. These settings apply only to NSX Distributed IDS/IPS, not to NSX Distributed Malware Prevention.
      Logging: Logging is turned off by default. Logs are stored in the /var/log/dfwpktlogs.log file on the ESXi hosts.
      Direction: The direction of traffic from the point of view of the destination object. IN means that only traffic to the object is checked. OUT means that only traffic from the object is checked. In-Out means that traffic in both directions is checked.
      IP Protocol: Enforce the rule on IPv4, IPv6, or both (IPv4-IPv6).
      Log Label: A label stored in the firewall log when logging is enabled.
  5. (Optional) Repeat step 4 to add more rules in the same policy.
  6. Click Publish.
    The rules are saved and pushed to the hosts. You can click the graph icon to view rule statistics for NSX Distributed IDS/IPS.
    Note: Rule statistics for NSX Distributed Malware Prevention firewall rules are not supported.
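The procedure above spells out several constraints that the UI does not enforce for you in one place: a rule carries exactly one security profile, Malware Prevention rules must keep Sources, Destinations and Services as Any and be scoped with groups rather than DFW, and the gear-icon settings (logging, direction, IP protocol, log label) have no effect on Malware Prevention rules. The following Python is an added example, not VMware code and not part of this page's procedure: it models the rule table columns, checks a set of rules against those constraints before they are published, and maps them onto the shape of an NSX-T Policy API IdsSecurityPolicy/IdsRule body. The API resource names, field names, enum values and the PATCH path are assumptions about the Policy API and are not taken from this page; the group and profile paths are constructed sample data.

```python
"""Pre-publish checks for Distributed IDS/IPS and Malware Prevention rules.

Added example; not VMware code. Rule fields mirror the columns of the
Distributed Rules table. to_policy_api() maps a rule onto the NSX-T Policy API
IdsRule shape (an ASSUMPTION about the API, not something this page states).
"""
from dataclasses import dataclass, field
from typing import List, Tuple

ANY = "ANY"
APPLIED_TO_DFW = "DFW"
PROFILE_KINDS = ("IDS_IPS", "MALWARE_PREVENTION")
MODES = ("DETECT", "DETECT_PREVENT")          # Detect Only / Detect and Prevent
DIRECTIONS = ("IN", "OUT", "IN_OUT")
IP_PROTOCOLS = ("IPV4", "IPV6", "IPV4_IPV6")


@dataclass
class Rule:
    name: str
    profile_kind: str                 # one of PROFILE_KINDS
    profile_paths: List[str]          # Security Profiles column (must be exactly one)
    mode: str                         # Mode column
    applied_to: List[str] = field(default_factory=lambda: [APPLIED_TO_DFW])
    sources: List[str] = field(default_factory=lambda: [ANY])
    destinations: List[str] = field(default_factory=lambda: [ANY])
    services: List[str] = field(default_factory=lambda: [ANY])
    logging: bool = False             # gear-icon settings, IDS/IPS only
    direction: str = "IN_OUT"
    ip_protocol: str = "IPV4_IPV6"
    log_label: str = ""


def validate(rule: Rule) -> List[str]:
    """Return the problems that make a rule unpublishable or silently ineffective,
    based only on the constraints stated in the procedure."""
    problems = []
    if rule.profile_kind not in PROFILE_KINDS:
        problems.append(f"{rule.name}: unknown profile kind {rule.profile_kind!r}")
    if len(rule.profile_paths) != 1:
        problems.append(f"{rule.name}: exactly one security profile is supported per rule")
    if rule.mode not in MODES:
        problems.append(f"{rule.name}: mode must be one of {MODES}")
    if rule.direction not in DIRECTIONS or rule.ip_protocol not in IP_PROTOCOLS:
        problems.append(f"{rule.name}: invalid direction or IP protocol")
    if rule.profile_kind == "MALWARE_PREVENTION":
        # Sources, Destinations and Services are not supported: they must stay Any.
        if [rule.sources, rule.destinations, rule.services] != [[ANY], [ANY], [ANY]]:
            problems.append(f"{rule.name}: Malware Prevention rules must keep Sources, "
                            "Destinations and Services as Any; scope with Applied To groups")
        # DFW is not a valid Applied To for Malware Prevention rules in NSX-T 3.2.
        if APPLIED_TO_DFW in rule.applied_to:
            problems.append(f"{rule.name}: Malware Prevention rules must be applied to groups, not DFW")
        # The gear-icon settings only apply to IDS/IPS; flag them so nobody relies on them.
        if rule.logging or rule.log_label or rule.direction != "IN_OUT" or rule.ip_protocol != "IPV4_IPV6":
            problems.append(f"{rule.name}: logging, direction, IP protocol and log label "
                            "are ignored for Malware Prevention rules")
    return problems


def to_policy_api(rule: Rule) -> dict:
    """Shape a rule like an IdsRule (assumed Policy API field names)."""
    return {
        "resource_type": "IdsRule",
        "display_name": rule.name,
        "ids_profiles": rule.profile_paths,
        "action": rule.mode,
        "source_groups": rule.sources,
        "destination_groups": rule.destinations,
        "services": rule.services,
        # Applied To = DFW is expressed as scope ["ANY"] (assumption).
        "scope": [ANY] if rule.applied_to == [APPLIED_TO_DFW] else rule.applied_to,
        "logged": rule.logging,
        "direction": rule.direction,
        "ip_protocol": rule.ip_protocol,
        "tag": rule.log_label,
    }


def build_policy(policy_id: str, display_name: str, rules: List[Rule],
                 stateful: bool = True, locked: bool = False,
                 lock_comment: str = "") -> Tuple[str, dict]:
    """Validate every rule, then return the PATCH path and body for the policy.
    Raises ValueError listing all problems so none are silently published."""
    problems = [p for r in rules for p in validate(r)]
    if locked and not lock_comment:
        problems.append(f"{display_name}: locking a policy requires a comment")
    if problems:
        raise ValueError("\n".join(problems))
    body = {"resource_type": "IdsSecurityPolicy", "display_name": display_name,
            "stateful": stateful, "locked": locked,
            "rules": [to_policy_api(r) for r in rules]}
    if locked:
        body["comments"] = lock_comment
    return f"/policy/api/v1/infra/domains/default/intrusion-service-policies/{policy_id}", body


# Constructed sample rules (group and profile paths are made up for the example).
IDS_RULE = Rule(name="web-ids", profile_kind="IDS_IPS", mode="DETECT_PREVENT",
                profile_paths=["/infra/settings/firewall/security/intrusion-services/profiles/web"],
                sources=[ANY], destinations=["/infra/domains/default/groups/web-tier"],
                logging=True, log_label="web-ids")
MP_RULE = Rule(name="win-malware", profile_kind="MALWARE_PREVENTION", mode="DETECT_PREVENT",
               profile_paths=["/infra/settings/firewall/security/malware-prevention/profiles/default"],
               applied_to=["/infra/domains/default/groups/win-endpoints"])

if __name__ == "__main__":
    import json
    path, body = build_policy("pci-web", "PCI web policy", [IDS_RULE, MP_RULE])
    print("PATCH", path)
    print(json.dumps(body, indent=2))
```

The validator deliberately treats the gear-icon settings on a Malware Prevention rule as a problem rather than quietly dropping them: a rule that appears to log or restrict direction but does neither is exactly the kind of configuration drift that gets noticed only during an incident.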

Results

When files are extracted on the endpoint VMs, file events are generated and shown on the Malware Prevention dashboard and the Security Overview dashboard. If a file is malicious, the action set by the rule mode is enforced. If a file is benign, it is downloaded on the VM.

For rules configured with an IDS/IPS profile, if the system detects malicious traffic it generates an intrusion event and shows it on the IDS/IPS dashboard. The system drops, rejects, or only alerts on the traffic based on the mode you selected in the rule and the signature action configured in the IDS/IPS profile.

Example

For an end-to-end example of configuring a Distributed Firewall rule for malware detection and prevention on VM endpoints, see Example: Add Rules for NSX Distributed Malware Prevention.

What to do next

Monitor and analyze file events on the Malware Prevention dashboard. For more information, see Monitoring File Events.

Monitor and analyze intrusion events on the IDS/IPS dashboard. For more information, see Monitoring IDS/IPS Events.