If you have skipped the IDS/IPS and Malware Prevention Setup wizard without configuring any settings, or if you have skipped the wizard midway during the configuration process, you can continue the configuration process from the IDS/IPS & Malware Prevention Settings page.

To open this page in the NSX Manager UI, navigate to Security > IDS/IPS & Malware Prevention > Settings.

The configuration settings are grouped into three tab pages:
  • Shared
  • IDS/IPS
  • Malware Prevention

Shared Settings

As the name suggests, these settings are common to NSX IDS/IPS and NSX Malware Prevention.

Configure Internet Proxy Server

NSX Malware Prevention can work only when your NSX-T Data Center is connected to the Internet. NSX IDS/IPS can work in a network without Internet connectivity, but you will have to manually update the IDS/IPS signatures.

Click the Internet Proxy Server link and specify the following settings:
  • Scheme (HTTP or HTTPS)
  • IP address of the host
  • Port number
  • User name and password

Define Scope for Malware Prevention and IDS/IPS Deployment

In the Activate Hosts & Clusters for East-West Traffic section, do the following configurations:

  • Turn on NSX IDS/IPS on the standalone ESXi hosts.
  • Select the ESXi host clusters where you want to turn on NSX IDS/IPS on the east-west traffic.
  • If the NSX Distributed Malware Prevention service is not already deployed on ESXi host clusters, click the Defined in Service VM deployment link in the Malware Prevention column. For instructions about deploying the NSX Distributed Malware Prevention service on a host cluster, see Deploy the NSX Distributed Malware Prevention Service.

In the Activate Gateways for North-South Traffic section, do the following configurations:
  • Select the tier-1 gateways where you want to turn on NSX IDS/IPS on the north-south traffic.
  • Select the tier-1 gateways where you want to turn on NSX Malware Prevention on the north-south traffic.
Important: On the north-south traffic, NSX-T Data Center 3.2 supports:
  • NSX Malware Prevention feature only on tier-1 gateways.
  • NSX IDS/IPS on Gateway Firewall feature only on tier-1 gateways. In NSX-T Data Center 3.2.0, NSX IDS/IPS on Gateway Firewall was available in tech preview mode only. Starting with NSX-T Data Center 3.2.1, NSX IDS/IPS on Gateway Firewall is available for production environments and has full support. For more information, see the NSX-T Data Center Release Notes.

IDS/IPS Settings

When Internet connectivity is configured in your data center, NSX Manager checks for availability of new intrusion detection signatures on the cloud every 20 minutes, by default. When a new update is available, a banner is displayed on the page with an Update Now link.

If the data center does not have Internet connectivity, you can manually download the IDS signature bundle (.zip) file, and then upload the file to NSX Manager. For detailed instructions, see Offline Downloading and Uploading NSX Intrusion Detection Signatures.

You can do the following signature management tasks on this page:

  • Turn on the Auto Update new versions option to automatically apply intrusion detection signatures to the hosts and edges in the data center after they are downloaded from the cloud.

    When this option is turned off, the signatures remain at the listed version and are not applied automatically.

  • Click View and change versions to add another version of the signatures, in addition to the default.

    Currently, two versions of signatures are maintained. Whenever there is a change in the version commit identification number, a new version is downloaded.

  • Click View and manage global signature set to globally change the action of specific signatures to alert, drop, or reject.

    Select an Action for the signature, and click Save. The changes done in global signature management settings are applicable to all IDS/IPS profiles. However, if you update the signature settings in an IDS/IPS profile, the profile settings take precedence.

    The following table explains the meaning of each signature action.

    Action   Description
    Alert    An alert is generated and no automatic preventive action is taken.
    Drop     An alert is generated and the offending packets are dropped.
    Reject   An alert is generated and the offending packets are dropped. For TCP flows, a TCP reset packet is generated by IDS and sent to the source and destination of the connection. For other protocols, an ICMP error packet is sent to the source and destination of the connection.
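The precedence rule above (a profile-level signature setting overrides the global signature set, which in turn overrides the action shipped with the signature) and the per-action behaviour in the table can be modelled in a few lines. The following Python is an added illustration, not VMware's code or the NSX API; the class names, the signature IDs and the `enforce` result layout are assumptions made for the example.

```python
"""Illustrative model of how NSX-style signature actions resolve:
profile override > global signature set override > bundled default.
Added example, not VMware code; names and sample signature IDs are assumed."""
from dataclasses import dataclass, field
from typing import Dict, Optional

# The three actions the page describes.
ACTIONS = ("alert", "drop", "reject")


@dataclass
class SignatureSet:
    # signature id -> action shipped with the signature bundle (constructed sample data)
    defaults: Dict[int, str]
    # changes made under "View and manage global signature set"
    global_overrides: Dict[int, str] = field(default_factory=dict)


@dataclass
class IdsProfile:
    name: str
    # per-profile changes; these take precedence over the global set
    overrides: Dict[int, str] = field(default_factory=dict)


def set_action(table: Dict[int, str], sig_id: int, action: str) -> None:
    """Record an action override, rejecting anything outside alert/drop/reject."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}; expected one of {ACTIONS}")
    table[sig_id] = action


def effective_action(sigs: SignatureSet, profile: Optional[IdsProfile], sig_id: int) -> str:
    """Resolve the action that applies to one signature for a given profile."""
    if profile is not None and sig_id in profile.overrides:
        return profile.overrides[sig_id]          # profile setting wins
    if sig_id in sigs.global_overrides:
        return sigs.global_overrides[sig_id]      # then the global signature set
    return sigs.defaults[sig_id]                  # otherwise the bundled default


def enforce(action: str, protocol: str) -> dict:
    """Describe the engine's response to a matching packet, following the action table:
    alert  -> alert only; drop -> alert + drop; reject -> alert + drop + TCP RST (TCP)
    or ICMP error (other protocols)."""
    result = {"alert": True, "dropped": False, "reset": None}
    if action == "alert":
        return result
    result["dropped"] = True
    if action == "reject":
        result["reset"] = "tcp-rst" if protocol.lower() == "tcp" else "icmp-error"
    return result


def demo() -> Dict[str, str]:
    """Walk through a constructed configuration and return the resolved actions."""
    sigs = SignatureSet(defaults={1001: "alert", 1002: "alert", 1003: "drop"})
    set_action(sigs.global_overrides, 1001, "drop")     # globally escalate 1001
    set_action(sigs.global_overrides, 1002, "reject")   # globally escalate 1002
    web = IdsProfile("web-tier", overrides={1001: "alert"})  # profile relaxes 1001 again
    return {
        "web-tier/1001": effective_action(sigs, web, 1001),   # profile wins -> alert
        "web-tier/1002": effective_action(sigs, web, 1002),   # global applies -> reject
        "web-tier/1003": effective_action(sigs, web, 1003),   # default applies -> drop
        "no-profile/1001": effective_action(sigs, None, 1001),  # global applies -> drop
    }


if __name__ == "__main__":
    for key, action in demo().items():
        print(key, action, enforce(action, "tcp"))
```

The point to take from the model is that a global change is only a baseline: any profile that has its own setting for the same signature silently wins, so when auditing why a signature alerts instead of dropping, check the profiles attached to the rule before the global set.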

Malware Prevention Settings

NSX Malware Prevention requires certain microservices to be deployed in the NSX Application Platform.

If the NSX Application Platform is not deployed in your data center, this page displays the following title:

Malware Prevention is not deployed yet.

Do the following steps:
  1. Read the on-screen text and click Go to NSX Application Platform.
  2. Before proceeding with the platform deployment, read the NSX Application Platform Deployment Checklist in the Deploying and Managing the VMware NSX Application Platform publication at https://docs.vmware.com/en/VMware-NSX-T-Data-Center/index.html. From the left navigation pane at this link, expand version 3.2 or later, and then click the publication name.
  3. Deploy the NSX Application Platform. For more details, see the Deploying and Managing the VMware NSX Application Platform publication.
  4. Activate the NSX Malware Prevention feature on the platform.

After the NSX Malware Prevention feature is activated on the NSX Application Platform, the Malware Prevention settings page displays the Allowlist section. You might have to refresh the page a few times to view this section.

Allowlist

Using the NSX Manager UI or API, you can override or suppress the file verdict that NSX-T has computed. The overridden verdict takes precedence over the NSX-T computed verdict. The Allowlist table displays all the files with a suppressed verdict. This table is initially empty. When you start monitoring the file events in your data center by using the Malware Prevention dashboard and suppress file verdicts based on your specific security requirements, the suppressed files are added to the Allowlist table.

To learn more about overriding file verdicts, see Add a File to the Allowlist.