Example: Add Rules for NSX Malware Prevention on a Gateway Firewall

In this example, your objective is to create security policies with Gateway Firewall rules that detect malicious files on the north-south traffic, which is passing through the NSX Edges in your NSX.

For this example, consider that your network topology is as shown in the following figure. You will add Gateway Malware Prevention rules to detect malware on tier-1 gateways: T1-GW1 and T1-GW2. Both tier-1 gateways have an overlay segment attached to it. Workload VMs are attached to the overlay segments. Both tier-1 gateways are connected to a single tier-0 gateway, which in turn is connected to the physical top-of-rack switch to enable connectivity with the outside public network.

Network topology with two tier-1 gateways connected to a single tier-0 gateway.

Assumptions:

The following groups are added in the NSX inventory.

Group Name	Group Type	Notes
North	IP Addresses Only	This group contains a public IP range. For example, 12.1.1.10-12.1.1.100
South	Generic	This group contains an overlay segment (Segment1), which is attached to T1-GW1, as the static member.

A Malware Prevention profile named Profile_T1-GW is added with the following configuration:
- All file category options are selected.
- Cloud File Analysis option is selected.
You will use this Malware Prevention profile in the Gateway Firewall rules of both tier-1 gateways.

Prerequisites

NSX Edges with Extra Large form factor are deployed in your data center and configured as Edge Transport Nodes.
NSX Malware Prevention feature is turned on or activated on tier-1 gateways: T1-GW1 and T1-GW2.

Procedure

From your browser, log in to an NSX Manager at https://nsx-manager-ip-address.
Navigate to Security > IDS/IPS & Malware Prevention > Gateway Rules.
On the Gateway Specific Rules page, in the Gateway drop-down menu, select T1-GW1.
Click Add Policy to create a section, and enter a name for the policy.
For example, enter Policy_T1-GW1.

Click Add Rule and configure two rules with the following configurations.


Name	ID	Sources	Destinations	Services	Security Profiles	Applied To	Mode
N_to_S	1011	North	South	HTTP	Profile_T1-GW	T1-GW1	Detect Only
S_to_N	1010	South	North	HTTP	Profile_T1-GW	T1-GW1	Detect Only

The rule IDs in this table are only for reference. They might vary in your NSX environment.

Let us understand the meaning of these rules:

Rule 1011: This rule is enforced on T1-GW1 when HTTP connections are initiated by the machines in the public IP range (12.1.1.10-12.1.1.100) and these connections are accepted by the workload VMs that are attached to Segment1. If a file is detected in the HTTP connection, a file event is generated, and the file is analyzed for malicious behavior.
Rule 1010: This rule is enforced on T1-GW1 when HTTP connections are initiated by the workload VMs on Segment1 and these connections are accepted by the machines in the public IP range (12.1.1.10-12.1.1.100). If a file is detected in the HTTP traffic, a file event is generated, and the file is analyzed for malicious behavior.

Publish the rules.
On the Gateway Specific Rules page, in the Gateway drop-down menu, select T1-GW2.
Click Add Policy to create a section, and enter a name for the policy.
For example, enter Policy_T1-GW2.

Click Add Rule and configure an Any-Any rule as follows.


Name	ID	Sources	Destinations	Services	Security Profiles	Applied To	Mode
Any_Traffic	1006	Any	Any	Any	Profile_T1-GW	T1-GW2	Detect Only

This rule is enforced on T1-GW2 when any type of traffic is initiated from any source and accepted by any destination. If a file is detected in the traffic, a file event is generated, and the file is analyzed for malicious behavior.

Publish the rules.

Example

Scenario: In the same topology as shown earlier, assume that a VM on Segment1 wants to transmit a file to a VM on Segment2. In this case, the file traverses through both tier-1 gateways: T1-GW1 and T1-GW2. As Malware Prevention profile is configured on both tier-1 gateways, the file is inspected twice and two file events are generated. This behavior is expected.