In this example, your objective is to create security policies with Gateway Firewall rules that detect malicious files in the north-south traffic passing through the NSX Edges in your NSX environment.

For this example, consider that your network topology is as shown in the following figure. You will add Gateway Malware Prevention rules to detect malware on two tier-1 gateways: T1-GW1 and T1-GW2. Each tier-1 gateway has an overlay segment attached to it, and workload VMs are attached to the overlay segments. Both tier-1 gateways are connected to a single tier-0 gateway, which in turn is connected to the physical top-of-rack switch to provide connectivity with the outside public network.


Network topology with two tier-1 gateways connected to a single tier-0 gateway.

Assumptions:

  • The following groups are added in the NSX inventory.
    Group Name | Group Type        | Notes
    North      | IP Addresses Only | This group contains a public IP range. For example, 12.1.1.10-12.1.1.100.
    South      | Generic           | This group contains an overlay segment (Segment1), which is attached to T1-GW1, as the static member.

  • A Malware Prevention profile named Profile_T1-GW is added with the following configuration:
    • All file category options are selected.
    • Cloud File Analysis option is selected.

    You will use this Malware Prevention profile in the Gateway Firewall rules of both tier-1 gateways.

Prerequisites

  • NSX Edges with Extra Large form factor are deployed in your data center and configured as Edge Transport Nodes.
  • NSX Malware Prevention feature is turned on or activated on tier-1 gateways: T1-GW1 and T1-GW2.

Procedure

  1. From your browser, log in to an NSX Manager at https://nsx-manager-ip-address.
  2. Navigate to Security > IDS/IPS & Malware Prevention > Gateway Rules.
  3. On the Gateway Specific Rules page, in the Gateway drop-down menu, select T1-GW1.
  4. Click Add Policy to create a section, and enter a name for the policy.
    For example, enter Policy_T1-GW1.
  5. Click Add Rule and configure two rules with the following configurations.
    Name   | ID   | Sources | Destinations | Services | Security Profiles | Applied To | Mode
    N_to_S | 1011 | North   | South        | HTTP     | Profile_T1-GW     | T1-GW1     | Detect Only
    S_to_N | 1010 | South   | North        | HTTP     | Profile_T1-GW     | T1-GW1     | Detect Only

    The rule IDs in this table are only for reference. They might vary in your NSX environment.

    Let us understand the meaning of these rules:
    • Rule 1011: This rule is enforced on T1-GW1 when HTTP connections are initiated by the machines in the public IP range (12.1.1.10-12.1.1.100) and these connections are accepted by the workload VMs that are attached to Segment1. If a file is detected in the HTTP connection, a file event is generated, and the file is analyzed for malicious behavior.
    • Rule 1010: This rule is enforced on T1-GW1 when HTTP connections are initiated by the workload VMs on Segment1 and these connections are accepted by the machines in the public IP range (12.1.1.10-12.1.1.100). If a file is detected in the HTTP traffic, a file event is generated, and the file is analyzed for malicious behavior.
  6. Publish the rules.
  7. On the Gateway Specific Rules page, in the Gateway drop-down menu, select T1-GW2.
  8. Click Add Policy to create a section, and enter a name for the policy.
    For example, enter Policy_T1-GW2.
  9. Click Add Rule and configure an Any-Any rule as follows.
    Name        | ID   | Sources | Destinations | Services | Security Profiles | Applied To | Mode
    Any_Traffic | 1006 | Any     | Any          | Any      | Profile_T1-GW     | T1-GW2     | Detect Only

    This rule is enforced on T1-GW2 when any type of traffic is initiated from any source and accepted by any destination. If a file is detected in the traffic, a file event is generated, and the file is analyzed for malicious behavior.

  10. Publish the rules.
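To make the matching behavior of the rule tables in steps 5 and 9 concrete, the following Python model (added here as an illustration; it is not NSX product code or part of the NSX documentation) evaluates a flow against those rules on a given gateway the way a first-match gateway policy does, and reports which hops raise a file event. The Segment1 subnet (10.1.0.0/24) and all sample flow addresses are assumptions of the model; only the North range and the rule tables come from the page.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data: the North range is from the page; the Segment1
# subnet is an assumption of this model (the page does not give it).
NORTH_RANGE = (ip_address("12.1.1.10"), ip_address("12.1.1.100"))
SEGMENT1 = ip_network("10.1.0.0/24")

# Group membership tests: North is an "IP Addresses Only" group, South is a
# generic group whose static member is Segment1, Any matches everything.
GROUPS = {
    "North": lambda ip: NORTH_RANGE[0] <= ip <= NORTH_RANGE[1],
    "South": lambda ip: ip in SEGMENT1,
    "Any": lambda ip: True,
}

# The rule tables from steps 5 and 9, in the order the page lists them.
# Columns: name, id, sources, destinations, services, profile, applied_to, mode
RULES = [
    ("N_to_S", 1011, "North", "South", "HTTP", "Profile_T1-GW", "T1-GW1", "Detect Only"),
    ("S_to_N", 1010, "South", "North", "HTTP", "Profile_T1-GW", "T1-GW1", "Detect Only"),
    ("Any_Traffic", 1006, "Any", "Any", "Any", "Profile_T1-GW", "T1-GW2", "Detect Only"),
]


def match_rule(gateway, src, dst, service):
    """Return the first rule applied to `gateway` whose source group, destination
    group and service (Any or an exact match) all match the flow, else None."""
    s, d = ip_address(src), ip_address(dst)
    for rule in RULES:
        _, _, r_src, r_dst, r_svc, _, applied_to, _ = rule
        if applied_to != gateway:
            continue  # rule is not enforced on this gateway
        if GROUPS[r_src](s) and GROUPS[r_dst](d) and r_svc in ("Any", service):
            return rule
    return None  # no Malware Prevention rule matches: the file is not inspected


def file_events(gateways, src, dst, service):
    """For a file-carrying connection that traverses `gateways` in order, return
    (gateway, rule id, mode) for every hop whose matching rule hands the file to
    the profile. In Detect Only mode an event is raised but nothing is blocked."""
    events = []
    for gw in gateways:
        rule = match_rule(gw, src, dst, service)
        if rule is not None:
            events.append((gw, rule[1], rule[7]))
    return events
```

Running `file_events(["T1-GW1"], "12.1.1.50", "10.1.0.20", "SSH")` returns an empty list, which shows the practical consequence of the HTTP-only rules on T1-GW1: files carried by other services are not inspected there, whereas the Any-Any rule on T1-GW2 inspects files in every service.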

Example

Scenario: In the same topology as shown earlier, assume that a VM on Segment1 wants to transmit a file to a VM on Segment2. In this case, the file traverses both tier-1 gateways: T1-GW1 and T1-GW2. Because the Malware Prevention profile is configured on both tier-1 gateways, the file is inspected twice and two file events are generated. This behavior is expected.