If Internet connectivity is not configured in your NSX, you can use APIs to manually download the NSX intrusion detection signature bundle (.zip) file, and then upload the signature bundle to NSX Manager. Perform the following steps to download signatures in an offline mode and upload them on NSX.

Step 1: Register NSX to the Cloud Service

Use the following API to register NSX to the cloud service. You must call this API before any other communication with the cloud service. Send all of your license keys in the request; the cloud service grants the permissions those licenses entitle you to. If the license key is valid, the API generates and returns a client_id and client_secret, and the license information is stored in the cloud. The client_secret is used in the request to the Authentication API. If the client has previously registered but no longer has access to its client_id and client_secret, it must re-register using the same API, so keep the returned values in a secure store.

URI Path:

POST https://api.prod.nsxti.vmware.com/2.0/auth/register
Request Body:
{
  "client_type": "NSX-Idps-Offline-Download",
  "client_id": "client_username",
  "licenses": {
    "license_keys": ["XXXXX-XXXXX-XXXXX-XXXXX-XXXX"]
  }
}
Response:
{
  "client_id":"client_username", 
  "client_secret": "Y54+V/rCpEm50x5HAUIzH6aXtTq7s97wCA2QqZ8VyrtFQjrJih7h0alItdQn02T46EJVnSMZWTseragTFScrtIwsiPSX7APQIC7MxAYZ0BoAWvW2akMxyZKyzbYZjeROb/C2QchehC8GFiFNpwqiAcQjrQHwHGdttX4zTQ="
}

Step 2: Authenticate NSX to the Cloud Service

Use the following API to authenticate NSX to the cloud service. The call authenticates the client using the client_id and client_secret and returns an access_token to send in the headers of requests to the IDS Signatures APIs. The token is valid for 60 minutes (expires_in is reported in seconds); after it expires, the client must reauthenticate with the client_id and client_secret.

URI Path:

POST https://api.prod.nsxti.vmware.com/1.0/auth/authenticate
Body:
{
  "client_id":"client_username", 
  "client_secret": "Y54+V/rCpEm50x5HAUIzH6aXtTq7s97wCA2QqZ8VyrtFQjrJih7h0alItdQn02T46EJVnSMZWTseragTFScrtIwsiPSX7APQIC7MxAYZ0BoAWvW2akMxyZKyzbYZjeROb/C2QchehC8GFiFNpwqiAcQjrQHwHGdttX4zTQ="
}

Response:

{
    "access_token": "eyJhbGciOiJIUzUxMiJ9.eyJqdGkiOiI3ZjMwN2VhMmQwN2IyZjJjYzM5ZmU5NjJjNmZhNDFhMGZlMTk4YjMyMzU4OGU5NGU5NzE3NmNmNzk0YWU1YjdjLTJkYWY2MmE3LTYxMzctNGJiNS05NzJlLTE0NjZhMGNkYmU3MCIsInN1YiI6IjdmMzA3ZWEyZDA3YjJmMmNjMzlmZTk2MmM2ZmE0MWEwZmUxOThiMzIzNTg4ZTk0ZTk3MTc2Y2Y3OTRhZTViN2MtMmRhZjYyYTctNjEzNy00YmI1LTk3MmUtMTQ2NmEwY2RiZTcwIiwiZXhwIjoxNTU1NTUyMjk0LCJpYXQiOjE1NTU1NDg2OTR9.x4U75GShDLMhyiyUO2B9HIi1Adonzx3Smo01qRhvXuErQSpE_Kxq3rzg1_IIyvoy3SJwwDhSh8KECtGW50eCPg",
    "token_type": "bearer",
    "expires_in": 3600,
    "scope": "[idps_scope]"
}

Step 3: Retrieve Link of the Signature Bundle (Zip) File

Use the following API to retrieve the link to the signature bundle file. NSX Cloud downloads the latest signatures every 24 hours and saves them in a ZIP file. The API returns the ZIP file link in the response, together with the bundle version and its SHA-256 checksum. Copy and paste the link into your browser to download the ZIP file. The link is a pre-signed, time-limited URL (see the X-Amz-Expires parameter in the response), so download it promptly, and compare the SHA-256 of the downloaded file with sha256_checksum before uploading it to NSX Manager.

URI Path:

GET https://api.prod.nsxti.vmware.com/2.0/intrusion-services/signatures 

In the request headers, set the Authorization header to the access_token value from the authenticate API response.

Authorization: eyJhbGciOiJIUzUxMiJ9.eyJqdGkiOiI3ZjMwN2VhMmQwN2IyZjJjYzM5ZmU5NjJjNmZhNDFhMGZlMTk4YjMyMzU4OGU5NGU5NzE3NmNmNzk0YWU1YjdjLTJkYWY2MmE3LTYxMzctNGJiNS05NzJlLTE0NjZhMGNkYmU3MCIsInN1YiI6IjdmMzA3ZWEyZDA3YjJmMmNjMzlmZTk2MmM2ZmE0MWEwZmUxOThiMzIzNTg4ZTk0ZTk3MTc2Y2Y3OTRhZTViN2MtMmRhZjYyYTctNjEzNy00YmI1LTk3MmUtMTQ2NmEwY2RiZTcwIiwiZXhwIjoxNTU1NTUyMjk0LCJpYXQiOjE1NTU1NDg2OTR9.x4U75GShDLMhyiyUO2B9HIi1Adonzx3Smo01qRhvXuErQSpE_Kxq3rzg1_IIyvoy3SJwwDhSh8KECtGW50eCPg
Response:

{
    "signatures_url": "https://cdn.prod.nsxti.vmware.com/vmware-idps-signature-us-west-2/IDSSignatures_1895.zip?X-Amz-Security-Token=IQoJb3JpZ2luX2VjENf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLXdlc3QtMSJHMEUCIG1UYbzfBxOsm1lvdj1k36LPyoPota0L4CSOBMXgKGhmAiEA%2BQC1K4Gr7VCRiBM4ZTH2WbP2rvIp0qfHfGlOx0ChGc4q6wEIHxABGgw1MTAwMTM3MTE1NTMiDA4H4ir7eJl779wWWirIAdLIx1uAukLwnhmlgLmydZhW7ZExe%2BamDkRU7KT46ZS93mC1CQeL00D2rjBYbCBiG1mzNILPuQ2EyxmqxhEOzFYimXDDBER4pmv8%2BbKnDWPg08RNTqpD%2BAMicYNP7WlpxeZwYxeoBFruCDA2l3eXS6XNv3Ot6T2a%2Bk4rMKHtZyFkzZREIIcQlPg7Ej5q62EvvMFQdo8TyZxFpMJBc4IeG0h1k6QZU1Jlkrq2RYKit5WwLD%2BQKJrEdf4A0YctLbMCDbNbprrUcCADMKyclu8FOuABuK90a%2BvnA%2FJFYiJ32eJl%2Bdt0YRbTnRyvlMuSUHxjNAdyrFxnkPyF80%2FQLYLVDRWUDatyAo10s3C0pzYN%2FvMKsumExy6FIcv%2FOLoO8Y9RaMOTnUfeugpr6YsqMCH0pUR4dIVDYOi1hldNCf1XD74xMJSdnviaxY4vXD4bBDKPnRFFhOxLTRFAWVlMNDYggLh3pV3rXdPnIwgFTrF7CmZGJAQBBKqaxzPMVZ2TQBABmjxoRqCBip8Y662Tbjth7iM2V522LMVonM6Tysf16ls6QU9IC6WqjdOdei5yazK%2Fr9g%3D&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20191202T222034Z&X-Amz-SignedHeaders=host&X-Amz-Expires=3599&X-Amz-Credential=ASIAXNPZPUTA6A7V7P4X%2F20191202%2Fus-west-1%2Fs3%2Faws4_request&X-Amz-Signature=d85ca4aef6abe22062e2693acacf823f0a4fc51d1dc07cda8dec93d619050f5e",
    "version": "1997",
    "sha256_checksum": "c9918187017af9a270d307bde6fb14cdb6b09b3c576cce7689c17ab63fb2c13c",
    "last_updated": "2023-11-14T15:47:30Z",
    "version_name": "IDPSSignatures.1997.2023-11-14T15:45:38Z"
}

Step 4: Upload the Signature Bundle to NSX Manager

  • Method 1: Upload using NSX Manager UI

    To upload the file from NSX Manager UI, navigate to Security > IDS/IPS & Malware Prevention > Settings > IDS/IPS, and click Upload IDS/IPS Signatures. Browse the saved signature ZIP file and upload the file.

  • Method 2: Upload using an NSX API

    To upload the file with the NSX API, send the following request to NSX Manager (<mgr-ip> is the address of your NSX Manager).

    POST https://<mgr-ip>/policy/api/v1/infra/settings/firewall/security/intrusion-services/signatures?action=upload_signatures

Error Code Handling for Authentication API

This is an example authentication API error response:

{
    "error_code": 100101,
    "error_message": "XXXXX"
}

  • If you receive an error code in the range 100101-100150, re-register with the same client id.
  • If you receive an error code in the range 100151-100200, re-register with a different client id.
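The following script is an added example, not code from the NSX documentation or from VMware. It carries Steps 1 to 3 through in Python against the endpoints and request bodies shown above, downloads the bundle and verifies it against sha256_checksum before it is ever handed to NSX Manager, and maps Authentication API error codes to the two re-registration actions listed in the error-handling section. The Authorization header is sent as the page shows it (the raw access_token, no "Bearer " prefix). Step 4 (the upload to NSX Manager) is not included because the page does not specify the upload body format. The client_id and license key in the usage block are placeholders, and the error-response parsing assumes the error body is JSON of the shape shown above.

```python
import hashlib
import hmac
import json
import urllib.error
import urllib.request

CLOUD_BASE = "https://api.prod.nsxti.vmware.com"   # from the page
CLIENT_TYPE = "NSX-Idps-Offline-Download"          # from the page


class CloudAuthError(Exception):
    """Error body returned by the cloud Authentication API, with the documented action."""
    def __init__(self, error_code, error_message):
        super().__init__(f"{error_code}: {error_message}")
        self.error_code = error_code
        self.error_message = error_message
        self.action = classify_auth_error(error_code)


def classify_auth_error(error_code):
    """Map an Authentication API error code to the recovery action the page documents."""
    if 100101 <= error_code <= 100150:
        return "re-register with the same client_id"
    if 100151 <= error_code <= 100200:
        return "re-register with a different client_id"
    return "unhandled error code"


def parse_error_response(text):
    """Parse {"error_code":100101,"error_message":"..."} into a CloudAuthError."""
    body = json.loads(text)
    return CloudAuthError(int(body["error_code"]), body.get("error_message", ""))


def build_register_body(client_id, license_keys):
    """Step 1 request body: all license keys go in a single registration call."""
    return {"client_type": CLIENT_TYPE, "client_id": client_id,
            "licenses": {"license_keys": list(license_keys)}}


def _request_json(url, body=None, headers=None):
    """JSON POST (or GET when body is None); HTTP error bodies become CloudAuthError."""
    data = None if body is None else json.dumps(body).encode()
    hdrs = {"Accept": "application/json", **(headers or {})}
    if data is not None:
        hdrs["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=data, headers=hdrs,
                                 method="POST" if data is not None else "GET")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        raw = err.read().decode("utf-8", "replace")
        try:
            parsed = parse_error_response(raw)   # assumes the JSON error shape above
        except (ValueError, KeyError):
            raise err from None                  # not an error_code body; keep the HTTP error
        raise parsed from err


def register(client_id, license_keys):
    """Step 1: returns (client_id, client_secret). Persist the secret: losing it means re-registering."""
    resp = _request_json(f"{CLOUD_BASE}/2.0/auth/register",
                         build_register_body(client_id, license_keys))
    return resp["client_id"], resp["client_secret"]


def authenticate(client_id, client_secret):
    """Step 2: exchange the credentials for an access_token (valid 60 minutes)."""
    resp = _request_json(f"{CLOUD_BASE}/1.0/auth/authenticate",
                         {"client_id": client_id, "client_secret": client_secret})
    return resp["access_token"]


def get_signature_metadata(access_token):
    """Step 3: returns signatures_url, version, sha256_checksum, last_updated, version_name."""
    return _request_json(f"{CLOUD_BASE}/2.0/intrusion-services/signatures",
                         headers={"Authorization": access_token})


def sha256_matches(data, expected_hex):
    """Constant-time comparison of SHA-256(data) with the hex digest from the API."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex.strip().lower())


def download_bundle(meta, dest_path):
    """Fetch the pre-signed, short-lived signatures_url and refuse to save a bundle whose
    SHA-256 does not match sha256_checksum."""
    with urllib.request.urlopen(meta["signatures_url"], timeout=120) as resp:
        data = resp.read()
    if not sha256_matches(data, meta["sha256_checksum"]):
        raise ValueError(f"checksum mismatch for {meta.get('version_name')}; discard the download")
    with open(dest_path, "wb") as fh:
        fh.write(data)
    return dest_path


if __name__ == "__main__":
    # Placeholder client_id and license key; replace with your own values.
    cid, secret = register("client_username", ["XXXXX-XXXXX-XXXXX-XXXXX-XXXX"])
    token = authenticate(cid, secret)
    meta = get_signature_metadata(token)
    print(download_bundle(meta, f"IDSSignatures_{meta['version']}.zip"))
```

The checksum comparison uses hmac.compare_digest rather than == so that the verification step does not leak timing information, and the bundle is only written to disk after the digest matches, so a truncated or tampered download never reaches the NSX Manager upload step. A CloudAuthError carries the documented action in its action attribute, which lets a wrapper script decide automatically whether to re-register with the same or a different client_id.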