To use the NSX virtual appliance CLI, you must have SSH access to an NSX virtual appliance. Each NSX virtual appliance contains a command-line interface (CLI).

The viewable modes in the CLI can differ based on the assigned role and rights of a user. If you are unable to access an interface mode or issue a particular command, consult your NSX administrator.

Procedure

  1. Open an SSH session to a compute host running the workloads that were previously deployed. Log in as root.
  2. Enter the nsxcli command to open the NSX CLI.
  3. To confirm that IDS is enabled on this host, run the command: get ids status.
    Sample Output:
    localhost> get ids status
     NSX IDS Status
    --------------------------------------------------
     status: enabled
     uptime: 793756 (9 days 04:29:16)
  4. To confirm that both of the IDS profiles have been applied to this host, run the command get ids profiles.
    Sample Output:
    localhost> get ids profiles
     NSX IDS Profiles
    --------------------------------------------------
    Profile count: 2
     1. 31c1f26d-1f26-46db-b5ff-e6d3451efd71
     2. 65776dba-9906-4207-9eb1-8e7d7fdf3de
  5. To review IDS profile (engine) statistics, including the number of packets processed and alerts generated, run the command get ids engine profilestats <tab_to_select_profile_ID>.
    The output is reported per profile and shows the number of alerts and the number of packets that were evaluated.
    Sample Output:
    localhost> get ids engine profilestats eec3ea3f-0b06-4b9d-a3fe-7950d5726c7c
    Fri Oct 23 2020 UTC 21:22:36.257
               NSX IDS Engine Profile Stats
    ------------------------------------------------------------
                   Profile ID: eec3ea3f-0b06-4b9d-a3fe-7950d5726c7c
                 Total Alerts: 14
                Total Packets: 27407
  6. To review the signature action of a rule, run the command get ids engine signaction <ruleID> <profileID> <signatureID>.
    The command returns the signature action for a specific rule ID, profile ID, and signature ID. If the IDPS rule is of type "DETECT ONLY," the signature action for all signatures is returned as "ALERT." To drop or reject traffic, the IDPS rule must be configured with "DETECT_PREVENT."
    Sample Output:
    > get ids engine signaction 1001 84f00f24-3177-401c-8c30-d70dbee48479 4100761
          NSX IDS Engine Signature Action
      ---------------------------------------------
                       alert
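
The checks in steps 3 to 5 can also be run against saved command output, for example when reviewing several hosts. The following Python script is an added example, not part of the NSX documentation; it assumes the output layout shown in the samples above, and the names parse_fields and check_host and the sample IDs are constructed for illustration.

```python
import re

UUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")

def parse_fields(text):
    """Collect the 'key: value' lines of one nsxcli table, keys lower-cased."""
    pairs = re.findall(r"^[ \t]*([A-Za-z][A-Za-z ]*?)[ \t]*:[ \t]*(\S.*?)[ \t]*$", text, re.M)
    return {key.lower(): value for key, value in pairs}

def check_host(status_out, profiles_out, stats_outs, expected_profiles):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if parse_fields(status_out).get("status") != "enabled":
        findings.append("IDS is not enabled on this host")
    ids = re.findall(r"^[ \t]*\d+\.[ \t]+(\S+)", profiles_out, re.M)
    count = int(parse_fields(profiles_out).get("profile count", -1))
    if count != expected_profiles or count != len(ids):
        findings.append(f"expected {expected_profiles} profiles, count says {count}, {len(ids)} listed")
    findings += [f"profile ID {p} is not a full UUID" for p in ids if not UUID_RE.fullmatch(p)]
    for out in stats_outs:
        f = parse_fields(out)
        if int(f.get("total packets", 0)) == 0:
            findings.append(f"profile {f.get('profile id')} has evaluated no packets")
    return findings

# Constructed sample text in the layout of the outputs above (IDs are made up).
STATUS = """localhost> get ids status
 NSX IDS Status
--------------------------------------------------
 status: enabled
 uptime: 793756 (9 days 04:29:16)
"""
PROFILES = """localhost> get ids profiles
 NSX IDS Profiles
--------------------------------------------------
Profile count: 2
 1. 11111111-2222-4333-8444-555555555555
 2. aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeee
"""
STATS = ["""               Profile ID: 11111111-2222-4333-8444-555555555555
             Total Alerts: 14
            Total Packets: 27407
""", """               Profile ID: aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee
             Total Alerts: 0
            Total Packets: 0
"""]

if __name__ == "__main__":
    for finding in check_host(STATUS, PROFILES, STATS, expected_profiles=2):
        print("CHECK:", finding)
```

A profile that reports zero evaluated packets is enabled but has not inspected any traffic yet, so the script reports it for follow-up rather than treating it as a failure of the IDS service.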