You can set up NSX IDS/IPS and NSX Malware Prevention features in your NSX environment only when your data center uses an appropriate license.
For information about licenses that are required to run the NSX Advanced Threat Prevention solution, see the Security Licenses section in License Types.
Preparing the data center for NSX Intrusion Detection/Prevention and NSX Malware Prevention involves multiple steps. To do these steps, you can use the IDS/IPS & Malware Prevention Setup wizard.
The setup wizard is an onboarding flow that guides you through a sequence of steps to prepare the data center for these two security features. To run this wizard, open the IDS/IPS & Malware Prevention Setup page in NSX Manager. If NSX detects that the appropriate licenses are not added, the page displays the following text:
IDS/IPS & Malware Prevention is not supported with current license.
If NSX detects that appropriate licenses are added, the page displays the Start Setup and Skip Setup buttons.
To begin the setup wizard, click Start Setup. Follow the on-screen instructions and this documentation to complete the steps in the wizard.
- If you want to save your progress at any stage and exit the wizard, click Back to Main Page. Later, you can continue the setup from where you left off.
- If you want to reset the setup wizard, and start again from the beginning, click Cancel. Canceling the setup removes the selections you made in the wizard, but it does not remove any deployments that you completed in the wizard. For example, if you completed the deployment of the NSX Application Platform and the NSX Malware Prevention service virtual machine on host clusters before resetting the wizard, these deployments are retained.
- If you do not want to use the setup wizard and prefer to set up the two security features on your own later, click Skip Setup. NSX Manager does not show this wizard again. Later, you can open the IDS/IPS & Malware Prevention Settings page and set up the data center for both features. For information about using the IDS/IPS & Malware Prevention Settings page, see Configuring NSX IDS/IPS and NSX Malware Prevention Settings.
The tabs that the wizard shows depend on the features you select at the start of the wizard:

Selected Features | Tabs Shown |
---|---|
IDS/IPS on east-west traffic or IDS/IPS on north-south traffic | Configure NSX Proxy, Manage Signatures, Enable Nodes |
Malware Prevention only on east-west traffic | Configure NSX Proxy, Deploy NSX Application Platform, Deploy Service VM |
Malware Prevention only on north-south traffic | Configure NSX Proxy, Deploy NSX Application Platform, Enable Nodes |
Malware Prevention on both east-west traffic and north-south traffic | Configure NSX Proxy, Deploy NSX Application Platform, Deploy Service VM, Enable Nodes |
All features selected | All five tabs in the wizard are shown |
Configure NSX Proxy Server for Internet Connectivity
NSX IDS/IPS does not require an Internet connection to function. NSX IDS/IPS uses signatures for detecting and preventing intrusions. If your NSX environment has Internet connectivity, NSX Manager can download the latest intrusion detection signatures automatically, either directly from the Internet or through an NSX Proxy Server. If Internet connectivity is not configured in your NSX environment, you can use APIs to manually download the NSX intrusion detection signature bundle (.zip) file, and then upload the signature bundle to NSX Manager. To learn more about manually uploading the signatures, see Offline Downloading and Uploading NSX Intrusion Detection Signatures.
NSX Malware Prevention also uses signatures for detecting and preventing malware. However, NSX Manager can download the latest malware signatures only when your NSX environment has Internet connectivity; you cannot upload them manually to NSX Manager. NSX Malware Prevention also sends files to the NSX Advanced Threat Prevention cloud service for detailed cloud file analysis. Files are sent to the cloud by the NSX Application Platform, not by NSX Manager. The NSX Application Platform does not support a proxy server configuration and requires direct access to the Internet.
To configure an NSX Proxy Server in the wizard, specify the following:
- Scheme (HTTP or HTTPS)
- IP address of the host
- Port number
- User name and password
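The four proxy fields above, as an added example that is not from the NSX documentation or product code: a small Python helper that assembles them into a proxy URL with correctly encoded credentials (a password containing `@`, `:` or `/` would otherwise be misread as part of the host), masks the password before the URL is logged, and probes a URL both through the proxy (the path NSX Manager uses for signature downloads) and directly (the path the NSX Application Platform must have, since it cannot use the proxy). The proxy address, the credentials and the `example.com` target are constructed placeholders; the real target is the signature download host named in the NSX documentation.

```python
import urllib.request
from urllib.parse import quote, urlsplit, urlunsplit

ALLOWED_SCHEMES = ("http", "https")


def build_proxy_url(scheme, host, port, username=None, password=None):
    """Combine the wizard fields (scheme, host, port, credentials) into a
    proxy URL that curl, urllib and similar tools accept.

    User name and password are percent-encoded so that '@', ':' or '/' in a
    password cannot be misread as part of the host. A bare IPv6 address is
    bracketed as URL syntax requires.
    """
    scheme = scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme must be one of {ALLOWED_SCHEMES}, got {scheme!r}")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if ":" in host and not host.startswith("["):
        host = f"[{host}]"
    userinfo = ""
    if username:
        userinfo = quote(username, safe="")
        if password is not None:
            userinfo += ":" + quote(password, safe="")
        userinfo += "@"
    return f"{scheme}://{userinfo}{host}:{port}"


def redact_proxy_url(url):
    """Mask the password before the URL goes into a log line or a ticket."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    userinfo, hostport = parts.netloc.rsplit("@", 1)
    user = userinfo.split(":", 1)[0]
    masked = f"{user}:***@{hostport}" if ":" in userinfo else f"{user}@{hostport}"
    return urlunsplit((parts.scheme, masked, parts.path, parts.query, parts.fragment))


def probe(target_url, proxy_url=None, timeout=5.0):
    """Fetch target_url directly (proxy_url=None) or through the proxy.

    Returns (ok, detail). Run the proxied probe from the network position of
    NSX Manager and the direct probe from that of the NSX Application
    Platform; a 407 from the proxy means the credentials are wrong.
    """
    if proxy_url:
        handler = urllib.request.ProxyHandler({"http": proxy_url, "https": proxy_url})
    else:
        handler = urllib.request.ProxyHandler({})  # empty dict: ignore env proxies
    opener = urllib.request.build_opener(handler)
    try:
        with opener.open(target_url, timeout=timeout) as resp:
            return True, f"HTTP {resp.status}"
    except Exception as exc:  # DNS, TCP, TLS or proxy-auth failures all land here
        return False, f"{type(exc).__name__}: {exc}"


if __name__ == "__main__":
    # Constructed values: replace with your proxy and with the signature
    # download host named in the NSX documentation.
    proxy = build_proxy_url("http", "10.0.0.5", 3128, "svc-nsx", "p@ss:w/rd")
    print("proxy:", redact_proxy_url(proxy))
    print("NSX Manager path (via proxy):", probe("https://example.com/", proxy))
    print("NSX Application Platform path (direct):", probe("https://example.com/"))
```

Log only what `redact_proxy_url` returns; the unmasked URL carries the proxy credentials in clear text.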
Deploy NSX Application Platform
NSX Malware Prevention requires certain microservices to be deployed in the NSX Application Platform. You must first deploy the NSX Application Platform, and then activate the NSX Malware Prevention feature. After this feature is activated, the microservices that are required for NSX Malware Prevention get deployed in the platform.
Deploy Service Virtual Machine
For east-west traffic in the data center, you must deploy the NSX Distributed Malware Prevention service on vSphere host clusters that are prepared for NSX. When this service is deployed, a service virtual machine (SVM) is installed on each host of the vSphere cluster and NSX Malware Prevention is enabled on the host cluster.
A donut chart on this page shows how many host clusters in the data center have the NSX Distributed Malware Prevention service deployed and how many do not.
For detailed instructions about deploying the NSX Distributed Malware Prevention service on a host cluster, see Deploy the NSX Distributed Malware Prevention Service.
After the service deployment is done on the host clusters, return to this page in the wizard, and click Next to continue.
Manage Signatures
When Internet connectivity is configured in your data center, NSX Manager checks for availability of new intrusion detection signatures on the cloud every 20 minutes, by default. When a new update is available, a banner is displayed on the page with an Update Now link.
If the data center does not have Internet connectivity, you can manually download the IDS signature bundle (.zip) file, and then upload the file to NSX Manager. For detailed instructions, see Offline Downloading and Uploading NSX Intrusion Detection Signatures.
Signature Management
Signature management tasks are optional. If needed, you can do them later from the IDS/IPS & Malware Prevention Settings page.
- To view the signature version, or to add another version of the signatures in addition to the default, click View and Change.
Currently, two versions of signatures are maintained. Whenever the version commit identification number changes, a new version is downloaded.
- To automatically download intrusion detection signatures from the cloud and apply them to the hosts and edges in the data center, turn on the Auto Update toggle.
When this option is turned off, the automatic download of signatures stops. You can manually download the IDS signature bundle (.zip) file, and then upload the file to NSX Manager.
- To view status of signature download on transport nodes, click the link in Status field.
- To globally exclude specific signatures or to change their action to alert, drop, or reject, click View and Manage Signature Set.
Select an Action for the signature, and click Save. The changes done in global signature management settings are applicable to all IDS/IPS profiles. However, if you update the signature settings in an IDS/IPS profile, the profile settings take precedence.
The following table explains the meaning of each signature action.

Action | Description |
---|---|
Alert | An alert is generated and no automatic preventive action is taken. |
Drop | An alert is generated and the offending packets are dropped. |
Reject | An alert is generated and the offending packets are dropped. For TCP flows, IDS generates a TCP reset packet and sends it to both the source and the destination of the connection. For other protocols, an ICMP error packet is sent to the source and the destination of the connection. |
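The precedence rule above (global signature settings apply to every IDS/IPS profile, and a profile's own settings win) together with the three actions, as an added example that is not part of the NSX documentation or product code. It models the layering in plain Python over constructed signature IDs and default actions. One modelling choice is mine rather than documented NSX behaviour: a profile entry that sets an explicit action re-enables a globally excluded signature, while a profile entry that merely inherits leaves the exclusion in place.

```python
from dataclasses import dataclass
from typing import Dict, Optional

ACTIONS = ("alert", "drop", "reject")
EXCLUDED = "excluded"  # the signature is not evaluated at all


@dataclass(frozen=True)
class SignatureSetting:
    """One override row, at either the global or the profile level.

    action=None means "inherit the action from the layer below";
    enabled=False means the signature is excluded.
    """
    action: Optional[str] = None
    enabled: bool = True

    def __post_init__(self):
        if self.action is not None and self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")


def _apply(current: str, setting: Optional[SignatureSetting]) -> str:
    """Layer one override on top of the action resolved so far."""
    if setting is None:
        return current
    if not setting.enabled:
        return EXCLUDED
    return setting.action if setting.action is not None else current


def resolve_effective_actions(defaults, global_overrides, profile_overrides=None):
    """Resolve the action that applies to each signature in one IDS/IPS profile.

    Precedence, lowest to highest: the signature's default action, the
    global signature-management override, the profile's own override.
    """
    profile_overrides = profile_overrides or {}
    effective = {}
    for sig_id, default_action in defaults.items():
        action = _apply(default_action, global_overrides.get(sig_id))
        action = _apply(action, profile_overrides.get(sig_id))
        effective[sig_id] = action
    return effective


def enforcement_for(action: str, protocol: str) -> Dict[str, bool]:
    """What the engine does to a matching flow, following the action table."""
    result = {"alert": False, "drop": False, "tcp_reset": False, "icmp_error": False}
    if action == EXCLUDED:
        return result
    result["alert"] = True                        # every action raises an alert
    result["drop"] = action in ("drop", "reject")
    if action == "reject":                        # reject also tears the flow down
        if protocol.lower() == "tcp":
            result["tcp_reset"] = True
        else:
            result["icmp_error"] = True
    return result


# Constructed sample data: made-up signature IDs with their default actions.
DEFAULTS = {"2001": "alert", "2002": "alert", "2003": "drop"}
GLOBAL_OVERRIDES = {
    "2001": SignatureSetting(action="drop"),    # raise 2001 from alert to drop everywhere
    "2002": SignatureSetting(enabled=False),    # exclude 2002 globally
}
PROFILE_OVERRIDES = {
    "2002": SignatureSetting(action="reject"),  # this profile re-enables 2002 as reject
    "2003": SignatureSetting(enabled=False),    # this profile excludes 2003
}

if __name__ == "__main__":
    print("global only:", resolve_effective_actions(DEFAULTS, GLOBAL_OVERRIDES))
    print("profile    :", resolve_effective_actions(DEFAULTS, GLOBAL_OVERRIDES, PROFILE_OVERRIDES))
    print("reject/tcp ->", enforcement_for("reject", "tcp"))
    print("reject/udp ->", enforcement_for("reject", "udp"))
```

Resolving the table this way before changing a global action is a cheap check for which profiles will silently keep their own, different, setting.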
Enable Nodes for IDS/IPS and Malware Prevention
In the Activate Hosts & Clusters for East-West Traffic section, do the following configurations:
- Turn on NSX IDS/IPS on the standalone ESXi hosts.
- Select the ESXi host clusters where you want to turn on NSX IDS/IPS on the east-west traffic.
- If the NSX Distributed Malware Prevention service is not already deployed on ESXi host clusters, click the Defined in Service VM deployment link in the Malware Prevention column. For instructions about deploying the NSX Distributed Malware Prevention service on a host cluster, see Deploy the NSX Distributed Malware Prevention Service.
Keep the following restrictions in mind for east-west traffic:
- Do not enable NSX Distributed IDS/IPS in an environment that uses the Distributed Load Balancer. NSX does not support IDS/IPS together with the Distributed Load Balancer.
- NSX Distributed IDS/IPS requires the Distributed Firewall (DFW) to be enabled, and it inspects only traffic that the DFW allows. Traffic that a DFW rule blocks never reaches IDS/IPS, so IDS/IPS cannot see it.
For north-south traffic, do the following configurations:
- Select the tier-1 gateways where you want to turn on NSX IDS/IPS on the north-south traffic.
- Select the tier-1 gateways where you want to turn on NSX Malware Prevention on the north-south traffic.
Both features are supported on north-south traffic only on tier-1 gateways:
- NSX Malware Prevention is available only on tier-1 gateways.
- NSX IDS/IPS on the Gateway Firewall is available only on tier-1 gateways.