Preparing the Data Center for NSX IDS/IPS and NSX Malware Prevention

You can set up NSX IDS/IPS and NSX Malware Prevention features in your NSX environment only when your data center uses an appropriate license.

For information about licenses that are required to run the NSX Advanced Threat Prevention solution, see the Security Licenses section in License Types.

Preparing the data center for NSX Intrusion Detection/Prevention and NSX Malware Prevention involves multiple steps. To do these steps, you can use the IDS/IPS & Malware Prevention Setup wizard.

The setup wizard is like an onboarding process that guides you through a sequence of steps to prepare the data center for these two security features. To run this wizard, navigate to Security > IDS/IPS & Malware Prevention.

If NSX detects that appropriate licenses are not added, the page displays the following text:

IDS/IPS & Malware Prevention is not supported with current license.

If NSX detects that appropriate licenses are added, the page displays the Start Setup and Skip Setup buttons.

To begin the setup wizard, click Start Setup. Follow the on-screen instructions and this documentation to complete the steps in the wizard.

If you want to save your progress at any stage and exit the wizard, click Back to Main Page. Later, you can continue the setup from where you left off.
If you want to reset the setup wizard, and start again from the beginning, click Cancel. Canceling the setup removes the selections you made in the wizard, but it does not remove any deployments that you completed in the wizard. For example, if you completed the deployment of the NSX Application Platform and the NSX Malware Prevention service virtual machine on host clusters before resetting the wizard, these deployments are retained.
If you do not want to use the setup wizard and prefer setting up the two security features on your own later, click Skip Setup. NSX Manager does not show this wizard again. Later, you can navigate to Security > IDS/IPS & Malware Prevention > Settings and set up the data center for both the features. For information about using the IDS/IPS & Malware Prevention Settings page, see Configuring NSX IDS/IPS and NSX Malware Prevention Settings.

By default, all the check boxes in the IDS/IPS and Malware Prevention feature cards are selected for setup. You can edit the selections, if required. When you are ready to proceed, click Next. Your selections determine the tabs that are shown in the wizard, as explained in the following table.

Note: NSX Application Platform is a prerequisite for NSX Malware Prevention, but not for NSX IDS/IPS.

Selected Features	Tabs Shown
IDS/IPS on east-west traffic or IDS/IPS on north-south traffic	Configure NSX Proxy Manage Signatures Enable Nodes
Malware Prevention only on east-west traffic	Configure NSX Proxy Deploy NSX Application Platform Deploy Service VM
Malware Prevention only on north-south traffic	Configure NSX Proxy Deploy NSX Application Platform Enable Nodes
Malware Prevention on both east-west traffic and north-south traffic	Configure NSX Proxy Deploy NSX Application Platform Deploy Service VM Enable Nodes
All features selected	All five tabs in the wizard are shown

Configure NSX Proxy Server for Internet Connectivity

NSX IDS/IPS does not necessarily require an Internet connection for it to function. NSX IDS/IPS uses signatures for detecting and preventing intrusions. If your NSX environment has Internet connectivity, NSX Manager can download the latest intrusion detection signatures automatically either directly from the Internet or through an NSX Proxy Server. If Internet connectivity is not configured in your NSX environment, you can use APIs to manually download the NSX intrusion detection signature bundle (.zip) file, and then upload the signature bundle to NSX Manager. To learn more about manually uploading the signatures, see Offline Downloading and Uploading NSX Intrusion Detection Signatures.

NSX Malware Prevention also uses signatures for detecting and preventing malware. However, NSX Manager can download the latest signatures only when your NSX environment has Internet connectivity. You cannot upload the latest signatures manually to NSX Manager. NSX Malware Prevention also sends files to the NSX Advanced Threat Prevention cloud service for a detailed cloud file analysis. Files are sent to the cloud by the NSX Application Platform and not by NSX Manager. NSX Application Platform does not support proxy server configuration and it requires a direct access to the Internet.

If NSX Manager accesses the Internet through an NSX Proxy Server, click the Go to NSX Proxy Server link and specify the following settings:

Scheme (HTTP or HTTPS)
IP address of the host
Port number
User name and password

Deploy NSX Application Platform

NSX Malware Prevention requires certain microservices to be deployed in the NSX Application Platform. You must first deploy the NSX Application Platform, and then activate the NSX Malware Prevention feature. After this feature is activated, the microservices that are required for NSX Malware Prevention get deployed in the platform.

To summarize, you must perform the following tasks in the given order:

Note: Versioning of the NSX Malware Prevention feature in the NSX Application Platform matches the NSX Application Platform version number, and not the NSX product version number.

Deploy Service Virtual Machine

For east-west traffic in the data center, you must deploy the NSX Distributed Malware Prevention service on vSphere host clusters that are prepared for NSX. When this service is deployed, a service virtual machine (SVM) is installed on each host of the vSphere cluster and NSX Malware Prevention is enabled on the host cluster.

A donut chart on this page shows the number of host clusters in the data center where the NSX Distributed Malware Prevention service is deployed and not deployed.

For detailed instructions about deploying the NSX Distributed Malware Prevention service on a host cluster, see Deploy the NSX Distributed Malware Prevention Service.

After the service deployment is done on the host clusters, return to this page in the wizard, and click Next to continue.

Note: High availability is not supported for the service virtual machine of NSX Distributed Malware Prevention service.

Manage Signatures

When Internet connectivity is configured in your data center, NSX Manager checks for availability of new intrusion detection signatures on the cloud every 20 minutes, by default. When a new update is available, a banner is displayed on the page with an Update Now link.

If the data center does not have an Internet connectivity, you can manually download the IDS signature bundle (.zip) file, and then upload the file to NSX Manager. For detailed instructions, see Offline Downloading and Uploading NSX Intrusion Detection Signatures.

Signature Management

Signature management tasks are optional. If needed, you can do them later by navigating to Security > IDS/IPS & Malware Prevention > Settings > IDS/IPS.

To view signature version or to add another version of the signatures in addition to the default, click View and Change.
Currently, two versions of signatures are maintained. Whenever there is a change in the version commit identification number, a new version is downloaded.
To automatically download intrusion detection signatures from the cloud and apply them to the hosts and edges in the data center, turn on the Auto Update toggle.
When this option is turned off, the automatic download of signatures stops. You can manually download the IDS signature bundle (.zip) file, and then upload the file to NSX Manager.
To view status of signature download on transport nodes, click the link in Status field.

To globally exclude specific signatures or to change their action to alert, drop, or reject, click View and Manage Signature Set.

Select an Action for the signature, and click Save. The changes done in global signature management settings are applicable to all IDS/IPS profiles. However, if you update the signature settings in an IDS/IPS profile, the profile settings take precedence.

The following table explains the meaning of each signature action.

Action	Description
Alert	An alert is generated and no automatic preventive action is taken.
Drop	An alert is generated and the offending packets are dropped.
Reject	An alert is generated and the offending packets are dropped. For TCP flows, a TCP reset packet is generated by IDS and sent to the source and destination of the connection. For other protocols, an ICMP-error packet is sent to the source and destination of the connection.

Enable Nodes for IDS/IPS and Malware Prevention

In the Activate Hosts & Clusters for East-West Traffic section, do the following configurations:

Turn on NSX IDS/IPS on the standalone ESXi hosts.
Select the ESXi host clusters where you want to turn on NSX IDS/IPS on the east-west traffic.
If the NSX Distributed Malware Prevention service is not already deployed on ESXi host clusters, click the Defined in Service VM deployment link in the Malware Prevention column. For instructions about deploying the NSX Distributed Malware Prevention service on a host cluster, see Deploy the NSX Distributed Malware Prevention Service.

Note:

Do not enable NSX Distributed IDS/IPS in an environment that is using Distributed Load Balancer. NSX does not support IDS/IPS with a Distributed Load Balancer.
For NSX Distributed IDS/IPS to work, Distributed Firewall (DFW) must be enabled. If traffic is blocked by a DFW rule, then IDS/IPS cannot see the traffic.

In the Activate Gateways for North-South Traffic section, do the following configurations:

Select the tier-1 gateways where you want to turn on NSX IDS/IPS on the north-south traffic.
Select the tier-1 gateways where you want to turn on NSX Malware Prevention on the north-south traffic.

Important: On the north-south traffic, NSX supports:

NSX Malware Prevention feature only on tier-1 gateways.
NSX IDS/IPS on Gateway Firewall feature only on tier-1 gateways.