The NSX Manager UI provides a common rule table to add rules for NSX Intrusion Detection/Prevention and NSX Malware Prevention on a Distributed Firewall.
- In NSX 4.0, malware detection and prevention on the distributed east-west traffic is supported only for Windows Portable Executable (PE) files that are extracted by the GI thin agent on the Windows guest endpoints (VMs). Other file categories are not supported by NSX Distributed Malware Prevention.
- Starting in NSX 4.0.1.1, malware detection and prevention on the distributed east-west traffic is supported for all the file categories on both Windows and Linux guest endpoints. To view the list of supported file categories, see File Categories Supported for NSX Malware Prevention.
- The supported maximum file size limit is 64 MB.
Prerequisites
For NSX Malware Prevention:
Procedure
1. From your browser, log in to an NSX Manager at https://nsx-manager-ip-address.
2. Navigate to .
3. Click Add Policy to create a section for organizing the rules.
   - Enter a name for the policy.
   - (Optional) In the policy row, click the gear icon to configure advanced policy options. These options are applicable only to NSX Distributed IDS/IPS and not to NSX Distributed Malware Prevention.

     | Option | Description |
     |---|---|
     | Stateful | A stateful firewall monitors the state of active connections and uses this information to determine which packets to allow through the firewall. |
     | Locked | The policy can be locked to prevent multiple users from editing the same sections. When locking a section, you must include a comment. Some roles, such as enterprise administrator, have full access credentials and cannot be locked out. See Role-Based Access Control. |

4. Click Add Rule and configure the rule settings.
   - Enter a name for the rule.
   - Configure the Sources, Destinations, and Services columns based on the traffic that requires IDS inspection. IDS supports the Generic and IP Addresses Only group types for source and destination.

     These three columns are not supported for Distributed Malware Prevention firewall rules. Retain them as Any. Instead, you must limit the scope of the Distributed Malware Prevention rules by selecting the groups in the Applied To column.
   - In the Security Profiles column, select the profile to use for this rule.

     You can select an NSX IDS/IPS profile or an NSX Malware Prevention profile, but not both. In other words, only one security profile is supported in a rule.
   - In the Applied To column, select any one of the options.

     | Option | Description |
     |---|---|
     | DFW | Currently, Distributed Malware Prevention rules do not support DFW in Applied To. Distributed IDS/IPS rules can be applied to DFW. The IDS/IPS rules get applied to workload VMs on all host clusters that are activated with NSX IDS/IPS. |
     | Groups | The rule is applied only to the VMs that are members of the selected groups. |

   - In the Mode column, select any one of the options.

     | Option | Description |
     |---|---|
     | Detect Only | For the NSX Malware Prevention service: The rule detects malicious files on the VMs, but no preventive action is taken. In other words, malicious files are downloaded on the VMs. For the NSX IDS/IPS service: The rule detects intrusions against signatures and does not take any action. |
     | Detect and Prevent | For the NSX Malware Prevention service: The rule detects known malicious files on the VMs and blocks them from being downloaded on the VMs. For the NSX IDS/IPS service: The rule detects intrusions against signatures and either drops or rejects the traffic, depending on the signature configuration in the IDS/IPS profile or in the global signature configuration. |

   - (Optional) Click the gear icon to configure other rule settings. These settings are applicable only to NSX Distributed IDS/IPS and not to NSX Distributed Malware Prevention.

     | Option | Description |
     |---|---|
     | Logging | Logging is turned off by default. Logs are stored in the /var/log/dfwpktlogs.log file on ESXi hosts. |
     | Direction | Refers to the direction of traffic from the point of view of the destination object. IN means that only traffic to the object is checked. OUT means that only traffic from the object is checked. In-Out means that traffic in both directions is checked. |
     | IP Protocol | Enforce the rule based on IPv4, IPv6, or both (IPv4-IPv6). |
     | Oversubscription | Starting with NSX 4.0.1.1, you can configure whether excess traffic is dropped or bypasses the IDS/IPS engine in case of oversubscription. The value entered here overrides the value set for oversubscription in the global setting. |
     | Log Label | The Log Label is stored in the firewall log when logging is enabled. |

5. (Optional) Repeat step 4 to add more rules in the same policy.
6. Click Publish.

   The rules are saved and pushed to the hosts. You can click the graph icon to view rule statistics for NSX Distributed IDS/IPS.

   Note: Rule statistics for NSX Distributed Malware Prevention firewall rules are not supported.
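The rule constraints spread across step 4 (one security profile per rule; Malware Prevention rules keep Sources, Destinations and Services as Any and are scoped only through Applied To groups, never DFW; IDS rules accept only Generic and IP Addresses Only groups; two valid modes) are easy to get wrong when rules are prepared outside the UI. The following added example, which is not part of the NSX documentation and does not use NSX's own API, is a small pre-publish lint that encodes those constraints. The `Rule` shape mirrors the UI columns and is an assumption for this example, as are the profile kind labels `IDS_IPS` and `MALWARE_PREVENTION`, the constructed group catalogue, and the placeholder group type `Other`.

```python
"""Pre-publish lint for NSX Distributed IDS/IPS and Malware Prevention rules.

Added example: encodes the constraints from the procedure above so rule
definitions can be checked before they are published. The Rule fields mirror
the UI columns (Sources, Destinations, Services, Security Profiles,
Applied To, Mode); they are an assumed shape for this example, not the NSX
Policy API schema.
"""
from __future__ import annotations
from dataclasses import dataclass, field

ANY = "Any"
VALID_MODES = {"Detect Only", "Detect and Prevent"}
# IDS supports only these group types in Sources/Destinations.
IDS_SUPPORTED_GROUP_TYPES = {"Generic", "IP Addresses Only"}

# Constructed group catalogue (name -> group type). "Other" is a placeholder
# for any group type outside the two that IDS accepts.
GROUPS = {
    "web-tier": "Generic",
    "db-tier": "Generic",
    "branch-subnets": "IP Addresses Only",
    "legacy-group": "Other",
}


@dataclass
class Rule:
    name: str
    # (kind, profile name); kind is "IDS_IPS" or "MALWARE_PREVENTION" (assumed labels)
    profiles: list[tuple[str, str]]
    applied_to: list[str]            # ["DFW"] or one or more group names
    mode: str = "Detect Only"
    sources: list[str] = field(default_factory=lambda: [ANY])
    destinations: list[str] = field(default_factory=lambda: [ANY])
    services: list[str] = field(default_factory=lambda: [ANY])


def lint_rule(rule: Rule, groups: dict[str, str] = GROUPS) -> list[str]:
    """Return a list of findings; an empty list means the rule is publishable."""
    findings: list[str] = []
    kinds = {kind for kind, _ in rule.profiles}

    if len(rule.profiles) != 1:
        findings.append("exactly one security profile (IDS/IPS or Malware Prevention) per rule")
    if rule.mode not in VALID_MODES:
        findings.append(f"unknown mode {rule.mode!r}; use Detect Only or Detect and Prevent")
    if not rule.applied_to:
        findings.append("Applied To must be DFW or at least one group")
    for g in rule.applied_to:
        if g != "DFW" and g not in groups:
            findings.append(f"Applied To: unknown group {g!r}")

    if "MALWARE_PREVENTION" in kinds:
        # Malware Prevention rules are scoped through Applied To groups only.
        for col, val in (("Sources", rule.sources),
                         ("Destinations", rule.destinations),
                         ("Services", rule.services)):
            if val != [ANY]:
                findings.append(f"Malware Prevention: {col} is not supported, keep it as Any")
        if "DFW" in rule.applied_to:
            findings.append("Malware Prevention: Applied To must be groups, not DFW")

    if "IDS_IPS" in kinds:
        for col, val in (("Sources", rule.sources), ("Destinations", rule.destinations)):
            for g in val:
                if g == ANY:
                    continue
                gtype = groups.get(g)
                if gtype is None:
                    findings.append(f"{col}: unknown group {g!r}")
                elif gtype not in IDS_SUPPORTED_GROUP_TYPES:
                    findings.append(f"{col}: group {g!r} is of type {gtype!r}; "
                                    "IDS supports Generic and IP Addresses Only groups")
    return findings


def lint_policy(rules: list[Rule]) -> dict[str, list[str]]:
    """Map rule name -> findings, for the rules that have any."""
    report: dict[str, list[str]] = {}
    for rule in rules:
        findings = lint_rule(rule)
        if findings:
            report[rule.name] = findings
    return report


# Constructed sample rules: two that follow the procedure, two that do not.
SAMPLE_RULES = [
    Rule("ids-web", [("IDS_IPS", "default-ids-profile")], ["DFW"], "Detect and Prevent",
         sources=["branch-subnets"], destinations=["web-tier"], services=["HTTPS"]),
    Rule("mp-db", [("MALWARE_PREVENTION", "default-mp-profile")], ["db-tier"], "Detect Only"),
    Rule("mp-bad", [("MALWARE_PREVENTION", "mp"), ("IDS_IPS", "ids")], ["DFW"], "Detect Only",
         sources=["web-tier"]),
    Rule("ids-bad", [("IDS_IPS", "ids")], ["web-tier"], "Block",
         destinations=["legacy-group"]),
]

if __name__ == "__main__":
    for name, findings in lint_policy(SAMPLE_RULES).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Running the block reports three findings for `mp-bad` (two profiles, a non-Any Sources column, and DFW in Applied To) and two for `ids-bad` (an unknown mode and a destination group of an unsupported type), while the two rules that follow the procedure pass clean. Running such a check before Publish catches misconfigurations that the UI would otherwise surface only one rule at a time.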
Results
When files are extracted on the endpoint VMs, file events are generated and shown on the Malware Prevention dashboard and the Security Overview dashboard. If the files are malicious, the security policy is enforced. If the files are benign, they are downloaded on the VMs.
For rules configured with an IDS/IPS profile, if the system detects malicious traffic, it generates an intrusion event and shows it on the IDS/IPS dashboard. The system drops, rejects, or generates an alarm for the traffic based on the action that you configured in the rule.
What to do next
Monitor and analyze file events on the Malware Prevention dashboard. For more information, see Monitoring File Events.
Monitor and analyze intrusion events on the IDS/IPS dashboard. For more information, see Monitoring IDS/IPS Events.