If you have skipped the IDS/IPS and Malware Prevention Setup wizard without configuring any settings, or if you have skipped the wizard midway during the configuration process, you can continue the configuration process from the IDS/IPS & Malware Prevention Settings page.

To open this page in the NSX Manager UI, navigate to Security > IDS/IPS & Malware Prevention > Settings.

The configuration settings are grouped into three tab pages:
  • Shared
  • IDS/IPS
  • Malware Prevention

Shared Settings

As the name suggests, these settings are common to NSX IDS/IPS and NSX Malware Prevention.
Configure Internet Proxy Server

NSX IDS/IPS does not necessarily require an Internet connection for it to function. NSX IDS/IPS uses signatures for detecting and preventing intrusions. If your NSX environment has Internet connectivity, NSX Manager can download the latest intrusion detection signatures automatically either directly from the Internet or through an NSX Proxy Server. If Internet connectivity is not configured in your NSX environment, you can use APIs to manually download the NSX intrusion detection signature bundle (.zip) file, and then upload the signature bundle to NSX Manager. To learn more about manually uploading the signatures, see Offline Downloading and Uploading NSX Intrusion Detection Signatures.

NSX Malware Prevention also uses signatures for detecting and preventing malware. However, NSX Manager can download the latest signatures only when your NSX environment has Internet connectivity. You cannot upload the latest signatures manually to NSX Manager. NSX Malware Prevention also sends files to the NSX Advanced Threat Prevention cloud service for a detailed cloud file analysis. Files are sent to the cloud by the NSX Application Platform and not by NSX Manager. NSX Application Platform does not support proxy server configuration and it requires a direct access to the Internet.

If NSX Manager accesses the Internet through an NSX Proxy Server, click the Internet Proxy Server link and specify the following settings:

  • Scheme (HTTP or HTTPS)
  • IP address of the host
  • Port number
  • User name and password
Define Scope for Malware Prevention and IDS/IPS Deployment

In the Activate Hosts & Clusters for East-West Traffic section, do the following configurations:

  • Turn on NSX IDS/IPS on the standalone ESXi hosts.
  • Select the ESXi host clusters where you want to turn on NSX IDS/IPS on the east-west traffic.
  • If the NSX Distributed Malware Prevention service is not already deployed on ESXi host clusters, click the Defined in Service VM deployment link in the Malware Prevention column. For instructions about deploying the NSX Distributed Malware Prevention service on a host cluster, see Deploy the NSX Distributed Malware Prevention Service.
In the Activate Gateways for North-South Traffic section, do the following configurations:
  • Select the tier-1 gateways where you want to turn on NSX IDS/IPS on the north-south traffic.
  • Select the tier-1 gateways where you want to turn on NSX Malware Prevention on the north-south traffic.
Important: On the north-south traffic, NSX supports:
  • NSX Malware Prevention feature only on tier-1 gateways.
  • NSX IDS/IPS on Gateway Firewall feature only on tier-1 gateways.

IDS/IPS Settings

When Internet connectivity is configured in your data center, NSX Manager checks for availability of new intrusion detection signatures on the cloud every 20 minutes, by default. When a new update is available, a banner is displayed on the page with an Update Now link.

If the data center does not have an Internet connectivity, you can manually download the IDS signature bundle (.zip) file, and then upload the file to NSX Manager. For detailed instructions, see Offline Downloading and Uploading NSX Intrusion Detection Signatures.

You can perform the following signature management tasks on this page:

  • To view signature version or to add another version of the signatures in addition to the default, click View and Change.

    Currently, two versions of signatures are maintained. Whenever there is a change in the version commit identification number, a new version is downloaded.

  • To automatically download intrusion detection signatures from the cloud and apply them to the hosts and edges in the data center, turn on the Auto Update toggle.

    When this option is turned off, the automatic download of signatures stops. You can manually download the IDS signature bundle (.zip) file, and then upload the file to NSX Manager.

  • To view status of signature download on transport nodes, click the link in Status field.
  • To globally exclude specific signatures or to change their action to alert, drop, or reject, click View and Manage Signature Set.

    Select an Action for the signature, and click Save. The changes done in global signature management settings are applicable to all IDS/IPS profiles. However, if you update the signature settings in an IDS/IPS profile, the profile settings take precedence.

    The following table explains the meaning of each signature action.

    Action Description

    Alert

    An alert is generated and no automatic preventive action is taken.

    Drop

    An alert is generated and the offending packets are dropped.

    Reject

    An alert is generated and the offending packets are dropped. For TCP flows, a TCP reset packet is generated by IDS and sent to the source and destination of the connection. For other protocols, an ICMP-error packet is sent to the source and destination of the connection.

You can also manage the following advanced settings:

  • To send IDS/IPS events to external syslog consumers, turn on the Syslog toggle.
  • Starting with NSX 4.0.1.1, you can also configure whether excess traffic should be dropped or should bypass the IDS/IPS engine in case of oversubscription. Click the appropriate option in the Oversubscription field.

Malware Prevention Settings

NSX Malware Prevention requires certain microservices to be deployed in the NSX Application Platform.

If the NSX Application Platform is not deployed in your data center, this page displays the following title:

Malware Prevention is not deployed yet.
Do the following steps:
  1. Read the on-screen text and click Go to NSX Application Platform.
  2. Before proceeding with the platform deployment, read the NSX Application Platform Deployment Checklist in the Deploying and Managing the VMware NSX Application Platform publication at https://docs.vmware.com/en/VMware-NSX-T-Data-Center/index.html. From the left navigation pane at this link, expand version 4.0, and then click the publication name.
  3. Deploy the NSX Application Platform. For more details, see the Deploying and Managing the VMware NSX Application Platform publication.
  4. Activate NSX Malware Prevention feature on the platform.

After the NSX Malware Prevention feature is activated on the NSX Application Platform, the Malware Prevention settings page displays the Allowlist section. You might have to refresh the page a few times to view this section.

Allowlist
Using the NSX Manager UI or API, you can override or suppress the verdict of the file that NSX has computed. This overridden file verdict takes precedence over the NSX computed verdict. The Allowlist table table displays all the files with suppressed verdict. This table is initially empty. When you start monitoring the file events in your data center by using the Malware Prevention dashboard and suppress file verdicts based on your specific security requirements, the suppressed files are added to the Allowlist table.

To learn more about overriding file verdicts, see Add a File to the Allowlist.