You can trigger the upgrade process of the NSX Malware Prevention service virtual machine (SVM) when a new OVA file of the SVM is available on the Download VMware NSX page.

Prerequisites

  • Verify that the service deployment status and the health status of the NSX Distributed Malware Prevention service instance on each host of the ESXi cluster shows Up.
    1. Log in to NSX Manager, and navigate to System > Service Deployments > Deployment.
    2. From the Partner Service drop-down menu, select VMware NSX Distributed Malware Prevention Service.
    3. Verify that the Status column of the service deployment in all host clusters shows Up.
    4. Click the Service Instances tab, and verify that the Deployment Status column and Health Status column of the service instance on each host of the cluster shows Up.
  • Verify that the Kubernetes cluster on the NSX Application Platform is stable.
    1. In NSX Manager, navigate to System > NSX Application Platform.
    2. Verify that the cluster status is Stable (green).
  • Verify that the status of the NSX Malware Prevention feature on the NSX Application Platform is Up.
    1. In NSX Manager, navigate to System > NSX Application Platform.
    2. Scroll down the page until you see the Features section.
    3. Verify that the NSX Malware Prevention feature card shows Status as Up.

Procedure

  1. Download the new OVA file of the NSX Malware Prevention SVM.
    1. On the Broadcom Support portal, log in and open the My Downloads page.
    2. From the All Products drop-down menu, select Networking & Security.
    3. Next to VMware NSX®, click Download Product. The Download VMware NSX page opens.
    4. Find the NSX license that you are using, and then click Go to Downloads.
    5. Download the OVA file of the NSX SVM Appliance (VMware-NSX-Malware-Prevention-appliance-version_number.build_number.ova).
  2. Extract the OVA file with the following command: 
    tar -xvf filename.ova

    Replace filename with the exact name of the OVA file that you downloaded in the previous step.

    Observe that the following four files are available in the root directory where the OVA file is extracted.

    • OVF file (.ovf)
    • Manifest file (.mf)
    • Certificate file (.cert)
    • Virtual machine disk file (.vmdk)
  3. Copy all the extracted files to a Web server that meets the following prerequisites:
    1. The Web server must have unauthenticated access over HTTP.
    2. The Web server must be accessible to NSX Manager, all ESXi hosts where you plan to upgrade the NSX Malware Prevention SVM, and the VMware vCenter that is registered to NSX.
    3. The MIME types for the extracted files must be added to the Web server. For information about adding MIME types to the Web server, see your Web server documentation.
      File Extension MIME Type

      .ovf

      application/vmware

      .vmdk

      application/octet-stream

      .mf

      text/cache-manifest

      .cert

      application/x-x509-user-cert
    Note: You can deploy the Web server on the same network where the NSX Manager appliances, ESXi hosts, and the VMware vCenter appliance are deployed. The Web server does not require Internet access.
  4. Run the following API to add a new deployment specification to an existing NSX Malware Prevention service definition: 
    POST https://{nsx-manager-ip}/napp/api/v1/malware-prevention/svm-spec
    In the request body of this POST API, specify the following details:
    • Complete path to the OVF file on the Web server
    • Name of the deployment specification (SVM is identified by this name on the VMware vCenter)
    • SVM version number
    Example Request Body: 
    {
    "ovf_url" : "http://{webserver-ip}/{path-to-ovf-file}/{filename}.ovf",
    "deployment_spec_name" : "NSX_Distributed_MPS_2",
    "svm_version" : "3.3"
}

    Specify a deployment specification name that is easy for you to identify when you upgrade the service appliance (SVM) in the next step. The SVM version in this request body is only an example. You must replace it with the appropriate version number.

    For more information about this API including an example response, see the Malware Prevention API documentation on the Broadcom Developer Portal.

  5. Upgrade the NSX Malware Prevention service virtual machine (appliance) in the service deployment of each ESXi host cluster.
    1. In NSX Manager, navigate to System > Service Deployments > Deployment.
    2. From the Partner Service drop-down menu, select VMware NSX Distributed Malware Prevention Service.
    3. Next to the service deployment of a host cluster, click Actions menu, and then click Change Appliance.
      Verify that the Change Appliance window lists the deployment specification name that you specified in the request body of the POST API.
    4. Select the deployment specification name.
      In this case, select NSX_Distributed_MPS_2.
    5. Click Update.
    6. Repeat steps c, d, and e to upgrade the service virtual machine (appliance) in the service deployments of other ESXi host clusters.

What to do next

After the upgrade is finished, verify the connectivity status, solution status, and health status of each service instance on the ESXi host.
  1. Navigate to System > Service Deployments > Service Instances.
  2. For each service instance, verify that the Health Status column shows Up.
  3. Click the icon in the Health Status column and verify that the following statuses are Up:
    • Solution status
    • Connectivity status between NSX Guest Introspection agent and NSX Ops agent.

For help on troubleshooting issues, see Troubleshooting NSX Malware Prevention Service Virtual Machine Problems.