The NSX Manager UI provides a common rule table to add rules for NSX Intrusion Detection/Prevention and NSX Malware Prevention on a Gateway Firewall.

The security profiles that you add to the rule determine whether the Gateway Firewall rule enforces only NSX IDS/IPS, or only NSX Malware Prevention, or both.

Note that configuring an NSX IDS/IPS rule in either Detect Only or Detect and Prevent mode on a tier-1 gateway that is configured with a load balancer is not supported.

Prerequisites

For NSX Malware Prevention:
  • Add a Malware Prevention Profile.
  • Activate NSX Malware Prevention on the tier-1 gateways (Security > IDS/IPS & Malware Prevention > Settings > Shared).
For NSX IDS/IPS:
  • Add an NSX IDS/IPS Profile.
  • Activate NSX IDS/IPS on the gateways (Security > IDS/IPS & Malware Prevention > Settings > Shared).

Procedure

  1. From your browser, log in to an NSX Manager at https://nsx-manager-ip-address.
  2. Navigate to Security > IDS/IPS & Malware Prevention > Gateway Rules.
  3. If you want to add a policy for a specific gateway, ensure that you are in the Gateway Specific Rules tab, and select a gateway. If you want to add a policy for multiple gateways, ensure that you are in the All Shared Rules tab.
  4. Click Add Policy to create a section for organizing the rules.
    1. Enter a name for the policy.
    2. (Optional) In the policy row, click the gear icon to configure advanced policy options. These options are applicable only to NSX IDS/IPS and not to NSX Malware Prevention.
      Stateful: A stateful firewall monitors the state of active connections and uses this information to determine which packets to allow through the firewall.
      Locked: The policy can be locked to prevent multiple users from editing the same section at the same time. When locking a section, you must include a comment.

    3. Click Publish to publish the policy.
  5. Click Add Rule and configure the rule settings.
    1. Enter a name for the rule.
    2. In the Sources column, click the edit icon, and select the groups to use as the source of the rule. If source is not specified, it defaults to Any.
      For information about adding groups, see Add a Group.
    3. In the Destinations column, click the edit icon, and select the groups to use as the destination of the rule. If destination is not specified, it defaults to Any.
    4. In the Services column, click the edit icon, and select the services to use in the rule. If service is not specified, it defaults to Any.
      Note:
      • On clicking the edit icon, the UI displays a list of all available services. However, NSX Malware Prevention currently detects file transfers only for the following services: HTTP, HTTPS, FTP, and SMB. Selecting any other service does not extend malware inspection to it.
      • NSX Malware Prevention on the Gateway Firewall currently does not extract or analyze files that are uploaded using HTTP. Files uploaded using FTP are extracted and analyzed for malicious behavior.
    5. In the Security Profiles column, click the edit icon, and select the profiles to add to the firewall rule.
      You can select a maximum of two security profiles–one NSX IDS/IPS profile and one NSX Malware Prevention profile.
    6. If you are adding the rule for a specific gateway, the Applied To column displays the name of that gateway. For a tier-0 gateway, you can click the edit icon to make further choices.
      For a tier-1 gateway, you can only specify the rule to apply to the gateway. For a tier-0 gateway, you can specify the rule to apply to the gateway, individual interfaces, or interface groups.

      If you are adding shared rules, click the edit icon in the Applied To column, and select the gateways and interfaces to which you want to apply the rule.

      A rule that applies to a gateway will apply to all the uplink interfaces and service interfaces on the gateway.

    7. In the Mode column, select one of the options.
      Detect Only: The rule detects malicious files, malicious traffic, or both, on the selected gateways depending on the profile that is attached to the rule. No preventive action is taken.
      Detect and Prevent: NSX Malware Prevention currently does not support this mode; a Malware Prevention profile attached to such a rule still only detects. Rules with an NSX IDS/IPS profile can detect and block malicious traffic on the selected gateways.
    8. (Optional) Click the gear icon to configure other rule settings. These settings are applicable only to NSX IDS/IPS and not to NSX Malware Prevention.
      Logging: Logging is turned off by default. Logs are stored in the /var/log/dfwpktlogs.log file on ESXi hosts.
      Direction: Refers to the direction of traffic from the point of view of the destination object. IN means that only traffic to the object is checked. OUT means that only traffic from the object is checked. In-Out means that traffic in both directions is checked.
      Oversubscription: Configure whether excess traffic should be dropped or should bypass the IDS/IPS engine in case of oversubscription. The value entered here overrides the global oversubscription setting.
      IP Protocol: Enforce the rule based on IPv4, IPv6, or both IPv4 and IPv6.
  6. (Optional) Repeat step 5 to add more rules in the same policy.
  7. Click Publish. You can click the graph icon to view rule statistics for NSX IDS/IPS on Gateway Firewall.
    The rules are saved and pushed to the NSX Edges.
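
The procedure above states several constraints that the rule table does not fully enforce for you: at most one profile of each kind per rule, Malware Prevention inspecting only HTTP, HTTPS, FTP and SMB, no Detect and Prevent for Malware Prevention, no IDS/IPS on a tier-1 gateway with a load balancer, and tier-1 rules applying only to the gateway as a whole. The following is an added example (not part of the NSX documentation, product or Policy API) that encodes those constraints as a pre-publish lint over a constructed, hypothetical dict-style representation of the rule table. The Gateway and Rule classes, the "ids:"/"mp:" profile tags and the sample gateways and rules are all assumptions made for the example.

```python
"""Pre-publish lint for NSX Gateway Firewall IDS/IPS and Malware Prevention rules.

Added example, not part of the NSX documentation or product. It encodes the
constraints described in the procedure above as checks over a plain
representation of the rule table (a constructed schema, not the NSX Policy
API payload), so a rule set can be linted before anyone clicks Publish.
"""
from dataclasses import dataclass, field

# Services for which NSX Malware Prevention detects file transfers (from the page).
MP_SUPPORTED_SERVICES = {"HTTP", "HTTPS", "FTP", "SMB"}
MODES = ("Detect Only", "Detect and Prevent")


@dataclass
class Gateway:
    name: str
    tier: int                      # 0 or 1 (hypothetical schema)
    has_load_balancer: bool = False
    ids_enabled: bool = False      # Security > IDS/IPS & Malware Prevention > Settings > Shared
    mp_enabled: bool = False


@dataclass
class Rule:
    name: str
    gateway: Gateway
    mode: str
    profiles: list                 # hypothetical tags: "ids:<name>" or "mp:<name>"
    services: list = field(default_factory=list)   # empty list means Any
    applied_to_interfaces: bool = False            # interfaces/interface groups selected


def lint_rule(rule: Rule) -> list:
    """Return human-readable findings for one rule; empty list means it passes."""
    f = []
    gw = rule.gateway
    ids = [p for p in rule.profiles if p.startswith("ids:")]
    mp = [p for p in rule.profiles if p.startswith("mp:")]
    other = [p for p in rule.profiles if p not in ids and p not in mp]

    if other:
        f.append(f"unknown profile(s) {other}")
    if not ids and not mp:
        f.append("no security profile selected; the rule enforces neither IDS/IPS nor Malware Prevention")
    if len(ids) > 1 or len(mp) > 1:
        f.append("at most one IDS/IPS profile and one Malware Prevention profile per rule")
    if rule.mode not in MODES:
        f.append(f"unknown mode {rule.mode!r}; expected one of {MODES}")

    if ids:
        if not gw.ids_enabled:
            f.append(f"IDS/IPS is not activated on gateway {gw.name} (Settings > Shared)")
        if gw.tier == 1 and gw.has_load_balancer:
            f.append(f"IDS/IPS rules are not supported on tier-1 gateway {gw.name} because it has a load balancer")
    if mp:
        if gw.tier != 1:
            f.append(f"Malware Prevention is activated per tier-1 gateway; {gw.name} is a tier-{gw.tier} gateway")
        elif not gw.mp_enabled:
            f.append(f"Malware Prevention is not activated on gateway {gw.name} (Settings > Shared)")
        unsupported = sorted(set(rule.services) - MP_SUPPORTED_SERVICES)
        if unsupported:
            f.append(f"Malware Prevention will not inspect file transfers over {unsupported}; "
                     "only HTTP, HTTPS, FTP and SMB are supported")
        if rule.mode == "Detect and Prevent":
            f.append("Malware Prevention does not support Detect and Prevent; files are detected only"
                     + (", while the IDS/IPS profile can block" if ids else ""))
    if rule.applied_to_interfaces and gw.tier == 1:
        f.append(f"tier-1 gateway {gw.name}: rules can only be applied to the gateway, not to interfaces")
    return f


def lint_rules(rules) -> dict:
    """Map rule name to its findings for a whole policy."""
    return {r.name: lint_rule(r) for r in rules}


# Constructed sample gateways and rules (not from a real environment).
T1_APP = Gateway("t1-app", tier=1, ids_enabled=True, mp_enabled=True)
T1_LB = Gateway("t1-web-lb", tier=1, has_load_balancer=True, ids_enabled=True)
T0 = Gateway("t0-edge", tier=0, ids_enabled=True)

SAMPLE_RULES = [
    Rule("app-ids-mp", T1_APP, "Detect Only", ["ids:Default", "mp:Strict"], ["HTTP", "FTP"]),
    Rule("app-mp-smtp", T1_APP, "Detect Only", ["mp:Strict"], ["SMTP"]),
    Rule("lb-ids", T1_LB, "Detect and Prevent", ["ids:Default"]),
    Rule("t0-iface-prevent", T0, "Detect and Prevent", ["ids:Default"], applied_to_interfaces=True),
    Rule("t0-mp", T0, "Detect and Prevent", ["mp:Strict"]),
    Rule("empty", T1_APP, "Detect Only", []),
]

if __name__ == "__main__":
    for name, findings in lint_rules(SAMPLE_RULES).items():
        print(f"[{'OK' if not findings else 'CHECK'}] {name}")
        for msg in findings:
            print(f"    - {msg}")
```

Run the script to see which of the sample rules would silently do less than intended: the SMTP-only Malware Prevention rule and the tier-0 Malware Prevention rule are accepted by the UI but inspect nothing, while the rule on the load-balancer tier-1 gateway is unsupported outright.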

Results

When files are detected on the tier-1 gateways, file events are generated and shown on the Malware Prevention dashboard and the Security Overview dashboard.

For rules configured with IDS/IPS profile, if the system detects malicious traffic, it generates an intrusion event. You can view the event details on the IDS/IPS dashboard or the Security Overview dashboard.

Example

For an end-to-end example of configuring Gateway Firewall rules with NSX Malware Prevention, see Example: Add Rules for NSX Malware Prevention on a Gateway Firewall.

What to do next

Monitor and analyze file events on the Malware Prevention dashboard. For more information, see Monitoring File Events.

Monitor and analyze intrusion events on the IDS/IPS dashboard. For more information, see Monitoring IDS/IPS Events.