You can create NSX IDS/IPS profiles to group signatures, which can then be applied to selected applications.

The default IDS profile includes critical severities and cannot be edited.

Starting with NSX 4.1.2, you can also capture PCAP (packet capture) files for events that distributed IDS/IPS triggers. You can enable this feature for any profile that you create. When packet capture is enabled, the host captures PCAP files, which can later be exported to the NSX Manager and downloaded from there.

The maximum size of a PCAP file is 64KB. A total of 500K PCAP files can be saved for 14 days on a large NSX Manager.

Procedure

  1. Navigate to Security > IDS/IPS & Malware Prevention > Profiles.
  2. Click Add Profile.
  3. Enter a name for this profile.
  4. (Optional) Enter a description for the profile and add tags.
  5. Select the required Intrusion Severities that you want to include in the profile.
  6. (Optional) Filter signatures to include in the profile by Attack Types, CVSS, Attack Targets, and Products Affected.
  7. To enable packet capture for the profile, turn the Packet Capture toggle on and set the maximum size of the PCAP file and the maximum number of packets that can be captured.
  8. To change the action on a specific signature, click Manage signatures for this profile and in the Action column, select the appropriate action.
  9. (Optional) To view only user-modified signatures, turn on the Show only User modified signatures toggle.
  10. Click Save to create the profile.

What to do next

Create IDS rules.