Follow these steps to upload and apply custom signatures to rules and protect traffic from malicious attacks.

  1. From the NSX Manager UI, you can add a custom signature bundle or manually include custom signatures into an existing list of signatures.

  2. After uploading, validate the custom signatures. Validation outcomes are: Valid, Invalid or Warning.

    Note:

    If any signatures are marked as invalid, check the metadata for errors. For instance, if the traffic direction specified in the signature is incorrect, NSX IDS/IPS will classify it as invalid. Correct the metadata and re-validate the signature.

    By default, Warning signatures are excluded and will not be published unless you specifically select the Warning signatures that must be published to the transport nodes and NSX Edges.

  3. Publish the signatures.

  4. Once published, to apply the custom signatures to Distributed Firewall (DFW) or Gateway Firewall (GFW) rules, add them to an NSX IDS/IPS profile. Edit the profile to incorporate both custom and system signatures. After publishing the rules, the profile and rules are pushed based on the span of the rule. When a signature match occurs, an event is triggered.

    Note:

    Since only unique signatures are accepted, NSX modifies the original custom signature IDs, placing them in a range of 1 billion to 2 billion. The original signature IDs remain accessible in the NSX Manager UI or API.

  5. Rules on DFW or GFW that utilize the IDS profile containing custom signatures will be active and ready to respond to potential threats. When traffic matches a custom signature, the IDS/IPS generates an alert, which can be viewed on the IDS/IPS > Monitoring UI page.

  6. Based on the intrusion details, such as Severity, CVE, CVSS, and the VMs affected by the threat, security administrators can take appropriate steps to mitigate the risk.
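
A local pre-upload check related to steps 2 and 4, as an added example that is not NSX code or NSX's validator: it assumes the custom signatures are written in Suricata rule syntax (the page does not state the format) and flags an unrecognized traffic direction, a missing `sid`, and duplicate `sid` values before the bundle is uploaded. The function name `precheck` and the sample rules are constructed for illustration.

```python
import re
from collections import Counter

# Assumed Suricata-style layout: action proto src sport DIR dst dport (options)
HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>\S+)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)
SID = re.compile(r"(?:^|;)\s*sid\s*:\s*(\d+)\s*;")
DIRECTIONS = {"->", "<>"}  # direction operators in standard Suricata syntax (assumption)


def precheck(bundle_text):
    """Return sorted (line_no, problem) findings for a rule bundle."""
    findings, sids = [], []
    for no, line in enumerate(bundle_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        m = HEADER.match(line)
        if not m:
            findings.append((no, "unparseable rule header"))
            continue
        if m["dir"] not in DIRECTIONS:
            findings.append((no, f"invalid direction {m['dir']!r}"))
        sid = SID.search(m["opts"])
        if sid:
            sids.append((no, int(sid.group(1))))
        else:
            findings.append((no, "missing sid"))
    # Only unique signature IDs are accepted, so report every colliding line.
    counts = Counter(s for _, s in sids)
    findings += [(no, f"duplicate sid {s}") for no, s in sids if counts[s] > 1]
    return sorted(findings)


# Constructed sample bundle: one bad direction, one reused sid, one missing sid.
SAMPLE = """\
# constructed sample rules
alert tcp any any -> any 80 (msg:"Constructed test A"; content:"test-a"; sid:1000001; rev:1;)
alert tcp any any <- any 80 (msg:"Constructed test B"; content:"test-b"; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"Constructed test C"; content:"test-c"; sid:1000001; rev:1;)
alert tcp any any -> any 443 (msg:"Constructed test D"; content:"test-d"; rev:1;)
"""

if __name__ == "__main__":
    for line_no, problem in precheck(SAMPLE):
        print(f"line {line_no}: {problem}")
```

A clean result here does not replace the validation in step 2; NSX still decides whether each signature is Valid, Invalid or Warning.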