NSX Intrusion Detection and Prevention Service (IDS/IPS) monitors east-west traffic and north-south traffic to detect malicious traffic patterns by comparing the traffic against a known set of intrusion detection signatures. NSX Malware Prevention extracts files from the east-west traffic and north-south traffic and analyzes these files for malicious behavior.
What to read next
Getting Started with NSX IDS/IPS and NSX Malware Prevention Read the topics in this section to obtain an overview of NSX IDS/IPS and NSX Malware Prevention features. Understand the system requirements and the terminology used, and complete the prerequisite tasks to prepare your data center for using these two features.
Offline Downloading and Uploading NSX Intrusion Detection Signatures If Internet connectivity is not configured in your NSX, you can use APIs to manually download the NSX intrusion detection signature bundle (.zip) file, and then upload the signature bundle to NSX Manager. Perform the following steps to download signatures in an offline mode and upload them on NSX.
Enhanced Threat Management with Custom Signatures NSX IDS/IPS provides the capability to manage threats related to custom applications and zero-day vulnerabilities.
Trigger NSX IDS/IPS Events using Thresholds and Rate Filters You can manage the rate at which NSX IDS/IPS events are generated for system signatures by configuring Thresholds and Rate Filters.
Adding Security Profiles Security profiles include IDS/IPS profile and Malware Prevention profile. To enforce NSX IDS/IPS and NSX Malware Prevention security protection in your data center, you must attach security profiles to Distributed Firewall rules and Gateway Firewall rules.
Using NSX IDS/IPS and NSX Malware Prevention on a Distributed Firewall You can use the NSX IDS/IPS feature to detect malicious traffic patterns in the distributed east-west traffic, and use the NSX Malware Prevention feature to detect malicious files in the distributed east-west traffic.
Using NSX IDS/IPS and NSX Malware Prevention on a Gateway Firewall You can use the NSX IDS/IPS feature to detect malicious traffic patterns in the north-south traffic, and use the NSX Malware Prevention feature to detect malicious files in the north-south traffic.
Distributed IDS/IPS Logs When logging is enabled for NSX-T IDS/IPS, you can look at log files to troubleshoot issues.
Monitoring File Events File events are generated when files are extracted by the IDS engine on the NSX Edges in the north-south traffic and by the NSX Guest Introspection agent on the virtual machine endpoints in the distributed east-west traffic.
Monitoring IDS/IPS Events You can monitor events and view data of the last 14 days.
Export and Download Packet Capture Files You can export PCAP files on the NSX Manager and then download the exported files.
Administering NSX Malware Prevention You can upgrade or delete the NSX Malware Prevention feature by using the NSX Application Platform page in the Security tab.
Troubleshooting NSX Malware Prevention Use the information in this chapter to understand log messages, resolve syslog issues, and troubleshoot common problems that can occur with the NSX Malware Prevention feature.