There is a three-tier app at Site B that uses NSX networking. The app consists of three web VMs, an app VM, a DB VM and a load balancer (LB) VM. Each tier is on its own network (the three web VMs share the web network).
The app is arbitrarily named cda. There is a similar app at Site A named dist but most work in NSX+ will be with the cda app VMs in Site B.
- HTTP/HTTPS (80/443), from any source to VMs on the lb network
- HTTP (80), from VMs on the lb network to VMs on the web network
- 8443/TCP, from VMs on the web network to VMs on the app network
- 8080/TCP, from VMs on the app network to VMs on the db network
- DNS (53), from VMs on any configured network to 192.168.110.10
- NTP (123), from VMs on any configured network to 192.168.100.1
Before configuring IDS in NSX+, you must enable it on the local NSX manager first.
On the local NSX manager, navigate to Security > Policy Management > IDS/IPS & Malware Prevention.
Click the Skip Setup button.
Click the Skip Setup button again.
Navigate to Settings > Shared.
Set IDS/IPS to On for the cluster.
Click the Yes button.
Back in the NSX+ UI, ensure that you are in the Instance-specific view in NSX+ (not the Global view).
Navigate to Security > Policy Management > IDS/IPS > Signature Management.
If you click the Update Now link, it should import the most recent signatures.
Click Select under Site Assignment. Choose sites appropriately.
Click the Assign button.
Click on the Profiles tab.
Click the Add Profile button. Provide a meaningful name and select appropriate intrusion severities (all in this example).
Click the Save button.
Click on the Distributed Rules tab.
Click on Add Global Policy. Provide a meaningful name.
This policy is called Protect Web since it will be used to monitor the Web VMs in the three-tier app.
Click the Security Profiles area. Click the Add Profile button and select the All Signatures profile created earlier.
Click the Apply button.
Click in the Applied To area. Set Select Applied To to Groups and then find and select an appropriate group (Web VMs in this example).
Click the Apply button.
Click the Publish button.
Next, I generated some suspicious activity from one of the Web VMs. (Note: I had to disable the DROP DFW rule to allow this traffic out; I could also have created a new rule to explicitly allow it for the Web VMs.)
You should see IDS events generated in NSX+ and on the local NSX manager.
On the local NSX manager:
You can also check the /var/log/nsx-idps logs on the ESXi hosts where the VMs are running to see evidence of detected events.
In the NSX+ UI:
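As an added example that is not part of this post: a small Python triage script that reads IDS alert records and flags the alerts that sit on flows the three-tier DFW policy listed above does not allow, so those get looked at first. It assumes Suricata EVE-style JSON lines (the page does not show the actual layout of /var/log/nsx-idps), and the tier subnets and alert lines are constructed for the example.

```python
# Added example: triage IDS alerts against the cda three-tier flow policy.
# Assumes Suricata EVE-style JSON alert records; subnets and alerts are constructed.
import ipaddress
import json

TIERS = {  # constructed subnets for the cda tiers (not from the page)
    "lb": ipaddress.ip_network("10.10.1.0/24"),
    "web": ipaddress.ip_network("10.10.2.0/24"),
    "app": ipaddress.ip_network("10.10.3.0/24"),
    "db": ipaddress.ip_network("10.10.4.0/24"),
}
# Flows the DFW allows per the policy above: (src tier, dst tier, dst port)
ALLOWED = {("any", "lb", 80), ("any", "lb", 443), ("lb", "web", 80),
           ("web", "app", 8443), ("app", "db", 8080)}
INFRA = {("192.168.110.10", 53), ("192.168.100.1", 123)}  # DNS, NTP from any tier

SAMPLE_LOG = [  # constructed alert lines, one JSON object per line
    '{"event_type":"alert","src_ip":"10.10.2.11","dest_ip":"10.10.3.5","dest_port":8443,'
    '"alert":{"signature":"TEST scanner user-agent","severity":2}}',
    '{"event_type":"alert","src_ip":"10.10.2.11","dest_ip":"10.10.4.5","dest_port":3306,'
    '"alert":{"signature":"TEST direct DB connection attempt","severity":2}}',
    'not json at all',
    '{"event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.10.1.5","dest_port":443,'
    '"alert":{"signature":"TEST informational TLS event","severity":3}}',
]

def tier_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((t for t, net in TIERS.items() if addr in net), "external")

def flow_expected(src_ip, dst_ip, dst_port):
    """True if the flow matches a rule in the three-tier policy."""
    s, d = tier_of(src_ip), tier_of(dst_ip)
    if (dst_ip, dst_port) in INFRA and s != "external":
        return True
    return (s, d, dst_port) in ALLOWED or ("any", d, dst_port) in ALLOWED

def triage(lines, max_severity=2):
    """Keep alerts at or above a severity (Suricata: 1 = highest), flag unexpected flows."""
    out = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if ev.get("event_type") != "alert" or ev["alert"].get("severity", 99) > max_severity:
            continue
        src, dst, port = ev["src_ip"], ev["dest_ip"], ev.get("dest_port", 0)
        out.append({"sig": ev["alert"]["signature"], "src_tier": tier_of(src),
                    "dst_tier": tier_of(dst), "dst_port": port,
                    "unexpected_flow": not flow_expected(src, dst, port)})
    return out

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

An alert on an allowed flow (web to app on 8443) is still reported, but an alert on a flow the DFW should never have permitted (web straight to db) is marked unexpected, which also hints that the DROP rule was disabled as described above.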