This article provides the general steps to integrate Deep Security Virtual Appliance (DSVA) Anti-Malware detection with NSX-T Security Tags so that VMs with a detection are moved into isolation by the NSX-T Distributed Firewall.
- Licensed Deep Security Manager version 20.0 with Deep Security Virtual Appliance (DSVA) version 20.0; upgrade the DSVA to the latest version using the RHEL7 agent package.
- Licensed NSX-T 3.x and above
- Configure the NSX-T Transport Node Profile with both a VLAN and an Overlay transport zone:
- VLAN transport zone to create the VLAN segment for VM connections
- Overlay transport zone for the Service segment used for the DSVA deployment
- Configure the NSX-T VLAN segment to which the Guest VMs are connected
- Configure NSX-T Inventory > add a group that includes the Guest VMs that will be protected by DSVA
- Configure NSX-T Endpoint Protection Rules > add a Rule and a Service Profile that will leverage the Deep Security policies
- Configure the NSX-T DFW > add a policy to control Guest VM network connections
Refer to the VMware KB about the NSX-T editions and feature mapping - https://kb.vmware.com/s/article/86095
Configure the following to be able to auto-quarantine VMs on malware detection:
- Set up the Transport Node Profile with a VLAN and an Overlay transport zone
- Enable the NSX-T security tag in the Deep Security Policy
- Create a new group with a suitable name such as "isolation-VM" that includes the VMs tagged with "ANTI_VIRUS.VirusFound.threat=medium"
- Create an NSX-T Distributed Firewall rule that "Reject"s outgoing connections from source group "isolation-VM" to destination "Any"
- Create a new segment connected to the VLAN transport zone and attach all Guest VMs to this segment
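The group and DFW rule above expressed as NSX-T Policy API bodies, plus a local check of how tag-based membership drives the reject rule. This is an added example, not Trend Micro or VMware code; the Policy API field names, the "Emergency" category and the empty tag scope are assumptions.

```python
NSX_TAG = "ANTI_VIRUS.VirusFound.threat=medium"   # tag applied by Deep Security (from the article)
GROUP_ID = "isolation-VM"                           # group name used in the article
DOMAIN = "/infra/domains/default"                   # default NSX-T Policy domain

def tag_condition_value(tag, scope=""):
    # NSX-T Policy writes a tag criterion as "scope|tag"; an empty scope is assumed for DS tags
    return f"{scope}|{tag}" if scope else tag

def build_isolation_group(tag=NSX_TAG, group_id=GROUP_ID, scope=""):
    """Body for PUT /policy/api/v1{DOMAIN}/groups/{group_id}: membership by VM tag."""
    return {
        "resource_type": "Group",
        "display_name": group_id,
        "expression": [{
            "resource_type": "Condition",
            "member_type": "VirtualMachine",
            "key": "Tag",
            "operator": "EQUALS",
            "value": tag_condition_value(tag, scope),
        }],
    }

def build_isolation_policy(group_id=GROUP_ID):
    """Body for PUT /policy/api/v1{DOMAIN}/security-policies/isolate-tagged-vms."""
    return {
        "resource_type": "SecurityPolicy",
        "display_name": "isolate-tagged-vms",
        "category": "Emergency",  # assumption: evaluated ahead of ordinary Application rules
        "rules": [{
            "resource_type": "Rule",
            "display_name": "reject-egress",
            "source_groups": [f"{DOMAIN}/groups/{group_id}"],
            "destination_groups": ["ANY"],   # destination "Any" as in the article
            "services": ["ANY"],
            "scope": ["ANY"],
            "direction": "OUT",              # outgoing connections only
            "action": "REJECT",              # reject, not silently drop
        }],
    }

def vm_in_group(vm_tags, group):
    """Evaluate the group's tag condition for one VM; vm_tags is a list of (scope, tag)."""
    cond = group["expression"][0]
    scope, _, tag = cond["value"].rpartition("|")   # no "|" -> scope "" and tag = whole value
    return any(s == scope and t == tag for s, t in vm_tags)

def egress_is_rejected(vm_tags, group, policy):
    """True when this VM's tags put it in the source group of the REJECT/OUT rule."""
    rule = policy["rules"][0]
    in_source = f"{DOMAIN}/groups/{group['display_name']}" in rule["source_groups"]
    return in_source and rule["action"] == "REJECT" and rule["direction"] == "OUT" and vm_in_group(vm_tags, group)
```

Once Deep Security removes the tag after a clean scan, `vm_in_group` returns False and the VM drops out of the reject rule's source group, which is the behaviour checked in the testing steps later on this page.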
Testing whether the configuration works
- Log in to the Guest VM and verify that it can access the internet.
- Follow the instructions in this article to simulate a malware detection.
- Log in to the manager console and verify that Anti-Malware Events were generated.
- In NSX, verify that the Guest VM has been added to the "isolation-VM" group.
- Log in to the Guest VM and confirm that all outgoing connections are rejected by the NSX-T DFW.
- From the manager console, initiate a manual or scheduled Anti-Malware scan. Once there are no additional detections, the Security Tag is removed and the Guest VM is no longer a member of the "isolation-VM" group.
- Verify that the Guest VM can access the internet again.