Interpreting Realization status for Malware Prevention Distributed Rules and Policies

Article ID: 306213

Products

VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

This Knowledge Base article explains what each realization status shown for Intrusion Detection System (IDS) Security Policies means when those policies contain rules that use Malware Prevention profiles.


Symptoms:

Scenario 1:
  • The NSX-T Manager Policy UI shows that the realization status for Intrusion Detection System Security Policies that contain distributed rules using Malware Prevention profiles appears as "Disabled".

Scenario 2:
  • The NSX-T Manager Policy UI shows that the realization status for Intrusion Detection System Security Policies that contain distributed rules using Malware Prevention profiles appears as "Success", "Failed" or "In Progress".


Environment

VMware NSX-T Data Center 3.x
VMware NSX-T Data Center

Cause

A realization status of "Disabled" is caused by Intrusion Detection System not being enabled on either:
  • All standalone hosts
  • At least one cluster
A realization status of "Success", "In Progress", or "Failed" can be clicked on in the UI, or queried via the following API, to learn more:
  • GET https://<NSX-Policy-Manager-IP>/policy/api/v1/infra/realized-state/status?intent_path=<IDS-Security-Policy-Path>&include_enforced_status=true


Resolution

As of NSX release 3.2.0, tracking/realization of rules containing Malware Prevention profiles is not supported. The realization status, whether seen via the UI or the API, only indicates that the rule has been tracked up to the Transport Node; it does NOT indicate whether the rule has been enforced or processed.



Workaround:
To validate that a VM is indeed protected by Malware Prevention, perform the following steps:

  1.) Get the ID of the virtual machine with the API.
  • GET https://<NSX-Policy-Manager-IP>/policy/api/v1/fabric/virtual-machines
  • Locate your virtual machine and get the value corresponding to "external_id"
  2.) Validate that the host Transport Node hosting the virtual machine of focus contains the VM within its configuration file.
  • Log in via SSH to the host Transport Node
  • Run the command 'cat /var/run/muxconfig.xml'
  The external_id obtained in step 1 should be present in muxconfig.xml, similar to:
<VmConfig>
<uuid>[VM-external-ID-from-step-1]</uuid>
<solution>
    <id>634106827##########</id>
    <tag>SEND_TO_CLOUD_RA_DETECT_PREVENT</tag>
    <order>634106827##########</order>
    <action>RA_DETECT_PREVENT</action>
  </solution>
</VmConfig>
  3.) Validate that the Malware Prevention service virtual machine (SVM) services capture file events for the VM of focus, indicated by a line of the form:
VM <vm-id-obtained-from-step-1> policy tag is <policy-tag>
OR
VM <vm-id-obtained-from-step-1> policy tag has changed from <policy-tag> to <policy-tag>
where the <policy-tag> numeric values can be one of:
enum VmPolicyTag {
  POLICY_TAG_INVALID = 0;
  SEND_TO_CLOUD_RA_DETECT = 1;
  SEND_TO_CLOUD_RA_DETECT_PREVENT = 2;
  DONT_SEND_TO_CLOUD_RA_DETECT = 3;
  DONT_SEND_TO_CLOUD_RA_DETECT_PREVENT = 4;
}
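The following is an added example, not part of this article or of any VMware tooling, that runs the three workaround steps offline against constructed inputs: a fragment shaped like the fabric/virtual-machines response, a muxconfig.xml file, and SVM log lines in the two formats shown above. It assumes that muxconfig.xml has a single root element (named MuxConfig here only for the sample), that the solution ids can be any digits, and that a VM whose last logged policy tag name contains PREVENT is the "protected" state; all three are assumptions, as is the display_name field used to look up the VM.

```python
"""Added example (not from the KB article): offline checks mirroring the three
workaround steps. Every input below is a constructed sample; in a real check the
JSON comes from GET /policy/api/v1/fabric/virtual-machines, the XML from
/var/run/muxconfig.xml on the host transport node, and the log lines from the
Malware Prevention SVM."""
import json
import re
import xml.etree.ElementTree as ET

# VmPolicyTag enum as listed in the article.
VM_POLICY_TAG = {
    0: "POLICY_TAG_INVALID",
    1: "SEND_TO_CLOUD_RA_DETECT",
    2: "SEND_TO_CLOUD_RA_DETECT_PREVENT",
    3: "DONT_SEND_TO_CLOUD_RA_DETECT",
    4: "DONT_SEND_TO_CLOUD_RA_DETECT_PREVENT",
}
# Assumption: only tags whose name contains PREVENT count as "protected".
PREVENT_TAGS = {t for t, name in VM_POLICY_TAG.items() if "PREVENT" in name}

# Step 1 input: constructed fragment shaped like the fabric/virtual-machines response.
SAMPLE_VM_API_JSON = json.dumps({
    "results": [
        {"display_name": "web-01", "external_id": "50123456-aaaa-bbbb-cccc-000000000001"},
        {"display_name": "db-01", "external_id": "50123456-aaaa-bbbb-cccc-000000000002"},
    ]
})

# Step 2 input: constructed muxconfig.xml with one protected VM; the root element
# name and the solution ids are placeholders, not values from a real host.
SAMPLE_MUXCONFIG = """<MuxConfig>
<VmConfig>
<uuid>50123456-aaaa-bbbb-cccc-000000000001</uuid>
<solution>
    <id>634106827000000000</id>
    <tag>SEND_TO_CLOUD_RA_DETECT_PREVENT</tag>
    <order>634106827000000000</order>
    <action>RA_DETECT_PREVENT</action>
  </solution>
</VmConfig>
</MuxConfig>"""

# Step 3 input: constructed SVM log lines in the two formats the article describes.
SAMPLE_SVM_LOG = """VM 50123456-aaaa-bbbb-cccc-000000000001 policy tag is 1
VM 50123456-aaaa-bbbb-cccc-000000000001 policy tag has changed from 1 to 2
VM 50123456-aaaa-bbbb-cccc-000000000003 policy tag is 0"""


def external_id_for(vm_api_json, display_name):
    """Step 1: external_id of the VM with this display_name, or None if absent."""
    for vm in json.loads(vm_api_json).get("results", []):
        if vm.get("display_name") == display_name:
            return vm.get("external_id")
    return None


def muxconfig_entry(muxconfig_xml, external_id):
    """Step 2: {tag, action} of the VmConfig whose uuid matches, or None if absent."""
    root = ET.fromstring(muxconfig_xml)
    for vmconf in root.iter("VmConfig"):
        if vmconf.findtext("uuid", "").strip() != external_id:
            continue
        sol = vmconf.find("solution")
        if sol is None:
            return None
        return {"tag": sol.findtext("tag", "").strip(),
                "action": sol.findtext("action", "").strip()}
    return None


# Matches both "policy tag is N" and "policy tag has changed from N to M".
_LOG_RE = re.compile(
    r"VM\s*(?P<vm>\S+) policy tag "
    r"(?:is (?P<tag>\d+)|has changed from (?P<old>\d+) to (?P<new>\d+))"
)


def current_policy_tag(svm_log, external_id):
    """Step 3: last policy tag logged for this VM as (number, name); None if never seen."""
    tag = None
    for line in svm_log.splitlines():
        m = _LOG_RE.search(line)
        if not m or m.group("vm") != external_id:
            continue
        tag = int(m.group("tag") if m.group("tag") is not None else m.group("new"))
    if tag is None:
        return None
    return tag, VM_POLICY_TAG.get(tag, "UNKNOWN")


def is_protected(vm_api_json, muxconfig_xml, svm_log, display_name):
    """All three steps: True only if the VM is known to the fabric API, present in
    muxconfig.xml, and the SVM last logged a PREVENT policy tag for it."""
    ext = external_id_for(vm_api_json, display_name)
    if ext is None or muxconfig_entry(muxconfig_xml, ext) is None:
        return False
    cur = current_policy_tag(svm_log, ext)
    return cur is not None and cur[0] in PREVENT_TAGS


if __name__ == "__main__":
    for name in ("web-01", "db-01"):
        print(name, "protected:",
              is_protected(SAMPLE_VM_API_JSON, SAMPLE_MUXCONFIG, SAMPLE_SVM_LOG, name))
```

The check deliberately takes the last log line for a VM rather than the first, because a "has changed from X to Y" line supersedes an earlier "policy tag is X"; a VM that is in muxconfig.xml but whose last logged tag is a DETECT-only value is reported as not protected, which is the condition the realization status alone would not reveal.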