Interpreting Realization status for Malware Prevention Distributed Rules and Policies
Article ID: 306213
Products
VMware vDefend Firewall with Advanced Threat Prevention
Issue/Introduction
The purpose of this Knowledge Base article is to explain what each realization status of an IDS Security Policy means for rules that contain Malware Prevention profiles.
Symptoms:
Scenario 1:
The NSX-T Manager Policy UI shows the realization status of Intrusion Detection System Security Policies that contain distributed rules using Malware Prevention profiles as "Disabled".
Scenario 2:
The NSX-T Manager Policy UI shows the realization status of Intrusion Detection System Security Policies that contain distributed rules using Malware Prevention profiles as "Success", "Failed" or "In Progress".
Environment
VMware NSX-T Data Center 3.x
VMware NSX-T Data Center
Cause
A realization status of "Disabled" is caused by the Intrusion Detection System not being enabled on either:
All standalone hosts
At least one cluster
A realization status of "Success", "In Progress", or "Failed" can be clicked on in the UI, or queried via the following API, to learn more:
GET https://<NSX-Policy-Manager-IP>/policy/api/v1/infra/realized-state/status?intent_path=<IDS-Security-Policy-Path>&include_enforced_status=true
Resolution
As of NSX release 3.2.0, tracking/realization of rules containing Malware Prevention profiles is not supported. The realization status, whether seen via the UI or the API, only indicates that the rule has been tracked as far as the Transport Node; it does NOT indicate whether the rule has been enforced or processed.
Workaround: To validate that a VM is indeed protected by Malware Prevention, perform the following steps:
1.) Get the ID of the virtual machine via the API (the same <NSX-Policy-Manager-IP> placeholder as in the API call above):
GET https://<NSX-Policy-Manager-IP>/policy/api/v1/fabric/virtual-machines
Locate your virtual machine and note the value of "external_id".
2.) Validate that the host Transport Node running the virtual machine in question contains the VM in its configuration file.
Log in via SSH to the host Transport Node.
Run the command 'cat /var/run/muxconfig.xml'
The external_id obtained in step 1 should be present in muxconfig.xml, similar to the following:
In the logs (/var/log/syslog), the following types of entries are seen:
VM <vm-id-obtained-from-step-a> policy tag is <policy-tag>
OR
VM <vm-id-obtained-from-step-a> policy tag has changed from <policy-tag> to <policy-tag>
Where the <policy-tag> numeric value can be one of:
enum VmPolicyTag {
POLICY_TAG_INVALID = 0;
SEND_TO_CLOUD_RA_DETECT = 1;
SEND_TO_CLOUD_RA_DETECT_PREVENT = 2;
DONT_SEND_TO_CLOUD_RA_DETECT = 3;
DONT_SEND_TO_CLOUD_RA_DETECT_PREVENT = 4;
}
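The following is an added example (not VMware's own tooling) that automates the two checks in the workaround: it looks for the VM's external_id in the muxconfig.xml content and parses the two syslog message shapes quoted above, keeping the most recent policy tag per VM and mapping it to the VmPolicyTag enum. The sample muxconfig fragment and log lines are constructed for illustration; the real file layout and log prefix on a host may differ.

```python
import re

# Numeric policy-tag values from the VmPolicyTag enum in this article.
VM_POLICY_TAG = {
    0: "POLICY_TAG_INVALID",
    1: "SEND_TO_CLOUD_RA_DETECT",
    2: "SEND_TO_CLOUD_RA_DETECT_PREVENT",
    3: "DONT_SEND_TO_CLOUD_RA_DETECT",
    4: "DONT_SEND_TO_CLOUD_RA_DETECT_PREVENT",
}
PREVENT_TAGS = {2, 4}   # tags whose name ends in _PREVENT
DETECT_TAGS = {1, 3}    # detect-only tags

# The two message shapes quoted in the article; any surrounding syslog prefix is ignored.
_TAG_IS = re.compile(r"VM\s+(?P<vm>\S+)\s+policy tag is\s+(?P<tag>\d+)")
_TAG_CHANGED = re.compile(r"VM\s+(?P<vm>\S+)\s+policy tag has changed from\s+\d+\s+to\s+(?P<tag>\d+)")

def latest_policy_tags(syslog_lines):
    """Return {external_id: tag_number}, keeping the last matching entry per VM."""
    tags = {}
    for line in syslog_lines:
        m = _TAG_CHANGED.search(line) or _TAG_IS.search(line)
        if m:
            tags[m.group("vm")] = int(m.group("tag"))
    return tags

def vm_in_muxconfig(muxconfig_text, external_id):
    """True if the VM's external_id appears anywhere in the muxconfig.xml content."""
    return external_id in muxconfig_text

def protection_status(external_id, muxconfig_text, syslog_lines):
    """Combine both checks from the workaround into one verdict string."""
    if not vm_in_muxconfig(muxconfig_text, external_id):
        return "not in muxconfig.xml"
    tag = latest_policy_tags(syslog_lines).get(external_id)
    if tag is None:
        return "no policy tag entry in syslog"
    name = VM_POLICY_TAG.get(tag, "UNKNOWN_TAG")
    mode = "prevent" if tag in PREVENT_TAGS else ("detect" if tag in DETECT_TAGS else "invalid")
    return f"{name} ({mode})"

# Constructed sample data (assumed format, not captured from a real host).
SAMPLE_MUXCONFIG = '<vm external_id="50123456-aaaa-bbbb-cccc-000000000001" />'
SAMPLE_SYSLOG = [
    "2024-01-01T00:00:01Z esx01 VM 50123456-aaaa-bbbb-cccc-000000000001 policy tag is 1",
    "2024-01-01T00:00:05Z esx01 VM 50123456-aaaa-bbbb-cccc-000000000001 policy tag has changed from 1 to 2",
    "2024-01-01T00:00:06Z esx01 VM 50123456-aaaa-bbbb-cccc-000000000002 policy tag is 0",
]
```

On a real host, feed the function the output of 'cat /var/run/muxconfig.xml' and the lines of /var/log/syslog instead of the constructed samples.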