After deploying VMware NSX Malware Prevention Service for Distributed firewall, the following items are visible in the UI:

1. Under System → Service Deployments → Service Instances tab, all Service instances under a deployment cluster report Health Status Down
2. Details for the Service Instance Health, show Solution Status Down.
3. One or more Service instances under this cluster may also show an alarm. Alarm details indicate "EPP Partner Channel Down" which indicates loss of connectivity between GI Host module and NSX Malware Prevention Service
4. ESX agent status for the problem service instance on the VC shows up and running. Both network adapters of this service instance in the network configuration show connected to "vmservice-vshield-pg"

VMware NSX-T

During Malware Prevention Service deployment user is expected to provide deployment parameters. Networks are required to be configured for the service being deployed. When user goes for network configuration of the service, there are two different networks that require configuration. The first network in the list is the control network. This is not available for configuration. The service internally configures this network. The second network in the list is the management network. Customers are expected to configure this network using one of the available networks and also pick a corresponding static or dynamic IP Pool that should be used with the selected network. The customer is expected to select any network from the available list that will let the Service connect to NSX and NSX Application Platform using the selected network.

If a management network is selected in one of the following ways:

1. "vmservice-vshield-pg" is selected as management network. This is an internal network and should NEVER be chosen for any configuration.
2. Network is selected with static IP pool but there are no IPs left in the static IP pool for this network.
3. Network is selected for use with DHCP but this network doesn't have any DHCP service running.
4. Chosen network with right IP resources doesn't provide connectivity to NSX and NSX Application platform.

This leads to failure of connectivity between Malware Prevention Service instance and NSX Application Platform. NSX Application Platform communication is a necessity for functioning of the service as malware analysis is supported using this platform. Service fails to start in case of its failure to connect to NSX Application platform.

Customers must undeploy the service and redeploy with correct management network selection during deployment.

Workaround:
There is no workaround

Impact/Risks:
Failure of MPS service on the deployment cluster will lead to failure to protect workload VMs on all impacted hosts in that cluster.