Symptoms:
GET https://<NSX-Manager-IP>/policy/api/v1/infra/settings/firewall/security/intrusion-services/signatures/status
{
"download_status" : "PENDING",
"signature_status" : "UNAVAILABLE",
"version_id" : "IDPSSignatures.1718.2023-06-09T22:45:07Z",
"resource_type" : "IdsSignatureStatus",
"id" : "status",
"display_name" : "status",
"path" : "/infra/settings/firewall/security/intrusion-services/signatures/status",
"relative_path" : "status",
"parent_path" : "/infra",
"unique_id" : "",
"realization_id" : "",
"marked_for_delete" : false,
"overridden" : false,
"_create_time" : ,
"_create_user" : "system",
"_last_modified_time" : ,
"_last_modified_user" : "system",
"_system_owned" : false,
"_protection" : "NOT_PROTECTED",
"_revision" : 123
}
This is a known issue impacting VMware NSX.
Workaround:
To reset the IDPS signature download processing, follow the steps below.
1. Get the IdsSignatureStatus using the GET API below.
GET https://<NSX-Manager-IP>/policy/api/v1/infra/settings/firewall/security/intrusion-services/signatures/status
2. Then update the IdsSignatureStatus using the API below.
PATCH https://<NSX-Manager-IP>/policy/api/v1/infra/settings/firewall/security/intrusion-services/signatures/status
Use the response from step 1 as the request body of the PATCH API above.
Change only the value of "download_status" from "PENDING" to "ERROR"; leave all other fields unchanged.
Sample:
{
"download_status" : "ERROR",
"signature_status" : "UNAVAILABLE",
"version_id" : "IDPSSignatures.1718.2023-06-09T22:45:07Z",
"resource_type" : "IdsSignatureStatus",
"id" : "status",
"display_name" : "status",
"path" : "/infra/settings/firewall/security/intrusion-services/signatures/status",
"relative_path" : "status",
"parent_path" : "/infra",
"unique_id" : "",
"realization_id" : "",
"marked_for_delete" : false,
"overridden" : false,
"_create_time" : ,
"_create_user" : "system",
"_last_modified_time" : ,
"_last_modified_user" : "system",
"_system_owned" : false,
"_protection" : "NOT_PROTECTED",
"_revision" : 123
}
To validate that the IdsSignatureStatus was updated successfully, use the GET API from step 1 and check that "download_status" is now "ERROR".
Once this is confirmed, wait until the download status changes to "download_status" : "READY".
3. Once this is validated, ensure that only three signature bundles remain on the system.
NOTE: Do not delete or modify the DEFAULT version, the ACTIVE version, or the version that was ACTIVE immediately before the current ACTIVE bundle.
The three signature bundles that must be kept are:
1. The ACTIVE version (i.e. the version with "state" set to "ACTIVE")
2. The DEFAULT version (i.e. the version with "version_id" set to "DEFAULT")
3. The version immediately older than the ACTIVE version (i.e. the bundle whose date and time are closest to, but earlier than, the ACTIVE bundle: the previous ACTIVE bundle)
Any other signature bundles present on the system must be deleted.
3a. To list the version IDs, use the API below, then delete one version at a time.
GET https://<NSX-Manager-IP>/policy/api/v1/infra/settings/firewall/security/intrusion-services/signature-versions
3b. Remove the extra bundles one by one with the DELETE API request below until only the three signature bundles listed above remain.
DELETE https://<NSX-Manager-IP>/policy/api/v1/infra/settings/firewall/security/intrusion-services/signature-versions/<Version-id>
Sample Signature Bundles:
"version_id" : "IDPSSignatures.1711.2023-01-01T14:46:24Z"
"version_id" : "IDPSSignatures.1712.2023-01-01T15:46:00Z"
3c. Once complete, verify that only three signature bundles are in the system by re-running the GET request in step 3a.
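The following is an added example, not VMware's own code, that scripts the two decisions in steps 2 and 3: building the PATCH body (changing only download_status, and refusing to do so unless the status really is PENDING) and working out which signature bundles to delete so that only the ACTIVE, DEFAULT and previous-ACTIVE bundles remain. It assumes the signature-versions response lists objects with "version_id" and "state" fields, and it recovers each bundle's timestamp from the version_id format shown in this article (IDPSSignatures.<n>.<ISO-8601>); the sample listing is constructed.

```python
import copy
from datetime import datetime, timezone


def build_reset_body(status):
    """Step 2: copy the GET /status response and flip only download_status.

    Refuses to act unless the download is actually stuck in PENDING, so a
    healthy manager is never reset by accident.
    """
    if status.get("download_status") != "PENDING":
        raise ValueError("download_status is %r, not PENDING; nothing to reset"
                         % status.get("download_status"))
    body = copy.deepcopy(status)  # every other field stays exactly as returned
    body["download_status"] = "ERROR"
    return body


def bundle_time(version_id):
    """Timestamp embedded in 'IDPSSignatures.<n>.<ISO-8601>' (assumed format)."""
    stamp = version_id.split(".", 2)[2]
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def versions_to_delete(versions):
    """Step 3: return the version_ids that are NOT one of the three bundles to keep."""
    active = [v for v in versions if v.get("state") == "ACTIVE"]
    if len(active) != 1:
        raise ValueError("expected exactly one ACTIVE bundle, found %d" % len(active))
    active_id = active[0]["version_id"]
    dated = [v["version_id"] for v in versions if v["version_id"] != "DEFAULT"]
    older = [vid for vid in dated if bundle_time(vid) < bundle_time(active_id)]
    keep = {"DEFAULT", active_id}
    if older:
        keep.add(max(older, key=bundle_time))  # closest predecessor of ACTIVE
    return sorted(vid for vid in dated if vid not in keep)


# Constructed sample of a signature-versions listing (not real manager output).
# Only the ACTIVE marker matters to the selection, so the other entries carry
# no "state" value here.
SAMPLE_VERSIONS = [
    {"version_id": "DEFAULT"},
    {"version_id": "IDPSSignatures.1711.2023-01-01T14:46:24Z"},
    {"version_id": "IDPSSignatures.1712.2023-01-01T15:46:00Z"},
    {"version_id": "IDPSSignatures.1715.2023-03-20T10:00:00Z"},
    {"version_id": "IDPSSignatures.1718.2023-06-09T22:45:07Z", "state": "ACTIVE"},
]
```

Send the body returned by build_reset_body with the PATCH request from step 2, and issue one DELETE per id returned by versions_to_delete, re-running the GET from step 3a afterwards to confirm that exactly three bundles remain.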