Extended signature reload times may be observed, potentially exceeding 60 seconds, when the IDS/IPS (or Malware Prevention on Edge) profile configured in the rule includes the full set of signatures(all severities). The comprehensive signature set can contain up to 17,000 signatures in total (approximately 4,000 critical and an additional 13,000 non-critical). The exact reload duration will vary based on the specific number of signatures selected in the profile. 

The signature reload operation will only delay applying non-critical signatures selected in the IDS/IPS profiles.

IDS/IPS feature is enabled on:

• NSX 4.2.2 and later on ESXi hosts deployed with Turbo mode(SCRX) and Edge
• vDefend Firewall with ATP 9.0.1 and later only on NSX Edge nodes

Malware Prevention feature  is enabled on:

• NSX 4.2.2 and vDefend Firewall with ATP 9.0.1 on NSX Edge nodes

This configuration is managed via NSX Manager UI, specifically under Security → IDS/IPS & Malware Prevention

• Signature Management
  • This is when a new signature bundle is updated with all the signatures.
• Distributed Rule or Gateway Rule
  • This is when a new rule is created with the profile containing all the signatures.

With the previous releases, the IDS/IPS engine operated by loading the complete signatures that were received as part of signature bundle download operation. This approach, while comprehensive, contributed to performance bottlenecks. Under that model, profile or rule updates did not trigger signature reloads; reloads were only performed infrequently when a new signature set was received.

With the latest enhancements, significant optimizations have been introduced in the IDS/IPS engine's signature handling. Even though the default signature set comes with critical and non-critical signatures, the default profile will have only critical ones selected  due to which the IDS engine now loads only critical signatures(approximately 4,000). However, a complete signature set rebuild and reload time taken is more with the full set of signatures(which can total up to approximately 17,000 signatures, including the 4,000 critical ones) in below scenarios:

• When a custom profile that incorporates the full set of signatures is actively used by IDPS rules.
• When a new signature bundle becomes available from the cloud (if Auto Update is enabled) and IDPS rules are configured with the IDPS profile incorporating all signatures.
• During vMotion (DRS enabled), IDPS rule realization on transport node depends on the VM workloads being vMotioned. This operation could also trigger signature reload.  

In such instances, this process may result in extended reload times. Customers may experience reload operations taking up to 60 seconds or more, particularly with profile updates containing a large number of signatures. The exact time taken can vary significantly based on environmental factors like CPU, network, and memory load on the system.

Upon successful parsing and verification of the IDPS configuration, a realization success status is sent to the NSX Manager. This occurs prior to the signature reload operation. Consequently, the realization status does not account for the duration required for the reload process. 

As a workaround, the successful completion of the reload can be checked by monitoring the following logs:

• On ESXi hosts: /var/log/nsx-syslog.log

2025-08-22T17:56:37.994Z -INFO nsx-sdp 216 [esx@4413 scPath="crx" progName="nsx-sdp" pid="216"] NSX 216 - [nsx@6876 comp="nsx-sdp" subcomp="idps" tid="383" level="INFO"] [IDPS]:suricata_log rule reload starting
2025-08-22T17:57:23.753Z -INFO nsx-sdp 216 [esx@4413 scPath="crx" progName="nsx-sdp" pid="216"] NSX 216 - [nsx@6876 comp="nsx-sdp" subcomp="idps" tid="383" level="INFO"] [IDPS]:suricata_log rule reload complete

• On NSX Edge nodes : /var/log/syslog

2025-07-16T15:16:45.352Z test-nsxedge NSX 3730 FIREWALL [nsx@6876 comp="nsx-edge" subcomp="datapathd" s2comp="firewall" level="INFO"] [IDPS]:suricata_log rule reload starting
2025-07-16T15:17:46.854Z test-nsxedge NSX 3730 FIREWALL [nsx@6876 comp="nsx-edge" subcomp="datapathd" s2comp="firewall" level="INFO"] [IDPS]:suricata_log rule reload complete

The realization status on the NSX Manager UI will be fixed to reflect the successful status after a reload is complete in the upcoming vDefend releases.