Juniper NSX-T User Manual

Security Director
Published
2021-04-11
VMware NSX-T Integration with Juniper Connected Security
Juniper Networks, Inc.
1133 Innovation Way
USA
408-745-2000
www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in
the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks
are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right
to change, modify, transfer, or otherwise revise this publication without notice.
Security Director VMware NSX-T Integration with Juniper Connected Security
Copyright © 2021 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
ii
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related
limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with)
Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement
(“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you
agree to the terms and conditions of that EULA.

Table of Contents

1
About the Documentation | v
Documentation and Release Notes | v
Documentation Conventions | v
Documentation Feedback | viii
Requesting Technical Support | viii
Self-Help Online Tools and Resources | ix
Creating a Service Request with JTAC | ix
VMWare NSX-T Integration
NSX Managers | 2
iii
Understanding Juniper Connected Security for VMware NSX-T Integration | 2
VMware NSX-T Overview | 3
vSRX Integration with NSX-T Manager and Junos Space Security Director | 3
High-Level Workflow | 4
Before You Deploy vSRX in VMware NSX-T Environment | 5
About the NSX Managers Page | 7
Tasks You Can Perform | 8
Field Descriptions | 8
Downloading the SSH Key File | 9
Add the NSX Manager | 11
Registering Security Services | 13
Deploy the vSRX as an Advanced Security Service in a VMware NSX-T Environment | 14
Create a Security Group | 15
Discover the NSX-T Manager and Register vSRX as a Security Service | 16
Deploy vSRX as a Security Service | 19
Verify vSRX Agent VM Deployment in Security Director | 20
Automatic Creation of Security Policy in the NSX-T Environment to Direct Traffic Through
the vSRX Agent VMs | 21
Delete the NSX-T Manager | 23
Delete NSX-T Manager Services | 24
About the vCenter Servers Page | 25
Tasks You Can Perform | 26
Field Descriptions | 26
About the Security Groups Page | 26
Tasks You Can Perform | 27
Field Descriptions | 27
View Members of a Security Group | 27
About the Virtual Machines Page | 28
Tasks You Can Perform | 28
Field Descriptions | 28
View Network Details of a Virtual Machine | 29
View Security Groups of a Virtual Machine | 30
Implement Threat Policy on VMWare NSX-T | 31
VMWare NSX-T Integration with Policy Enforcer and Sky ATP Overview | 31
iv
Implementation of Infected Hosts Policy Overview | 32
Register NSX Micro Service as Policy Enforcer Connector Instance Overview | 33
Before You Begin | 33
Infected Hosts Workflow in VMware NSX-T | 33
Configure VMware NSX-T with Policy Enforcer | 36
Example: Create a Firewall Rule in VMware NSX-T Using SDSN_BLOCK Tag | 38

About the Documentation

IN THIS SECTION
Documentation and Release Notes | v
Documentation Conventions | v
Documentation Feedback | viii
Requesting Technical Support | viii
Use this guide to understand how Juniper Networks vSRX Virtual Services Gateway integrates in VMware NSX-T environment as an advanced security service with Junos Space Security Director as its security manager. Policy Enforcer integrates with the VMware NSX solution to deliver an advanced next-generation firewall feature set that uses vSRX for VMware microsegmentation deployments.
v

Documentation and Release Notes

To obtain the most current version of all Juniper Networks®technical documentation, see the product
documentation page on the Juniper Networks website at https://www.juniper.net/documentation/.
If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at https://www.juniper.net/books.

Documentation Conventions

Table 1 on page vi defines notice icons used in this guide.
Table 1: Notice Icons
vi
DescriptionMeaningIcon
Indicates important features or instructions.Informational note
Caution
Indicates a situation that might result in loss of data or hardware
damage.
Alerts you to the risk of personal injury or death.Warning
Alerts you to the risk of personal injury from a laser.Laser warning
Indicates helpful information.Tip
Alerts you to a recommended use or implementation.Best practice
Table 2 on page vi defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions
ExamplesDescriptionConvention
Fixed-width text like this
Italic text like this
Represents text that you type.Bold text like this
Represents output that appears on
the terminal screen.
Introduces or emphasizes important
new terms.
Identifies guide names.
Identifies RFC and Internet draft
titles.
To enter configuration mode, type the configure command:
user@host> configure
user@host> show chassis alarms
No alarms currently active
A policy term is a named structure
that defines match conditions and
actions.
Junos OS CLI User Guide
RFC 1997, BGP Communities
Attribute
Table 2: Text and Syntax Conventions (continued)
vii
ExamplesDescriptionConvention
Italic text like this
Text like this
< > (angle brackets)
| (pipe symbol)
Represents variables (options for
which you substitute a value) in
commands or configuration
statements.
Represents names of configuration
statements, commands, files, and
directories; configuration hierarchy
levels; or labels on routing platform
components.
variables.
Indicates a choice between the
mutually exclusive keywords or
variables on either side of the symbol.
The set of choices is often enclosed
in parentheses for clarity.
Configure the machine’s domain
name:
[edit] root@# set system domain-name
domain-name
To configure a stub area, include
the stub statement at the [edit protocols ospf area area-id]
hierarchy level.
The console port is labeled
CONSOLE.
stub <default-metric metric>;Encloses optional keywords or
broadcast | multicast
(string1 | string2 | string3)
# (pound sign)
[ ] (square brackets)
Indention and braces ( { } )
; (semicolon)
GUI Conventions
Indicates a comment specified on the
same line as the configuration
statement to which it applies.
Encloses a variable for which you can
substitute one or more values.
Identifies a level in the configuration
hierarchy.
Identifies a leaf statement at a
configuration hierarchy level.
rsvp { # Required for dynamic MPLS only
community name members [ community-ids ]
[edit]
routing-options {
static {
route default {
nexthop address;
retain;
}
}
}
Table 2: Text and Syntax Conventions (continued)
viii
ExamplesDescriptionConvention
Bold text like this
> (bold right angle bracket)
Represents graphical user interface
(GUI) items you click or select.
Separates levels in a hierarchy of
menu selections.
In the Logical Interfaces box, select
All Interfaces.
To cancel the configuration, click
Cancel.
In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback so that we can improve our documentation. You can use either of the following methods:
Online feedback system—Click TechLibrary Feedback, on the lower right of any page on the Juniper
Networks TechLibrary site, and do one of the following:
Click the thumbs-up icon if the information on the page was helpful to you.
Click the thumbs-down icon if the information on the page was not helpful to you or if you have
suggestions for improvement, and use the pop-up form to provide feedback.
E-mail—Send your comments to techpubs-comments@juniper.net. Include the document or topic name,
URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active Juniper Care or Partner Support Services support contract, or are
covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.
JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User
Guide located at https://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
Product warranties—For product warranty information, visit https://www.juniper.net/support/warranty/.
JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week,
365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:
Find CSC offerings: https://www.juniper.net/customers/support/
Search for known bugs: https://prsearch.juniper.net/
ix
Find product documentation: https://www.juniper.net/documentation/
Find solutions and answer questions using our Knowledge Base: https://kb.juniper.net/
Download the latest versions of software and review release notes:
https://www.juniper.net/customers/csc/software/
Search technical bulletins for relevant hardware and software notifications:
https://kb.juniper.net/InfoCenter/
Join and participate in the Juniper Networks Community Forum:
https://www.juniper.net/company/communities/
Create a service request online: https://myjuniper.juniper.net
To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool:
https://entitlementsearch.juniper.net/entitlementsearch/

Creating a Service Request with JTAC

You can create a service request with JTAC on the Web or by telephone.
Visit https://myjuniper.juniper.net.
Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see
https://support.juniper.net/support/requesting-support/.
1
PART

VMWare NSX-T Integration

NSX Managers | 2
CHAPTER 1

NSX Managers

IN THIS CHAPTER
Understanding Juniper Connected Security for VMware NSX-T Integration | 2
Before You Deploy vSRX in VMware NSX-T Environment | 5
About the NSX Managers Page | 7
Downloading the SSH Key File | 9
Add the NSX Manager | 11
Registering Security Services | 13
Deploy the vSRX as an Advanced Security Service in a VMware NSX-T Environment | 14
2
Delete the NSX-T Manager | 23
Delete NSX-T Manager Services | 24
About the vCenter Servers Page | 25
About the Security Groups Page | 26
View Members of a Security Group | 27
About the Virtual Machines Page | 28
View Network Details of a Virtual Machine | 29
View Security Groups of a Virtual Machine | 30
Implement Threat Policy on VMWare NSX-T | 31

Understanding Juniper Connected Security for VMware NSX-T Integration

IN THIS SECTION
VMware NSX-T Overview | 3
vSRX Integration with NSX-T Manager and Junos Space Security Director | 3
High-Level Workflow | 4
This section presents an overview of how Juniper Networks vSRX Virtual Services Gateway integrates in the VMware NSX-T environment as an advanced security service with Junos Space Security Director as its security manager.
VMware NSX-T Overview
VMware NSX-T is VMware’s network virtualization platform for the Software Defined Data Center (SDDC). Like server virtualization, network virtualization de-couples the network functions from the physical devices. VMware NSX-T is designed to address application frameworks and architectures that have heterogeneous endpoints and technology stacks. VMware NSX-T is not directly coupled with vShpere and therefore it supports various Hypervisors, Containers, BareMetal, and public clouds such as Amazon Web Service and Azure. With VMware NSX-T, you can design hybrid cloud for organizations where critical data and services are hosted within private cloud and web services or high availability application in Public clouds.
VMware NSX-T is the latest generation of VMware’s network virtualization product series. NSX-T is the successor to NSX-V. NSX-T supports third-party Hypervisors and next generation overlay encapsulation protocols such as Generic Network Virtualization Encapsulation (Geneve). NSX-T acts as a network Hypervisor that allows software abstraction of various network services that include logical switch (segments), logical routers (Tier-0 or Tier-1 Gateway), logical firewalls, logical load balancers, and logical VPNs.
3
VMware NSX-T provides L2-L4 stateful firewall features, network segmentations, multi tenancy support, L2/L3 VPN, load balancer, DHCP, source/destination NAT and many more services at Edge Gateway. VMware NSX-T provides framework to integrate the advanced security services as North-South at Edge Gateway.
Each virtual machine running in NSX-T environment can be protected with a full stateful firewall engine at a very granular level policy. Such policies can be application specific including services. vSRX runs as a service virtual machine and provides advanced services such as L4 to L7 services.
To deploy the advanced security features of the vSRX Virtual Services Gateway in the VMware NSX-T environment, the Junos Space Security Director, vSRX, and NSX-T Manager operate together as a solution to fully automate the provisioning and deployment of the vSRX to protect applications and data from advanced cyberattacks.
vSRX Integration with NSX-T Manager and Junos Space Security Director
To deploy the advanced security features of the vSRX Virtual Services Gateway in the VMware NSX-T environment, the Junos Space Security Director, vSRX, and NSX-T Manager operate together as a joint solution to fully automate the provisioning and deployment of the vSRX to protect applications and data from advanced cyberattacks.
Integration of the vSRX VM in the VMware NSX-T environment involves use with the following management software:
Junos Space Security Director—The centralized security management platform responsible for service
g301445
NSX-T Manager
Security Director/
Policy Enforcer
OVF
1
2 3
4
NSX Edge Cluster
vSRX
registration and configuration of each vSRX instance. The Security Director provides you with the ability to manage a distributed network of virtualized and physical firewalls from a single location. The Security Director functions as the management interface between the NSX-T Manager and the vSRX Services Gateway. Security Director manages the firewall policies on all vSRX instances.
NSX-T Manager—The centralized network management component of VMware NSX.
The NSX-T Manager is added as a registered device in the Security Director and communication is bidirectionally synchronized by the Junos Space Policy Enforcer between the two management platforms. All shared objects (such as security groups) are synchronized between the NSX-T Manager and Security Director. This includes the IP addresses of all VMs, including the vSRX agent VMs. Security Director creates an address group for each security group synchronized from the NSX-T Manager, along with the addresses of each member of the security group. The security groups discovered from the NSX-T Manager are mapped to dynamic address groups (DAG) in Security Director. Policy Enforcer retains the mapping of all IP addresses between security groups and dynamic address groups.
The vSRX Services Gateway is deployed as a partner service appliance in the VMware NSX-T environment. Use the security policies to direct all VM traffic through the vSRX VM for L4 through L7 advanced security analysis.
4
High-Level Workflow
Figure 1 on page 4 provides a high-level workflow of how the NSX-T Manager, Security Director, and
vSRX interact to deploy vSRX as a security service in the VMware NSX-T environment.
Figure 1: vSRX, Security Director, and VMware NSX-T Integration Workflow
1. The Junos Space Security Director initiates communication with the NSX-T Manager. The Security Director discovers, registers, and adds the NSX-T Manager as a device in its database. The Security Director also deploys the vSRX instance from the .ovf file and registers it as a security service. The NSX-T Manager and its inventory of shared objects (for example, security groups) and addresses are then synchronized with the Security Director. The registration process uses Policy Enforcer to enable bidirectional communication between Security Director and the NSX-T Manager.
2. The NSX-T Manager deploys the registered vSRX instance as a Juniper security service to the NSX Edge Cluster. The deployment is based on the vSRX .ovf file.
3. After the vSRX agent VM is provisioned as a security service, NSX-T Manager notifies Security Director by using REST API callbacks. Security Director pushes the initial boot configurations and Junos OS configuration policies to each vSRX agent VM to support the NSX-T security group. Security Director is aware of the NSX-T security groups and corresponding address groups, and all deployed vSRX agent VMs are automatically discovered.
Security policies redirect relevant network traffic originating from the VMs in a specific security group to the Juniper security service vSRX agent VM for further analysis.
5
The Security Director dynamically synchronizes the object database to all vSRX agent VMs deployed in NSX Edge Cluster. Security groups discovered from NSX-T Manager are mapped to a dynamic address group (DAG) in Security Director. The Security Director manages the firewall policies on the vSRX agent VMs. Using Security Director, you create advanced security service policies (for example, an application firewall policy or an IPS policy) and then push those policies.
4. The NSX-T Manager continue to send real-time updates on changes in the virtual environment to Security Director.
RELATED DOCUMENTATION
VMware NSX-T Data Sheet
Junos Space Security Director
vSRX

Before You Deploy vSRX in VMware NSX-T Environment

Before you begin deploying the vSRX Virtual Services Gateway as an advanced security service in VMware NSX-T:
Download the .ovf file of the vSRX software image from Juniper Networks website and save it to the
Policy Enforcer. The vSRX OVF URL automatically appears in the Register Security Service page of the Security Director when you register the vSRX virtual machine (VM) as a Juniper security service on the NSX-T Manager.
Obtain the Juniper SDSN for NSX license key (see Juniper SDSN for VMware NSX Licensing).
Install the VMware vCenter Server on a Windows VM or physical server, or deploy the VMware vCenter
Server Appliance. Connect to the vCenter Server from the vSphere Web Client. See the VMware documentation for details.
Install NSX-T Manager. NSX-T manager can be installed on ESXI or KVM servers. See the VMware
documentation for details.
NOTE: Juniper Networks devices require a license to activate the feature. To understand more
about VMWare NSX Licensing, see, Licenses for Network Management. Please refer to the Licensing Guide for general information about License Management.
6
Table 3 on page 6 lists the system software requirement specifications for the components of a vSRX,
Security Director, and VMware NSX-T Manager.
Table 3: System Software Specifications for vSRX in VMware NSX Environment
SpecificationComponent
6.5 and 6.7VMware ESXi Server
6.7 and 7.0VMware vCenter Server
3.0VMware NSX-T Manager
21.1 or laterJunos Space Security Director
21.1 or laterJunos Space Policy Enforcer
Junos OS Release vSRX 3.0 21.1 or latervSRX
4 GBMemory
16 GB (IDE or SCSI drives)Disk space
2 vCPUsvCPUs
Table 3: System Software Specifications for vSRX in VMware NSX Environment (continued)
SpecificationComponent
7
vNICs
A single vNIC for management traffic. Network traffic is
forwarded to the vSRX over a Virtual Machine Communication
Interface (VMCI) communication channel by the ESXi
hypervisor.
NOTE: VMCI is not a network interface (NIC) but a
VMWare-proprietary device for Host to Guest Communication.

About the NSX Managers Page

To access this page, click Security Director > Devices > NSX Managers.
Use the NSX Managers page to discover the NSX Manager and perform service registration of the vSRX VM with the NSX Manager. The NSX Manager is added as a device in the Security Director and its inventory is synchronized with Security Director.
When you add an NSX Manager in Security Director, the NSX Management RESTful API configures Policy Enforcer as a system log server in NSX Manager. The system log server handler runs in the Policy Enforcer virtual machine. On receiving the security group membership changes from system log, the system log service handler parses the system log and extracts the changed security group details. The security policies with rules having the modified security groups (dynamic address groups) as source or destination addresses are filtered and the perimeter firewall devices assigned to those policies are obtained. A remote procedure call (RPC) is sent to those perimeter firewall devices to update the dynamic address groups. The perimeter firewall devices then obtains and update the IP address feeds from Policy Enforcer.
Before you Begin
1. Install the Policy Enforcer Release OVA image.
a. After the installation is complete, log in to the Policy Enforcer VM through SSH. Run the service
commands to verify the status of the following services:
service nsxmicro status service sd_event_listener status service nsx_callback_listener status service ssh_listener status
b. If services are stopped, initiate the services again by running the following commands:
service nsxmicro start service sd_event_listener start service nsx_callback_listener start service ssh_listener start
2. Select Security Director > Administration > Policy Enforcer > Settings, and add Policy Enforcer to Security Director. For more information, see Identifying the Policy Enforcer Virtual Machine In Security
Director.
3. Download the SSH Key. Copy the vSRX OVA file to the Policy Enforcer VM along with the downloaded SSH key. See Download the SSH Key File.
4. Obtain the vSRX license key before adding the NSX Manager to the Security Director.
Tasks You Can Perform
8
You can perform the following tasks from this page:
Download the SSH Key. See Download the SSH Key File.
Add the NSX Manager. See “Add the NSX Manager” on page 11.
Register security services. See “Registering Security Services” on page 13.
Synchronize the NSX inventory.
Field Descriptions
Table 4 on page 8 provides guidelines on using the fields on the NSX Managers page.
Table 4: Fields on the NSX Managers Page
DescriptionField
Specifies the hostname or the IPv4 address of the NSX Manager.Hostname/IP Address
Specifies the name of the NSX Manager.Name
Associated vCenter
Specifies the hostname or the IP address of the vCenter associated with the
NSX Manager that is automatically fetched by Security Director.
Specifies the connection status of an associated vCenter.Associated vCenter Status
Specifies the registration status of the security services.Service Manager Registration Status
Table 4: Fields on the NSX Managers Page (continued)
DescriptionField
9
Services
Username
Specifies the service definition of a selected NSX Manager.
Click View to view the service definition.
Specifies the port number of the NSX Manager.Port
Specifies the username of the NSX Manager. The user must have the
administrator privileges to access the NSX Manager.
Specifies the connection status of the NSX Manager.Connection Status
RELATED DOCUMENTATION
Add the NSX Manager | 11

Downloading the SSH Key File

You must copy the vSRX OVA image to the Policy Enforcer virtual machine (VM) before adding the NSX Manager.
Use the Upload Image page to download the SSH key file and copy the vSRX OVA file to the Policy Enforcer VM by using the SFTP command with the downloaded SSH key. You must perform this as a first step before adding the NSX Manager.
To download the SSH key:
1. Select Security Director > Devices > NSX Managers.
The NSX Managers page appears.
2. Click Download SSH Key.
The Download SSH Key page appears.
3. Click Download SSH Key.
The SSH key is downloaded and saved in your local drive.
Copying vSRX OVA Image File to Policy Enforcer from Linux Machines
To copy the vSRX OVA file to a Policy Enforcer VM from a Linux machine:
1. Copy the downloaded SSH key file to the same directory where the vSRX OVA image file is saved.
2. Navigate to the directory path where vSRX OVA and SSH key files are located.
3. Run the chmod 600 <<SSHKEYFILE>> command to change the permission of the SSH key file.
4. Run the following commands:
sftp -o “IdentityFile=<<SSHKEYFILE>>" nsxmicro@<<pe_ipaddress>>
cd publish
put <<VSRX OVA FILE>>
The vSRX OVA file will be copied to the Policy Enforcer VM after sometime.
5. After the vSRX OVA file is copied, you can add the NSX Manager and register its services in the Security Director.
10
Copying vSRX OVA Image File to Policy Enforcer from MAC Machines
To copy the vSRX OVA file to a Policy Enforcer VM from a MAC machine:
1. Copy the downloaded SSH key file to the same directory where the vSRX OVA image file is saved.
2. Navigate to the directory path where vSRX OVA and SSH key files are located.
3. Run the chmod 600 <<SSHKEYFILE>> command to change the permission of the SSH key file.
4. Run the following commands:
sftp –i sshkey nsxmicro@<pe_ip>
cd publish
put *<<VSRX OVA FILE>>
The vSRX OVA file will be copied to the Policy Enforcer VM after sometime.
5. After the vSRX OVA file is copied, you can add the NSX Manager and register its services in the Security Director.
RELATED DOCUMENTATION
About the NSX Managers Page | 7

Add the NSX Manager

Use the Add NSX Manager page to add the NSX Manager in to the Security Director database. Based on the NSX details provided, the Security Director automatically fetches the associated VMware vCenter Server hostname from NSX.
To add a NSX Manager:
1. Select Devices > NSX Managers.
The NSX Managers page appears.
2. Click the add icon (+).
The Add NSX Manager page appears.
3. Complete the configuration by using the guidelines in Table 5 on page 11.
11
4. Click Finish to complete the configuration.
After adding the NSX Manager, you must register the vSRX VM as a Juniper security service with the NSX Manager. See “Registering Security Services” on page 13.
Table 5: Fields on the Add NSX Manager Page
DescriptionField
Enter the name of the NSX manager.Name
Enter the IPv4 address of the NSX manager.Host
Port
Username
Password
Enter the port number of the NSX Manager. The NSX Manager and Security Director use
SSL to communicate on TCP port 443.
Enter the username of the NSX Manager to allow Security Director to authenticate the
communication.
Enter the password of the NSX Manager to allow Security Director to authenticate the
communication.
Enter a description about the NSX Manager; you can use a maximum of 255 characters.Description
View the SSL certificate required to authenticate the NSX Manager.SSL Certificate
Select this option to accept the SSL certificate. This is a mandatory field.Accept SSL Certificate
Table 5: Fields on the Add NSX Manager Page (continued)
DescriptionField
12
Type
Firewall Type
Service Manager Registration
SD Username
Select an option: NSX-V or NSX-T.
VMware NSX-T is the latest generation of VMware’s network virtualization product series.
NSX-T is the successor to NSX-V. NSX-T supports third-party Hypervisors and next
generation overlay encapsulation protocols such as Generic Network Virtualization
Encapsulation (Geneve).
Select the type of perimeter firewall for your datacenter.
East-West Firewall—vSRX is spawned in each ESX server of VMware NSX for the
east-west traffic. This provides east-west security for members of the security groups
within a datacenter.
North-South Firewall—Perimeter firewall for the north-south traffic. This provides a
consistent north-south security for members of the security groups, if the members
move across datacenters.
You can select both the types or any one of the firewall types.
NOTE: Firewall Type is applicable only if you select the Type as NSX-V.
Enter the username of Security Director to allow the NSX Manager to authenticate its
communication with Security Director.
SD Password
Associated vCenter - vCenter Server
Username
Enter the password of Security Director to allow the NSX Manager to authenticate its
communication with Security Director.
Enter the license key of vSRX VM.License Key
To add multiple vCenter servers:
Click the + icon.
The Associate vCenter page is displayed.
Enter the IPv4 address of the VMware vCenter Server.Host
Enter the port number of the VMware vCenter Server. Default: 443Port
Enter the username of the VMware vCenter Server. Security Director uses these credentials
to discover the vCenter server and fetch the VM inventory details.
Table 5: Fields on the Add NSX Manager Page (continued)
DescriptionField
13
Password
Enter the password of the VMware vCenter Server. Security Director uses these credentials
to discover the vCenter Server and fetch the VM inventory details.
View the SSL certificate required to authenticate the vCenter Server.SSL Certificate
Select this option to accept the SSL certificate. This is a mandatory field.Accept SSL Certificate
RELATED DOCUMENTATION
About the NSX Managers Page | 7

Registering Security Services

Use the Register Security Service page in Security Director to register a Juniper security service on a specific NSX Manager. After registering the security service from Security Director, log in to the vCenter server and deploy the service from NSX.
To register the Juniper security service:
1. Select Devices > NSX Managers.
The NSX Managers page appears.
2. Select the NSX Manager for which service needs to be registered.
3. From the More list or right-click menu, select Register Security Service.
The Register Security Service page appears.
4. Complete the configuration by using the guidelines in Table 6 on page 14.
5. Click Register to complete the registration.
A confirmation message appears to indicate if registration is successful or not.
Table 6: Fields on the Register Security Service Page
DescriptionField
Enter the name for the Juniper Security Service.Service Name
14
vSRX OVF URL
vSRX Root Password
Firewall Type
RELATED DOCUMENTATION
About the NSX Managers Page | 7
The vSRX OVF image that you have copied to the Policy Enforcer VM is listed here.
Select the vSRX OVF image from the list.
Enter the root password of the vSRX instance.
The same root password is set for all the vSRX VMs deployed in NSX.
Enter the root password of the vSRX instance for confirmation.Confirm vSRX Root Password
The default firewall type is North-South. It is the perimeter firewall for the north-south
traffic. This provides a consistent north-south security for members of the security
groups, if the members move across datacenters.
The Firewall Type field is applicable only if the NSX Manager type is NSX-T.

Deploy the vSRX as an Advanced Security Service in a VMware NSX-T Environment

IN THIS SECTION
Create a Security Group | 15
Discover the NSX-T Manager and Register vSRX as a Security Service | 16
Deploy vSRX as a Security Service | 19
Verify vSRX Agent VM Deployment in Security Director | 20
Automatic Creation of Security Policy in the NSX-T Environment to Direct Traffic Through the vSRX Agent VMs | 21
Use the following procedures to deploy the vSRX as an advanced security service virtual machine (VM) in the VMware NSX-T environment. The vSRX VM is deployed in conjunction with Juniper Networks Junos Space Security Director and VMware NSX-T Manager.
Create a Security Group
You can create a security group by using the VMware NSX-T Manager. Each security group is a logical collection of objects which include VMs that you want to be members in the same security group and to which you will apply the vSRX as a Juniper security service. You can apply an advanced security service policy to all the objects contained in a security group.
To create a security group:
1. Log in to the VMware NSX-T Manager.
2. Select Inventory > Groups.
3. Click ADD GROUP icon to create a new security group that contains the specific VMs you want as members of the same group, as shown in Figure 2 on page 15.
15
Figure 2: Add Groups Page
4. Type a group name and then click Set members.
5. On the Select Members page, define the criteria that an object must meet for it to be added to the security group you are creating. You can define a dynamic group membership criteria for the VMs that are to be part of each security group. For example, VM membership in a security group can be tagged by name. You define the exact membership criteria that you want to use to group VMs. Group membership is associated dynamically at runtime.
6. Click Apply to complete creating the security group.
Discover the NSX-T Manager and Register vSRX as a Security Service
The NSX-T Manager is added as a device in Security Director, and its inventory is synchronized with Security Director.
NOTE: Ensure that SNMP is disabled in Security Director while performing device discovery for
the vSRX agent VM. If SNMP is enabled in Security Director, the vSRX agent VM discovery operation fails.
To discover the NSX-T Manager from Security Director:
1. Select Security Director > Devices > NSX Managers.
The NSX Managers page appears.
2. Click the Add icon (+) to add the NSX Manager to Security Director.
16
The Add NSX Manager page appears, as shown in Figure 3 on page 16.
Figure 3: Add NSX Manager Page
3. In the NSX Manager section, enter the following information:
Name—Enter the name of the NSX Manager.
Host—Enter the IP address of the NSX Manager.
Port—Enter the port number of the NSX Manager. The NSX Manager and Security Director use SSL
to communicate on TCP port 443.
Username, Password—Enter the username and password of the NSX Manager that are required for
communication to be authenticated by the Security Director.
Description—Enter a description for the NSX Manager you are to add to the Security Director.
Type—Select NSX-T.
NSX-T is the successor to the NSX-V product. VMware NSX-T is the latest generation of VMware’s network virtualization product series.
4. Click Next.
5. In the Service Manager Registration section, enter the following details about the Security Director:
SD Username, SD Password—Enter the username and password of Security Director to allow the
NSX-T Manager to authenticate communication to the Security Director.
License Key—Enter the license key for the previously procured Juniper SDSN for NSX license (see
Juniper SDSN for VMware NSX Licensing for details).
17
6. Click Next.
7. In the vCenter Server section, click the + icon to add vCenter servers. Provide the following details on the Associate vCenter page:
Host—Enter the IP address of the VMWare vCenter Server.
Port—Enter the port number of the VMWare vCenter Server. By default, 443 is used.
Username, Password—Enter the username and password of the VMware vCenter Server. Security
Director uses these credentials to discover the vCenter Server and fetch the VM inventory details.
8. Click Finish.
The Summary page of configuration changes appears. Click OK to add the NSX-T Manager. When you return to the NSX Managers page, you will see the discovered NSX-T Manager listed.
After adding the NSX-T Manager, you must register the vSRX VM as a Juniper security service with the NSX-T Manager.
To register the vSRX instance as a Juniper security service:
1. Select the NSX-T Manager for which service needs to be registered, right-click or from the More list, select Register Security Service.
The Register Security Service page appears, as shown in Figure 4 on page 18.
Figure 4: Register Security Service Page
18
2. In the Service Name field, enter the name of the Juniper security service.
3. From the vSRX OVF URL list, select the available vSRX OVF image that you copied to the Policy Enforcer machine.
4. In the vSRX Root Password field, enter the root password of the vSRX instance. The same root password will be set for all the vSRX instances deployed in NSX.
5. By default, the firewall type is North-South. This is the perimeter firewall for the north-south traffic. This provides a consistent north-south security for members of the security groups, if the members move across datacenters.
6. Select a failure policy.
Select Allow to send traffic to the destination VM when the service VM fails. Select Block to not send traffic to the destination VM when the service VM fails.
7. Click Register.
A confirmation message indicates whether the registration is successful or not.
The vSRX is added as a network service that can be deployed by the NSX-T Manager.
In the VMware NSX-T Manager, verify the following:
Select System > Service Deployments and then select the CATALOG tab. Verify that the service name
provided while registering the Security Service is listed in the table (the newly registered vSRX VM) as shown in Figure 5 on page 19.
Figure 5: Service Definition
19
The NSX-T Manager and its inventory are now synchronized with the Security Director. All shared objects (such as security groups) are synchronized between the NSX-T Manager and Security Director. The shared objects include the IP addresses of all VMs, including the vSRX agent VMs. Security Director creates a dynamic address group(DAG) for each security group synchronized from the NSX-T Manager, along with the addresses of each member of the security group.
After you register a Juniper security service in the NSX-T Manager, the NSX-T Manager uses the vSRX agent VM to communicate the service status. The NSX-T Manager transmits messages to Security Director when any changes or activities are happening in the NSX-T Manager that are related to the Juniper security service.
Deploy vSRX as a Security Service
The next step is to deploy the Juniper security service.
To deploy the vSRX agent VM as a security service:
1. Select System > Service Deployments and then click the DEPLOYMENT tab.
2. Select the partner service as the registered service and then click Deploy Service.
a. Enter the service deployment name.
b. Select the attachment point as Tier1 gateway or Tier 0 gateway.
c. Select the Compute Manager as vCenter.
d. Select the Cluster on which the vSRX agent VM is to be deployed.
e. Select the datastore on which to allocate shared storage for the vSRX agent VM.
f. Click Set and then provide the network details such as, primary interface network, primary interface
IP, primary gateway address, primary subnet mask and click Save.
3. Click SAVE to deploy the vSRX agent VM as a security service.
The Security Director automatically discovers all the deployed vSRX VM agents by using the device-initiated discovery. A new firewall and IPS group policies are created and all devices are assigned to these group policies.
20
NOTE:
The Security Director creates predefined IPS policies with a single IPS template. You can
either add more IPS templates or convert the predefined IPS policies to custom IPS policies.
You must register different service for each service deployment.
Verify vSRX Agent VM Deployment in Security Director
In Security Director, based on the NSX Manager discovery, NSX security groups are automatically synchronized with Security Director. For each service group in NSX Manager, Security Director creates a corresponding dynamic address group.
To verify that the vSRX agent VMs have been deployed:
1. Select Security Director > Devices > NSX Managers.
The NSX Managers page appears with the discovered NSX Manager and the vSRX instance registered as a new service.
2. Select Security Director > Monitor > NSX Inventory > Security Groups.
The Security Groups page appears listing all the security groups obtained from NSX and the corresponding dynamic address groups created by the Security Director.
3. Select Security Director > Monitor > vCenter Server Inventory > Virtual Machines.
The Virtual Machines page appears, listing the VMs that are dynamically fetched by the associated vCenter, as shown in Figure 6 on page 21. You can view the security groups associated with each VM. Also, you can view security groups associated with each VM.
Figure 6: Virtual Machines Page
21
Automatic Creation of Security Policy in the NSX-T Environment to Direct Traffic Through the vSRX Agent VMs
After you deploy vSRX agent VM security services, security policies are automatically created to redirect any network traffic originating from the VMs in a specific security group to the Juniper security service vSRX agent VM for further analysis.
To direct the traffic to the vSRX agent VMs by using the automatically created security policies:
1. In Security Director, install the IPS signature to all the vSRX VM agents.
2. On the Firewall and IPS Policies page, add new rules to the automatically created firewall or IPS policies with respective dynamic address groups. You can also use the application firewalls in the firewall rules.
3. After creating policy rules, publish and update the firewall and IPS policies.
4. After the firewall and IPS policies are successfully updated in the Security Director, log in to the VMware NSX-T Manager to verify the security policies.
Select Security > Network Introspection (N-S). The security policies are automatically created from Security Director, as shown Figure 7 on page 22.
Figure 7: Network Introspection (N-S)
22
When you return to Security Director > Devices > Security Devices, you can view the active configuration for the vSRX agent VMs, as shown in Figure 8 on page 22.
Figure 8: Security Devices Page
The NSX-T Manager is aware of the security groups that the Juniper security service monitors. If any changes occur in the security group, the NSX-T Manager notifies Security Director about those changes. If membership changes, NSX-T Manager notifies Security Director of the changes and Security Director updates its database based on the new membership.

Delete the NSX-T Manager

You can delete the NSX-T Manager and its associated vCenter server from the Security Director inventory.
Before You Begin
Before you delete the NSX-T Manager, perform the following steps:
1. Unbind all bindings of network object from a service profile.
Log in to the VMware NSX-T Manager.
23
Select System > Service Deployment.
In the Deployment tab, select the deployed partner service that you want to delete.
The corresponding service details are displayed.
From the Actions list, select Delete.
The delete deployment service confirmation page appears.
Click DELETE to delete the deployed service.
If the action is successful, the deployed service is deleted.
To delete the NSX-T Manager from Security Director:
1. Select Devices > NSX Managers.
The NSX Manager page appears.
2. Select the NSX-T Manager that you want to delete.
3. From the More list, or right-click menu, select Delete NSX Manager.
A confirmation message appears to confirm the deletion.
NOTE: You cannot delete NSX-T Manager from Security Director if the security service is
already deployed in the NSX-T Manager.
4. Click Yes to confirm the deletion.
The NSX-T Manager and its associated vCenter server are deleted from the Security Director inventory.
NOTE: You cannot delete NSX-T Manager if there is a NSX Secure Fabric. You must first delete
the Secure Fabric. See Editing or Deleting a Secure Fabric.
24
RELATED DOCUMENTATION
About the NSX Managers Page | 7

Delete NSX-T Manager Services

You can delete NSX-T Manager services from Security Director. Before deleting a service, you must ensure that the service is not deployed in VMware NSX-T Manager. If the service that you are trying to delete is already deployed in the VMware NSX-T Manager, you will see an error message. To delete the registered security service, you must first delete the deployed service.
To delete a NSX-T Manager service from Security Director:
1. Select Security Director>Devices>NSX Managers.
The NSX Managers page appears.
2. Select the NSX-T Manager for which you want to delete the service definition, and in the Services column click View.
The Services Definition page appears listing the registered security services.
3. Select the service that you want to delete, right click and select Delete Service.
If the selected service is already deployed in NSX-T Manager, an error message is shown to delete the registered security service.
To delete the deployed service from the NSX-T Manager:
a. Log in to the NSX-T Manager.
b. Select System > Service Deployment.
c. In the Deployment tab, select the deployed partner service that you want to delete.
The corresponding service details are displayed.
d. From the Actions list, select Delete.
The delete deployment service confirmation page appears.
e. Click DELETE to delete the deployed service.
If the action is successful, the deployed service is deleted.
f. Go to Security Director and repeat the procedure from Step 1.
4. If the selected service is not deployed in NSX-T Manager, Security Director deletes the service successfully.
25
RELATED DOCUMENTATION
About the NSX Managers Page | 7

About the vCenter Servers Page

To access this page, select Security Director > Devices > vCenter Servers.
VMWare NSX Manager is always associated to a vCenter Server. Based on the NSX Manager discovered by Security Director, the NSX service automatically fetches the associated vCenter server hostname. The NSX service uses the specific vCenter credentials provided by the user at the time of adding the NSX Manager, to connect to vCenter and obtain any required inventory from it.
Use the vCenter Servers page to view details of an associated vCenter Server.
Tasks You Can Perform
You can perform the following task from this page:
Synchronize any changes to the inventory objects in vCenter with the vCenter database.
Field Descriptions
Table 7 on page 26 provides guidelines on using the fields on the vCenter Servers page.
Table 7: Fields on the vCenter Servers Page
DescriptionField
Specifies the hostname of the associated vCenter Server.Host Name
Specifies the port number of the vCenter server.Port
26
Specifies the connection status of NSX Manager and associated vCenter server.Connection Status
RELATED DOCUMENTATION
About the NSX Managers Page | 7
Add the NSX Manager | 11
Registering Security Services | 13

About the Security Groups Page

To access this page, select Security Director > Monitor > NSX Inventory > Security Groups.
Use the Security Groups page to view a list of security groups obtained from NSX and the corresponding dynamic address groups created by Security Director.
The security groups updates are automatically synchronized by Security Director.
Tasks You Can Perform
You can perform the following task from this page:
View members of the security group.
Field Descriptions
Table 8 on page 27 provides guidelines on using the fields on the Security Groups page.
Table 8: Fields on the Security Groups Page
DescriptionField
27
NSX Manager
Members
DAG Name
Specifies the name of the NSX Manager from which the corresponding security group is
obtained.
Specifies the name of the security group.Name
Click View to view the list of VMs belonging to a security group.
If the vCenter is associated with the NSX Manager, the members list shows the VM names
with IPv4 and IPv6 addresses.
Specifies the name of a dynamic address group created for each security group.
The dynamic address group name is created in the format <NSX Manager name>-<security
group name>.
Specifies the definition of a security group.Definition
RELATED DOCUMENTATION
About the NSX Managers Page | 7

View Members of a Security Group

Use the View Members page to view the list of VMs belonging to a security group.
To view the list of virtual machines:
1. Select Monitor > NSX Inventory > Security Groups.
The Security Groups page appears.
2. In the Members column, click View.
The View Members page appears. Table 9 on page 28 describes the fields on this page.
Table 9: Fields on the View Members Page
DescriptionField
Specifies the name of the security group.Security Group
Specifies the name of the VM that belongs to the security group.VM Name
Specifies the IPv4 address of the VM.IP Address
Specifies the IPv6 address of the VM.IPv6 Address
28
RELATED DOCUMENTATION
About the NSX Managers Page | 7

About the Virtual Machines Page

To access this page, select Security Director > Monitor > vCenter Server Inventory > Virtual Machines.
Use the Virtual Machines page to view the complete list of VMs that are dynamically fetched by the associated vCenter.
Tasks You Can Perform
You can perform the following tasks from this page:
View security groups associated with each VM.
View a list of vNICs for each VM and the network that each of vNIC is linked to.
Field Descriptions
Table 10 on page 29 provides guidelines on using the fields on the Virtual Machines page.
Table 10: Fields on the Virtual Machines Page
DescriptionField
Specifies the name of the VM.VM Name
Specifies the vCenter details.vCenter
29
OS on VM
Network Details
Specifies the operating system on each VM. For example: Red Hat, CentOS, and
so on.
Click View to view a list of security groups associated with each VM.Security Groups
Click View to view a list of vNICs for each VM with their corresponding IPv4 and
IPv6 addresses.
Specifies whether the VM is switched on or off.State
Specifies whether the VM is connected to the ESXi host or not.Status
RELATED DOCUMENTATION
About the NSX Managers Page | 7

View Network Details of a Virtual Machine

Use the View Network Details page to view the network details of a virtual machine(VM) such as name of the virtual Network Interface Card (NIC) or the network adapter and the IPv4 and IPv6 addresses of each NIC.
To view the network details:
1. Select Monitor > vCenter Server Inventory > Virtual Machines.
The Virtual Machines page appears.
2. In the Network Details column, click View.
The View Network Details page appears. Table 11 on page 30 provides the guidelines on using the fields on this page.
Table 11: Fields on the View Networks Details Page
DescriptionField
Specifies the IP address of the VM.Virtual Machine
Specifies the name of a vNIC or network adapter.vNIC
Specifies the IPv4 address of a vNIC.IPv4
Specifies the IPv6 address of a vNIC.IPv6
RELATED DOCUMENTATION
About the NSX Managers Page | 7
30

View Security Groups of a Virtual Machine

Use the Security Groups page to view the list of security groups assigned to a virtual machine (VM).
To view the list of security groups:
1. Select Monitor > vCenter Server Inventory > Virtual Machines.
The Virtual Machines page appears.
2. In the Security Groups column, click View.
The Security Groups page appears. Table 12 on page 30 describes fields on this page.
Table 12: Fields on the Security Groups Page
DescriptionField
Specifies the IP address of the VM.Virtual Machine
Specifies the name of the security group to which a VM belongs.Security Group
RELATED DOCUMENTATION
About the NSX Managers Page | 7

Implement Threat Policy on VMWare NSX-T

IN THIS SECTION
VMWare NSX-T Integration with Policy Enforcer and Sky ATP Overview | 31
Before You Begin | 33
Configure VMware NSX-T with Policy Enforcer | 36
Example: Create a Firewall Rule in VMware NSX-T Using SDSN_BLOCK Tag | 38
31
VMWare NSX-T Integration with Policy Enforcer and Sky ATP Overview
Juniper Networks Sky Advanced Threat Prevention (Sky ATP) identifies the infected virtual machines(VMs) running on VMWare NSX-T and tags these VMs as infected. This is based on a malware file exchange from the infected VMs and/or based on the Command and Control communication with known botnet sites on the internet.
Based on this identification of infected or compromised hosts, you can take one of the following actions:
Enable additional security features such as Layer-7 Application Firewall and Intrusion Prevention (IPS)
leveraging vSRX
Enforce Layer-2 to Layer-4 controls using NSX Distributed Firewall
Leverage NSX integration with Host-Based security vendors
(https://www.vmware.com/products/nsx/technology-partners.html) to take host-based security actions such as running antivirus or anti malware features on the infected VMs.
Policy Enforcer provides a set of Connector APIs for the third-party adaptors. The NSX Connector integrates with the Policy Enforcer using these APIs to enable enforcement of the infected hosts policy on Secure Fabric. For NSX connectors, the NSX-T Manager, its associated vCenter, and an edge firewall form the Secure Fabric.
The following topology shows how NSX Manager and the edge firewall create a Secure Fabric with Policy Enforcer.
Figure 9: Topology of NSX-T Integration with Policy Enforcer
External network
NSX
Edge Cluster
Juniper Networks
Sky ATP
T0 Router
T1 Router
VM VM VM
g301446
vSRX
32
The service which is deployed in Tier 0 gateway in VMware NSX-T is enrolled into SKY ATP and acts as an edge firewall.
NOTE: You can register the NSX-T Manager with Security Director only when the Policy Enforcer
is configured. The NSX micro service is bundled with the Policy Enforcer VM. However, the NSX micro service is packaged as a standalone rpm, so that the NSX micro service upgrade and patches can be performed independent of the Policy Enforcer VM.
Implementation of Infected Hosts Policy Overview
The vSRX or SRX Series devices running as an edge firewall is enrolled to send all the suspected traffic to Sky ATP.
The following steps explain the high-level workflow:
If an infection is detected, Sky ATP notifies the Policy Enforcer about the infected IP addresses
If the infected IP address belongs to Secure Fabric associated with the NSX domain, Policy Enforcer
calls the NSX plugin APIs to notify the NSX Connector about the list of infected IP addresses
NSX service will then retrieve the VM corresponding to the IP addresses sent and then calls the NSX
API to tag to an appropriate VM with a security tag, SDSN_BLOCK.
You can then create a policy to block the infected hosts using the SDSN_BLOCK tag by creating gateway specific rules. The block policy consists of two rules for ingress block and egress block. The ingress block rule applies to any traffic originating from a security group composed of VMs tagged with a block tag to
any destination. Similarly, the egress block rule applies to any traffic destined to security group composed of VMs tagged with block tag from any source.
The creation of security groups associated with the SDSN_BLOCK tag, creation of ingress and egress block rules, and the action to take on the matching packets must be configured by the VMWare administrators. The NSX Connector will simply apply the SDSN_BLOCK tag on the infected VM.
Register NSX Micro Service as Policy Enforcer Connector Instance Overview
The integration of each NSX-T Manager discovered in Security Director with Policy Enforcer is triggered automatically.
The automatic registration of a connector instance involves the following steps:
1. Discovering the NSX-T Manager in Security Director. This triggers an auto creation of the Policy Enforcer connector instance.
2. Secure Fabric is created to manage the discovered NSX-T Manager.
33
3. Creation of threat prevention policy requires the knowledge of Sky ATP realm and the edge firewall device. These are taken as inputs from the user.
Before You Begin
IN THIS SECTION
Infected Hosts Workflow in VMware NSX-T | 33
Before you begin to configure NSX with Policy Enforcer, configure the infected hosts workflow in VMWare NSX-T Manager.
Infected Hosts Workflow in VMware NSX-T
To block the infected hosts:
1. Log in to VMware NSX-T Manager.
2. Select Inventory > Tags.
The Tags page is displayed.
3. Click ADD TAG and enter the tag name as SDSN_BLOCK.
4. Click Set Virtual Machines to select Virtual Machines where the tag should be applied.
The Select Virtual Machines page is displayed.
5. Select the virtual machine and click Apply.
6. Click SAVE to add the tag.
On successful creation of the tag, it will be displayed on the Tags page as shown in Figure 10 on page 34.
Figure 10: Tags Page
34
7. Select Inventory > Groups and then click ADD GROUP.
The security administrator can create the security group based on the security tag.
8. Enter a name of the security group.
9. Click Set Members.
The Select Members page is displayed, where you can define or add members for the security group.
10. On the Membership Criteria tab, click ADD CRITERIA.
11. Define the criteria that an object must meet for it to be added to the security group you are creating.
In the Criteria row, select the Virtual Machine and select the tag from the list and then select the SDSN_BLOCK tag name, as shown in Figure 11 on page 35.
Figure 11: Membership Criteria
35
Click Apply.
12. On the Groups page, click SAVE to add the group.
You can see that the security group has been created and the Virtual Machine with the security tag is assigned to the security group.
Configure VMware NSX-T with Policy Enforcer
The following steps explain configuring VMWare NSX-T with Policy Enforcer:
1. Add the NSX-T Manager to the Security Director database, as shown in Figure 3 on page 16. To know more about adding a NSX Manager, see “Add the NSX Manager” on page 11.
Figure 12: Add NSX Manager Page
36
2. After discovering the NSX-T Manager in Security Director, use the Guided Setup workflow to configure the following parameters:
Secure Fabric
Policy Enforcement Group (PEG)
Sky ATP Realm
Threat policies for the following threat types:
Command and Control (C&C) Server
Infected Hosts
Malware
3. Select Configuration > Guided Setup > Threat Prevention.
The Threat Prevention Policy Setup page appears.
4. Click Stat Setup.
The Threat Prevention Policy Setup page appears, as shown in Figure 13 on page 37. Some of the resources are already configured as you discover the NSX-T Manager.
Figure 13: Threat Prevention Policy Setup Page
5. In the Secure Fabric page, the site is already created. For that site, one enforcement point is also added.
To create a secure fabric site in Policy Enforcer for NSX based environment, you require two parts : NSX Manager and edge firewall. In the Add Enforcement Points page, add vSRX, as shown in the topology, as a edge firewall. Select the vSRX device listed under the Available column and move it to the Selected column. You now have two enforcement points within the Secure Fabric.
37
Click Next.
6. In the Policy Enforcement Groups page, the policy enforcement group is already created based on the Location Group Type. The location points to the Secure Fabric site created for NSX.
Click. Next.
7. In the Sky ATP Realm page, associate the Secure Fabric with a Sky ATP realm.
If the Sky ATP realm is already created, click Assign Sites in the Sites Assigned column and chose the Secure Fabric site. The Sky ATP realm and Secure Fabric are now associated.
Click. Next.
8. In the Policies page, create a threat prevention policy by choosing the profile types depending on the type of threat prevention this policy provides (C&C Server, Infected Host, Malware) and an action for the profile. The DDoS profile is not supported by the NSX Connector. Once configured, you apply policies to PEGs.
Click Assign groups in the Policy Enforcement Group column to associate the policy enforcement group with the policy.
Security Director takes the snapshot of the firewall by performing the rule analysis and threat remediation rules are pushed into the edge firewall.
Click Finish.
NOTE: The GeoIP feeds are not used with the NSX Connectors.
9. The last page is a summary of the items you have configured using quick setup. Click OK to be taken to the Policies page under Configure > Threat Prevention > Policies and your policy is listed there.
Example: Create a Firewall Rule in VMware NSX-T Using SDSN_BLOCK Tag
The following example shows the firewall rule creation using the SDSN_BLOCK security tag:
1. Log in to VMware NSX-T Manager.
2. Select Security > Gateway Firewall.
The GATEWAY FIREWALL page appears. Gateway firewall represents rules applied at the perimeter firewall.
38
3. Select GATEWAY SPECIFIC RULES tab and then select a gateway.
4. Click Add Policy.
5. Enter the policy name for the new security policy.
6. Select a policy and then select Add Rule to create a new firewall rule and then enter the firewall rule name.
7. Select the source as the security group with SDSN_BLOCK tag and click Apply.
8. In the Applied To column, select the interface to which the rule should be applied.
9. In the Action field, select the Drop option.
10. In the Destination field, select Any.
Figure 14: Gateway Firewall
39
11. Click PUBLISH.
Now security administrator can block the traffic coming from the infected hosts.
RELATED DOCUMENTATION
VMware NSX Data Sheet
vSRX
Loading...