Help Center User GuideGetting StartedFAQRelease Notes
User Guide
Getting Started
Release Notes

Implementing Threat Policy on VMWare NSX

VMWare NSX Integration with Policy Enforcer and Sky ATP Overview

Juniper Networks Sky Advanced Threat Prevention (Sky ATP) identifies the infected virtual machines(VMs) running on VMWare NSX and tags these VMs as infected. This is based on a malware file exchange from the infected VMs and/or based on the Command and Control communication with known botnet sites on the internet.

Based on this identification of infected or compromised hosts, you can take one of the following actions:

Policy Enforcer provides a set of Connector APIs for the third-party adaptors. The NSX Connector integrates with the Policy Enforcer using these APIs to enable enforcement of the infected hosts policy on Secure Fabric. For NSX connectors, the NSX Manager , its associated vCenter, and an edge firewall form the Secure Fabric.

The following topology shows how NSX Manager and the edge firewall create a Secure Fabric to use with Policy Enforcer.

Figure 55: Topology of NSX Integration with Policy Enforcer

of NSX Integration with Policy Enforcer

Within the NSX Manager, the virtual machines (VM) connect to logical networks, shown as green and yellow colour logical networks, as shown in Figure 55. The logical switches connect to each other using a Distributed Logical Router(DLR). To form the Secure Fabric, configure the edge service gateway (ESG) to point to SRX Series devices or vSRX as the gateway for the networks hosted on NSX. This is implemented by establishing IBGP session between ESG and vSRX or SRX Series device. This ensures that all the north-south traffic passes through the vSRX edge firewall. The vSRX edge gateway is enrolled with Sky ATP for the traffic inspection.

If NAT services are required, it must be configured on the vSRX and not on the ESG. Configure NAT services using the following CLI commands.

set security nat source rule-set trust-to-untrust from zone trust

set security nat source rule-set trust-to-untrust to zone untrust

set security nat source rule-set trust-to-untrust rule snat-rule match source-address

set security nat source rule-set trust-to-untrust rule snat-rule then source-nat interface

To establish a BGP session, use the following configuration commands:

set routing-options autonomous-system 10

set protocols bgp group nsx neighbor peer-as 10

You can view the BGP configuration in VMWare vCenter Server, as shown in Figure 56.

Figure 56: VMWare vCenter BGP Configuration

vCenter BGP Configuration

Note You can register the NSX Manager with Security Director only when the Policy Enforcer is configured. The NSX micro service is bundled with the Policy Enforcer VM. However, the NSX micro service is packaged as a standalone rpm, so that the NSX micro service upgrade and patches can be performed independent of the Policy Enforcer VM.

Implementation of Infected Hosts Policy Overview

The vSRX or SRX Series devices running as an edge firewall is enrolled to send all the suspected traffic to Sky ATP.

The following steps explain the high-level workflow:

You can then create a policy to block the infected hosts using the SDSN_BLOCK tag by creating VMWare Distributed Firewall (DFW) rules. The block policy consists of two rules for ingress block and egress block. The ingress block rule applies to any traffic originating from a security group composed of VMs tagged with a block tag to any destination. Similarly, the egress block rule applies to any traffic destined to security group composed of VMs tagged with block tag from any source.

The creation of security groups associated with the SDSN_BLOCK tag, creation of ingress and egress block rules, and the action to take on the matching packets must be configured by the VMWare administrators. The NSX Connector will simply apply the SDSN_BLOCK tag on the infected VM.

Registering NSX Micro Service as Policy Enforcer Connector Instance Overview

The integration of each NSX manager discovered in Security Director with Policy Enforcer is triggered automatically.


The automatic registration of a connector instance involves the following steps:

  1. Discovering the NSX Manager in Security Director. This triggers an auto creation of the Policy Enforcer connector instance.
  2. Secure Fabric is created to manage the discovered NSX Manager.
  3. Creation of threat prevention policy requires the knowledge of Sky ATP realm and the edge firewall device. These are taken as inputs from the user.

Before You Begin

Before you begin to configure NSX with Policy Enforcer, configure the infected hosts workflow in VMWare vCenter Server.

Infected Hosts Workflow in VMware vCenter Server


To block the infected hosts:

  1. Log in to the vSphere Web Client through the VMware vCenter Server.
  2. From the vSphere Web Client, click Networking & Security and then click NSX Managers.

    Under the Manage section, click Security Tags column head and create SDSN_BLOCK security tag for NSX, as shown in Figure 57.

    Figure 57: SDSN_BLOCK Security Tag

    SDSN_BLOCK Security

    The feed for the infected hosts will be triggered by Sky ATP down to Policy Enforcer. When there is a trigger, the SDSN_BLOCK tag is attached to the VM. Click on the VM Count column to see the VM details attached to the tag.

  3. Select Networking & Security and then click Service Composer.

    The Service Composer page appears. From the Service Composer, click the Security Groups tab. The security administrator can create the security group based on the security tag.

  4. Click the New Security Group icon to create a new security group.
  5. Enter a name and description for the security group and then click Next.
  6. On the Define dynamic membership page, define the criteria that an object must meet for it to be added to the security group you are creating.

    In the Criteria Details row, select Security Tag from the list and provide the SDSN_BLOCK tag name, as shown in Figure 58.

    Figure 58: Define Dynamic Membership Page

    Define Dynamic
Membership Page

    Click Next.

  7. In the Ready to Complete page, verify the parameters and click Finish.

    In the Service Composer page, under the Security Groups tab, you can see that the security group has been created and the VM with the security tag is assigned to the security group.

Configuring VMware NSX with Policy Enforcer


The following steps explain configuring VMWare NSX with Policy Enforcer:

  1. Add the NSX Manager to the Security Director database, as shown in Figure 59. To know more about adding a NSX Manager, see Adding the NSX Manager.

    Figure 59: Adding NSX Manager Page

    Adding NSX Manager
  2. After discovering the NSX Manager in Security Director, use the Guided Setup workflow to configure the following parameters:
    • Secure Fabric

    • Policy Enforcement Group (PEG)

    • Sky ATP Realm

    • Threat policies for the following threat types:

      • Command and Control (C&C) Server

      • Infected Hosts

      • Malware

  3. Select Configuration > Guided Setup > Threat Prevention.

    The Threat Prevention Policy Setup page appears.

  4. Click Stat Setup.

    The Threat Prevention Policy Setup page appears, as shown in Figure 60. Some of the resources are already configured as you discover the NSX Manager.

    Figure 60: Guided Setup Page

    Guided Setup Page
  5. In the Secure Fabric page, the site is already created. For that site, one enforcement point is also added.

    To create a secure fabric site in Policy Enforcer for NSX based environment, you require two parts : NSX Manager and edge firewall. In the Add Enforcement Points page, add vSRX, as shown in the topology, as a edge firewall. Select the vSRX device listed under the Available column and move it to the Selected column. You now have two enforcement points within the Secure Fabric.

    Click Next.

  6. In the Policy Enforcement Groups page, the policy enforcement group is already created based on the Location Group Type. The location points to the Secure Fabric site created for NSX.

    Click. Next.

  7. In the Sky ATP Realm page, associate the Secure Fabric with a Sky ATP realm.

    If the Sky ATP realm is already created, click Assign Sites in the Sites Assigned column and chose the Secure Fabric site. The Sky ATP realm and Secure Fabric are now associated.

    Click. Next.

  8. In the Policies page, create a threat prevention policy by choosing the profile types depending on the type of threat prevention this policy provides (C&C Server, Infected Host, Malware) and an action for the profile. The DDoS profile is not supported by the NSX Connector. Once configured, you apply policies to PEGs.

    Click Assign groups in the Policy Enforcement Group column to associate the policy enforcement group with the policy.

    Security Director takes the snapshot of the firewall by performing the rule analysis and threat remediation rules are pushed into the edge firewall.

    Click Finish.

    Note The GeoIP feeds are not used with the NSX Connectors.

  9. The last page is a summary of the items you have configured using quick setup. Click OK to be taken to the Policies page under Configure > Threat Prevention > Policies and your policy is listed there.

Example: Creating a Firewall Rule in VMWare vCenter Server Using SDSN_BLOCK Tag


The following example shows the firewall rule creation using the SDSN_BLOCK security tag:

  1. Log in to the vSphere Web Client through the VMware vCenter Server.
  2. Select Networking & Security and then click Service Composer.

    The Service Composer page appears.

  3. Select Security Policies tab in the Service Composer page.

    Create a security policy to block the traffic coming from the infected hosts.

  4. Select the Create Security Policy icon.

    The New Security Policy page appears.

  5. Enter a name and description for the security policy, and click Next.
  6. Select the Firewall Rules option from the left pane.

    The Firewall Rules page appears.

  7. Select the New Firewall Rule icon (+) to create a new firewall rule.

    The New Firewall Rule page appears.

  8. Enter the name of the firewall rule.
  9. In the Action field, select the Block option.
  10. In the Source field, click Change and select the security group.
  11. In the Destination field, click Change and select the security group to add as Any.

    Click Ok. Figure 61 shows a sample firewall rule configuration.

    Figure 61: New Firewall Rule Page

    New Firewall Rule
  12. Click Finish.

    A new policy is created. You can apply this policy to the security group.

  13. In the Security Policies page, right-click on the policy name and select Apply Policy.

    The Apply Policy to Security Groups page appears, as shown in Figure 62.

    Figure 62: Apply Policy to SG Page

    Apply Policy to SG
  14. Select the security group that you have created and assign to a policy.

    Security administrator is now able to block the traffic coming from the infected hosts.

Help us to improve. Rate this article.
Feedback Received. Thank You!

Ask questions in TechWiki

Check documentation in TechLibrary

Rating by you:      

Additional Comments

800 characters remaining

May we contact you if necessary?


Need product assistance? Contact Juniper Support