While setting up the new Gateway IDPS function in NSX-T 3.20 I wanted a way to test the functionality against log4j intrusion attempts. I discovered during this test that while the policy in my Gateway Rule was set to “Detect and Prevent”, some default signature actions are by default set to “Detect” and need to be modified if you want these intrusions to be prevented. There is a good KB article that mentions this in more detail: https://kb.vmware.com/s/article/87156
Activate the Gateway for N/S Traffic
After licensing NSX-T with NSX Firewall with Advanced Threat Prevention, turn on the IDS/IPS Gateway Firewall (currently in Tech Preview) on your Tier-1 Router by navigating to Security / IDPS/IPS & Malware Prevention / Settings / Shared
Configure Signature Updates
Navigate to Security / IDPS/IPS & Malware Prevention / Settings / IDS/IPS and select Auto Update if your NSX Managers can connect to the Internet. Change the Proxy Settings as needed.
Create the Profile
Navigate to the Security / IDPS/IPS & Malware Prevention / Profiles / IDS/IPS and create a profile, specifying the signature severities you want to monitor. For now, leave the rest as the default.
Create the Gateway Rule
Navigate to the Security / IDPS/IPS & Malware Prevention / Gateway Rules and create a Policy and Rule. Select the Security Profile you created previously and set the Mode to Detect & Prevent
Assuming you have some services behind your T1 published to the Internet, you can either wait for a malicious actor to attempt to compromise them, get your InfoSec Red Team to take a look, or hunt around for an online service to attempt an intrusion. I opted for the last one.
I found a service detectify.com where you can sign up for a trial account and register an “asset” (your domain). You will need to add a TXT DNS record to verify you are the domain owner before you can continue, and after this you can create a “Scan Profile”. The Scan Profile defines what to scan, how often, authenticated or not, to crawl subdomains etc etc.
I opted to scan my internet-facing instance of Harbor. I pressed the Start button and monitored NSX-T IDS/IPS for any events.
After a short time I started to see intrusion attempts in the Security Overview and IDS/IPS pages – great! There was a whole bunch of CVE-2021-4428 attempts (log4j) and the timeline, source and destination info were all available. When expanding the alert, however, I noticed in the bottom right corner that these events were “Detected Only” (purple colour). Hmm… that does not sound right – what did I miss?
Modify the Signature Actions
What it came down to was that even though the Gateway Rule was “Detect and Prevent”, it basically performs what is defined in the signature action. If the signature is set to Detect then that is what it will do.
To change the signature actions, edit your IDS/IPS Profile. Select the Manage signatures for this profile >> link
Filter the signatures as needed – I was interested in log4j so selected CVE-2021-44228. As you can see there are 4 pages of specific exploitation attempts associated with this CVE and they are nearly all set to an Alert action. Only Signature IDs 1107668 and 1107670 are set to Reject and these have a severity of High. The Critical severity attempts are set to Alert.
This is clearly by design from VMware and I can only surmise that it is because one size does not fit all use cases and you should review each exploitation attempt and set the action to Alert, Drop, or Reject as is appropriate for your environment. To continue testing the IDPS gateway firewall functionality, I set all signatures against this CVE to “Drop”. That makes 171 modifications I had to do manually ☹. There must be a better way and there is, but it is quite convoluted:
- Go to the page to edit the signatures
- Filter by CVE 2021-44228
- Check the box at the top left to select all signatures on the page
- Navigate to the other three pages and select all of those as well
- Once you have all your signatures ticked, close the filter by selecting the X next to CLEAR
- Once the filter has been cleared you see an Action box. Select the dropdown and the action you want for the signatures
After making these changes, my profile looks like this:
Note: the above procedure is specific for a particular Profile. You can also define these as global actions at Security / IDPS/IPS & Malware Prevention / Settings / IDS/IPS and select View and manage global signature set.
Going back to detectify.com, I initiated another scan of my harbor instance. I am happy to see now that these intrusion attempts have now been prevented 😊
Within Log Insight, I see the event data including the action – see my previous post on how to configure IDS/IPS logging
I hope you liked this investigation and testing of the NSX-T Gateway IDP/IPS. The NSX-T API does mention a Patch Global IDS Signature call you can make against the signature set in section 22.214.171.124.2. Later on I’ll try and automate the updates using the API.
As usual like, share, and spread the word!
1 thought on “NSX-T IDS/IPS Signature Actions for log4j”
Nicely done! In NSX-T 3.2 around 5000 signatures now have the default action set to Reject compared to around 100 that were set to Drop in NSX-T 3.1