Streamline Your Network Detection and Response with VMware NSX 3.2

Enabling NSX Network Detection and Response (NDR) in VMware NSX-T 3.2

In my previous post, I covered the deployment and enabling of NSX Intelligence on our NSX Application Platform. In this post, we will explore how to enable the integrated NSX Network Detection & Response (NDR) feature in NSX-T 3.2.

Before we begin, it’s essential to understand that the NDR solution in NSX-T 3.2 does not require the deployment of any sensors, unlike traditional NDR solutions. NSX-T becomes the sensor, monitoring traffic via NSX Intelligence, leveraging inputs from the NSX Malware Prevention solution and the NSX Intrusion Detection & Prevention (IDP) solution.

Requirements:

* NSX-T 3.2 or higher

* NSX Manager installed and configured

* NSX Intelligence enabled

* NSX Malware Prevention and IDP solutions enabled

Step 1: Log in to the NSX Manager as an administrator.

Step 2: Click on the “Security” tab, then click on the “Network Detection and Response” option.

Step 3: On the “NSX Network Detection and Response” page, click the “Activate” button.

Note: Before activating NDR, ensure that your NSX license meets the minimum requirements for NDR activation.

Step 4: Select the cloud region you want to use for the NSX Advanced Threat Prevention (ATP) cloud service. If you have already activated the Malware Protection feature, the selected cloud region will be preselected.

Step 5: Run prechecks to ensure all prerequisites are met. The activation wizard validates that the minimum license requirement is met, performs connectivity checks between the NSX Manager and the ATP cloud service, and validates that the selected cloud region is reachable.

Step 6: If all prechecks are successful, click “Activate.” This may take some time while the activation wizard completes the setup needed to get NDR up and running.

Step 7: Once completed, the status should be green, indicating that NDR is active and functioning correctly.

Step 8: Log out of the NSX Manager and log back in as an administrator. Click the nine-dot (3×3) icon in the top right corner. This will open a new window with the NSX Network Detection and Response landing page.

At this point, your NDR solution should be active, and you should see a dashboard showing security-related activities. In future posts, we will explore how to enable additional features, correlate security events from NSX Intelligence, Malware Prevention, Suspicious Network Activity, and IDS/IPS, and see traffic populating the dashboard.

Quick Win: Turning on NSX Suspicious Traffic detectors is an excellent quick win, but be aware that there is a software bug in NSX-T 3.2.0.1 that can cause meltdowns in your NAPP/NSX-Intelligence environment if you enable the Horizontal Port Scan and Uncommonly Used Port detectors. It’s best to check the release notes before enabling these two detectors to confirm the bug is fixed in the version you are running.

In conclusion, activating NSX Network Detection and Response in NSX-T 3.2 is a straightforward process that unlocks powerful security capabilities. By following these steps and exploring additional features, you can leverage NDR’s full potential and enhance your network security posture.