Configure east-west security
Configuring east-west security is necessary to enable the networking functionality required for the Integrity Monitoring, Intrusion Prevention, Firewall, and Web Reputation features.
Follow the steps below to configure east-west security:
- Add a service profile
- Add a service chain
- Add a Network Introspection policy
- Connect VMs to the logical switch
 
Add a service profile
- In NSX-T Manager, click Security at the top, toggle to POLICY, and then on the left, find Settings and click Network Introspection Settings.
- In the main pane, click SERVICE PROFILES.
- From the Partner Service drop-down list, select Trend Micro Deep Security if it is not already selected.
- Click ADD SERVICE PROFILE and fill out the fields as follows:
  - For the Service Profile Name, specify a name. Example: dsva-service-profile-ni.
  - For the Service Profile Description, enter a description. Example: Deep Security Service Profile for Network Introspection.
  - For the Vendor Template, select Default (EBT)_Network. This template was loaded at the same time as the Trend Micro Deep Security service.
- Check that the ADD SERVICE PROFILE page shows the values entered above.
- Click SAVE.
 
Add a service chain
- On the main pane, click the SERVICE CHAINS tab, and click ADD CHAIN. Fill out the fields as described in the following steps.
- For the Name, specify a name. Example: dsva-service-chain.
- For the Service Segments, select the service segment created previously. Example: service-segment.
- For the Forward Path:
  - Click Set Forward Path to open the dialog box.
  - Click ADD PROFILE IN SEQUENCE and add the service profile created previously. In the example, we selected dsva-service-profile-ni.
  - Click ADD.
  - Click SAVE.

  You're now back on the main SERVICE CHAINS page. Continue with the SERVICE CHAIN configuration below.
- For the Reverse Path, keep the Inverse Forward Path check box selected.
- For the Failure Policy, select Allow.
- Check that the service chain shows the values entered above.
- Click SAVE.

 
Add a Network Introspection policy
- Click Security at the top, toggle to POLICY, and then on the left, find East West Security and click Network Introspection (E-W).
- In the main pane, click + ADD POLICY.
- In the Name column, click within the New Policy cell and change the name. For example, use dsva-policy-ni. For Redirect To, select the service chain. In this example, we used dsva-service-chain.
- Select the check box next to dsva-policy-ni and click + ADD RULE. A rule appears under dsva-policy-ni. Click + ADD RULE again because we need 2 rules.
- Configure the 1st rule for inbound traffic:
  - For the Name, enter a name for the rule. Example: rule-in.
  - For the Sources, keep Any.
  - For the Destinations, select dsva-protection-group.
  - For the Services, keep Any.
  - For the Applied To, select dsva-protection-group.
  - For the Action, select Redirect.
- Configure the 2nd rule for outbound traffic:
  - For the Name, enter a name for the rule. Example: rule-out.
  - For the Sources, select dsva-protection-group.
  - For the Destinations, keep Any.
  - For the Services, keep Any.
  - For the Applied To, select dsva-protection-group.
  - For the Action, select Redirect.

  There is now a mapping between the VMs in the dsva-protection-group and the Default (EBT)_Network template specified in the dsva-service-chain.
- Check that the policy shows the two rules configured above.
- Click PUBLISH to finish the policy and rule creation.

 
Connect VMs to the logical switch
In order for the VMs in your group to be protected by east-west security in NSX-T, those VMs must be connected to the logical switch created in an earlier step.
In the example, we connected the Network adapter 1 to logical-switch-overlay. You can check that your VMs are connected to this switch by accessing vCenter through vSphere Client.
                                                    
                                                
You have now configured east-west security in NSX-T.
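
To review the result of the service chain and policy steps above, the following added example (not Trend Micro or VMware code) audits a hand-written summary of the configuration against the example values on this page. The dictionary layout and the `audit` function are hypothetical and are not the NSX-T API schema; fill the summary in from what NSX-T Manager shows.

```python
# Added example: audit a hand-built summary of the east-west configuration.
# The dictionary layout is hypothetical (not the NSX-T API schema); the names
# and values are the example ones used on this page.
GROUP = "dsva-protection-group"

def audit(chain, policy, group=GROUP):
    """Return a list of findings; an empty list means the summary matches the page."""
    findings = []
    if not chain.get("forward_path"):
        findings.append("service chain has no profile in the forward path")
    if not chain.get("inverse_forward_path"):
        findings.append("reverse path is not the inverse of the forward path")
    if chain.get("failure_policy") != "Allow":
        findings.append("failure policy differs from the documented value 'Allow'")
    if policy.get("redirect_to") != chain.get("name"):
        findings.append("policy does not redirect to this service chain")
    inbound = outbound = False
    for rule in policy.get("rules", []):
        name = rule.get("name", "?")
        if rule.get("action") != "Redirect":
            findings.append(f"{name}: action is not Redirect")
            continue
        # A rule applied more widely than the group redirects unrelated VMs too.
        if rule.get("applied_to") != [group]:
            findings.append(f"{name}: Applied To is not limited to {group}")
        inbound |= rule.get("destinations") == [group]
        outbound |= rule.get("sources") == [group]
    if not inbound:
        findings.append(f"no Redirect rule covers traffic destined for {group}")
    if not outbound:
        findings.append(f"no Redirect rule covers traffic sourced from {group}")
    return findings

# Constructed sample mirroring the values chosen in the steps above.
CHAIN = {"name": "dsva-service-chain", "service_segment": "service-segment",
         "forward_path": ["dsva-service-profile-ni"],
         "inverse_forward_path": True, "failure_policy": "Allow"}
POLICY = {"name": "dsva-policy-ni", "redirect_to": "dsva-service-chain", "rules": [
    {"name": "rule-in", "sources": ["Any"], "destinations": [GROUP],
     "services": ["Any"], "applied_to": [GROUP], "action": "Redirect"},
    {"name": "rule-out", "sources": [GROUP], "destinations": ["Any"],
     "services": ["Any"], "applied_to": [GROUP], "action": "Redirect"}]}

if __name__ == "__main__":
    for finding in audit(CHAIN, POLICY) or ["configuration matches the documented example"]:
        print(finding)
```

A missing outbound rule or an Applied To wider than the protection group shows up as a finding, which are the two mistakes most likely to leave one direction of traffic uninspected or to redirect VMs outside the group.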