Set vNetwork behavior when appliances shut down

Applies to on-premises Deep Security software installations only

Only read this topic if you are using Deep Security Manager 10.0 without any updates. With 10.0 Update 1 or later, the issues described in this topic are resolved.

NSX Manager 6.3.0 and later introduce an important networking change. Protected guest VMs might lose vNetwork connectivity if all of the following are true:

  1. On Deep Security Manager, for the protected VMs, you enable any feature that can use network introspection:

    • firewall
    • intrusion prevention (IPS)
    • web reputation

    and select Deep Security Virtual Appliance as the protection source.

  2. You configure NSX 6.3.0 or later to provide network introspection for the guest VMs.
  3. On the ESXi server, the Deep Security Virtual Appliance is:

    • deleted and re-deployed, or
    • powered down, or
    • unable to run its ds_agent service.

This occurs because NSX Manager 6.3.0 and later fail closed by default: unless you configure failOpen (which allows network traffic to continue while the appliance's protection is unavailable), NSX brings down the vNetwork of the protected VMs whenever the appliance reboots or is otherwise unavailable.

Failing closed eliminates the risk that guest VMs pass traffic with no appliance protection while the appliance is down. For many organizations, however, the downtime is the bigger risk. Note that failOpen is a trade-off, not a fix: with failOpen set to true, traffic to and from protected VMs is not inspected by the appliance for as long as it is unavailable.

If you require uninterrupted vNetwork connectivity, configure the failOpen option in vSphere.

  1. In the vSphere Web Client, go to Home > Networking & Security > Service Definitions.
  2. Double-click Trend Micro Deep Security service.

  3. Click Service Instances and then click Trend Micro Deep Security-GlobalInstance.

  4. Click Service Profiles and then click Default (EBT) to display the contents of the Trend Micro Deep Security service profile.

  5. On Default (EBT), select Settings and then click Edit.

  6. In the failOpen field, set the value to true, and then click OK.

  7. Click Publish.
  8. Go to Networking & Security > Service Composer > Security Groups.
  9. Right-click the security group and select Apply Policy.

  10. If the policy was already deployed and you are correcting it, you must unbind and re-bind it to the protected VMs' NSX security group so that NSX resends the policy: deselect the security policy and click OK, then select the security policy again and click OK.

    Re-deploy the policy immediately. Network connectivity for all protected guest VMs on the ESXi server may be interrupted until you do.
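The procedure above is performed in the vSphere Web Client. Because the setting is easy to lose (for example when the service definition is re-created after the appliance is deleted and re-deployed), it is worth having a scripted check that reports whether a service profile currently fails open or closed and, if required, sets failOpen to true before the policy is re-applied. The following Python script is an added example, not Trend Micro or VMware code. Only the attribute name failOpen and its values true/false come from this page; the REST path /api/2.0/si/serviceprofile/<id>, the XML layout with <profileAttributes>/<attribute>/<key>/<value> elements, and the sample profile document are assumptions made for illustration, so confirm them against your NSX Manager before relying on the network function.

```python
"""Audit and toggle the failOpen attribute of an NSX service profile.

Added example, not Trend Micro or VMware code. Assumptions (not from the page):
the NSX Manager REST endpoint /api/2.0/si/serviceprofile/<id> returns the
profile as XML with <profileAttributes><attribute><key>failOpen</key>
<value>...</value></attribute>, and accepts the same document back via PUT.
"""
import base64
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample of the assumed GET response: the profile fails closed,
# which is the NSX 6.3.0+ default described in the topic.
SAMPLE_PROFILE_XML = """<serviceProfile>
  <objectId>serviceprofile-1</objectId>
  <name>Default (EBT)</name>
  <profileAttributes>
    <attribute>
      <key>failOpen</key>
      <name>Fail open</name>
      <value>false</value>
    </attribute>
  </profileAttributes>
</serviceProfile>"""


def get_fail_open(profile_xml: str) -> Optional[bool]:
    """Return the boolean failOpen value, or None if the attribute is absent."""
    root = ET.fromstring(profile_xml)
    for attr in root.iter("attribute"):
        if attr.findtext("key") == "failOpen":
            value = (attr.findtext("value") or "").strip().lower()
            return value == "true"
    return None


def set_fail_open(profile_xml: str, fail_open: bool) -> str:
    """Return a copy of the profile XML with failOpen set to the requested value.

    Raises ValueError if the attribute is missing, because silently adding an
    attribute the service definition does not declare would not take effect.
    """
    root = ET.fromstring(profile_xml)
    for attr in root.iter("attribute"):
        if attr.findtext("key") == "failOpen":
            attr.find("value").text = "true" if fail_open else "false"
            return ET.tostring(root, encoding="unicode")
    raise ValueError("profile has no failOpen attribute; check the service definition")


def audit(profile_xml: str) -> str:
    """One-line verdict suitable for a runbook check or change ticket."""
    state = get_fail_open(profile_xml)
    if state is None:
        return "UNKNOWN: no failOpen attribute in profile"
    if state:
        return "FAIL-OPEN: traffic continues uninspected while the appliance is down"
    return "FAIL-CLOSED: protected VMs lose vNetwork connectivity while the appliance is down"


def nsx_request(manager: str, path: str, user: str, password: str,
                method: str = "GET", body: Optional[str] = None) -> str:
    """Minimal NSX Manager REST call with basic auth (assumed API; not run here)."""
    req = urllib.request.Request(
        f"https://{manager}{path}",
        data=body.encode() if body is not None else None,
        method=method,
    )
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/xml")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def ensure_fail_open(manager: str, profile_id: str, user: str, password: str) -> str:
    """Fetch the profile, set failOpen=true if needed, and return the audit verdict."""
    path = f"/api/2.0/si/serviceprofile/{profile_id}"  # assumed endpoint
    current = nsx_request(manager, path, user, password)
    if get_fail_open(current) is not True:
        nsx_request(manager, path, user, password, "PUT", set_fail_open(current, True))
        current = nsx_request(manager, path, user, password)
    return audit(current)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample only.
    print(audit(SAMPLE_PROFILE_XML))
    print(audit(set_fail_open(SAMPLE_PROFILE_XML, True)))
```

Run the offline demonstration to see the fail-closed verdict for the sample and the fail-open verdict after the change. After ensure_fail_open reports FAIL-OPEN against a real manager, step 10 still applies: the profile change only reaches the protected VMs once the security policy is unbound and re-bound to their NSX security group.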