Deep Security 11.1 has reached end of support.
Configure NSX security tags
If you are using agentless protection, you can configure Deep Security Virtual Appliance to apply NSX security tags to protected VMs when anti-malware or intrusion prevention (IPS) detects a threat. NSX security tags can be used with NSX Service Composer to automate certain tasks, such as quarantining infected VMs. For more information on NSX tagging and dynamic NSX security group assignment, see the documentation from VMware.
To configure the intrusion prevention module to apply NSX security tags, go to Computer or Policy editor > Intrusion Prevention > Advanced > NSX Security Tagging. You can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Policies page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details).
Intrusion prevention events have a severity level that is determined by the severity level of the intrusion prevention rule that triggered the event. To configure the severity level of an intrusion prevention rule, go to the Rule Properties > General tab.
Intrusion prevention rule severity levels map to NSX tags as follows:
IPS Rule Severity | NSX Security Tag |
---|---|
Critical | IDS_IPS.threat=high |
High | IDS_IPS.threat=high |
Medium | IDS_IPS.threat=medium |
Low | IDS_IPS.threat=low |
You can configure the sensitivity of the tagging mechanism by specifying the minimum intrusion prevention severity level that will cause an NSX security tag to be applied to a VM.
The options for the Minimum rule severity to trigger application of an NSX Security Tag setting are:
- Default (No Tagging): No NSX tag is applied.
- Critical: An NSX tag is applied to the VM if an intrusion prevention rule with a severity level of Critical is triggered.
- High: An NSX tag is applied to the VM if an intrusion prevention rule with a severity level of High or Critical is triggered.
- Medium: An NSX tag is applied to the VM if an intrusion prevention rule with a severity level of Medium, High, or Critical is triggered.
- Low: An NSX tag is applied to the VM if an intrusion prevention rule with a severity level of Low, Medium, High, or Critical is triggered.
Separate settings exist for rules in prevent mode vs. detect-only mode. For information about behavior modes, see Use behavior modes to test rules.
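The following added example (not Deep Security code) models the tagging decision described above so that a minimum-severity choice can be dry-run against sample events before NSX Service Composer rules depend on it. The policy dictionary layout, the mode keys `prevent` and `detect`, and the VM names are assumptions made for illustration.

```python
# Added illustration of the tagging rules on this page; not product code.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Severity-to-tag mapping taken from the table on this page.
NSX_TAG = {
    "Critical": "IDS_IPS.threat=high",
    "High": "IDS_IPS.threat=high",
    "Medium": "IDS_IPS.threat=medium",
    "Low": "IDS_IPS.threat=low",
}
NO_TAGGING = "Default (No Tagging)"


def tag_for_event(rule_severity, rule_mode, policy):
    """Return the NSX tag an IPS event would cause, or None if none applies.

    policy maps a behavior mode ("prevent" or "detect", hypothetical keys)
    to that mode's "minimum rule severity" setting.
    """
    if rule_severity not in SEVERITY_RANK:
        raise ValueError(f"unknown rule severity: {rule_severity!r}")
    minimum = policy.get(rule_mode, NO_TAGGING)
    if minimum == NO_TAGGING:
        return None  # tagging is disabled for this behavior mode
    if SEVERITY_RANK[rule_severity] < SEVERITY_RANK[minimum]:
        return None  # event is below the configured threshold
    return NSX_TAG[rule_severity]


def dry_run(events, policy):
    """Return (vm, tag) for every event that would tag its VM."""
    results = []
    for vm, severity, mode in events:
        tag = tag_for_event(severity, mode, policy)
        if tag is not None:
            results.append((vm, tag))
    return results


# Constructed sample data: (VM name, rule severity, rule behavior mode).
SAMPLE_POLICY = {"prevent": "High", "detect": NO_TAGGING}
SAMPLE_EVENTS = [
    ("vm-web-01", "Critical", "prevent"),
    ("vm-web-01", "Medium", "prevent"),
    ("vm-db-02", "High", "detect"),
    ("vm-app-03", "High", "prevent"),
]

if __name__ == "__main__":
    for vm, tag in dry_run(SAMPLE_EVENTS, SAMPLE_POLICY):
        print(vm, tag)
```

Because Critical and High share one tag, a Service Composer rule keyed on `IDS_IPS.threat=high` cannot tell them apart; only the minimum-severity setting decides whether High events tag the VM at all.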