Synchronize Deep Security policies with NSX

This topic is not applicable to NSX-T Data Center environments.

There are two ways to protect your VMs with Deep Security:

  • Use event-based tasks to activate and deactivate VMs in Deep Security and apply or remove a default policy. For more information, see "Event-Based Tasks Created When Adding a vCenter to Deep Security Manager" in Automated policy management in NSX environments.
  • Synchronize your Deep Security policies with NSX. This method is described below.

Each VM that you want to protect must belong to an NSX Security Group that has an NSX Security Policy assigned to it. When you set up an NSX Security Policy, one of the options that you select is the NSX Service Profile. With Deep Security 9.6 or earlier, there was only one NSX Service Profile for use with Deep Security. In Deep Security 9.6 SP1 or later, you can choose to synchronize all of your Deep Security policies with NSX. This creates a matching NSX Service Profile (which we call a "Mapped Service Profile" in Deep Security) for each of your Deep Security policies.

Enable policy synchronization:

All of the policies in Deep Security Manager must have a unique name before they are synchronized with NSX.

  1. In the Deep Security Manager, go to the Computers page and right-click the vCenter where you want to enable synchronization.
  2. Click Properties.
  3. On the NSX Configuration tab, select Synchronize Deep Security Policies with NSX Service Profiles. Click OK.

Next steps:

  1. There are several steps required to protect your VMs with Deep Security Virtual Appliance, and they must be completed in a specific order. For a complete list of steps, see Deploy the appliance (NSX-V) or Deploy the appliance (NSX-T).

Change or remove the policy assigned to a VM

When a VM is protected by a Mapped Service Profile, the policy assignment cannot be changed from within Deep Security Manager. To change the profile used to protect a VM, you must change the NSX Security Policy or NSX Security Group from your vSphere Web Client.

If you unassign an NSX Security Policy from a group, any VMs in that group will be deactivated in Deep Security Manager.

Change the name of a policy

If you rename a policy in Deep Security Manager, the NSX Service Profile Name will also be changed.

Delete a policy

If you delete a policy in Deep Security Manager and the corresponding NSX Service Profile is not in use, it will be deleted. If the corresponding NSX Service Profile is in use, the NSX Service Profile will be no longer be synchronized with Deep Security Manager and its name will be changed to indicate that it is no longer valid. If the NSX Service Profile becomes unused later, it will be deleted.

VMware vRealize

If you are configuring a blueprint with VMware vRealize, you can assign either a NSX Security Group or an NSX Security Policy to the blueprint. The Security Group or Security Policy can both use Mapped Service Profiles.