Synchronize Deep Security Policies with NSX

See Deploy Deep Security for steps that you must perform before proceeding with the steps in this article.

There are two ways to protect your VMs with Deep Security:

  • Use event-based tasks to activate and deactivate VMs in Deep Security and apply or remove a default policy. For more information, see "Event-Based Tasks Created When Adding a vCenter to Deep Security Manager" in Automated policy management in NSX environments.
  • Synchronize your Deep Security policies with NSX. This method is described below.

Each VM that you want to protect must belong to an NSX Security Group that has an NSX Security Policy assigned to it. When you set up an NSX Security Policy, one of the options that you select is the NSX Service Profile. With Deep Security 9.6 or earlier, there was only one NSX Service Profile for use with Deep Security. In Deep Security 9.6 SP1 or later, you can choose to synchronize all of your Deep Security policies with NSX. This creates a matching NSX Service Profile (which we call a "Mapped Service Profile" in Deep Security) for each of your Deep Security policies.

Enable policy synchronization:

All of the policies in Deep Security Manager must have a unique name before they are synchronized with NSX.

  1. In the Deep Security Manager, go to the Computers page and right-click the vCenter where you want to enable synchronization.
  2. Click Properties.
  3. On the NSX Configuration tab, select Synchronize Deep Security Policies with NSX Service Profiles. Click OK.
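Because synchronization requires every Deep Security policy name to be unique, the following pre-flight check (an added example, not part of this article or of the Deep Security product) scans a list of policy records for name collisions before you enable the option. The policy list and its `ID`/`name` fields are constructed sample data; in practice you would export the names from Deep Security Manager.

```python
"""Pre-flight check: are Deep Security policy names unique enough to sync with NSX?

Exact duplicates block synchronization (the article's stated requirement).
Names that differ only in case or spacing are reported separately as an
assumption-based warning, since they are easy to confuse once mapped to
NSX Service Profiles; the article itself only requires exact uniqueness.
"""
from collections import defaultdict

# Constructed sample input, not exported from a real Deep Security Manager.
SAMPLE_POLICIES = [
    {"ID": 1, "name": "Base Policy"},
    {"ID": 2, "name": "Windows Server"},
    {"ID": 3, "name": "Windows Server"},   # exact duplicate of ID 2
    {"ID": 4, "name": "Linux Server"},
    {"ID": 5, "name": "linux  server"},    # differs only in case/whitespace
]


def _normalize(name):
    """Collapse whitespace and case so near-identical names group together."""
    return " ".join(name.split()).casefold()


def find_duplicate_policy_names(policies):
    """Map each name used by more than one policy to the IDs that share it."""
    by_name = defaultdict(list)
    for policy in policies:
        by_name[policy["name"]].append(policy["ID"])
    return {name: ids for name, ids in by_name.items() if len(ids) > 1}


def find_near_duplicate_policy_names(policies):
    """Map normalized names to IDs whose raw names collide only after normalization."""
    by_norm = defaultdict(list)
    for policy in policies:
        by_norm[_normalize(policy["name"])].append(policy)
    return {
        norm: [p["ID"] for p in group]
        for norm, group in by_norm.items()
        if len(group) > 1 and len({p["name"] for p in group}) > 1
    }


def ready_to_synchronize(policies):
    """True only when no two policies share an exact name."""
    return not find_duplicate_policy_names(policies)


if __name__ == "__main__":
    print("exact duplicates:", find_duplicate_policy_names(SAMPLE_POLICIES))
    print("near duplicates:", find_near_duplicate_policy_names(SAMPLE_POLICIES))
    print("ready to synchronize:", ready_to_synchronize(SAMPLE_POLICIES))
```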

Next steps:

  1. Create an NSX Security Policy, as described in Create NSX security groups and policies. Select a Mapped Service Profile as the Service Profile for the Guest Introspection Service and the Inbound and Outbound Network Introspection Services.
    If you select the "Default (EBT)" service profile, the VMs in groups that use this policy will be handled by the "NSX Security Group Change" event-based tasks.
  2. Assign the NSX Security Policy to the NSX Security Groups containing the VMs that you want to protect, as described in Create NSX security groups and policies. Any VMs in the NSX Security Group will be activated and assigned the corresponding Deep Security policy automatically, without the use of event-based tasks.

Change or remove the policy assigned to a VM

When a VM is protected by a Mapped Service Profile, the policy assignment cannot be changed from within Deep Security Manager.

To change the profile used to protect a VM, you must change the NSX Security Policy or NSX Security Group from your vSphere Web Client.

If you unassign an NSX Security Policy from a group, any VMs in that group will be deactivated in Deep Security Manager.

Change the name of a policy

If you rename a policy in Deep Security Manager, the NSX Service Profile Name will also be changed.

Delete a policy

If you delete a policy in Deep Security Manager and the corresponding NSX Service Profile is not in use, it will be deleted. If the corresponding NSX Service Profile is in use, the NSX Service Profile will no longer be synchronized with Deep Security Manager and its name will be changed to indicate that it is no longer valid. If the NSX Service Profile becomes unused later, it will be deleted.

VMware vRealize

If you are configuring a blueprint with VMware vRealize, you can assign either an NSX Security Group or an NSX Security Policy to the blueprint. Both the Security Group and the Security Policy can use Mapped Service Profiles.