Skip to main content

VMware NSX-T

GravityZone Security for Virtualized Environments integrates with the VMware NSX-T Data Center through NSX-T Manager.

Integrate with NSX-T Manager

NSX-T Manager is the management plane of your vCenter Servers integrated with an NSX-T Data Center. For the integration to work, you will need to set up the integration for vCenter Servers associated with the NSX-T Manager. For more information, refer to Integrate with vCenter Server.

Integrate GravityZone with vCenter Server

Important

Bitdefender Endpoint Security Tools must not be installed on virtual machines alongside an NSX-T integration.

Add a new VMware vCenter Server integration to the GravityZone Control Center by following these steps:

  1. Log in to GravityZone Control Center.

  2. Go to the Configuration page from the left side menu.

  3. Navigate to Virtualization Providers > Management Platforms.

  4. Click Add and select vCenter Server from the menu.

  5. Specify the vCenter Server details.

  6. Specify the credentials for vCenter Server authentication.

    Note

    You can choose to use the credentials provided for an integration with Active Directory or a different set of credentials. The user whose credentials you provide must have root or administrator permissions on the vCenter Server.

  7. Under Installed platforms choose None for your NSX-T integration.

  8. Click Save to complete the vCenter Server integration with Control Center.

    Note

    Before accepting the self-signed security certificate required for the integration, make sure it corresponds with the vCenter details.

    For more information, refer to Integrating with vCenter Server.

Note

For multiple vCenter Servers managed by NSX-T Manager, you need to repeat this step.

Download NSX-T SVA

  1. Log in to GravityZone Control Center.

  2. Go to the Configuration > Update page from the left side menu.

  3. Select the Components tab.

  4. Under Product, select Security Server (VMware NSX-T).

  5. From the Packages section, select the associated check box to download.

Integrate GravityZone with NSX-T Manager

Add a new VMware NSX-T Manager integration to the GravityZone VA by following these steps:

Important

Each VMware NSX-T Manager integration can only be added to one GravityZone VA.

  1. In Control Center, go to the Configuration page from the left side menu.

  2. Navigate to Virtualization Providers > Security Providers.

  3. Click Add to configure the NSX-T integration.

    80107_1.png
  4. Specify the NSX-T integration details:

    • Name of the NSX-T integration

    • Hostname or the IP address of the NSX Manager system

    • NSX-T port (the default is 443)

      80107_2.png
    • Specify the credentials for NSX-T Manager authentication.

      Note

      The user whose credentials you provide must have root or administrator permissions on the NSX-T Manager.

  5. Click Save to complete the integration.

Note

Integrated server count within NSX-T manager should match the one from the Management Platform within the Control Center. If the count is not matched, follow the integration procedure to add a new vCenter Server integration.

Manage endpoint protection in VMware NSX-T

In this section, you will learn how to apply endpoint protection to your guest virtual machines.

Integration Overview

NSX-T Data Center provides agentless endpoint protection capabilities through the Guest Introspection ecosystem. Bitdefender integrates with the NSX ecosystem to protect guest virtual machines by using a Security Server deployed at the hypervisor host level.

This section provides guidance for NSX-T Data Center administrators on how to configure and apply endpoint protection to guest VMs, by implementing a Bitdefender GravityZone Guest Introspection policy.

Prerequisites

Process Description

To manage endpoint protection in NSX Manager you must follow these steps:

Deploy Partner service (Bitdefender GravityZone) in NSX Manager

Deploy the Security Server installation as a Partner service in NSX-T Manager.

  1. In NSX Manager, go to the System page and click Service Deployment.

  2. Select Partner service and then click Deploy Service.

    80107_3.png
  3. Specify the service deployment details:

    • Enter the service deployment name.

    • In the Compute Manager field, select the vCenter (Bitdefender SVA).

    • In the Cluster field, select the cluster where the service needs to be deployed.

    • In the Data Store field, you can select a data store where the SVA disk can be stored.

      For more information, refer to the official VMware documentation.

    • Under the Network column, click Edit Details to configure the Management Network interface.

      A configuration window is displayed, where you can configure the network/distributed switch to use for the management NIC and the network type.

    • In the Deployment Specification field, select Bitdefender SVA – Medium.

    • In the Deployment Template field, select Bitdefender Security Server OVF Template.

      80107_4.png
  4. Click Save.

    The Bitdefender Security Server is deployed.

Configure NSX Groups

NSX uses groups are used as source and destination field of a service profile. Create groups in the NSX Manager for protected, unprotected VMs and affected (quarantined) VMs.

To create and define group memberships, follow these steps:

Protected VMs Group

Create a group for protected VMs by following these steps:

  1. In NSX Manager, go to the Inventory page and click Groups.

  2. Click ADD GROUP to configure the group.

    80107_5.png
  3. Specify the group details:

    • Enter the security group name.

    • Under the Compute Members, click Set Members to define membership of the group:

      1. Go to the Members tab and select a group from the Category drop-down menu.

      2. Select the nodes that should be protected.

      3. Click APPLY.

        80107_6.png

        For more information, refer to the official VMware documentation.

  4. Click SAVE.

    The group for the protected VMs is now added.

Unprotected VMs Group

To create a group and define membership for unprotected VMs, follow the previous 1-4 stepsfrom Protected VMs Group.

Affected VMs Group

Create a quarantine group for affected VMs by following these steps:

  1. In NSX Manager, go to the Inventory page and click Groups.

  2. Click ADD GROUP to configure the group.

  3. Specify the group details:

    • Enter the security group name.

    • Under Compute Members, click Set Members to define membership of the group:

      1. Go to the Membership Criteria tab and click ADD CRITERIA.

      2. In the third column, select Contains.

      3. In the Scope field, enter the following tag:

        ANTI_VIRUS

      4. Click APPLY.

        80107_7.png

        For more information, refer to the following VMware Docs article.

  4. Click SAVE.

    The group for the quarantined VMs is now added.

Create GravityZone security policy

Create and configure security policy in Control Center by following these steps:

  1. In Control Center, go to the Policies page from the left side menu.

  2. Click Add to configure a policy.

  3. Enter a name for your policy.

  4. Configure the policy settings as needed.

    80107_8.png

    Note

    Only Antimalware settings are applicable to NSX-T integrations.

  5. Go to NSX and select the associated check box to set its visibility in NSX-T Manager.

    80107_9.png

    The GravityZone policy is visible in the NSX-T Manager under the Vendor Template column, when you add a Service Profile.

  6. Click Save.

Configure and apply endpoint protection to guest VMs

NSX enforces Guest Introspection policies (GravityZone security policy) when a Service Profile is available. To apply endpoint protection to guest VMs you need to create Service Profile and associate it to a VM group through policy rule.

Configure endpoint protection for guest VMs by following these steps:

Create a Service Profile

Add a Service Profile in NSX Manager by following these steps:

  1. In NSX Manager, go to the Security page and click on Configuration tab.

  2. Navigate to the Endpoint Protection tab and go to SERVICE PROFILES.

  3. In the Partner Service drop-down select Bitdefender and then click ADD SERVICE PROFILE.

  4. Specify the Service Profile details:

    • Enter the Service Profile name.

    • Select the vendor template (GravityZone security policy).

  5. Click Save.

    80107_11.png

    The Service Profile is now added.

Create and publish a policy rule

To associate a VM group that needs to be protected with a specific service profile, you need to create a policy rule. Create a policy for your VM group by following these steps:

  1. In NSX Manager, go to the Security page and click on Configuration tab.

  2. Navigate to the Endpoint Protection tab and go to RULES.

  3. Click ADD POLICY.

  4. Enter a policy name.

  5. Click the three vertical dots to open the dropdown menu.

  6. Click Add Rule.

    80107_12.png
  7. Enter a policy rule name.

  8. Under the Groups column, click the edit icon to set VM groups:

    80107_13.png
    • In the table, select a VM group for this rule.

    • Click APPLY.

      80107_14.png
  9. Under the Service Profiles column, click the edit icon to map the Service Profile to your VM groups.

    In the table, select the Service Profile and click SAVE.

  10. Click PUBLISH to apply endpoint protection to your guest VMs.

    80107_15.png

Change the Security Server password

Using the local interface

  1. Open the Security Server console.

    gravityzone_op_sve_new_password_nsx1.png
  2. Press F2 to open the configuration screen.

  3. Enter your password. The default password is: sve.

    sva_change_pass.png
  4. Change the password.

    The default password does not meet the new security password requirements, so you have to change it. It must contain at least 8 characters, one digit, at least one upper case character, at least one lower case character, one special character and must be changed every 3 months.

    gravityzone_op_sve_new_password_nsx2.png

    Note

    For more information about resetting the root password, refer to Reset root password for Security Server.

Using SSH

  1. Connect to the appliance via SSH.

  2. Log in using the default credentials.

    • User name: root

    • Password: sve

  3. Change the password.

    The default password does not meet the new security password requirements, so you have to change it. It must contain at least 8 characters, one digit, at least one upper case character, at least one lower case character, one special character and must be changed every 3 months.

    gravityzone_cl_pt_op_sve_new_password2.png

    Note

    For more information about resetting the root password, refer to Reset root password for Security Server.