Virtual Machines (VMs) protected by Deep Security Virtual Appliance (DSVA) are showing IPS offline and Firewall Engine offline.
Below are the details of this issue.
- In Computer view within the Deep Security Manager (DSM) console, the affected VM shows the alerts "Intrusion Prevention Engine Offline" and "Firewall Engine Offline".
- The NSX License is Advanced. (The feature is supported for this license).
- Service Composer configuration has been verified to be configured correctly. (Network Introspection is configured/enabled, the Security Policy is assigned to the Security Group, and the affected VMs are members of the Security Group.)
- Since the issue is with IPS/Firewall, this is related to Network Introspection.
- On the ESXi Host where the affected VM is running, use the command "summarize-dvfilter" to find the filter settings for the protected VM.
- Take note of the affected VM Name, and check whether vNic slot 4 is present for it. If it is missing, this could be an indicator of the issue.
- For comparison, look for another VM and check if it has an entry for vNic slot 4.
- In the sample below, the upper section shows a VM without vNic slot 4. The lower section shows a VM with vNic slot 4.
- Slot 4-12 are for 3rd-party services. This is where traffic is redirected to 3rd-party service appliances, like Trend Micro DSVA, which is part of the IOChain.
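The slot check described above can be run over a saved copy of the summarize-dvfilter output. This is an added example, not part of the original article or of any Trend Micro or VMware tool; it assumes the output lists each VM as a `world ... vmmN:<VM name>` line followed by indented `port` and `vNic slot N` lines, the sample text is constructed, and the function names are hypothetical.

```python
import re
import sys

# Constructed sample; the layout is an assumption based on typical summarize-dvfilter output.
SAMPLE = """\
world 0 <no world>
 port 33554436 vmk0
  vNic slot 0
   name: nic-0-eth4294967295-ESXi-Firewall.0
world 1000011111 vmm0:app-vm-01 vcUuid:'50 00 00 00 00 00 00 01'
 port 50331661 app-vm-01.eth0
  vNic slot 2
   name: nic-1000011111-eth0-vmware-sfw.2
   agentName: vmware-sfw
world 1000022222 vmm0:app-vm-02 vcUuid:'50 00 00 00 00 00 00 02'
 port 50331662 app-vm-02.eth0
  vNic slot 2
   name: nic-1000022222-eth0-vmware-sfw.2
   agentName: vmware-sfw
  vNic slot 4
   name: nic-1000022222-eth0-serviceinstance-1.4
   agentName: serviceinstance-1
"""

WORLD = re.compile(r"^world\s+\d+\s+vmm\d+:(.+?)(?:\s+vcUuid:.*)?$")
PORT = re.compile(r"^\s+port\s+\d+\s+(.+)$")
SLOT = re.compile(r"^\s+vNic slot\s+(\d+)")

def slots_by_port(text):
    """Map (vm, port) -> set of vNic slot numbers listed under that VM port."""
    result, vm, key = {}, None, None
    for line in text.splitlines():
        if line.startswith("world"):
            # Non-VM worlds (e.g. "world 0 <no world>") reset the context.
            m = WORLD.match(line)
            vm, key = (m.group(1) if m else None), None
        elif m := PORT.match(line):
            key = (vm, m.group(1).strip()) if vm else None
            if key:
                result[key] = set()
        elif key and (m := SLOT.match(line)):
            result[key].add(int(m.group(1)))
    return result

def missing_slot(text, slot=4):
    """Return the (vm, port) pairs that have no entry for the given slot."""
    return sorted(k for k, s in slots_by_port(text).items() if slot not in s)

if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for vm, port in missing_slot(data):
        print(f"{vm} {port}: no vNic slot 4")
```

Pass the path of the saved output as the first argument; with no argument the script runs on the constructed sample.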
The known root cause is a missing vNic slot 4 for the affected VM in the output of the summarize-dvfilter command on the ESXi Host.
The recommended action is to contact VMware Support to check why there is no vNic slot 4 for the problematic VM even though the NSX Security Group and Security Policy have been configured with Network Introspection.
Verification
- In a working environment, a protected VM has vNic slot 4 and has no IPS/Firewall engine offline issue.
Log Collection
- Deep Security Manager Diagnostic Package
- Deep Security Virtual Appliance Diagnostic Package
- ESXi Tech Support Bundle
- NSX Manager Tech Support Bundle
- Output of summarize-dvfilter command
- Version/Build of vCenter Server, NSX Manager, ESXi Host, Deep Security Manager, Deep Security Virtual Appliance
- Screenshot of Service Composer Configuration, Security Policy, Security Group
- Screenshot of IPS/Firewall Engine Offline