Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Intrusion Detection System and Intrusion Prevention modules block all traffic when DSVA shuts down or fails

    • Updated:
    • 4 Sep 2017
    • Product/Version:
    • Deep Security 10.0
    • Deep Security 9.6
    • Platform:
    • N/A N/A

When a Deep Security Virtual Appliance (DSVA) on an ESXi host with Trend Micro Firewall, IPS, or Web Reputation protection enabled shuts down or fails (service outage), all traffic to and from the virtual machine (VM) are blocked.

This does not affect the VMs protected only by the file-based Anti-Malware Engine.

Running summarize-dvfilter on an ESXi host with a VM protected by IDS or IPS inspection module shows the slot 4 filter is created with a failClosed policy setting:

vNic slot 4  name: nic-87820-eth1-serviceinstance-4.4  agentName: serviceinstance-4  state: IOChain Attached  vmState: Detached  failurePolicy: failClosed  slowPathID: none  filter source: Dynamic Filter Creation

This issue has been resolved in Deep Security 10.0 U1 and later, which is now available at Trend Micro Deep Security Download Center.

As a workaround for the lower versions, do the following:

  1. In NSX configuration, go to Networking & Security > Service Definitions.
  2. Navigate to Trend Micro Deep Security > Service Instances.
  3. Select Trend Micro Deep Security-GlobalInstance.
  4. Click Manage and then select Settings.
  5. Click Edit in the attributes table.
  6. Change the value of the failOpen key to "true". For more information, see Set vNetwork behavior when appliances shut down.
  7. Remove and recreate the filter of the VM.
    1. Unassign the security group attached to the security policy under Trend Micro Deep Security Network Introspection Rules.
      This removes the Trend Micro Network Introspection Service from all VMs.
    2. Re-attach it to recreate the policy on each protected VM.
If the Trend Update is being applied on an existing installation, all the Trend Micro service deployment needs to be deleted and the Deep Security Manager (DSM) must be unregistered from NSX to delete the Service Instance. When re-registered to NSX Manager, it should create a Service Instance with the failurePolicy set to failOpen.
Solution Id:
Did this article help you?

Thank you for your feedback!

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.