Summary
When a Deep Security Virtual Appliance (DSVA) on an ESXi host with Trend Micro Firewall, IPS, or Web Reputation protection enabled shuts down or fails (service outage), all traffic to and from the virtual machine (VM) are blocked.
This does not affect the VMs protected only by the file-based Anti-Malware Engine.
Running summarize-dvfilter on an ESXi host with a VM protected by IDS or IPS inspection module shows the slot 4 filter is created with a failClosed policy setting:
vNic slot 4 name: nic-87820-eth1-serviceinstance-4.4 agentName: serviceinstance-4 state: IOChain Attached vmState: Detached failurePolicy: failClosed slowPathID: none filter source: Dynamic Filter Creation
Details
This issue has been resolved in Deep Security 10.0 U1 and later, which is now available at Trend Micro Deep Security Download Center.
As a workaround for the lower versions, do the following:
- In NSX configuration, go to Networking & Security > Service Definitions.
- Navigate to Trend Micro Deep Security > Service Instances.
- Select Trend Micro Deep Security-GlobalInstance.
- Click Manage and then select Settings.
- Click Edit in the attributes table.
- Change the value of the failOpen key to "true". For more information, see Set vNetwork behavior when appliances shut down.
- Remove and recreate the filter of the VM.
- Unassign the security group attached to the security policy under Trend Micro Deep Security Network Introspection Rules.
This removes the Trend Micro Network Introspection Service from all VMs. - Re-attach it to recreate the policy on each protected VM.
- Unassign the security group attached to the security policy under Trend Micro Deep Security Network Introspection Rules.
If the Trend Update is being applied on an existing installation, all the Trend Micro service deployment needs to be deleted and the Deep Security Manager (DSM) must be unregistered from NSX to delete the Service Instance. When re-registered to NSX Manager, it should create a Service Instance with the failurePolicy set to failOpen.
