The reveal
This twin set of firewall rules has the name “Default Malicious IP Block Rules”. The rules use a list of malicious IP addresses that is automatically downloaded and applied from NTICS (NSX Threat Intelligence Cloud Service) to block traffic to and from IP addresses that have been marked as harmful for various reasons.
Knowing the name of the firewall rule, we quickly found the note in the NSX-T documentation: “If you are the Greenfield customer, this feature is by default enabled for you with the appropriate license. If you are the Brownfield customer, you will have to perform the steps mentioned in the procedure to enable this feature.” (source: Configure Malicious IP Feeds (vmware.com))
The required license for this feature was present and the rule had been automatically enabled during NSX Manager deployment. Looking at the Malicious IPs Filtering and Analysis Dashboard (Malicious IPs Filtering and Analysis Dashboard (vmware.com)), we were able to find the blocked IP address and add it to the exception list with a single click. According to the Dashboard, this IP address had been blocked because of phishing reports.
With a single click, traffic finally arrives back at its destination in Azure
Looking through the objects in the interface, it seems that it is not possible to see the contents of the Malicious IP set, so you cannot check whether it will block a given IP address before enabling the two rules. It would be nice to have a quick and easy-to-find contact method for NTICS in case of a false positive.
At this moment, I have not found a way to get an IP address marked as non-malicious with the NTICS. Do you know a method of contact? Please let us know in the comments below this blog or contact us.
Lessons learned
Sometimes a small note can trip you up. Share seemingly small things with your colleagues and as we say in Dutch: a donkey does not hit the same stone twice.
I certainly won’t forget this little new feature in the Distributed Firewall. It’s worth noting that the Malicious IPs Filtering and Analysis Dashboard shows a lot more dropped packets than I expected. You might find more unwanted traffic than you thought when you enable this firewall rule.