VMware Carbon Black Cloud + NSX Remediation

Posted on March 9, 2022

Overview

The integration between Carbon Black Cloud Workload and NSX-T orchestrates network remediations using NSX-T Distributed Firewall (DFW) policies, and associated tags. After registering the Carbon Black Cloud Workload with the NSX Manager, you can use the newly created NSX policies to remediate VM workloads within the Carbon Black Cloud console, or remove already applied NSX policies tags from certain VM workloads.

Prerequisites

The VM workload must be associated with a Carbon Black Cloud Workload appliance that is registered with NSX, and has an active NSX connectivity. For information on registering the appliance with NSX, see VMware Carbon Black Cloud Workload Guide.
The VM workload must have a Carbon Black Cloud sensor installed with the following versions:
- For Windows - 3.6 or later.
- For Linux - 2.9 or later.
The VM workload must be on an NSX N-VDS (opaque network) to have the Apply NSX Tag option available.

Supported NSX Tags

Option	Description
`CB-NSX-Quarantine`	With this policy, the VM workload associated with the pre-registered tag is quarantined from the network. This is a read only policy for NSX administrators. The policy only allows the following network flows: DHCP for IP addresses and DNS traffic for name resolution. HTTPS traffic to a list of FQDNs required by the sensor to remain connected to Carbon Black Cloud. The VM has a limited internet connectivity specified by the FQDNs in the policy definition.
`CB-NSX-Isolate`	With this policy the VM workload associated with the pre-registered tag is completely isolated from the network. This is a read only policy for NSX administrators.
`CB-NSX-Custom`	This policy is fully customizable. By applying this policy, the NSX administrator can enforce any rules on VM workloads. Thus, advanced users can create a custom security posture.

For more information see the User guide or try it out with the API documentation.