There are two ways to protect your VMs with Deep Security:
- Use event-based tasks to activate and deactivate VMs in Deep Security and apply or remove a default policy. For more information, see Event-based tasks created when adding a vCenter to Deep Security Manager.
- Synchronize your Deep Security policies with NSX. This method is described below.
Each VM that you want to protect must belong to an NSX Security Group that has an
NSX Security Policy assigned to it. When you set up an NSX Security Policy, one of
the options that you select is the NSX Service Profile. With Deep Security 9.6 or
earlier, there was only one NSX Service Profile for use with Deep Security. In Deep
Security 9.6 SP1 or later, you can choose to synchronize all of your Deep Security
policies with NSX. This creates a matching NSX Service Profile (which we call a "Mapped
Service Profile" in Deep Security) for each of your Deep Security policies.
Enable policy synchronization:
Note: All of the policies in Deep Security Manager must have a unique name before they are
synchronized with NSX.
- In the Deep Security Manager, go to the Computers page and right-click the vCenter where you want to enable synchronization.
- Click Properties.
- On the NSX Configuration tab, select Synchronize Deep Security Policies with NSX Service Profiles. Click OK.
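A pre-flight check for the unique-name requirement in the note above, as an added example that is not part of the original documentation or the vendor's code. It assumes the policy list has been exported as records with hypothetical `ID`, `name` and `parentID` fields, and it also reports names that differ only by case or whitespace, a conservative assumption because the page does not say how names are compared.

```python
from collections import defaultdict

# Constructed sample shaped like a policy export (assumed fields): each entry
# has an ID, a name and the ID of its parent policy (None for top level).
SAMPLE_POLICIES = [
    {"ID": 1, "name": "Base Policy", "parentID": None},
    {"ID": 2, "name": "Linux Server", "parentID": 1},
    {"ID": 3, "name": "Windows Server", "parentID": 1},
    {"ID": 4, "name": "Web", "parentID": 2},
    {"ID": 5, "name": "Web", "parentID": 3},
    {"ID": 6, "name": "linux server ", "parentID": 3},
]


def policy_path(policy_id, by_id):
    """Return 'Parent > Child' so a clashing policy can be found in the tree."""
    parts, seen = [], set()
    while policy_id in by_id and policy_id not in seen:  # guard against cycles
        seen.add(policy_id)
        parts.append(by_id[policy_id]["name"].strip())
        policy_id = by_id[policy_id].get("parentID")
    return " > ".join(reversed(parts))


def find_name_clashes(policies):
    """Group policies whose names are identical ('exact') or differ only by
    case or whitespace ('near'); both should be renamed before enabling sync."""
    by_id = {p["ID"]: p for p in policies}
    groups = defaultdict(list)
    for p in policies:
        key = " ".join(p["name"].split()).casefold()
        groups[key].append(p)
    clashes = {}
    for key, members in groups.items():
        if len(members) > 1:
            exact = len({m["name"] for m in members}) == 1
            clashes[key] = {
                "kind": "exact" if exact else "near",
                "paths": sorted(policy_path(m["ID"], by_id) for m in members),
            }
    return clashes


if __name__ == "__main__":
    for key, info in sorted(find_name_clashes(SAMPLE_POLICIES).items()):
        print(f"[{info['kind']}] {key!r}: " + "; ".join(info["paths"]))
```

An empty result means no clashing names were found in the exported list.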
Next steps:
- There are several steps required to protect your VMs with Deep Security Virtual Appliance, and they must be completed in a specific order. For a complete list of steps, see Deploy the appliance (NSX-T 3.x), Deploy the appliance (NSX-V), or Upgrade the Deep Security Virtual Appliance.
Change or remove the policy assigned to a VM
When a VM is protected by a Mapped Service Profile, the policy assignment cannot be
changed from within Deep Security Manager. To change the profile used to protect a
VM, you must change the NSX Security Policy or NSX Security Group from your vSphere
Web Client (NSX-V) or NSX-T Data Center console (NSX-T).
If you unassign an NSX Security Policy from a group, any VMs in that group will be
deactivated in Deep Security Manager.
Change the name of a policy
If you rename a policy in Deep Security Manager, the NSX Service Profile Name will
also be changed.
Delete a policy
If you delete a policy in Deep Security Manager and the corresponding NSX Service
Profile is not in use, it will be deleted. If the corresponding NSX Service Profile
is in use, the NSX Service Profile will no longer be synchronized with Deep Security
Manager and its name will be changed to indicate that it is no longer valid. If the
NSX Service Profile becomes unused later, it will be deleted.
VMware vRealize
If you are configuring a blueprint with VMware vRealize, you can assign either an NSX
Security Group or an NSX Security Policy to the blueprint. Both the Security Group and
the Security Policy can use Mapped Service Profiles.