VMware Networking Community
A13x
Hot Shot

NSX Firewall with Thousands of Rules

Hi all, I was wondering: is there a firewall cheat that can make working out what rules are applied, and in what order, graphically to a VM or SG when you have thousands of firewall rules created in the NSX firewall that have NOT been made using Composer or ARM?

It's possible to use the CLI, but having to go through each of the rules and work out what might be the problem takes time.

The massive NSX firewall ACL has a mix of micro-segmentation SG and DFW rules, and also those applied to Edges and other groups. It was fine when we had a few hundred rules, but now it's getting into a management nightmare.

If you use Composer it would help a lot, but then you lose a lot of advanced features and flexibility.

How is everyone checking the firewall rules before publishing the policy when there might be a rule, or several rules, among the thousands that might impact the entire environment?

3 Replies
DaleCoghlan
VMware Employee

The key to using the DFW/Service Composer at scale is to have an appropriate security framework. This framework should be well thought out and designed from the outset to accommodate hundreds or thousands of rules. One of the main points of the security framework that you will build most things on will be an appropriate security grouping framework.

I have personally helped customers implement their security posture using DFW/Service Composer, and they have anywhere from 50 rules right up to 50,000 rules. You must also keep in mind that a lot of the power of NSX comes from the fact that it can be driven programmatically, so the customers who have large rule bases also look to automation to help them out, and if automation is going to be a factor in the future, your security framework must cater for it from the beginning.

Have you read the following document?

WhitePaper: NSX Distributed Firewalling Policy Rules Configuration Guide

If you get your framework correct, it will allow you to provision and life-cycle rules/applications with ease and do it programmatically if required. If you get it wrong, as with most firewall products, you will find making changes to the rules/policies cumbersome or complex.

Can you elaborate on the functionality that you're missing from Service Composer? What would you like to see in Service Composer that would sway you to use it?

Dale

rajeevsrikant
Expert

I too had a similar question in my mind when implementing the DFW rules & policies.

The grouping, section & Applied To functionality makes it very simple to configure & manage the rules.

The search functionality provides ease & flexibility during troubleshooting or during any rule check.

A13x
Hot Shot

rajeevsrikant, are you able to expand on this search functionality, as the filtering I find in NSX starts to fail the more and more complex rules and sections you have? The only workaround I have managed to find is to dump the entire NSX firewall, IP sets, groups etc. and then go through it.

The grouping and sections (with Applied To) are failing also because there are just TOO many! When we first started off with a hundred or so rules it was kind of fine; now that we have more and more firewall rules and sections, it's becoming a management nightmare. Even with the sections, if you come up with a naming convention and someone decides to create a new section in a random location, it's hard to find that, as there is no further section grouping and ordering.

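The "dump the whole firewall and go through it" workaround described in the last post can be made repeatable. The following is an added example, not code from this thread or from VMware: it walks an XML export shaped like the NSX-v DFW configuration (the element and attribute names used here are an assumption, and the sample export is constructed for the example), then lists, in evaluation order, the enabled rules that would be enforced on members of a given security group, flags any/any/any rules applied DFW-wide (the kind that can impact the entire environment when published), and reports sections whose names break an agreed convention. Matching is by object name only; nested group membership and negated (excluded="true") source/destination lists are not resolved.

```python
"""Offline triage of an NSX-v style DFW export (added example; constructed sample)."""
import xml.etree.ElementTree as ET

DFW_WIDE = "DISTRIBUTED_FIREWALL"  # Applied To value meaning "every vNIC"

# Constructed export; element layout is an assumption about the NSX-v DFW config XML.
SAMPLE_DFW_XML = """<firewallConfiguration timestamp="1">
 <layer3Sections>
  <section id="1010" name="Emergency" type="LAYER3">
   <rule id="1" disabled="false" logged="true">
    <name>Block known bad</name><action>deny</action>
    <appliedToList><appliedTo><name>DISTRIBUTED_FIREWALL</name><type>DISTRIBUTED_FIREWALL</type></appliedTo></appliedToList>
    <sources excluded="false"><source><name>IPS-BadActors</name><type>IPSet</type></source></sources>
   </rule>
  </section>
  <section id="1020" name="APP-Web" type="LAYER3">
   <rule id="2" disabled="false" logged="false">
    <name>Allow HTTPS to web</name><action>allow</action>
    <appliedToList><appliedTo><name>SG-Web</name><type>SecurityGroup</type></appliedTo></appliedToList>
    <destinations excluded="false"><destination><name>SG-Web</name><type>SecurityGroup</type></destination></destinations>
    <services><service><name>HTTPS</name><type>Application</type></service></services>
   </rule>
   <rule id="3" disabled="true" logged="false">
    <name>TEMP any to web</name><action>allow</action>
    <appliedToList><appliedTo><name>SG-Web</name><type>SecurityGroup</type></appliedTo></appliedToList>
   </rule>
  </section>
  <section id="1030" name="APP-DB" type="LAYER3">
   <rule id="4" disabled="false" logged="true">
    <name>Allow SQL web to db</name><action>allow</action>
    <appliedToList><appliedTo><name>SG-DB</name><type>SecurityGroup</type></appliedTo></appliedToList>
    <sources excluded="false"><source><name>SG-Web</name><type>SecurityGroup</type></source></sources>
    <destinations excluded="false"><destination><name>SG-DB</name><type>SecurityGroup</type></destination></destinations>
    <services><service><name>MS-SQL-S</name><type>Application</type></service></services>
   </rule>
  </section>
  <section id="1040" name="Johns stuff" type="LAYER3">
   <rule id="5" disabled="false" logged="false">
    <name>Block all</name><action>deny</action>
    <appliedToList><appliedTo><name>DISTRIBUTED_FIREWALL</name><type>DISTRIBUTED_FIREWALL</type></appliedTo></appliedToList>
   </rule>
  </section>
  <section id="9999" name="Default Section Layer3" type="LAYER3">
   <rule id="1001" disabled="false" logged="false">
    <name>Default Rule</name><action>allow</action>
    <appliedToList><appliedTo><name>DISTRIBUTED_FIREWALL</name><type>DISTRIBUTED_FIREWALL</type></appliedTo></appliedToList>
   </rule>
  </section>
 </layer3Sections>
</firewallConfiguration>"""


def _names(rule, container, child):
    """Object names under <container><child><name>; an empty set means 'any'."""
    return {n.text for n in rule.findall(f"{container}/{child}/name")}


def load_rules(xml_text):
    """Flatten the export into dicts, preserving document order (= evaluation order)."""
    rules = []
    for section in ET.fromstring(xml_text).findall("layer3Sections/section"):
        for r in section.findall("rule"):
            rules.append({
                "section": section.get("name"),
                "id": int(r.get("id")),
                "name": r.findtext("name"),
                "action": r.findtext("action"),
                "disabled": r.get("disabled") == "true",
                "applied_to": _names(r, "appliedToList", "appliedTo"),
                "sources": _names(r, "sources", "source"),
                "destinations": _names(r, "destinations", "destination"),
                "services": _names(r, "services", "service"),
            })
    return rules


def rules_for(rules, target):
    """Enabled rules enforced on members of `target`, in the order the DFW evaluates them.
    A rule counts if its Applied To covers the target (directly or DFW-wide) and the
    target can appear as source or destination (explicitly or via 'any').
    Limitation: name match only; nested membership and excluded="true" are not resolved."""
    hits = []
    for r in rules:
        if r["disabled"]:
            continue
        if DFW_WIDE not in r["applied_to"] and target not in r["applied_to"]:
            continue  # enforced on other vNICs only, never on this group's VMs
        if (not r["sources"] or target in r["sources"]
                or not r["destinations"] or target in r["destinations"]):
            hits.append(r)
    return hits


def broad_rules(rules):
    """Enabled any-source / any-destination / any-service rules applied DFW-wide:
    each one affects every VM, so review these before publishing."""
    return [r for r in rules
            if not r["disabled"] and DFW_WIDE in r["applied_to"]
            and not (r["sources"] or r["destinations"] or r["services"])]


def sections_off_convention(rules, allowed_prefixes):
    """Section names (in order, once each) that match none of the agreed prefixes."""
    seen, off = set(), []
    for r in rules:
        s = r["section"]
        if s not in seen and not s.startswith(tuple(allowed_prefixes)):
            off.append(s)
        seen.add(s)
    return off


if __name__ == "__main__":
    rs = load_rules(SAMPLE_DFW_XML)
    for r in rules_for(rs, "SG-Web"):
        print(f'{r["section"]:24} #{r["id"]:<5} {r["action"]:5} {r["name"]}')
    print("broad:", [r["id"] for r in broad_rules(rs)])
    print("off convention:", sections_off_convention(rs, ("Emergency", "APP-", "Default Section")))
```

On the constructed export, the walk for SG-Web shows the mid-table "Block all" from the stray section landing ahead of the default rule, which is exactly the class of change the thread is worried about publishing unseen; the same functions can be pointed at a full export and at a list of groups you care about, so the check runs against every SG before each publish rather than by hand.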