Hi bayuwibowo & Community
I have NSX version 6.2.2 with DFW. Under SpoofGuard, IP Detection Type is set to "None".
So NSX DFW will be detecting the IP address of the VM from VMware Tools.
What will happen to the VMs which don't have VMware Tools? So NSX DFW treat these VMs without VMware Tools.
http://bayupw.blogspot.jp/2016/12/troubleshoot-nsx-dfw-distributed.html
Here is a bit of a write-up I did on why you need either VM Tools or DHCP/ARP snooping when working with the DFW.
Typo
So how does NSX DFW treat these VMs without VMware Tools?
If you do not have VMware Tools installed on the VM, NSX 6.2.x offers ARP / DHCP snooping to detect the IP address.
VMware NSX for vSphere 6.2 Documentation Center - IP Discovery for Virtual Machines
"Before NSX 6.2, if VMware Tools was not installed on a VM, its IP address was not learned.
In NSX 6.2 you can configure clusters to detect virtual machine IP addresses with DHCP snooping, ARP snooping, or both.
This allows NSX to detect the IP address if VMware Tools is not installed on the virtual machine.
If VMware Tools is installed, it can work in conjunction with DHCP and ARP snooping.
VMware recommends that you install VMware Tools on each virtual machine in your environment. In addition to providing vCenter with the IP address of VMs, it provides many other functions"
VMware NSX for vSphere 6.2 Documentation Center - Change IP Detection Type
"The IP address of a virtual machine can be detected by VMware Tools, which are installed on the VM, or by DHCP snooping and ARP snooping, which are enabled on the host cluster. These IP discovery methods can be used together in the same NSX installation.
Procedure
1. In the vSphere Web client, navigate to Networking & Security > Installation > Host Preparation.
2. Click the cluster you want to change, then click Actions > Change IP Detection Type.
3. Select the desired detection types and click OK."
Thanks, got your point.
What will happen to the VMs that do not have VMware Tools and where the IP Detection method is set to None? (I have not enabled ARP / DHCP snooping to detect the IP address.)
How does NSX DFW treat this?
If there are no VMware Tools and no other method is enabled to detect the VM IP, will DFW not apply any firewall policies?
It will be as if no rules are applied, and the VM will be outside the DFW.
Correct me if my above understanding is wrong.
If DFW cannot detect the IP, the traffic will most likely hit the default rule (allow or deny, depending on your Default Rule).
Thanks bayuwibowo
Is there any official document from VMware which explains that? I need to share this with my manager.
Thanks.
So I have a virtual machine VM A without VMware Tools, and I have the rule below.
Source: Any, Destination: VM B, Action: Block, Applied to: Distributed Firewall
Since there are no VMware Tools installed, the IP address of VM A will not be detected by the DFW.
But the above firewall rule will still be applied and the traffic will be blocked, since the source is ANY.
Let me know if my above understanding is right.
@DaleCoghlan
Could you please help by replying to the query below?
I got the attached details from the link below.
"If VMware Tools is stopped or removed, vCenter removes the IP address entry immediately. An update notification is sent to NSX Manager, which causes the firewall module to send a list of updates to all the vShield-Stateful-Firewall processes using protobuf format. If we configure firewall rules using vCenter objects (not IP addresses), as shown in the screenshot below, there will be a match on the last firewall rule (most of the time called the catch-all rule)."
http://www.routetocloud.com/2015/04/nsx-distributed-firewall-deep-dive/
Yes your understanding is correct.
Since the rule is applied to the "DISTRIBUTED FIREWALL", on the source VM (VM A), the outbound packet will match the source (which is defined as ANY address) and the packet will be blocked.
And in actual fact, your rule will block ANY traffic leaving ANY VM with a destination of VM B, but also on VM B itself it will block all inbound traffic with a destination of VM B, regardless of whether it originated from a VM or not.
Dale
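To make the behaviour discussed in this thread concrete, here is a small Python model of how the DFW resolves vCenter objects to IP address sets before matching a packet. It is an added illustration written for this page, not NSX code and not Dale's or bayuwibowo's; the VM names, IP addresses and rule names are constructed for the example, and the model deliberately ignores ports, protocols and state. The point it shows is that a VM whose IP was never discovered (no VMware Tools, detection type "None") translates to an empty address set, so any rule that names that VM as source or destination can never match and the packet falls through to the default rule, whereas a rule whose source is "any" still matches and blocks.

```python
from dataclasses import dataclass, field
from typing import Optional, List, Tuple

ANY = "any"


@dataclass
class VM:
    """Inventory entry. tools_ip is what VMware Tools reports (None = Tools not
    installed); snooped_ips is what ARP/DHCP snooping would learn on the vNIC."""
    name: str
    tools_ip: Optional[str] = None
    snooped_ips: set = field(default_factory=set)


@dataclass
class Rule:
    name: str
    src: str      # ANY or a vCenter VM object name
    dst: str      # ANY or a vCenter VM object name
    action: str   # "allow" or "block"


def learned_ips(vm: VM, snooping: bool) -> set:
    """IPs NSX has discovered for a VM. Tools (if installed) is always used;
    ARP/DHCP snooping only contributes when the cluster's IP detection type
    enables it ("None" in the thread means Tools only)."""
    ips = set()
    if vm.tools_ip:
        ips.add(vm.tools_ip)
    if snooping:
        ips |= vm.snooped_ips
    return ips


def address_set(ref: str, inventory: dict, snooping: bool) -> Optional[set]:
    """Translate a rule field to an IP set. None means 'any' (matches everything).
    A VM with no discovered IP becomes an EMPTY set, which matches nothing."""
    if ref == ANY:
        return None
    return learned_ips(inventory[ref], snooping)


def evaluate(rules: List[Rule], default_action: str, inventory: dict,
             snooping: bool, src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """First-match evaluation of one packet against the rule table.
    Returns (matching rule name, action); 'default' if nothing matched."""
    for r in rules:
        s = address_set(r.src, inventory, snooping)
        d = address_set(r.dst, inventory, snooping)
        if (s is None or src_ip in s) and (d is None or dst_ip in d):
            return r.name, r.action
    return "default", default_action


def demo() -> dict:
    # Constructed inventory: VM A and VM C have no Tools, VM B has Tools.
    vm_a = VM("VM A", tools_ip=None, snooped_ips={"10.0.0.10"})
    vm_b = VM("VM B", tools_ip="10.0.0.20", snooped_ips={"10.0.0.20"})
    vm_c = VM("VM C", tools_ip=None, snooped_ips={"10.0.0.30"})
    inv = {vm.name: vm for vm in (vm_a, vm_b, vm_c)}
    results = {}

    # 1. The thread's rule: any -> VM B block. VM B's IP is known via Tools, so
    #    traffic from VM A (no Tools, no snooping) is still blocked.
    results["any_to_b"] = evaluate(
        [Rule("block-to-b", ANY, "VM B", "block")], "allow", inv, False,
        "10.0.0.10", "10.0.0.20")

    # 2. Object-based source: VM A -> VM B block, detection type "None".
    #    VM A resolves to an empty set, so the packet hits the default rule.
    results["a_to_b_no_snoop"] = evaluate(
        [Rule("block-a-to-b", "VM A", "VM B", "block")], "allow", inv, False,
        "10.0.0.10", "10.0.0.20")

    # 3. Same rule with ARP/DHCP snooping enabled on the cluster: VM A's IP is
    #    learned from the wire and the object-based rule matches.
    results["a_to_b_snoop"] = evaluate(
        [Rule("block-a-to-b", "VM A", "VM B", "block")], "allow", inv, True,
        "10.0.0.10", "10.0.0.20")

    # 4. Destination without Tools and no snooping: even any -> VM C cannot
    #    match, because the destination set is empty.
    results["any_to_c_no_snoop"] = evaluate(
        [Rule("block-to-c", ANY, "VM C", "block")], "allow", inv, False,
        "10.0.0.10", "10.0.0.30")
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(scenario, outcome)
```

The model's default rule is "allow" to mirror a factory-default DFW policy; with a default "block" rule, scenarios 2 and 4 would still not match their intended rule, they would just fall through to deny instead. Either way, the practical check before relying on object-based rules is to confirm that every VM referenced by a rule actually has a discovered IP (VMware Tools installed, or ARP/DHCP snooping enabled on the cluster as described in the documentation quoted above).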