VMware Cloud Community
m1xed0s
Enthusiast

Can I see the firewall rule hit in network insight?

I have NSX DFW configured and vCenter/NSX Manager registered to vRNI for over two weeks. But I am not sure where to look for the firewall rule hits... I was told by a VMware rep that I can log in to vRNI to see which firewall rule (with action allow or block) is hit by what traffic flow, in case I missed some flow that should be allowed or blocked, but so far I have failed to find such info... So is it there, or is it just sales BS?

7 Replies
Christian_Holle
Contributor

Yes, you have many ways to see it in vRNI.

1. If it has been collecting for a few hours, you can see it in Planning for the VM or for a group...

2. If the collector is integrated into NSX, you will see the flows directly at the VM in vCenter under Monitor/Flow Monitoring.

3. You can even build your own application mapping in vRNI. Then you will see the whole traffic in the so-called 360 degree view; there you will even see allowed and dropped flows. It is the same as the view of a VM.

But you can also see the flows and packet dropping in vRealize Log Insight, with the NSX expansion pack.

So there are many more ways to visualize the flows in vRNI.

m1xed0s
Enthusiast

Thanks,

Here is my scenario:

1. I registered vCenter and NSX Manager in vRNI (it has been running for almost two weeks).

2. I configured a DFW rule (rule name: TEMP) in NSX, and the action is allow.

3. This has been running for two weeks.

4. I want to see if this DFW rule TEMP got hits and what traffic flows are hitting it.

5. I will then add other DFW rules above TEMP for those traffic flows which are legit.

6. I will then change the TEMP rule action to block.

So for my scenario, where should I go inside vRNI to get the information I need?

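A worked example of steps 4 and 5 of the scenario above, added here and not part of any post in the thread: given exported flow records that carry the firewall rule ID, it isolates the flows that hit the catch-all TEMP rule and collapses them into candidate explicit allow rules to place above TEMP before its action is flipped to block. The record layout and the sample flows are constructed for illustration; the rule ID 2147483656 is the one quoted later in the thread.

```python
"""Added example: summarize flows that hit a catch-all allow rule so each
distinct service can get an explicit allow rule above it before the
catch-all is changed to block. Record layout is an assumption, not vRNI's
export format; the sample flows below are constructed."""
from collections import Counter

TEMP_RULE_ID = 2147483656  # rule ID quoted in the thread

# Constructed sample flows: (src, dst, proto, dst_port, rule_id, action)
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.2.20", "TCP", 443, TEMP_RULE_ID, "allow"),
    ("10.0.1.11", "10.0.2.20", "TCP", 443, TEMP_RULE_ID, "allow"),
    ("10.0.1.10", "10.0.2.20", "TCP", 443, TEMP_RULE_ID, "allow"),
    ("10.0.1.10", "10.0.3.30", "UDP", 53, TEMP_RULE_ID, "allow"),
    ("10.0.9.9", "10.0.2.20", "TCP", 22, 1001, "block"),  # hit a different rule
]


def flows_hitting_rule(flows, rule_id):
    """Return only the flows whose recorded firewall rule ID matches rule_id."""
    return [f for f in flows if f[4] == rule_id]


def summarize_hits(flows, rule_id=TEMP_RULE_ID):
    """Count distinct (src, dst, proto, dst_port) tuples seen under rule_id."""
    return Counter((src, dst, proto, port)
                   for src, dst, proto, port, rid, _ in flows if rid == rule_id)


def proposed_allow_rules(flows, rule_id=TEMP_RULE_ID):
    """Collapse per-source hits into one candidate rule per (dst, proto, port),
    recording which sources used it and how many hits were seen. A human
    reviewer decides which candidates are legitimate before adding them."""
    rules = {}
    for (src, dst, proto, port), count in summarize_hits(flows, rule_id).items():
        entry = rules.setdefault((dst, proto, port), {"sources": set(), "hits": 0})
        entry["sources"].add(src)
        entry["hits"] += count
    return rules


if __name__ == "__main__":
    for (dst, proto, port), info in sorted(proposed_allow_rules(SAMPLE_FLOWS).items()):
        print(f"allow {proto}/{port} to {dst} from {sorted(info['sources'])} "
              f"({info['hits']} hits under TEMP)")
```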
Christian_Holle
Contributor

1. Look in the NSX Web Client to check whether the Collector Node is registered and active under IPFIX.

2. Check your TEMP rule to see whether logging is active. Default is logging off.

3. Look at your rule and take the Rule ID.

4. After you have this information, go to the vCenter Web Client. Then choose a VM which has this firewall rule applied.

5. Then under Monitor/Flow Monitoring you will see the flows. There you will see the allowed and blocked flows.

6. Under allowed flows, you will maybe see a flow which matches your Rule ID.

7. It is even easier to define a block rule and build a Security Group for a VM. Then you will see the match under blocked flows.

The other way: in vRNI you can use the search line and take the VM where the name is like 'VM-NAME'.

Then you will even see, under flows, your rule ID if the rule matches.

m1xed0s
Enthusiast

Thanks!

I do have vRNI added as the IPFIX collector and my TEMP rule is enabled for logging. As a matter of fact, I can filter on the rule ID of TEMP in Log Insight to see the flow, but just not in vRNI...

There are too many VMs in the environment to search by VM-NAME in vRNI. I tried to search by rule ID but got an empty page in vRNI...

karthickvm
VMware Employee

Hello m1xed0s,

To see the applied firewall rules, we need the following items:

1. ESX IPFIX

2. NSX IPFIX

Both should be collected by the same vRNI Collector. If you already have this configuration and are not seeing the rules, kindly open a Support Request with the vRNI support team.

Karthic.
vRNI TPM
m1xed0s
Enthusiast

This gives me the information I am looking for inside VRNI, in case anyone else is searching as well.

flow where firewall ruleid = 2147483656

karthickvm
VMware Employee

Hi,

Please run this query to see the flows which are inspected by an NSX DFW firewall rule.

flows where firewallrule is set

Karthic.
vRNI TPM