Have you created any actual firewall rules?
Yes. There are over 1300 rules in the distributed firewall. I can see that by going to VRNI Entities/Firewall Rules, selecting the NSX Manager of interest and exporting those rules or just noting the count at the top of the results in VRNI. I'm able to see:
Section, Section ID, Sequence ID, Rule ID, Configured Source, Source Any, Configured Destination, Destination Any, Port Range, Display Service, Service Any, Status, Applied To, Action, Logging Enabled, Service
However if I do a flow report in VRNI, say "flow where Security Tag = 'ACME'" - the output in the expanded view for firewall at the bottom is consistently..
If I try to export this data to CSV and search for "firewall" within the properties to export, Firewall Action, Firewall Rule and Firewall ID are displayed. If I export these, Firewall Rule and Firewall ID are blank and Action is always ALLOW. I'm guessing that perhaps this is referencing edge firewall services and not DFW.
Anyhow, I'm puzzled why there appears to be this disconnect?
I think I've found the issue. If the DFW rules are set to log, then a Firewall Rule ID is logged with the flow along with the Firewall Action. But, if the DFW rule is not set to log, then only the action is noted in the flow report and the Firewall Rule ID is blank. That's surprising, since I would think the flow report would just grab all the information about the flow, including the firewall rule ID, regardless of the syslog enable/disable status of the particular DFW rule.
Rule logging should not have anything to do with this.
Are you exporting to CSV?
It works for me when I for example run the following query in vRNI: flow where VM = 'app01'
Then I export the results to CSV and make sure to include the "Firewall Rule" and "Firewall Rule ID" fields.
It could perhaps be because you query on security tag. Security tags are not associated with firewall rules.
I just ran a very simple query: flow where firewall action = 'ALLOW' and Destination IP Address = 220.127.116.11/8
I exported this to CSV and brought into Excel.
For all 20,000 or so results, the Firewall Rule ID is blank but the Firewall Action for each flow is ALLOW.
What does this show you: Flow where firewall action = 'ALLOW' group by firewall rule
Very interesting. So that gave me a two-column report: Firewall ID and Count of Flows. If I clicked into one of the flow counts, then it showed those flows with the Firewall Rule ID and the NSX Manager and the whole shebang.
The query from clicking there is:
firewall action, Bytes, Bytes Rate of Flow where (firewall ruleid='1050') and (firewall action = 'ALLOW')
Based on this I tried firewall action, Bytes, Bytes Rate of Flow where Destination IP Address = 10.10.5.190
And this included a rule ID. But I ran this query with one of the flows that failed to disclose the Rule ID and it still failed to give me a rule ID. Perhaps it is related to how some NSX managers are set up versus others.
I pulled a firewall action, Bytes, Bytes Rate report where flows were limited to specific source and destination NSX Managers. Only one remote NSX manager would reveal the Rule ID for each flow. There must be some switch in DFW or NSX Manager that permits the Rule ID to be reported with the flows?
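A quick way to check that per-manager symptom across a whole CSV export, as an added example that is not from the thread or from vRNI itself: it assumes the export carries the column names shown in the header (Firewall Action, Firewall Rule ID, NSX Manager) and runs over constructed rows.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a vRNI flow CSV export. The column names follow the
# fields named in the thread; the exact header spelling of a real export is
# an assumption, so adjust the keys below if yours differ.
SAMPLE_CSV = """Source IP Address,Destination IP Address,Firewall Action,Firewall Rule,Firewall Rule ID,NSX Manager
10.10.5.20,10.10.5.190,ALLOW,web-to-app,1050,nsxmgr-site-a
10.10.5.21,10.10.5.190,ALLOW,web-to-app,1050,nsxmgr-site-a
10.20.1.5,10.20.1.50,ALLOW,,,nsxmgr-site-b
10.20.1.6,10.20.1.50,ALLOW,,,nsxmgr-site-b
10.30.7.9,10.30.7.10,DROP,,,nsxmgr-site-c
"""


def rule_id_coverage(csv_text):
    """Per NSX Manager: how many exported flows carry a Firewall Rule ID.

    Returns {manager: {"flows": n, "with_rule_id": n, "actions": {action: n}}}.
    A manager whose flows all have an action but an empty rule ID shows the
    symptom discussed in the thread: DFW verdict present, rule attribution missing.
    """
    stats = defaultdict(lambda: {"flows": 0, "with_rule_id": 0, "actions": defaultdict(int)})
    for row in csv.DictReader(io.StringIO(csv_text)):
        mgr = row["NSX Manager"].strip() or "<unknown>"
        entry = stats[mgr]
        entry["flows"] += 1
        if row["Firewall Rule ID"].strip():
            entry["with_rule_id"] += 1
        entry["actions"][row["Firewall Action"].strip().upper()] += 1
    # Freeze the nested defaultdicts into plain dicts for the caller.
    return {m: {"flows": e["flows"], "with_rule_id": e["with_rule_id"],
                "actions": dict(e["actions"])} for m, e in stats.items()}


def managers_missing_rule_ids(csv_text):
    """Sorted names of managers where no exported flow carried a rule ID."""
    return sorted(m for m, e in rule_id_coverage(csv_text).items() if e["with_rule_id"] == 0)


if __name__ == "__main__":
    for mgr, e in rule_id_coverage(SAMPLE_CSV).items():
        print(f"{mgr}: {e['with_rule_id']}/{e['flows']} flows with rule ID, actions={e['actions']}")
    print("managers with no rule IDs:", managers_missing_rule_ids(SAMPLE_CSV))
```

Point it at your real export (`rule_id_coverage(open(path).read())`) to see which managers never attribute a rule before chasing per-rule logging or IPFIX settings.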
In my case this issue was fixed after "Disabling the Data Source IPFIX in vRNI and Re-Enabling it". Verify whether the flow count against the NSX Manager is increasing or showing some number.