I have been extracting numerous flows to plan microsegmentation. When I go to export flows I'm surprised that there is no option to export what DFW rule was hit. There are Firewall Rule, Firewall Rule ID and Firewall Action in the options to include in the export. However, these are blank, blank, ALLOW. I'm not sure what firewall this is.
Is there any way to get a flow report which will tell me what DFW firewall rule was hit? And
for my information - what is the firewall that's offered in the export of the flows?
Thanks!
Have you created any actual firewall rules?
Best regards,
Rutger
Yes. There are over 1300 rules in the distributed firewall. I can see that by going to VRNI Entities/Firewall Rules, selecting the NSX Manager of interest and exporting those rules or just noting the count at the top of the results in VRNI. I'm able to see:
Section | Section ID | Sequence ID | Rule ID | Configured Source | Source Any | Configured Destination | Destination Any | Port Range Display | Service Any | Status | Appliedto | Action | Logging Enabled | Service |
However if I do a flow report in VRNI, say "flow where Security Tag = 'ACME'" - the output in the expanded view for firewall at the bottom is consistently..
If I try to export this data to CSV and search for "firewall" within the properties to export, Firewall Action, Firewall Rule and Firewall ID are displayed. If I export these, Firewall Rule and Firewall ID are blank and Action is always ALLOW. I'm guessing that perhaps this is referencing edge firewall services and not DFW.
Anyhow, I'm puzzled why there appears to be this disconnect?
I think I've found the issue. If the DFW rules are set to log, then a Firewall Rule ID is logged with the flow along with the Firewall Action.
But, if the DFW is not set to log then only the action is noted in the flow report and the Firewall Rule ID is blank. That's surprising since
the flow report I would think would just grab all the information about the flow including the firewall rule ID regardless of the syslog
enable/disable status of the particular DFW rule.
Rule logging should not have anything to do with this.
Are you exporting to CSV?
It works for me when I for example run the following query in vRNI: flow where VM = 'app01'
Then I export the results to CSV and make sure to include the "Firewall Rule" and "Firewall Rule ID" fields.
It could perhaps be because you query on security tag. Security tags are not associated with firewall rules.
I just ran a very simple query: flow where firewall action = 'ALLOW' and Destination IP Address = 52.0.0.0/8
I exported this to CSV and brought into Excel.
For all 20,000 or so results, the Firewall Rule ID is blank but the Firewall Action for each flow is ALLOW.
What does this show you: Flow where firewall action = 'ALLOW' group by firewall rule
Very interesting. So that gave me a two column report Firewall ID and Count of Flows.
If I clicked into one of the flow counts, then it showed those flows with the Firewall Rule
ID and the NSX Manager and the whole shebang.
The query from clicking there is:
firewall action, Bytes, Bytes Rate of Flow where (firewall ruleid='1050') and (firewall action = 'ALLOW')
Based on this I tried firewall action, Bytes, Bytes Rate of Flow where Destination IP Address = 10.10.5.190
And this included a rule ID. But I ran this query with one of the flows that failed to disclose the Rule ID and
it still failed to give me a rule ID. Perhaps it is related to how some NSX managers are set up versus others.
I pulled firewall action, Bytes, Bytes Rate report where flows were limited to specific source and destination
NSX Managers. Only one remote NSX manager would reveal Rule ID for each flow. There must be some
switch in DFW or NSX Manager that permits the Rule ID to be reported on with the flows. ??
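As an added check (not part of the thread and not vRNI's own tooling), the script below reads a vRNI flow CSV export and reports, per NSX Manager, how many flows carry a Firewall Rule ID and how many are blank, so the managers that are not reporting rule IDs stand out before those flows are used for microsegmentation planning. The column names ("Firewall Rule ID", "Firewall Action", "Source NSX Manager") and the sample rows are assumptions constructed here; rename them to match your real export.

```python
import csv
import io
import sys
from collections import defaultdict

# Constructed sample of a vRNI flow export (not real data). Column headers are
# assumed to match the fields discussed in the thread; adjust to your export.
SAMPLE_CSV = """Source IP,Destination IP,Source NSX Manager,Firewall Action,Firewall Rule ID
10.10.5.190,52.1.2.3,nsxmgr-a,ALLOW,1050
10.10.5.191,52.1.2.4,nsxmgr-a,ALLOW,1051
10.20.1.5,52.9.9.9,nsxmgr-b,ALLOW,
10.20.1.6,52.9.9.10,nsxmgr-b,ALLOW,
10.20.1.7,52.9.9.11,nsxmgr-b,DROP,
"""


def rule_id_coverage(csv_text, manager_col="Source NSX Manager",
                     rule_col="Firewall Rule ID", action_col="Firewall Action"):
    """Group exported flows by NSX Manager and count how many carry a rule ID.

    Returns {manager: {"flows": n, "with_rule_id": n, "actions": {action: n}}}.
    A flow whose rule ID cell is empty or whitespace counts as missing.
    """
    stats = defaultdict(lambda: {"flows": 0, "with_rule_id": 0,
                                 "actions": defaultdict(int)})
    for row in csv.DictReader(io.StringIO(csv_text)):
        manager = (row.get(manager_col) or "").strip() or "<unknown>"
        entry = stats[manager]
        entry["flows"] += 1
        if (row.get(rule_col) or "").strip():
            entry["with_rule_id"] += 1
        action = (row.get(action_col) or "").strip() or "<blank>"
        entry["actions"][action] += 1
    # Convert nested defaultdicts to plain dicts for callers.
    return {m: {"flows": v["flows"], "with_rule_id": v["with_rule_id"],
                "actions": dict(v["actions"])} for m, v in stats.items()}


def managers_missing_rule_ids(stats):
    """Managers where at least one exported flow has no Firewall Rule ID."""
    return sorted(m for m, v in stats.items() if v["with_rule_id"] < v["flows"])


def report(csv_text):
    """Print a per-manager summary; flows with a blank rule ID cannot be tied
    to a specific DFW rule and should not be treated as rule-verified."""
    stats = rule_id_coverage(csv_text)
    for manager, v in sorted(stats.items()):
        missing = v["flows"] - v["with_rule_id"]
        print(f"{manager}: {v['flows']} flows, {v['with_rule_id']} with rule ID, "
              f"{missing} blank, actions={v['actions']}")
    gaps = managers_missing_rule_ids(stats)
    if gaps:
        print("Managers not reporting rule IDs for all flows:", ", ".join(gaps))
    return stats


if __name__ == "__main__":
    # Usage: python check_rule_ids.py export.csv   (defaults to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], newline="", encoding="utf-8") as fh:
            report(fh.read())
    else:
        report(SAMPLE_CSV)
```

The grouping key is the source NSX Manager so the output lines up with the observation above that only some managers return a rule ID; if your export also has a destination manager column, run the check once per column.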
Bump.
In my case this issue was fixed after "Disabling the Data Source IPFIX in vRNI and Re-Enabling it". Verify whether the flow count against the NSX Manager is increasing or showing some number.