VMware Networking Community
Thanksgoditsfri
Enthusiast

NSX-V - Identify firewall rule

Hello there,

We have an environment with NSX-V 6.4.6 and are having traffic dropped that we don't know why is dropping on a specific rule.

Log dfw:

2020-08-06T10:54:59.805Z 48800 INET match PASS domain-c8/1225 OUT 48 TCP 10.140.40.41/37308->10.140.40.42/22 S

2020-08-06T10:54:59.806Z 59736 INET match PASS domain-c8/1225 IN 48 TCP 10.140.40.41/37308->10.140.40.42/22 S

Rule id 1225:

Src: any

Dst: LS_management (10.80.80.0/22)

Service: any

VM A needs to establish an SSH connection to VM B and it is dropped by the rule above.

VM A: 10.140.40.41

VM B: 10.140.40.42

The IP addresses of the VMs do not belong to LS_management. Is there any way to know why this kind of traffic is matching on that rule?

Thanks!!

8 Replies
bayupw
Leadership

Your logs are stating match PASS, which means DFW is passing the traffic as per the documentation here: Firewall Logs

If it's dropping the traffic, it should say something like below

2020-08-06T10:54:59.805Z 48800 INET match DROP domain-c8/#### OUT 48 TCP 10.140.40.41/37308->10.140.40.42/22 S

For validating the rule, you can use NSX Central CLI from NSX Manager or vsipioctl from the ESXi host

Check out this blog post for vsipioctl: https://networkinferno.net/validating-distributed-firewall-rulesets-in-nsx

NSX Central CLI will be something like below and you would need to know the ESXi host id, and the filtername

nsx-manager> show dfw host host-id filter nic-###-sfw.2
  addrsets       Show addrsets for the virtual nic filter
  discoveredips  get discovered VM IPs for the virtual nic filter
  filterstats    Show stats for a virtual nic filter
  flows          Show flows for the virtual nic filter
  rule           Show rule for the given rule-id
  rules          Show rules configured on a virtual nic filter
  spoofguard     Show spoofguard info for the virtual nic filter
  stats          Show stats for rules configured on a virtual nic filter

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
Thanksgoditsfri
Enthusiast

Hi,

The previous comment trace shows the policy allowing the traffic. The actual trace when I deny traffic is:

2020-08-06T11:35:59.152Z 48800 INET match DROP domain-c8/1225 OUT 48 TCP 10.140.40.41/37512->10.140.40.42/22 S

2020-08-06T11:36:00.153Z 48800 INET match DROP domain-c8/1225 OUT 48 TCP 10.140.40.41/37512->10.140.40.42/22 S

Thanks.

Lalegre
Virtuoso

I can see that your extract is dropping connections between two VMs in network 10.140.40.x, but in the first post your firewall rule says that traffic is allowed from any source BUT to destination 10.80.80.x.

Is this the only firewall rule you have configured? Because the firewall rule you mentioned above does not match the conditions for allowing the traffic.

Thanksgoditsfri
Enthusiast

Hi,

There are more rules, but the one indicated by the logs is the one that blocks the traffic and the configuration of the rule does not correspond to the blocking of those addresses, so I transfer the query here.

Can I provide you with any more information about the policy configuration to clarify the blockade?

bayupw
Leadership

Do you have access to ESXi SSH or to NSX Manager SSH?

To validate via ESXi SSH: https://networkinferno.net/validating-distributed-firewall-rulesets-in-nsx

Or, using NSX Central CLI, locate the VM: what its name is and in which ESXi host it runs.

For NSX Central CLI, SSH to NSX Manager and do the following:

show dfw cluster all < find the cluster-id
show dfw cluster cluster-id < find the host-id (ESXi Host)
show dfw host host-id < find the vm-id
show dfw vm vm-id < find the filter
show dfw host host-id filter nic-###-sfw.2 rules
show dfw host host-id filter nic-###-sfw.2 addrsets

Thanksgoditsfri
Enthusiast

Hi Bayu Wibowo

With your commands, I have verified that the IP of one of the machines (VM-B) appeared in the virtualwire list, and that is why it applied the firewall rule, blocking the traffic:

addrset ip-virtualwire-37 {
# generation number: 1597225414140
# realization time : 2020-08-12T09:43:39
...
ip 10.80.82.16,
ip 10.80.82.201,
ip 10.80.82.202,
ip 10.40.40.49,
ip 10.40.40.42,
}

If I look for the virtual machine on the distributed switch, it does not appear.

How can I remove the two IPs marked in red in the virtualwire/distributed port group?

Thank you for all

Regards

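To reason about the two artifacts this thread works with (the DFW log lines from the first reply and the realized addrset from the post above), here is an added helper, not part of the thread or of NSX itself. It parses both, then reports whether a logged hit on a rule is explained by the rule's configured destination CIDR or only by an IP that appears in the realized addrset; the sample log lines and addrset below are constructed from the values in this thread.

```python
import ipaddress
import re

# Constructed sample lines in the NSX-V DFW log format shown in this thread.
DFW_LOG = """\
2020-08-06T10:54:59.805Z 48800 INET match PASS domain-c8/1225 OUT 48 TCP 10.140.40.41/37308->10.140.40.42/22 S
2020-08-06T11:35:59.152Z 48800 INET match DROP domain-c8/1225 OUT 48 TCP 10.140.40.41/37512->10.140.40.42/22 S
"""

# Constructed excerpt of 'show dfw host ... addrsets' output (VM B's IP realized in the set).
ADDRSET = """\
addrset ip-virtualwire-37 {
# generation number: 1597225414140
ip 10.80.82.16,
ip 10.140.40.42,
}
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ INET match (?P<action>PASS|DROP) (?P<domain>[^/]+)/(?P<rule>\d+) "
    r"(?P<dir>IN|OUT) \d+ (?P<proto>\S+) (?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def parse_dfw_log(text):
    """Return one dict (timestamp, action, rule id, direction, src/dst) per parseable log line."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]

def parse_addrset(text):
    """Map addrset name -> set of realized IP strings, skipping '#' comment lines."""
    sets, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("addrset "):
            current = line.split()[1]
            sets[current] = set()
        elif line.startswith("ip ") and current:
            sets[current].add(line[3:].rstrip(","))
    return sets

def explain_match(entry, configured_cidr, realized_ips):
    """'configured' if dst is inside the rule's CIDR, 'addrset-only' if it is
    present only in the realized addrset (the situation in this thread), else 'unexplained'."""
    dst = ipaddress.ip_address(entry["dst"])
    if dst in ipaddress.ip_network(configured_cidr):
        return "configured"
    if entry["dst"] in realized_ips:
        return "addrset-only"
    return "unexplained"
```

Running explain_match over the DROP line with the rule's configured destination 10.80.80.0/22 classifies it as addrset-only, i.e. the hit comes from the realized object rather than from the subnet shown in the rule.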
bayupw
Leadership

Is ip-virtualwire-37 the Logical Switch LS_management?

Do you have those IPs connected to the LS_Management?

If not, I'm not sure if that's expected or a bug.

I've tested in a lab: one VM has two IPs, 10.80.80.x and 10.40.40.x, on different vNICs.

The Logical Switch object only retrieves the IP addresses that are connected to the LS.

As an alternative, you can use different objects, e.g. a Security Group or an IPSet 10.40.40.x/y

Thanksgoditsfri
Enthusiast

Hi Bayu Wibowo

We have solved the blocking of the traffic through an IPSet, as you told us from the beginning, and by creating a rule explicitly, but we are going to take the case to support so that we can solve the problem, since we do not have the machines connected to this distributed switch.

We will try to include the support actions in this same forum so that you have the answer that they have given us.

Thanks for everything
