Hi All,
I am new to NSX and wondered if there was a way to clear the connections table on NSX to force client connections to reconnect through the DFW? You can do this on the Cisco ASA by issuing a clear connections command, does something similar exist on NSX?
Thanks
For doing this you should use Application Rule Manager from inside NSX and let the VMs do their normal function.
After that you can select which rules you want and delete the ones you don't.
Hey garethholder,
Every time you create a new DFW rule it pushes it directly to the ESXi, so if you want to start applying traffic segmentation you can do it immediately without the necessity of cleaning the VTEP table, which could cause you connectivity issues.
Are you referring to DFW rules? We have session timers (Create a Session Timer); those are global values which will have a direct impact on the sessions. What are we trying to achieve?
Hi,
Thanks for the replies. NSX is set to pass all traffic and I am outputting default any any rule logs to a syslog server. I am creating rules as I see the access on the syslog server and disabling logging for the newly created rules so I only capture what I need to create rules for. Traffic to our PLCs is in the connections/state table and I don't see log entries for them once connected. I would like to clear the connections table down if possible on the next production stop to force them to reconnect so I can see if I have missed any rules. Hope this makes sense.
Thanks
This will be a tedious job. You should try vRNI for such use cases (Recommended Firewall Rules).
Hi Gareth,
If you are referring to the flows in DFW session, you can clear them by adding VM(s) to Exclusion List, then remove it.
Adding VM(s) to the Exclusion List will remove the VM(s) from DFW, which would clear the connection.
Refer to this KB:
What syslog server do you use?
With NSX, you are entitled to use vRealize Log Insight (vRLI)
If you prefer to use vRLI as opposed to vRNI to create rules, you can group the logs based on unique source/dest/protocol/port.
See this blog post on how to do that: https://www.sneaku.com/2017/05/05/log-insight-nsx-v-dfw/
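An added example, not from this thread or from VMware, of the grouping described above (unique source/destination/protocol/port over the default-rule syslog output): the sample lines and the dfwpktlogs field layout that the regex assumes are constructed for illustration, so adjust the pattern to what your ESXi hosts actually emit.

```python
import re
from collections import Counter

# Constructed sample lines in the style of NSX-v DFW packet logs (dfwpktlogs).
# The exact field layout is an assumption; check it against your own syslog feed.
SAMPLE_LOGS = """\
2017-05-05T10:00:01Z esx01 dfwpktlogs: 1a2b3c INET match PASS domain-c7/1001 IN 60 TCP 10.10.1.20/50212->10.20.5.7/502 S
2017-05-05T10:00:02Z esx01 dfwpktlogs: 1a2b3d INET match PASS domain-c7/1001 IN 60 TCP 10.10.1.20/50213->10.20.5.7/502 S
2017-05-05T10:00:03Z esx02 dfwpktlogs: 1a2b3e INET match PASS domain-c7/1001 OUT 78 UDP 10.10.1.21/49100->10.20.5.8/161
2017-05-05T10:00:04Z esx02 dfwpktlogs: 1a2b3f INET match PASS domain-c7/1001 IN 60 TCP 10.10.1.22/51000->10.20.5.7/44818 S
2017-05-05T10:00:05Z esx02 dfwpktlogs: 1a2b40 INET match PASS domain-c7/1001 IN 60 TCP 10.10.1.22/51001->10.20.5.7/44818 S
"""

# Pulls action, matched rule id, direction, protocol and the src/dst endpoints.
FLOW_RE = re.compile(
    r"match\s+(?P<action>\w+)\s+(?P<rule>\S+)\s+(?P<dir>IN|OUT)\s+\d+\s+"
    r"(?P<proto>TCP|UDP|ICMP)\s+"
    r"(?P<src>[\d.]+)(?:/(?P<sport>\d+))?->(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)


def summarize_flows(log_text, rule=None):
    """Count unique (src, dst, proto, dport) tuples in DFW packet logs.
    Source ports are ephemeral and are dropped. If `rule` is given, only lines
    matched by that rule id (e.g. the logged default any/any rule) are counted,
    so already-covered traffic does not pollute the candidate list."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue  # not a packet-log line in the expected layout
        if rule and m.group("rule") != rule:
            continue
        key = (m.group("src"), m.group("dst"), m.group("proto"), m.group("dport") or "-")
        counts[key] += 1
    return dict(counts)


def suggested_rules(log_text, rule=None):
    """One candidate allow-rule line per unique flow, most frequent first."""
    rows = sorted(summarize_flows(log_text, rule).items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"{src} -> {dst} {proto}/{dport} ({n} hits)" for (src, dst, proto, dport), n in rows]


if __name__ == "__main__":
    for row in suggested_rules(SAMPLE_LOGS, rule="domain-c7/1001"):
        print(row)
```

Only new connections get logged, which is why long-lived PLC sessions already in the state table never show up here; that is the gap the exclusion-list trick above is meant to close.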