Hello guys, I have a NSX lab which we use to show both NSX capabilities as well as the VMs included in it (which are security vendors' virtual appliances)
So we have the following scenario:
On the bottom-left, we have Security vendor#1, with subnet 10.1.10.0 /24.
IP address: .4, .5 and .6 are the Virtual Appliances for that vendor and IP address .99 is a W7 PC for tests.
On the bottom-right, we have security vendor#2, with subnet 10.1.20.0/24
IP address .99 is a web server.
Now, we have a couple of rules deployed in the NSX's Distributed Firewall as follows:
| # Rule | Name | source | destination | service | action | applied to |
|---|---|---|---|---|---|---|
| 1 | block test1 | vDS1 | vDS2 | HTTP | block | Distributed FW |
| 2 | block test 2 | vDS2 | vDS1 | any | block | Distributed FW |
Rule #1 works fine, we test connection through port 80 from 10.1.10.99 to 10.1.20.99 it's been blocked. Nothing odd there.
Rule #2 it's a little bit off, when I test communication from 10.1.20.99 (windows web server) to 10.1.10.99 (PC test), the rule works. It blocks pings, ftp connections, etc.
If test communication from 10.1.20.99 to 10.1.10.4-5-6 the rule doesn't work. The communication is allowed.
Any idea why is this happening?
Is there any requisite this VMs need to have in order for the distributed firewall works correctly?
Accepted Solutions
Hello
Is VMware tools installed on all VMs?
Could you check in the NSX SpoofGuard and see if the IP addresses detected for VM .4, .5, and .6?
Check with Traceflow or Application Rule Manager (if you are using NSX 6.3) and see which firewall rule is used for the particular traffic.
DFW uses VMware tools to associate a VM and its vNICs with IP Addresses, if VMware tools was not installed on a VM, its IP address was not learned.
If for some reason you cannot install VMware Tools, with NSX 6.2 you can use DHCP or ARP snooping on IP Discovery for Virtual Machine
You can also check my blog post here see: Troubleshoot NSX DFW (Distributed Firewall) dropping or blocking traffic
Bayu thank you very much for taking the time to respond so quickly.
I was reading all the info you provide. We have NSX 6.2 and you are correct, the vmware tools can't be installed in those VM (already check vendor documentation)
Cheking the spoofGuard section I don't see those VMs listed. Only those with vmware tools instaled shows up.
Now, I was trying the last option in your post "DHCP or ARP snooping" but I do not have the "action" button in the "installation" -> "host preparation" tab.
I have to add, that this is a NSX eval license, but even though I think that option should be available.
What do you think?