Hello guys, I have an NSX lab which we use to show both NSX capabilities and the VMs included in it (which are security vendors' virtual appliances).
So we have the following scenario:
On the bottom-left, we have security vendor #1, with subnet 10.1.10.0/24.
IP addresses .4, .5 and .6 are the virtual appliances for that vendor, and IP address .99 is a W7 PC for tests.
On the bottom-right, we have security vendor #2, with subnet 10.1.20.0/24.
IP address .99 is a web server.
Now, we have a couple of rules deployed in the NSX's Distributed Firewall as follows:
# Rule | Name | source | destination | service | action | applied to |
---|---|---|---|---|---|---|
1 | block test1 | vDS1 | vDS2 | HTTP | block | Distributed FW |
2 | block test 2 | vDS2 | vDS1 | any | block | Distributed FW |
Rule #1 works fine: when we test a connection through port 80 from 10.1.10.99 to 10.1.20.99, it is blocked. Nothing odd there.
Rule #2 is a little bit off: when I test communication from 10.1.20.99 (Windows web server) to 10.1.10.99 (test PC), the rule works. It blocks pings, FTP connections, etc.
If I test communication from 10.1.20.99 to 10.1.10.4, .5 or .6, the rule doesn't work. The communication is allowed.
Any idea why this is happening?
Is there any requirement these VMs need to meet in order for the distributed firewall to work correctly?
I can see that you are on NSX 6.1.x, in that case you would need to manually approve the IP under SpoofGuard.
The steps would be:
1. Navigate to SpoofGuard menu in the left pane
2. Add new policy, type the policy name, select enable SpoofGuard, select Manually inspect and approve IP > select the vDS PortGroup > Publish Changes
3. Select the new SpoofGuard policy, under View select inactive Virtual NICs, click the pencil icon under Approved IP > Add approved IP address for each VM, one per VM > Publish Changes
The DFW rules should work now.
Please note that NSX 6.1.x is end of support: End of General Support: VMware NSX for vSphere 6.1.x (2144769) | VMware KB
Hello
Is VMware tools installed on all VMs?
Could you check in NSX SpoofGuard and see if the IP addresses are detected for VMs .4, .5 and .6?
Check with Traceflow or Application Rule Manager (if you are using NSX 6.3) and see which firewall rule is used for the particular traffic.
DFW uses VMware Tools to associate a VM and its vNICs with IP addresses; if VMware Tools is not installed on a VM, its IP address is not learned.
If for some reason you cannot install VMware Tools, with NSX 6.2 you can use DHCP or ARP snooping (IP Discovery for Virtual Machines).
You can also check my blog post here: Troubleshoot NSX DFW (Distributed Firewall) dropping or blocking traffic
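The point made in the two answers above (the DFW matches object-based rules on the IP addresses it has learned for each vNIC, and a VM with no VMware Tools, no SpoofGuard-approved IP and no snooped IP is simply invisible to such a rule) can be reproduced offline. The following is an added example, not VMware's code and not the poster's: it is a simplified model of that translation step, with VM names, addresses and rule ids constructed to mirror the lab in the question, and with the default rule assumed to be allow. It also models step 3 of the SpoofGuard procedure (one approved IP per VM) to show why that approval makes rule #2 start matching .4, .5 and .6.

```python
"""Simplified model of object-based NSX DFW rule matching.

Added example, not VMware's code: it assumes (as the thread describes) that
the DFW translates a port group such as vDS1 into the set of IP addresses it
has learned for the vNICs in it, and that a VM whose address was never
learned (no VMware Tools, no SpoofGuard-approved IP, no DHCP/ARP snooping)
never matches an IP-based rule.  All VM names, addresses and rule ids are
constructed to mirror the lab in the question.
"""
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    portgroup: str
    wire_ip: str                    # the address the VM really sends from
    tools_installed: bool = False
    approved_ips: set = field(default_factory=set)   # SpoofGuard approvals
    snooped_ips: set = field(default_factory=set)    # DHCP/ARP snooping (6.2+)

    def learned_ips(self):
        """Addresses the DFW can bind to this vNIC in the model."""
        ips = set(self.approved_ips) | set(self.snooped_ips)
        if self.tools_installed:
            ips.add(self.wire_ip)
        return ips


@dataclass
class Rule:
    rid: int
    name: str
    source: str        # port group name or "any"
    destination: str   # port group name or "any"
    service: str       # "any" or a service name such as "HTTP"
    action: str        # "block" or "allow"


def translate(obj, inventory):
    """Resolve a port group to the learned IPs of its members; None means any."""
    if obj == "any":
        return None
    return {ip for vm in inventory if vm.portgroup == obj for ip in vm.learned_ips()}


def matches(rule, inventory, src_ip, dst_ip, service):
    src = translate(rule.source, inventory)
    dst = translate(rule.destination, inventory)
    if src is not None and src_ip not in src:
        return False
    if dst is not None and dst_ip not in dst:
        return False
    return rule.service in ("any", service)


def evaluate(rules, inventory, src_ip, dst_ip, service):
    """First-match evaluation; the lab's default rule is assumed to be allow."""
    for rule in rules:
        if matches(rule, inventory, src_ip, dst_ip, service):
            return rule.action, rule.rid
    return "allow", None


def unlearned_vms(inventory):
    """VMs the DFW has no address for: the ones SpoofGuard lists as inactive vNICs."""
    return sorted(vm.name for vm in inventory if not vm.learned_ips())


def approve_in_spoofguard(inventory, portgroup, approvals):
    """Model step 3 of the SpoofGuard fix: one approved IP per VM on the port group."""
    for vm in inventory:
        if vm.portgroup == portgroup and vm.name in approvals:
            vm.approved_ips.add(approvals[vm.name])
    return inventory


def lab_inventory():
    # Constructed to mirror the lab: vendor #1 appliances cannot run VMware Tools.
    return [
        VM("vendor1-appliance-a", "vDS1", "10.1.10.4"),
        VM("vendor1-appliance-b", "vDS1", "10.1.10.5"),
        VM("vendor1-appliance-c", "vDS1", "10.1.10.6"),
        VM("win7-test-pc", "vDS1", "10.1.10.99", tools_installed=True),
        VM("vendor2-webserver", "vDS2", "10.1.20.99", tools_installed=True),
    ]


def lab_rules():
    return [
        Rule(1, "block test1", "vDS1", "vDS2", "HTTP", "block"),
        Rule(2, "block test 2", "vDS2", "vDS1", "any", "block"),
    ]


if __name__ == "__main__":
    inv, rules = lab_inventory(), lab_rules()
    print("unlearned before fix:", unlearned_vms(inv))
    for dst in ("10.1.10.99", "10.1.10.4"):
        print("10.1.20.99 ->", dst, evaluate(rules, inv, "10.1.20.99", dst, "ICMP"))
    approve_in_spoofguard(inv, "vDS1", {
        "vendor1-appliance-a": "10.1.10.4",
        "vendor1-appliance-b": "10.1.10.5",
        "vendor1-appliance-c": "10.1.10.6",
    })
    print("unlearned after fix:", unlearned_vms(inv))
    print("10.1.20.99 -> 10.1.10.4", evaluate(rules, inv, "10.1.20.99", "10.1.10.4", "ICMP"))
```

Before the approval, `unlearned_vms` returns exactly the three appliances, which is the same symptom as seeing only the Tools-equipped VMs in the SpoofGuard view, and traffic to 10.1.10.4 falls through to the default rule. After the approval the address set of vDS1 contains .4, .5 and .6 and rule #2 matches. The practical check this suggests is to compare the list of VMs you expect a port-group-based rule to cover against the addresses the DFW has actually learned, rather than against the vSphere inventory.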
Bayu thank you very much for taking the time to respond so quickly.
I was reading all the info you provided. We have NSX 6.2 and you are correct, VMware Tools can't be installed on those VMs (I already checked the vendor documentation).
Checking the SpoofGuard section I don't see those VMs listed. Only those with VMware Tools installed show up.
Now, I was trying the last option in your post, "DHCP or ARP snooping", but I do not have the "Action" button in the Installation -> Host Preparation tab.
I have to add that this is an NSX eval license, but even so I think that option should be available.
What do you think?
Bayu,
I created a SpoofGuard rule by manually adding the IPs included in that segment (vDS1).
The rule now is working like it should.
If you have any info on why the "Action" button doesn't appear in the Host Preparation section, please let me know.
Thanks again for the guidance.
DHCP & ARP Snooping for IP Discovery is available starting with NSX 6.2. From your screenshot you are on NSX 6.1.x, so the only workaround would be using SpoofGuard.
Regarding the "Action" button, try to right-click the cluster or the ESXi host in the Installation > Host Preparation menu.
IP Discovery for Virtual Machines
In NSX 6.2 you can configure clusters to detect virtual machine IP addresses with DHCP snooping, ARP snooping, or both.