VMware Networking Community
Perttu
Enthusiast

FQDN-based DFW rules don't apply with REJECT action. NSX-T 3.1.1

Hi, 

It seems that FQDN-based rules don't take effect if the action is REJECT. If the action is DROP, the rules seem to work. Is this a bug or a feature? Hosts are ESXi 6.5.

In the documentation it states that:

Note: ESXi and KVM hosts are supported. ESXi supports droplisting action for URL rules. KVM supports the allowlisting feature.

It hints that this is a feature? Really?

https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/administration/GUID-63262728-CA72-47D2-8E4F-...

mauricioamorim
VMware Employee

I have tried it here and it works fine. Make sure the FQDN is getting correctly translated to an IP address in the DFW dataplane. Also enable logging for the rule to see if it is correctly matching the desired rule.


Useful commands on the ESXi host running the VM you are using to test:


summarize-dvfilter | grep -A 2 VM_NAME

This will give you the filter name that should look something like nic-xxxxx-ethx-vmware-sfw.2


With this you can check the rules applied to the VM's filter with:

vsipioctl getfwconfig -f nic-xxxxx-ethx-vmware-sfw.2

vsipioctl getfqdnentries -f nic-xxxxx-ethx-vmware-sfw.2


And check logs at /var/log/dfwpktlogs.log

A good way to see if your test is not matching the right rule is to log all FQDN rules you are testing and, under those, create a permit-any rule for that test VM. This way, if the traffic does not match the reject rule, it should probably log in the permit rule.


The most probable reason for an FQDN rule not working is that DNS snooping did not find out the IP address of that FQDN. This usually happens if the host caches the DNS entry and thus there is nothing to snoop. It is good to flush the DNS cache to make sure that all DNS requests can be snooped and the firewall can learn the IPs for each FQDN.
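
Added example, not part of the reply above and not VMware tooling: a few POSIX sh helpers around the checks it describes, so the output of summarize-dvfilter and /var/log/dfwpktlogs.log can be searched rather than read by eye. The summarize-dvfilter layout ("world <id> vmm0:<vm> ..." followed by an indented "name: nic-...-vmware-sfw.N" line) and the dfwpktlogs field order (timestamp, world id, INET, match, ACTION, RULE-ID, direction, length, protocol, src->dst, flags) are assumptions reproduced from ESXi 6.x / NSX-T 3.x hosts and should be checked against your own; the SAMPLE_* inputs are constructed so the helpers can be exercised off-host.

```shell
#!/bin/sh
# Added example (not from the thread, not VMware code). Helpers for the DFW
# FQDN-rule checks described in the reply above.
# ASSUMPTIONS: summarize-dvfilter and dfwpktlogs.log layouts as noted in the
# lead-in; SAMPLE_DVFILTER and SAMPLE_LOG are constructed inputs.

SAMPLE_DVFILTER=$(cat <<'EOF'
world 70150 vmm0:testvm vcUuid:"50 2b 1c 4f"
 port 50331659 testvm.eth0
  vNic slot 2
   name: nic-70150-eth0-vmware-sfw.2
   agentName: vmware-sfw
   state: IOChain Attached
world 70160 vmm0:other vcUuid:"50 2b 1c 50"
 port 50331660 other.eth0
  vNic slot 2
   name: nic-70160-eth0-vmware-sfw.2
   agentName: vmware-sfw
EOF
)

SAMPLE_LOG=$(cat <<'EOF'
2021-02-03T15:40:12.123Z 70150 INET match REJECT 1034 OUT 60 TCP 10.0.0.5/49152->142.250.74.110/443 S
2021-02-03T15:40:13.456Z 70150 INET match REJECT 1034 OUT 60 TCP 10.0.0.5/49153->142.250.74.110/443 S
2021-02-03T15:40:20.789Z 70150 INET match PASS 1040 OUT 60 TCP 10.0.0.5/49154->142.250.74.110/80 S
2021-02-03T15:40:25.000Z 70150 INET match PASS 1040 OUT 60 TCP 10.0.0.5/49155->93.184.216.34/443 S
EOF
)

# dfw_filter_for_vm VMNAME   (summarize-dvfilter output on stdin)
# Prints the vmware-sfw filter name of the first vNIC of that VM, i.e. the
# "nic-xxxxx-ethx-vmware-sfw.N" value needed for the vsipioctl calls.
dfw_filter_for_vm() {
  awk -v vm="$1" '
    /^world / { invm = ($3 == ("vmm0:" vm)) }
    invm && /name: .*-vmware-sfw\./ { sub(/.*name: /, ""); print; exit }
  '
}

# dfw_rules_for_dst DST-IP   (dfwpktlogs.log on stdin)
# Prints "ACTION RULE-ID COUNT" for every logged rule that saw traffic to that
# destination. With the FQDN rules logged and a logged permit-any beneath
# them, hits on the permit-any rule mean the FQDN rule did not match the
# address the client actually connected to.
dfw_rules_for_dst() {
  awk -v dst="$1" '
    $4 == "match" {
      split($10, ep, "->"); split(ep[2], d, "/")
      if (d[1] == dst) hits[$5 " " $6]++
    }
    END { for (k in hits) print k, hits[k] }
  ' | sort
}

# dfw_dump_filter FILTER -- the two vsipioctl calls from the reply, for use
# on the ESXi host itself (vsipioctl does not exist off-host, so nothing here
# calls this function automatically).
dfw_dump_filter() {
  vsipioctl getfwconfig -f "$1"
  vsipioctl getfqdnentries -f "$1"
}
```

On the host this reads as `f=$(summarize-dvfilter | dfw_filter_for_vm testvm); dfw_dump_filter "$f"; dfw_rules_for_dst 142.250.74.110 < /var/log/dfwpktlogs.log`. Off-host, `printf '%s\n' "$SAMPLE_LOG" | dfw_rules_for_dst 142.250.74.110` shows two REJECT hits on rule 1034 and one PASS hit on rule 1040 for the constructed sample, which is the pattern that would indicate the FQDN rule caught port 443 but not port 80 traffic to that address.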

Perttu
Enthusiast

Thanks for these excellent commands. I've probably missed, in my experiments, the fact that youtube.com doesn't match .*\.youtube\.com, and typed www.youtube.com while the rule was in DROP mode and youtube.com while it was in REJECT mode. Apparently the rule didn't catch the latter. It seems to work now and I cannot come to any other conclusion.

container ad6f388d-140c-4159-b3d2-8fb60600cbce {
# generation number: 29148
# realization time : 2021-02-03T15:33:19
FQDN : youtu\.be(544fb25f-c321-8157-f3ba-71d99ea14091),
FQDN : .*\.youtube\.com(c4456e71-61d4-ecf4-bb63-f5461c8ed09f),
}
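
Added example, not part of the post above and not VMware code: a check of which patterns in a container listing like the one posted actually match a given hostname, which makes the www.youtube.com versus youtube.com difference visible before testing against the firewall. The container text is the one from the post; treating each FQDN pattern as an anchored, case-insensitive extended regex is an assumption about how the DFW evaluates them.

```shell
#!/bin/sh
# Added example (not from the thread, not VMware code). Extracts the FQDN
# patterns from a getfqdnentries-style container listing and reports which
# of them match a hostname.
# ASSUMPTION: patterns are evaluated as anchored, case-insensitive EREs.

# Container listing as posted in the thread.
FQDN_CONTAINER=$(cat <<'EOF'
container ad6f388d-140c-4159-b3d2-8fb60600cbce {
# generation number: 29148
# realization time : 2021-02-03T15:33:19
FQDN : youtu\.be(544fb25f-c321-8157-f3ba-71d99ea14091),
FQDN : .*\.youtube\.com(c4456e71-61d4-ecf4-bb63-f5461c8ed09f),
}
EOF
)

# fqdn_patterns   (container listing on stdin)
# Prints each FQDN pattern, one per line, without the trailing object UUID.
fqdn_patterns() {
  sed -n 's/^FQDN : \(.*\)(.*),$/\1/p'
}

# fqdn_matching_patterns HOSTNAME   (container listing on stdin)
# Prints every pattern that matches the whole hostname; prints nothing if
# none do, which is the case the thread ran into with plain youtube.com.
fqdn_matching_patterns() {
  host="$1"
  fqdn_patterns | while IFS= read -r pat; do
    if printf '%s\n' "$host" | grep -Eiq "^($pat)$"; then
      printf '%s\n' "$pat"
    fi
  done
}
```

For example, `printf '%s\n' "$FQDN_CONTAINER" | fqdn_matching_patterns youtube.com` prints nothing, while the same call with www.youtube.com prints `.*\.youtube\.com`; on a host the listing would come from `vsipioctl getfqdnentries -f <filter>` instead of the embedded text.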

