VMware Networking Community
vmmedmed
Enthusiast

Find the host in the many firewalls

In NSX/Networking & Security/Firewall we have perhaps 20 different firewalls setup each with a number of rules.

I want to be able to quickly search for a VM or IP address and find out which firewall/s is referring to this specific host.

By the same token I would like to be able to go to NSX/Networking & Security/NSX Edges and search all edges for existence of a particular VM or IP address.

Any advice on how to go about these searches? Thank you.

5 Replies
bayupw
Leadership

Could you explain on what are you referring to when you talk about host? ESXi host or Guest VM or something else?

If you are using Security Composer, you will have visibility on which Security Policy is applied on a specific VM or the other way around which VMs get which Security Policy.

For the edge, are you trying to identify which edge is a particular VM connected to?

Are you looking for solution through the vSphere Web Client UI or it can be anything (REST API, PowerNSX, etc)?

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
rajeevsrikant
Expert

I am not sure if I understood your question clearly.

If you are looking for searching which firewall policy is applied to a particular VM, just use the filter option as shown in the attached screenshot.

Select the VM for which you are looking for the firewall policies & search it. It will show you all the firewall policies applied.

vmmedmed
Enthusiast

For host - I am referring to either the IP address of a particular guest VM or the name of a specific VM. If I could search also by name of a virtual server or pool - bonus points.

When I go to NSX edge I want to find the same - a particular IP address of a guest VM, VM guest name, virtual server or pool.

The issue is that a ticket comes in requesting a tweak to a certain load balancer configuration or firewall. They may send me a host name or virtual server name. I end up hunting through several NSX Edge/Load Balancer configs or firewall sets manually to try and hunt down where I should be aiming my efforts. There's surely a better way. 🙂

rajeevsrikant
Expert

Sorry, didn't see the reply from bayupw.

bayupw
Leadership

You can probably use REST API / vRO workflow to take input of IP address then search across all Edge/Firewall and return you the Edge name.

Or maybe write a function based on PowerNSX NSX Edge Load Balancer and Get-NsxEdge | Get-NsxLoadBalancer and find a value such as IP address and return you the Edge name/Edge-ID.

I don't think this feature is available out of the box.

Try to use traceroute for finding NSX Edge and Traceflow to find DFW rule

Unfortunately Traceflow cannot have an NSX Edge in the path between Source and Destination VMs

VMware Documentation Library - Use Traceflow for Troubleshooting

ttp://networkinferno.net/whats-new-in-nsx-6-2-traceflow

[Attached screenshots: traceflow1.png, traceflow2.png]

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
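The REST-based approach bayupw describes above, worked through as an added example (this is not code from the thread, from PowerNSX or from VMware). It assumes the NSX-v 6.x Manager API endpoints GET /api/4.0/firewall/globalroot-0/config, GET /api/4.0/edges and GET /api/4.0/edges/{edgeId}, and the XML layout those return as I know it (section/rule for the DFW, features/loadBalancer/pool/member and virtualServer for an edge); the two sample documents embedded below are constructed for the example, and the NSX Manager hostname and credentials in the fetch helper are placeholders. Matching is exact and case-insensitive on element text and attributes, so a search for 10.0.1.2 does not light up every 10.0.1.2x host.

```python
"""Find which DFW rules and which NSX Edge objects reference an IP address or VM name."""
import base64
import urllib.request
import xml.etree.ElementTree as ET

# Edge elements whose <name> child gives a readable context for a match (assumed schema).
CONTEXT_TAGS = ("pool", "member", "virtualServer", "firewallRule", "natRule")

# Constructed sample of GET /api/4.0/firewall/globalroot-0/config (not real data).
SAMPLE_DFW = """<firewallConfiguration>
 <layer3Sections>
  <section id="1001" name="Web Tier">
   <rule id="1005" disabled="false" logged="true">
    <name>Allow web in</name><action>allow</action>
    <destinations excluded="false"><destination>
     <type>Ipv4Address</type><value>10.0.1.25</value></destination></destinations>
   </rule>
   <rule id="1006" disabled="false" logged="true">
    <name>App to DB</name><action>allow</action>
    <sources excluded="false"><source><type>VirtualMachine</type>
     <name>app01</name><value>vm-42</value></source></sources>
   </rule>
  </section>
 </layer3Sections>
</firewallConfiguration>"""

# Constructed sample of GET /api/4.0/edges/edge-1 (not real data).
SAMPLE_EDGE = """<edge>
 <id>edge-1</id><name>lb-prod</name>
 <features><loadBalancer>
  <pool><poolId>pool-1</poolId><name>web-pool</name>
   <member><memberId>member-1</memberId><name>web01</name><ipAddress>10.0.1.25</ipAddress></member>
  </pool>
  <virtualServer><virtualServerId>vs-1</virtualServerId><name>web-vip</name>
   <ipAddress>10.0.1.100</ipAddress><defaultPoolId>pool-1</defaultPoolId></virtualServer>
 </loadBalancer></features>
</edge>"""


def _matches(elem, needle):
    """Exact, case-insensitive match against an element's own text or any attribute."""
    n = needle.strip().lower()
    if elem.text and elem.text.strip().lower() == n:
        return True
    return any(v.strip().lower() == n for v in elem.attrib.values())


def _contains(elem, needle):
    """True if the element or any descendant matches."""
    return any(_matches(e, needle) for e in elem.iter())


def search_dfw(config_xml, needle):
    """One description per DFW rule (in any L2/L3 section) that references needle."""
    root = ET.fromstring(config_xml)
    hits = []
    for section in root.iter("section"):
        for rule in section.findall("rule"):
            if _contains(rule, needle):
                hits.append(f"DFW section '{section.get('name')}' (id {section.get('id')}) "
                            f"rule '{rule.findtext('name')}' (id {rule.get('id')})")
    return hits


def search_edge(edge_xml, needle):
    """One description per matching element in an edge, labelled with the edge and
    the chain of named LB / firewall / NAT objects it sits in."""
    root = ET.fromstring(edge_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    label = f"edge {root.findtext('id')} '{root.findtext('name')}'"
    hits = []
    for elem in root.iter():
        if not _matches(elem, needle):
            continue
        context, node = [], elem
        while node is not None:                      # walk up to collect named ancestors
            if node.tag in CONTEXT_TAGS:
                context.append(f"{node.tag} '{node.findtext('name')}'")
            node = parents.get(node)
        hits.append(f"{label}: {' in '.join(context) or root.tag} (<{elem.tag}>)")
    return hits


def find_references(needle, dfw_xml, edge_xmls):
    """Combine DFW hits with hits from every edge config document supplied."""
    hits = search_dfw(dfw_xml, needle)
    for edge_xml in edge_xmls:
        hits.extend(search_edge(edge_xml, needle))
    return hits


# Live fetch against NSX Manager (assumed endpoints, HTTP basic auth; not exercised here).
def _get(manager, user, password, path):
    req = urllib.request.Request(f"https://{manager}{path}")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


def fetch_all(manager, user, password):
    """Return (dfw_config_xml, [edge_config_xml, ...]) for every edge the Manager lists."""
    dfw = _get(manager, user, password, "/api/4.0/firewall/globalroot-0/config")
    listing = ET.fromstring(_get(manager, user, password, "/api/4.0/edges"))
    edge_ids = [s.findtext("objectId") for s in listing.iter("edgeSummary")]
    return dfw, [_get(manager, user, password, f"/api/4.0/edges/{e}") for e in edge_ids]


if __name__ == "__main__":
    # Offline run over the constructed samples; swap in fetch_all("nsxmgr.example", "admin", "PLACEHOLDER").
    for line in find_references("10.0.1.25", SAMPLE_DFW, [SAMPLE_EDGE]):
        print(line)
```

A ticket that only names the virtual server or the VM works the same way, since the match is applied to every text node (pool member names, VIP names and the VirtualMachine entries inside DFW rule sources and destinations). The fetch helper relies on Python trusting the NSX Manager certificate; point it at your CA bundle rather than disabling verification, and use a read-only account, since this workflow never needs write access.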