SivaMa
Contributor

How to check packet is blocked by DFW


In the above topology the vPOD router is the physical network. Is there a way in NSX to check whether the packet is received or not at each hop?

For example, an administrator wants to access app01 on port 4360. How do I verify whether the port is blocked or allowed on the firewall? Instead of checking the config, is there an operational method to verify, like packet tracer on a Cisco ASA firewall?

To put it simply: the administrator says "I am not able to access app01 on port 4360", but we have allowed the port on the firewall. Now how do we prove that the firewall is allowing traffic for app01 on 4360? Is there anything I can do from the NSX Edge or some other point, like telnet app01 4360? I need to isolate whether the problem is in the NSX network (after the vPOD router) or in the physical network.

Accepted Solutions
Sreec
VMware Employee

There are multiple methods to know the rule hit/blocked state.

1. Perform a packet capture and analyze it using Wireshark. VMware Knowledge Base

2. If you have vRNI it is certainly a good option; it is probably something you should be serious about if you are interested in flow monitoring and traffic flow analysis.

3. Rely on the NSX/ESXi host CLI: Troubleshooting Distributed Firewall

4. Syslog servers with DFW logging enabled in NSX will also capture the flows and help you understand the same, e.g. Log Insight.

There are plenty of articles floating around on each method, so feel free to browse and revert if you have any doubts.

Cheers,
Sree | CKA|CKAD|VCIX-3X| VCAP-4X| VExpert 5x
Please KUDO helpful posts and mark the thread as solved if answered

4 Replies
KaBalint
Enthusiast

Hi SivaMa,

I think what you are looking for is the Traceflow tool, where you can set up which VM on which port is reachable.

If you create a test network where a VM is located which is allowed to communicate with app01, Traceflow will show you the full packet walk.

You can also start the Traceflow test from the web VM to the app01 VM, where you configure on which port it should communicate.

Kind Regards,

BK

SivaMa
Contributor

Thanks BK,

Traceflow works well to check packet flow VM to VM. Here, however, the source (the administrator) is in the physical network and the destination (app01) is a VM. In Traceflow I don't have the option to select an IP as the source; I can only select a VM or a logical port. So Traceflow is not helping in this case. Is there any other method, or any option in Traceflow to monitor this traffic?

Thanks

Siva Marthala

lmoglie
Enthusiast

Hi SivaMa,

I agree with what Sreec wrote, but I would also like to suggest the following:

- First of all, if it is not enabled, ENABLE logging on the rule that you would like to check.

- Get access to the ESXi host where the VM is running.

- Execute the command: # cat /var/log/dfwpktlogs.log | grep <IP of the VM to check, for example 172.16.15.10>

The output will be something like this:

2018-11-25T16:47:21.175Z 60860 INET match REJECT domain-c41/1008 IN 52 TCP 172.16.1.100/50284->172.16.15.10/22 S

2018-11-25T16:47:21.690Z 60860 INET match REJECT domain-c41/1008 IN 52 TCP 172.16.1.100/50284->172.16.15.10/22 S

2018-11-25T16:47:22.205Z 60860 INET match REJECT domain-c41/1008 IN 52 TCP 172.16.1.100/50284->172.16.15.10/22 S

In this example, 1008 is the ID of the rule that was matched.

regards

LM

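The dfwpktlogs.log lines above, and the syslog/Log Insight option in the accepted answer, both come down to reading the same per-packet records and answering "which rule gave which verdict for this flow?". The following parser is an added example written for this thread; it is not code from any poster, VMware or NSX. The thread only states that 1008 is the matched rule ID; the meaning of the other fields (address family, action, direction, packet length, protocol, TCP flags) is this example's assumed interpretation of the sample lines, the PASS action and the fourth log line with rule ID 1012 on port 4360 are constructed for the example, and the `SAMPLE_LOG` block is embedded so it runs offline.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# One dfwpktlogs.log record, as interpreted (assumed) from the lines in the thread:
#   <timestamp> <id> INET match <ACTION> <scope>/<rule-id> <IN|OUT> <len> <proto> <src>/<sport>-><dst>/<dport> [<tcp flags>]
# Only the rule ID position is confirmed by the thread; every other field name is an assumption.
DFW_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<id>\d+)\s+(?P<family>INET6?)\s+match\s+"
    r"(?P<action>PASS|DROP|REJECT)\s+(?P<scope>[^/\s]+)/(?P<rule_id>\d+)\s+"
    r"(?P<direction>IN|OUT)\s+(?P<length>\d+)\s+(?P<proto>[A-Z0-9]+)\s+"
    r"(?P<src>[^/\s]+)/(?P<sport>\d+)->(?P<dst>[^/\s]+)/(?P<dport>\d+)"
    r"(?:\s+(?P<flags>\S+))?\s*$"
)


@dataclass(frozen=True)
class DfwEntry:
    ts: str
    action: str
    rule_id: str
    direction: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: Optional[str]  # TCP flags column, e.g. "S" for SYN; absent for non-TCP


def parse_line(line: str) -> Optional[DfwEntry]:
    """Parse one log line; return None for lines in another format so they are skipped, not crashed on."""
    m = DFW_LINE.match(line.strip())
    if not m:
        return None
    return DfwEntry(
        ts=m["ts"], action=m["action"], rule_id=m["rule_id"], direction=m["direction"],
        proto=m["proto"], src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]), flags=m["flags"],
    )


def parse_log(lines: Iterable[str]) -> List[DfwEntry]:
    """Parse a whole file (or a grep'd subset) into structured entries, dropping unparseable lines."""
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def verdicts(entries: Iterable[DfwEntry], dst: str, dport: int, proto: str = "TCP") -> Counter:
    """Count (action, rule_id) pairs for packets towards dst:dport.

    This is the operational check the thread asks for: if the administrator says port 4360 on
    app01 is unreachable, this tells you whether the DFW saw the packets at all and, if so,
    which rule PASSed or REJECTed/DROPped them, instead of reading the rule configuration.
    """
    return Counter(
        (e.action, e.rule_id)
        for e in entries
        if e.dst == dst and e.dport == dport and e.proto == proto
    )


# Constructed sample: the three REJECT lines quoted in the thread plus one constructed PASS line
# (rule ID 1012 and port 4360 are made up for this example) and one unrelated line to show skipping.
SAMPLE_LOG = """\
2018-11-25T16:47:21.175Z 60860 INET match REJECT domain-c41/1008 IN 52 TCP 172.16.1.100/50284->172.16.15.10/22 S
2018-11-25T16:47:21.690Z 60860 INET match REJECT domain-c41/1008 IN 52 TCP 172.16.1.100/50284->172.16.15.10/22 S
2018-11-25T16:47:22.205Z 60860 INET match REJECT domain-c41/1008 IN 52 TCP 172.16.1.100/50284->172.16.15.10/22 S
2018-11-25T16:48:03.001Z 60860 INET match PASS domain-c41/1012 IN 60 TCP 172.16.1.100/50290->172.16.15.10/4360 S
this line is not a DFW packet record and is skipped
"""


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG.splitlines())
    for (action, rule_id), n in verdicts(entries, "172.16.15.10", 4360).items():
        print(f"172.16.15.10:4360 -> {action} by rule {rule_id} ({n} packets)")
    for (action, rule_id), n in verdicts(entries, "172.16.15.10", 22).items():
        print(f"172.16.15.10:22   -> {action} by rule {rule_id} ({n} packets)")
```

On a host you would feed it the grep output from the post above (or the same lines forwarded to a syslog server) instead of `SAMPLE_LOG`. An empty Counter for the destination and port in question is itself a useful signal: the DFW never saw the packet, which points the investigation at the physical network before the vPOD router rather than at a rule.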