VMware Networking Community
LukaszDziwisz
Hot Shot

Identity Firewall on NSX-T question

Hello Everyone,

I'm hoping to get some feedback here on what I believe is a problem with Identity Based Firewall rules but can't get anywhere with it with VMware.

Here is the scenario:

Group 1 - AD-based Group

VMGroup 1 - Group defined using "VM name starts with". VMs live in the cluster managed with NSX-T

VMGroup 2 - Group defined using IPs. VMs live in a completely separate datacenter/vCenter cluster

Rules:

Rule 1 - Source: Group 1, Dest: VMGroup 1, allow RDP, applied to DFW

Rule 2 - Source: Group 1, Dest: VMGroup 2, allow RDP, applied to DFW

Rule 3 - Source: Any, Dest: Any, drop RDP, applied to DFW

 

In this scenario I only want some users to be able to RDP to other VMs in the same cluster and to be able to RDP to some external servers. Rule 2 works just fine but Rule 1 does not. It doesn't matter what criteria I use, it doesn't work.

On NSX-V we had those rules in place and they worked fine, and after the migration they do not. We started with NSX-T 3.1 and we are on 3.2.2 and it still doesn't function. VMtools is 12.1.5 with NSX introspection enabled.

Did anybody encounter that behavior? 

3 Replies
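The rule set in the post, evaluated the way the DFW evaluates it (top to bottom, first match wins), as an added example that is not part of the original thread and does not model NSX internals. It only lays out which rule each test flow is expected to hit, which is useful to have written down before comparing against the rule hit counters on the host. The AD group DN, the VM name prefix, the external IP range and the default-rule action are assumptions chosen for the example; the identity group is used only as a source, as in the post.

```python
"""First-match model of the three DFW rules described in the post.

Example code, not from the original thread. Group criteria below are assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, FrozenSet, Optional, Tuple

# Constructed sample criteria (assumptions, not from the post).
AD_GROUP_RDP_USERS = "CN=RDP-Users,OU=Groups,DC=example,DC=local"  # "Group 1"
VM_NAME_PREFIX = "app-"                                            # "VMGroup 1"
EXTERNAL_RDP_RANGE = ip_network("10.50.0.0/24")                    # "VMGroup 2"
RDP_PORT = 3389


@dataclass(frozen=True)
class Flow:
    """One connection as the DFW sees it on the source VM's vNIC."""
    user_groups: FrozenSet[str]   # AD groups of the logged-on user (identity source)
    src_vm: str                   # NSX-managed source VM name
    dst_vm: Optional[str]         # None when the destination is not an NSX-managed VM
    dst_ip: str
    dst_port: int


Matcher = Callable[[Flow], bool]


def in_group1(flow: Flow) -> bool:
    # Identity group: matches on the user logged on at the source, not on the VM.
    return AD_GROUP_RDP_USERS in flow.user_groups


def in_vmgroup1(flow: Flow) -> bool:
    # "VM name starts with" only resolves for VMs NSX knows about.
    return flow.dst_vm is not None and flow.dst_vm.startswith(VM_NAME_PREFIX)


def in_vmgroup2(flow: Flow) -> bool:
    # IP-based group: works for destinations outside the NSX-managed cluster.
    return ip_address(flow.dst_ip) in EXTERNAL_RDP_RANGE


def any_(flow: Flow) -> bool:
    return True


# (name, source matcher, destination matcher, action), in DFW order.
RULES: Tuple[Tuple[str, Matcher, Matcher, str], ...] = (
    ("Rule 1", in_group1, in_vmgroup1, "ALLOW"),
    ("Rule 2", in_group1, in_vmgroup2, "ALLOW"),
    ("Rule 3", any_, any_, "DROP"),
)


def evaluate(flow: Flow) -> Tuple[str, Optional[str]]:
    """Return (rule name, action) for the first rule that matches the flow."""
    if flow.dst_port != RDP_PORT:
        # All three rules are RDP-only; other ports fall through to whatever follows.
        return ("no RDP rule", None)
    for name, src, dst, action in RULES:
        if src(flow) and dst(flow):
            return (name, action)
    return ("default rule", "ALLOW")  # assumption: default DFW rule left at allow


if __name__ == "__main__":
    rdp_user = frozenset({AD_GROUP_RDP_USERS})
    for flow in (
        Flow(rdp_user, "jump-01", "app-01", "10.10.0.5", RDP_PORT),  # expect Rule 1
        Flow(rdp_user, "jump-01", None, "10.50.0.20", RDP_PORT),     # expect Rule 2
        Flow(frozenset(), "jump-01", "app-01", "10.10.0.5", RDP_PORT),  # expect Rule 3
    ):
        print(flow.dst_ip, "->", evaluate(flow))
```

If the real hit counters show the first flow landing on the drop rule while the second lands on Rule 2, the identity lookup is working (Rule 2 needs it too) and the difference is on the destination side, which is the comparison the post is describing.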
ShahabKhan
VMware Employee

Hi,

Please follow the steps in the document to check whether Rule 1 is getting applied to the DFW.

https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/administration/GUID-7BCCF652-7825-4023-A5F3-...

If possible, please share the screenshots of the same.

LukaszDziwisz
Hot Shot

Did you want outputs from all of the commands in the article or just some specific ones?

LukaszDziwisz
Hot Shot

I sent you a private message.
