vmmedmed
Enthusiast

In VRNI is there a means to see what NSX DFW rule a flow has passed through

I have been extracting numerous flows to plan microsegmentation. When I go to export flows I'm surprised that there is no option to export what DFW rule was hit. There is a Firewall Rule and Firewall Rule ID and Firewall Action in the options to include in the export. However these are blank, blank, ALLOW. I'm not sure what firewall this is.

Is there any way to get a flow report which will tell me what DFW firewall rule was hit? And for my information - what is the firewall that's offered in the export of the flows?

Thanks!

10 Replies
serbl
Enthusiast

Have you created any actual firewall rules?

Best regards, Rutger
vmmedmed
Enthusiast

Yes. There are over 1300 rules in the distributed firewall. I can see that by going to VRNI Entities/Firewall Rules, selecting the NSX Manager of interest and exporting those rules or just noting the count at the top of the results in VRNI. I'm able to see:

Section, Section ID, Sequence ID, Rule ID, Configured Source, Source Any, Configured Destination, Destination Any, Port Range Display, Service Any, Status, Appliedto, Action, Logging Enabled, Service

However if I do a flow report in VRNI, say "flow where Security Tag = 'ACME'" - the output in the expanded view for firewall at the bottom is consistently the following:

[pasted screenshot pastedImage_0.png not reproduced]

If I try to export to CSV this data and search for "firewall" within properties to export, Firewall Action, Firewall Rule and Firewall ID are displayed. If I export this, Firewall Rule and Firewall ID are blank and Action is always ALLOW. I'm guessing that perhaps this is referencing edge firewall services and not DFW.

Anyhow I'm puzzled why there appears to be this disconnect?
vmmedmed
Enthusiast

I think I've found the issue. If the DFW rules are set to log, then a Firewall Rule ID is logged with the flow along with the Firewall Action.

But, if the DFW is not set to log then only the action is noted in the flow report and the Firewall Rule ID is blank. That's surprising since the flow report I would think would just grab all the information about the flow including the firewall rule ID regardless of the syslog enable/disable status of the particular DFW rule.
serbl
Enthusiast

Rule logging should not have anything to do with this.

Are you exporting to CSV?

It works for me when I for example run the following query in vRNI: flow where VM = 'app01'

Then I export the results to CSV and make sure to include the "Firewall Rule" and "Firewall Rule ID" fields.

It could perhaps be because you query on security tag. Security tags are not associated with firewall rules.

Best regards, Rutger
vmmedmed
Enthusiast

I just ran a very simple query: flow where firewall action = 'ALLOW' and Destination IP Address = 52.0.0.0/8

I exported this to CSV and brought into Excel.

For all 20,000 or so results, the Firewall Rule ID is blank but the Firewall Action for each flow is ALLOW.

serbl
Enthusiast

What does this show you: Flow where firewall action = 'ALLOW' group by firewall rule

Best regards, Rutger
vmmedmed
Enthusiast

Very interesting. So that gave me a two column report, Firewall ID and Count of Flows.

If I clicked into one of the flow counts, then it showed those flows with the Firewall Rule ID and the NSX Manager and the whole shebang.

The query from clicking there is:

firewall action, Bytes, Bytes Rate of Flow where (firewall ruleid='1050') and (firewall action = 'ALLOW')

Based on this I tried: firewall action, Bytes, Bytes Rate of Flow where Destination IP Address = 10.10.5.190

And this included a rule ID. But I ran this query with one of the flows that failed to disclose the Rule ID and it still failed to give me a rule ID. Perhaps it is related to how some NSX managers are set up versus others.
vmmedmed
Enthusiast

I pulled a firewall action, Bytes, Bytes Rate report where flows were limited to specific source and destination NSX Managers. Only one remote NSX manager would reveal Rule ID for each flow. There must be some switch in DFW or NSX Manager that permits the Rule ID to be reported on with the flows?
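The per-manager check done above in Excel can be run straight over the vRNI CSV export. This is an added example and not code from the thread or from vRNI; it assumes the export column headers are named as the thread lists them ("Firewall Rule ID", "NSX Manager"), and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a vRNI flow CSV export. Column names are assumed to
# match the export fields discussed in the thread; every value is made up.
SAMPLE_CSV = """Source IP,Destination IP,Firewall Action,Firewall Rule,Firewall Rule ID,NSX Manager
10.10.5.190,52.1.2.3,ALLOW,,,nsxmgr-remote-a
10.10.5.191,52.1.2.4,ALLOW,Web-to-DB,1050,nsxmgr-remote-b
10.10.5.192,52.1.2.5,ALLOW,,1051,nsxmgr-remote-b
10.10.6.10,52.9.9.9,ALLOW,,,nsxmgr-remote-a
10.10.6.11,52.9.9.8,ALLOW,App-Out,1052,nsxmgr-remote-b
"""


def rule_id_coverage(csv_text, manager_col="NSX Manager", rule_col="Firewall Rule ID"):
    """Per NSX Manager: (total flows, flows that carry a DFW rule ID)."""
    stats = defaultdict(lambda: [0, 0])
    for row in csv.DictReader(io.StringIO(csv_text)):
        mgr = (row.get(manager_col) or "").strip() or "<unknown>"
        stats[mgr][0] += 1
        if (row.get(rule_col) or "").strip():
            stats[mgr][1] += 1
    return {mgr: (total, with_id) for mgr, (total, with_id) in stats.items()}


def managers_without_rule_ids(csv_text):
    """Managers whose exported flows never show a rule ID (the gap seen in the thread)."""
    return sorted(m for m, (_, with_id) in rule_id_coverage(csv_text).items() if with_id == 0)


def rule_ids_by_count(csv_text, rule_col="Firewall Rule ID"):
    """Offline equivalent of 'group by firewall rule': rule ID -> flow count, blanks kept visible."""
    counts = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        counts[(row.get(rule_col) or "").strip() or "<blank>"] += 1
    return dict(counts)


if __name__ == "__main__":
    # Replace SAMPLE_CSV with open("flows.csv").read() for a real export.
    for mgr, (total, with_id) in sorted(rule_id_coverage(SAMPLE_CSV).items()):
        print(f"{mgr}: {with_id}/{total} flows have a Firewall Rule ID")
    print("managers with no rule IDs at all:", managers_without_rule_ids(SAMPLE_CSV))
    print("flows per rule ID:", rule_ids_by_count(SAMPLE_CSV))
```

A manager that shows 0 rule IDs across all of its flows points at the data source or IPFIX side for that manager rather than at the individual rules.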
vmmedmed
Enthusiast

Bump.

NetArcher
VMware Employee

In my case this issue was fixed after "Disabling the Data Source IPFIX in vRNI and Re-Enabling it". Verify that the flow count against the NSX Manager is increasing or showing some number.