VMware Networking Community
Makana80
Contributor

NSX Distributed Firewall rule issue

Hello all,

We have the following constellation in my environment.

1 Cluster

3 DVSwitches, one for the DMZ, one for iSCSI and one for my internal networks. Everything works properly.

Now I have a VM with two NICs. One NIC is attached to a virtual wire, for example virt-wire-5000.

The other one is attached to a port group of the iSCSI distributed switch.

So I try to create a rule that allows traffic on port 13/udp from the VM in virt-wire-5000 to a storage system connected to port group iSCSI. The iSCSI DVSwitch is not managed by NSX!

If I apply this rule with a specific port (udp/13), the traffic is blocked. If I set "any" instead of udp/13, the traffic is passed.

Any ideas for a solution, guys?

0 Kudos
1 Reply
cnrz
Expert

DFW rules can be applied to VLAN- and VXLAN-backed vNICs, so the rule should work at both the iSCSI VLAN and the logical switch VXLAN level. The iSCSI dVS need not be managed by NSX; the only requirement for the NSX VTEP is a common dVS per cluster.

How are the source and destination groups for this rule configured? Also, the scope of the rule may be important, as by default it is applied to all vNICs. What does the Applied To field show? (By default it is Distributed Firewall.)

It seems the problem is related to the rule configured; there may be additional ports used, so it may help to enable logging for this rule. DFW rule logs may be collected with a syslog server from the ESXi host, or from /var/log/dfwpktlogs.log on the ESXi host.

This KB article may also be helpful for a detailed explanation:

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=21254...

Location of VMware NSX for vSphere 6.1.x and later Firewall Rule logs (2128082) | VMware KB

0 Kudos
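As an added troubleshooting aid that is not part of the thread or of any VMware tool: a small parser for the per-rule logging the reply recommends, which summarises which rule dropped which protocol/port and pulls out every entry touching udp/13. The line layout is an assumption modelled on the "INET match" format of dfwpktlogs.log; the sample lines, rule ids and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample of dfwpktlogs.log lines (made-up environment: rule ids,
# addresses and timestamps are placeholders). The layout is an assumption
# modelled on the "INET match" entries; adjust LINE_RE if your NSX version differs.
SAMPLE_LOG = """\
2016-05-02T10:01:12.101Z 3a1f02c1 INET match PASS domain-c7/1012 OUT 60 UDP 10.10.50.21/49152->10.10.60.5/13
2016-05-02T10:01:12.204Z 3a1f02c2 INET match DROP domain-c7/1001 OUT 76 UDP 10.10.50.21/49153->10.10.60.5/123
2016-05-02T10:01:15.310Z 3a1f02c3 INET match DROP domain-c7/1001 OUT 60 UDP 10.10.50.21/49154->10.10.60.5/13
2016-05-02T10:01:20.002Z 3a1f02c4 INET match PASS domain-c7/1003 OUT 60 TCP 10.10.50.21/55012->10.10.60.5/3260 S
this line is not a packet log entry and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sid>\S+) INET match (?P<action>PASS|DROP) (?P<rule>\S+) "
    r"(?P<dir>IN|OUT) (?P<len>\d+) (?P<proto>[A-Z]+) "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_dfw_log(text):
    """Return one dict per parseable 'INET match' line; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            records.append(rec)
    return records


def drops_by_rule_and_port(records):
    """Count DROP entries per (rule id, protocol, destination port)."""
    return Counter((r["rule"], r["proto"], r["dport"])
                   for r in records if r["action"] == "DROP")


def flows_on_port(records, proto, port):
    """All entries of the given protocol where port is the source or destination."""
    return [r for r in records
            if r["proto"] == proto and port in (r["sport"], r["dport"])]


if __name__ == "__main__":
    recs = parse_dfw_log(SAMPLE_LOG)
    for (rule, proto, dport), n in drops_by_rule_and_port(recs).most_common():
        print(f"{n:4d} DROP  rule={rule} {proto}/{dport}")
    for r in flows_on_port(recs, "UDP", 13):
        print(r["ts"], r["action"], r["rule"], r["dir"],
              f"{r['src']}/{r['sport']}->{r['dst']}/{r['dport']}")
```

Drops attributed to the default rule for a port the allow rule does not cover are the "additional ports" the reply mentions; drops on udp/13 itself point at the rule's source, destination or Applied To scope instead.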