Gomez_2020
Contributor

NSX-T DFW LOGS and firewall not working.

Hi, 

I have deployed NSX-T on my ESX hosts using VLAN backed segments only.

I have deployed a couple of rules for this for testing purposes. It seems the DFW is not immediately responding or logging for the new rules.

When looking at the effective rules for the given machine I can see the rules have logging enabled and should, for example, be dropping RDP traffic from host 10.20.46.249 (a host not on ESX); however, this is not the case.

vsipioctl getrules -f nic-25311485-eth0-vmware-sfw.2
ruleset mainrs {
# generation number: 0
# realization time : 2021-05-12T15:16:35
# FILTER rules
rule 2025 at 1 inout protocol udp from ip 10.21.88.0/23 to addrset 4ed8cc1e-0925-489b-9de3-c08b9be141aa port {53, 88, 389, 445, 636} accept with log tag 'AD';
rule 2025 at 2 inout protocol tcp strict from ip 10.21.88.0/23 to addrset 4ed8cc1e-0925-489b-9de3-c08b9be141aa port {49152-65535, 53, 88, 389, 445, 636} accept with log tag 'AD';
rule 2031 at 3 inout protocol tcp strict from ip 10.20.46.249 to addrset 48aea5e5-f41d-4bb3-a409-4fbd27d6149d port 3389 drop with log tag 'DROP-RDP';
rule 2027 at 4 inout protocol any from addrset rdst2028 to addrset a470994e-cf2e-491b-ab67-ee23b4e92694 accept with log tag 'LABEL';
rule 2028 at 5 inout protocol any from addrset a470994e-cf2e-491b-ab67-ee23b4e92694 to addrset rdst2028 accept with log tag 'LABEL';
rule 2029 at 6 inout protocol any from addrset e24c2c82-becc-49ab-8dc8-7114d71c1af9 to addrset 48aea5e5-f41d-4bb3-a409-4fbd27d6149d accept with log tag 'LABEL';
rule 2030 at 7 inout protocol icmp from addrset 48aea5e5-f41d-4bb3-a409-4fbd27d6149d to addrset e24c2c82-becc-49ab-8dc8-7114d71c1af9 accept with log tag 'LABEL';
rule 2030 at 8 inout protocol ipv6-icmp from addrset 48aea5e5-f41d-4bb3-a409-4fbd27d6149d to addrset e24c2c82-becc-49ab-8dc8-7114d71c1af9 accept with log tag 'LABEL';
rule 2 at 9 inout protocol any from any to any accept;
}

ruleset mainrs_L2 {
# generation number: 0
# realization time : 2021-05-12T15:16:35
# FILTER rules
rule 1 at 1 inout ethertype any stateless from any to any accept;
}

Any ideas why the logging is not showing up in /var/log/dfwpktlogs.log and the RDP traffic is not getting dropped?


2 Replies
p0wertje
Hot Shot

Hi,

Check the addrset to see if the correct dest IP is in there (vsipioctl getaddrsets).

Cheers,
p0wertje | VCIX6-NV | JNCIS-ENT
Please kudo helpful posts and mark the thread as solved if solved
mauricioamorim
VMware Employee

Yes, you need to make sure the destination IP is in this address set: addrset 48aea5e5-f41d-4bb3-a409-4fbd27d6149d

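As an added illustration of the check both replies point at (example code written for this edit, not anything posted in the thread or shipped by VMware), the script below parses the poster's `vsipioctl getrules` dump together with a constructed `vsipioctl getaddrsets` dump and walks a flow through the ruleset first-match, the way the DFW evaluates L3 rules. The VM IP 10.20.46.60, the contents of the address sets, and the exact text layout of the getaddrsets output are assumptions; the rule lines are the ones posted above. It shows why a destination that is missing from addrset 48aea5e5-f41d-4bb3-a409-4fbd27d6149d makes an RDP flow from 10.20.46.249 skip rule 2031 and fall through to the final any/any accept rule, which has no `with log`, so nothing shows up in dfwpktlogs.log either.

```python
"""Replay a flow through a vsipioctl getrules dump (added example, not from the
thread).  Rule text is the poster's; address-set contents, the VM IP and the
getaddrsets layout ("addrset <name> {" / "ip <addr>," / "}") are assumptions."""
import ipaddress
import re

# Ruleset as posted in the thread (ruleset mainrs only).
RULES_DUMP = """\
ruleset mainrs {
# generation number: 0
# realization time : 2021-05-12T15:16:35
# FILTER rules
rule 2025 at 1 inout protocol udp from ip 10.21.88.0/23 to addrset 4ed8cc1e-0925-489b-9de3-c08b9be141aa port {53, 88, 389, 445, 636} accept with log tag 'AD';
rule 2025 at 2 inout protocol tcp strict from ip 10.21.88.0/23 to addrset 4ed8cc1e-0925-489b-9de3-c08b9be141aa port {49152-65535, 53, 88, 389, 445, 636} accept with log tag 'AD';
rule 2031 at 3 inout protocol tcp strict from ip 10.20.46.249 to addrset 48aea5e5-f41d-4bb3-a409-4fbd27d6149d port 3389 drop with log tag 'DROP-RDP';
rule 2027 at 4 inout protocol any from addrset rdst2028 to addrset a470994e-cf2e-491b-ab67-ee23b4e92694 accept with log tag 'LABEL';
rule 2028 at 5 inout protocol any from addrset a470994e-cf2e-491b-ab67-ee23b4e92694 to addrset rdst2028 accept with log tag 'LABEL';
rule 2029 at 6 inout protocol any from addrset e24c2c82-becc-49ab-8dc8-7114d71c1af9 to addrset 48aea5e5-f41d-4bb3-a409-4fbd27d6149d accept with log tag 'LABEL';
rule 2030 at 7 inout protocol icmp from addrset 48aea5e5-f41d-4bb3-a409-4fbd27d6149d to addrset e24c2c82-becc-49ab-8dc8-7114d71c1af9 accept with log tag 'LABEL';
rule 2030 at 8 inout protocol ipv6-icmp from addrset 48aea5e5-f41d-4bb3-a409-4fbd27d6149d to addrset e24c2c82-becc-49ab-8dc8-7114d71c1af9 accept with log tag 'LABEL';
rule 2 at 9 inout protocol any from any to any accept;
}
"""

VM_IP = "10.20.46.60"  # constructed: the VM behind the filter, not given in the thread
TARGET_SET = "48aea5e5-f41d-4bb3-a409-4fbd27d6149d"  # destination set of rule 2031

# Constructed getaddrsets output.  "Stale" lacks the VM's IP in TARGET_SET, which is
# the situation the replies tell the poster to check for; "fixed" contains it.
ADDRSETS_STALE = """\
addrset 48aea5e5-f41d-4bb3-a409-4fbd27d6149d {
ip 10.20.46.61,
}
addrset 4ed8cc1e-0925-489b-9de3-c08b9be141aa {
ip 10.21.89.5,
}
"""
ADDRSETS_FIXED = ADDRSETS_STALE.replace("10.20.46.61", VM_IP)

RULE_RE = re.compile(
    r"rule (?P<id>\d+) at (?P<pos>\d+) \w+ protocol (?P<proto>\S+)(?: strict)?"
    r" from (?P<src>.+?) to (?P<dst>.+?)(?: port (?P<port>\{[^}]*\}|\S+))?"
    r" (?P<action>accept|drop)(?P<log> with log(?: tag '(?P<tag>[^']*)')?)?;")


def parse_addrsets(dump):
    """Map addrset name -> list of ip_network objects (hosts become /32)."""
    sets = {}
    for name, body in re.findall(r"addrset (\S+) \{(.*?)\}", dump, re.S):
        sets[name] = [ipaddress.ip_network(a, strict=False)
                      for a in re.findall(r"ip (\S+?),", body)]
    return sets


def parse_ports(spec):
    """'3389' or '{49152-65535, 53}' -> [(lo, hi), ...]; None means any port."""
    if spec is None:
        return None
    ranges = []
    for item in spec.strip("{}").split(","):
        lo, _, hi = item.strip().partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def parse_rules(dump):
    """Return the L3 rules of ruleset mainrs in evaluation order."""
    body = re.search(r"ruleset mainrs \{(.*?)\n\}", dump, re.S).group(1)
    rules = [m.groupdict() for m in RULE_RE.finditer(body)]
    for r in rules:
        r["ports"] = parse_ports(r["port"])
    return sorted(rules, key=lambda r: int(r["pos"]))


def endpoint_matches(spec, addr, addrsets):
    kind, _, value = spec.partition(" ")
    if kind == "any":
        return True
    if kind == "ip":
        return addr in ipaddress.ip_network(value, strict=False)
    if kind == "addrset":
        # a set the host has not realised (or that is empty) matches nothing
        return any(addr in net for net in addrsets.get(value, []))
    raise ValueError("unknown endpoint spec: %r" % spec)


def addrset_contains(addrsets, name, addr):
    """The check from the replies: is this IP really in the address set?"""
    return any(ipaddress.ip_address(addr) in net for net in addrsets.get(name, []))


def evaluate(rules, addrsets, src, dst, proto, dport=None):
    """First match wins.  Returns (rule id, action, logged?, log tag) or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] not in ("any", proto):
            continue
        if not endpoint_matches(r["src"], src, addrsets):
            continue
        if not endpoint_matches(r["dst"], dst, addrsets):
            continue
        if r["ports"] and (dport is None or
                           not any(lo <= dport <= hi for lo, hi in r["ports"])):
            continue
        return r["id"], r["action"], bool(r["log"]), r["tag"]
    return None


if __name__ == "__main__":
    rules = parse_rules(RULES_DUMP)
    for label, dump in (("stale", ADDRSETS_STALE), ("fixed", ADDRSETS_FIXED)):
        sets = parse_addrsets(dump)
        print(label, "VM in set:", addrset_contains(sets, TARGET_SET, VM_IP),
              "RDP verdict:", evaluate(rules, sets, "10.20.46.249", VM_IP, "tcp", 3389))
```

Run it on an ESXi host with the real dumps by replacing the two constants with the output of `vsipioctl getrules -f <filter>` and `vsipioctl getaddrsets -f <filter>`; if `addrset_contains` comes back False for the VM's IP, the rule can never fire, and the verdict will be the unlogged any/any accept exactly as in the thread.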