Hi,
I have been looking at the NSX-T product documentation on the DFW/L7 packet flow, and it only talks about the flow for a new packet (with no match in the flow table), but it does not mention what happens to a packet that already has an entry in the flow table.
It is the consensus of people in the field that the DFW only inspects the first couple of packets in the flow, and the rest are fast-pathed for the sake of performance. I have been looking for any document that negates this but could not find any.
TIA for any assistance
Regards
Wise
Hi,
Is this what you are looking for ? :
https://communities.vmware.com/t5/VMware-NSX-Documents/VMware-NSX-T-Reference-Design/ta-p/2778093
Page 116 "NSX-T DFW Policy Lookup and Packet Flow"
Hi p0wertje,
The document says on page 117:
"Subsequent packets in this TCP session are checked against this flow in the flow table for the state match. Once the session terminates, the flow information is removed from the flow table."
So, since the rest of the flow is only checked through the flow table, I guess this means that it will not be checked against the rule table, i.e. not inspected! Or am I missing something here?
Hi,
This is what I can find about the Layer 7 profiling: https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/administration/GUID-5A73D94A-1B37-4D3C-9E09-...
When a context profile has been used in a rule, any traffic coming in from a virtual machine is matched against the rule table based on 5-tuple. If the rule that matches the flow also includes a Layer 7 context profile, that packet is redirected to a user-space component called the vDPI engine. A few subsequent packets are punted to that vDPI engine for each flow, and after it has determined the App Id, this information is stored in the in-kernel context table. When the next packet for the flow comes in, the information in the context table is compared with the rule table again and is matched on 5-tuple and on the Layer 7 App Id. The appropriate action as defined in the fully matched rule is taken, and if there is an ALLOW rule, all subsequent packets for the flow are processed in the kernel and matched against the connection table. For a fully matched DROP rule a reject packet is generated. Logs generated by the firewall will include the Layer 7 App Id and applicable URL, if that flow was punted to DPI.
Hi,
Yes, this is exactly my question. All the documents I found have this in common:
2. If no flow/state is found, the flow is matched against the rule-table based on 5-tuple and an entry is created in the flow table.
So what happens to the following packet, when there is a hit in the flow table? It says it checks the rule table if no flow is found in the flow table!
Thanks
Hi,
The following packet is matched against the flow table, and thus is not matched against a rule (because it is part of the established flow).
If there is not an established flow, it is matched against the rules and added to the flow table. The next packets, as part of the established flow, match against the flow table, 'bypassing' the rules again.
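The sequence described in the quoted VMware text and in the reply above (first packet of a flow consulted against the rule table, later packets consulted only against the flow table, and a few packets punted to DPI when the matched rule carries a context profile), as an added toy model. This is illustration code written for this thread, not NSX-T code: the class and field names, the punt budget of three packets, the DPI heuristics and the choice to drop a flow that DPI cannot classify within the budget are all assumptions, and the rules and 5-tuples are constructed.

```python
"""Toy stateful DFW: L4 rule table + flow table + L7 context table.
Added illustration, not NSX-T code; punt budget, DPI heuristics and the
handling of unclassified flows are assumptions made for this model."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

DPI_PUNT_BUDGET = 3  # assumed: packets per flow handed to DPI before giving up


@dataclass(frozen=True)
class FiveTuple:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "FiveTuple":
        return FiveTuple(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str                 # "tcp", "udp" or "any"
    dport: int                 # 0 = any port
    action: str                # "allow" or "drop"
    app_id: Optional[str] = None  # set => rule carries an L7 context profile

    def matches_l4(self, t: FiveTuple) -> bool:
        return self.proto in ("any", t.proto) and self.dport in (0, t.dport)


@dataclass
class Flow:
    rule: Rule
    established: bool          # False while DPI still has to classify the flow
    packets: int = 0
    punted: int = 0


class DFW:
    def __init__(self, rules: List[Rule], dpi: Callable[[bytes], Optional[str]]):
        self.rules = rules
        self.dpi = dpi
        self.flow_table: Dict[FiveTuple, Flow] = {}
        self.context_table: Dict[FiveTuple, str] = {}
        self.rule_lookups = 0  # how often the rule table was actually walked

    def _lookup_rules(self, t: FiveTuple, app_id: Optional[str] = None) -> Optional[Rule]:
        """Top-down walk. app_id=None is the 5-tuple-only lookup for a new flow;
        with an app_id, rules carrying a context profile must also match it."""
        self.rule_lookups += 1
        for r in self.rules:
            if r.matches_l4(t) and (app_id is None or r.app_id in (None, app_id)):
                return r
        return None

    def _flow_key(self, t: FiveTuple) -> Optional[FiveTuple]:
        # both directions of a connection share one flow entry
        for k in (t, t.reverse()):
            if k in self.flow_table:
                return k
        return None

    def process(self, t: FiveTuple, payload: bytes = b"") -> Tuple[str, str]:
        """Returns (action, where the decision came from)."""
        key = self._flow_key(t)
        if key is None:                       # no state yet: rule table on 5-tuple
            rule = self._lookup_rules(t)
            if rule is None or rule.action == "drop":
                return ("drop", "rule_table")
            self.flow_table[t] = Flow(rule=rule, established=rule.app_id is None, packets=1)
            if rule.app_id is None:
                return ("allow", "rule_table")
            return self._punt(t, payload)     # rule has a context profile: DPI
        flow = self.flow_table[key]
        flow.packets += 1
        if flow.established:                  # fast path: rules are not consulted
            return ("allow", "flow_table")
        return self._punt(key, payload)

    def _punt(self, key: FiveTuple, payload: bytes) -> Tuple[str, str]:
        flow = self.flow_table[key]
        flow.punted += 1
        app = self.dpi(payload)
        if app is None:
            if flow.punted >= DPI_PUNT_BUDGET:   # assumption: unclassified -> drop
                del self.flow_table[key]
                return ("drop", "dpi_unclassified")
            return ("allow", "dpi_pending")
        self.context_table[key] = app
        rule = self._lookup_rules(key, app)   # full match: 5-tuple + App Id
        if rule is None or rule.action == "drop":
            del self.flow_table[key]
            return ("reject", "rule_table_l7")
        flow.rule, flow.established = rule, True
        return ("allow", "rule_table_l7")


def toy_dpi(payload: bytes) -> Optional[str]:
    """Constructed classifier, not vDPI's signatures."""
    if payload[:4] in (b"GET ", b"POST", b"HEAD") or payload.startswith(b"HTTP/"):
        return "HTTP"
    if payload.startswith(b"SSH-"):
        return "SSH"
    return None


RULES = [  # constructed policy
    Rule("allow-https", "tcp", 443, "allow"),
    Rule("allow-web-http-only", "tcp", 80, "allow", app_id="HTTP"),
    Rule("default-deny", "any", 0, "drop"),
]


def run_demo() -> dict:
    fw = DFW(RULES, toy_dpi)
    out = {}
    https = FiveTuple("tcp", "10.0.0.5", 40001, "10.0.1.9", 443)
    out["https"] = [fw.process(https)[1] for _ in range(3)] + [fw.process(https.reverse())[1]]
    out["https_rule_lookups"] = fw.rule_lookups
    http = FiveTuple("tcp", "10.0.0.5", 40002, "10.0.1.9", 80)
    out["http"] = [fw.process(http), fw.process(http, b"GET / HTTP/1.1\r\n"),
                   fw.process(http.reverse(), b"HTTP/1.1 200 OK\r\n"), fw.process(http)]
    out["http_app"] = fw.context_table.get(http)
    out["rule_lookups_after_http"] = fw.rule_lookups
    ssh = FiveTuple("tcp", "10.0.0.5", 40003, "10.0.1.9", 80)
    out["ssh_on_80"] = [fw.process(ssh), fw.process(ssh, b"SSH-2.0-OpenSSH_9.6\r\n")]
    out["ssh_flow_present"] = ssh in fw.flow_table
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Running it shows the point of the thread: the HTTPS flow walks the rule table exactly once, and every later packet in either direction is answered from the flow table. A port-80 flow that matches a rule with a context profile gets its first packets punted until DPI names the application, the rule table is walked a second time on 5-tuple plus App Id, and only then does the flow become an established entry; SSH on port 80 fails that full match and is rejected.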
Thanks,
Not what I was hoping for, but thanks for the help.
Best Regards
Hi,
It is pretty common to do it this way. Cisco firewalls do the same.