EvertAM's Posts

Not PowerCLI, but you should be able to retrieve all DFW rules through the API as well.   Loop through this to get all policy id's: GET /policy/api/v1/infra/domains/<domain-id>/security-policies Then use the results to loop through this to get an overview of all the rule-ids within each policy: GET /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/rules And finally, you could loop this to get the details for every rule within the policy: GET /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/rules/<rule-id> This should allow you to output it all in JSON.  Alternatively, consider managing the rulebase through IaC, that should give you a permanent overview of your rules in a repository.

The client is in charge of choosing it's TCP source port, either completely dynamically, like you'll see with a browser, or a fixed port (or pool of ports) for something like DHCP for example. It appears that the client (the source in this logs) has setup multiple connections to the same host. It's hard to tell if this is normal in this specific instance, tcp/343 is not an IANA assigned port and I personally don't really recognize it.

Gotcha. Only other config item I can think of is that the alert itself might be set for "Rolling window" instead of instance. It might be worth a check, my personal next stap would be to contact support and ask them

It should be possible (the Terraform provider supports it at least). Make sure you have the syntax completely correct. Based on the output there, you'll need both expression AND expressions in your body.

It doesn't seem to be universal, we've recently upgrade to 22.1.4 but did not encounter the issue. Based in the expiration dates, it seems like your System-Default-Root-CA was somehow renewed. Our controllers show the same expiration dates for both the root and the Secure-Channel-Cert (with the root expiring one second earlier). You could try to renew the Secure-Channel-Cert, but that might be bit risky in a production environment.

We're in the process of doing this right now now. Some of our experiences below: - Try to add other sources outside of your VMware environment (switches, loadbalancers, ...), this will help in identifying flows that aren't necessarily virtual.  - vRNI has a LOT of information, and it can be quite a challenge to sift through it - Flows are only ever stored for 30 days, something to keep in mind if you have flows that might only occur every so often - Define your applications and tiers in vRNI (under Applications -> All Applications -> Add). This will help tremendously in analyzing flows I don't believe it's a good idea to use vRNI to define the contents of your waves. Identify (some of) your applications, and sort those into waves. Secure based on an application, not a VM.

That's probably not gonna work for your goal. The out filter will filter out routes that the T0 advertises to the outside world. Based on your message, you want to apply something like this to the the MPLS peers (incoming): 0.0.0.0/0 Deny Any          Allow This will cause the MPLS peers to not accept a default route from the remote side, this in turn will cause the T0 to not install a default route from the MPLS peers in it's routing table. You might additionally want to add some extra rules in there for other public IP's, but that will depend on your environment.  For this usecase, you don't necessarily need any other filters I believe. It is best practice to only allow your own public address space on an outgoing BGP filter (even though your ISP should be filtering this as well), and to deny any incoming private subnets from your ISP (again, they should not send this, but if everyone did there job properly, most of us would be out of a job). All of this assumes that you are directly peering to an ISP of course

Where did you apply these exactly?  You'll generally use prefix lists to filter which routes you accept into the routing table, and which prefixes you want to advertise.  Your screenshots don't have the name on them, but one of them outright denies everything right at the top, so that's a likely culprit. The list will be checked top to bottom and hit on the first match.   Am I understanding correctly that you're trying to force internet traffic through the internet line, and all other traffic through the MPLS?