4 Replies Latest reply on Dec 9, 2019 3:15 PM by lmoglie

    How to check packet is blocked by DFW

    SivaMa Lurker

      In the above topology, the vPOD router is in the physical network. Is there a way in NSX to check whether the packet is received or not at each hop?

      For example, an administrator wants to access app01 on port 4360. How do I verify whether the port is blocked or allowed on the firewall? Instead of checking the config, is there any operational method to verify it, like Packet Tracer on a Cisco ASA firewall?

      To put it simply: the administrator says "I am not able to access app01 on port 4360", but we have allowed the port on the firewall. Now how do we prove that the firewall is allowing traffic for app01 on 4360? Is there anything like a telnet app01 4360 that I can do from the NSX Edge or some other point? I need to isolate whether the problem is in the NSX network (after the vPOD router) or in the physical network.

        • 1. Re: How to check packet is blocked by DFW
          KaBalint Novice

          Hi SivaMa,

          I think what you are looking for is the Traceflow tool, where you can set up a check of which VM is reachable on which port.

          If you create a test network with a VM in it that is allowed to communicate with app01, Traceflow will show you the full packet walk.

          You can also start the Traceflow test from the web VM to the app01 VM, where you configure on which port it should communicate.

          Kind Regards,

          BK

          • 2. Re: How to check packet is blocked by DFW
            SivaMa Lurker

            Thanks BK,

            Traceflow works well to check packet flow VM to VM. But here the source (the administrator) is in the physical network and the destination (app01) is a VM. In Traceflow I don't have the option to select an IP as the source; I can only select a VM or a logical port. So Traceflow is not helping in this case. Is there any other method, or any option in Traceflow, to monitor this traffic?

            Thanks

            Siva Marthala

            • 3. Re: How to check packet is blocked by DFW
              Sreec Master
              vExpertCommunity Warriors

              There are multiple methods to know the rule hit/blocked state.

              1. Perform a packet capture and analyze it using Wireshark. VMware Knowledge Base

              2. If you have vRNI it is certainly a good option; probably that is something you should be serious about if you are interested in flow monitoring and traffic flow analysis.

              3. Rely on the NSX/ESXi host CLI: Troubleshooting Distributed Firewall

              4. Syslog servers with DFW logging enabled in NSX will also capture the flows and help you understand the same, e.g. Log Insight.

              There are plenty of articles floating around on each method, so feel free to browse and revert if you have any doubts.

              • 4. Re: How to check packet is blocked by DFW
                lmoglie Enthusiast
                vExpert

                Hi SivaMa,

                I agree with what Sreec wrote... but I would also like to suggest the following:

                - first of all, if it is not enabled, ENABLE logging (of the rule that you would like to check).

                - get access to the ESXi host where the VM is running

                - execute the command .... # cat /var/log/dfwpktlogs.log | grep <IP of the VM to check, example 172.16.15.10>

                and the output will be something like this:

                2018-11-25T16:47:21.175Z 60860 INET match REJECT domain-c41/1008 IN 52 TCP 172.16.1.100/50284->172.16.15.10/22 S

                2018-11-25T16:47:21.690Z 60860 INET match REJECT domain-c41/1008 IN 52 TCP 172.16.1.100/50284->172.16.15.10/22 S

                2018-11-25T16:47:22.205Z 60860 INET match REJECT domain-c41/1008 IN 52 TCP 172.16.1.100/50284->172.16.15.10/22 S

                In this example 1008 is the ID of the rule matched.

                regards

                LM
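An added example, not part of any post in this thread, that builds on lmoglie's approach: it parses dfwpktlogs.log lines in the layout shown above and counts hits per action, rule ID, destination and port, so the rule rejecting traffic to a given port (such as 4360 in the question) can be identified instead of eyeballing grep output. The meaning of the numeric fields (filter ID, packet length) and the trailing TCP flags is assumed from the line layout; the three REJECT lines are the ones from the thread and the PASS line for port 4360 is constructed.

```python
import re
from collections import Counter

# Assumed layout of one dfwpktlogs.log line, taken from the samples in the thread:
# <timestamp> <filter id> INET match <ACTION> <ruleset>/<rule id> <IN|OUT> <length>
# <proto> <src>/<sport>-><dst>/<dport> [<tcp flags>]
DFW_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<filter>\d+) (?P<af>INET6?) (?P<reason>\w+) (?P<action>\w+) "
    r"(?P<ruleset>[\w-]+)/(?P<rule_id>\d+) (?P<direction>IN|OUT) (?P<length>\d+) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)"
    r"(?: (?P<flags>\S+))?$"
)

# Constructed sample: the three REJECT lines quoted in the thread plus one
# constructed PASS line for the port asked about in the question (4360).
SAMPLE_LINES = [
    "2018-11-25T16:47:21.175Z 60860 INET match REJECT domain-c41/1008 IN 52 TCP 172.16.1.100/50284->172.16.15.10/22 S",
    "2018-11-25T16:47:21.690Z 60860 INET match REJECT domain-c41/1008 IN 52 TCP 172.16.1.100/50284->172.16.15.10/22 S",
    "2018-11-25T16:47:22.205Z 60860 INET match REJECT domain-c41/1008 IN 52 TCP 172.16.1.100/50284->172.16.15.10/22 S",
    "2018-11-25T16:47:25.001Z 60860 INET match PASS domain-c41/1010 IN 52 TCP 172.16.1.100/50290->172.16.15.10/4360 S",
]


def parse_dfw_line(line):
    """Return the fields of one dfwpktlogs.log line as a dict, or None if the line
    does not match the expected layout (e.g. a rotated-log header or garbage)."""
    m = DFW_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "length", "rule_id"):
        rec[key] = int(rec[key])
    return rec


def hits_for_ip(lines, ip):
    """Same selection as the grep in the thread, but on parsed records:
    every line where the given IP is the source or the destination."""
    records = (parse_dfw_line(line) for line in lines)
    return [r for r in records if r is not None and ip in (r["src"], r["dst"])]


def summarize(records):
    """Count hits per (action, rule id, destination, destination port) so the rule
    that allows or rejects traffic to a specific port stands out."""
    return Counter((r["action"], r["rule_id"], r["dst"], r["dport"]) for r in records)


if __name__ == "__main__":
    for key, count in summarize(hits_for_ip(SAMPLE_LINES, "172.16.15.10")).items():
        action, rule_id, dst, dport = key
        print(f"{action:7} rule {rule_id} -> {dst}:{dport}  hits={count}")
```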