8 Replies Latest reply on Aug 12, 2020 11:21 PM by Thanksgoditsfriday

    NSX-V - Identify firewall rule

    Thanksgoditsfriday Lurker

      Hello there,

      We have an environment with NSX-V 6.4.6 and we have dropped traffic that we don't know why it is being dropped on a specific rule.

      Log dfw:

      2020-08-06T10:54:59.805Z 48800 INET match PASS domain-c8/1225 OUT 48 TCP 10.140.40.41/37308->10.140.40.42/22 S

      2020-08-06T10:54:59.806Z 59736 INET match PASS domain-c8/1225 IN 48 TCP 10.140.40.41/37308->10.140.40.42/22 S

      Rule id 1225:

      Src: any

      Dst: LS_management (10.80.80.0/22)

      Service: any

      VM A needs to establish an SSH connection to VM B and it's dropped by the rule above.

      VM A: 10.140.40.41

      VM B: 10.140.40.42

      The IP addresses of the VMs don't belong to LS_management. Is there any way to know why this kind of traffic is matching that rule?

      Thanks!!

        • 1. Re: NSX-V - Identify firewall rule
          Bayu Wibowo Master

          Your logs are stating match PASS, which means DFW is passing the traffic as per the documentation here: Firewall Logs

          If it's dropping the traffic, it should say something like below

          2020-08-06T10:54:59.805Z 48800 INET match DROP domain-c8/#### OUT 48 TCP 10.140.40.41/37308->10.140.40.42/22 S

          For validating the rule, you can use NSX Central CLI from NSX Manager or vsipioctl from the ESXi host

          Check out this blog post for vsipioctl: https://networkinferno.net/validating-distributed-firewall-rulesets-in-nsx

          NSX Central CLI will be something like below, and you would need to know the ESXi host id and the filter name

          nsx-manager> show dfw host host-id filter nic-###-sfw.2
            addrsets       Show addrsets for the virtual nic filter
            discoveredips  get discovered VM IPs for the virtual nic filter
            filterstats    Show stats for a virtual nic filter
            flows          Show flows for the virtual nic filter
            rule           Show rule for the given rule-id
            rules          Show rules configured on a virtual nic filter
            spoofguard     Show spoofguard info for the virtual nic filter
            stats          Show stats for rules configured on a virtual nic filter

          Bayu Wibowo | VCIX6-DCV/NV
          Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
          https://github.com/bayupw/PowerNSX-Scripts
          https://nz.linkedin.com/in/bayupw | twitter @bayupw
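As an added example (not code from the thread or from VMware), here is a small parser for the dfwpktlogs line format quoted above. It extracts the action (PASS/DROP), the rule id, direction and the 5-tuple, then compares each hit against the destinations the administrator believes the rule has. A hit whose destination is outside every declared destination network is exactly the symptom in this thread: the realized address set on the host differs from what the rule appears to say, so that is where to look next. The sample log lines are copied from the thread; the mapping of rule 1225 to 10.80.80.0/22 is taken from the original post and is the only assumption.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: two dfwpktlogs lines quoted in the thread (one PASS, one DROP).
SAMPLE_LOG = """\
2020-08-06T10:54:59.805Z 48800 INET match PASS domain-c8/1225 OUT 48 TCP 10.140.40.41/37308->10.140.40.42/22 S
2020-08-06T11:35:59.152Z 48800 INET match DROP domain-c8/1225 OUT 48 TCP 10.140.40.41/37512->10.140.40.42/22 S
"""

# Rule 1225 as the original poster described it: Src any, Dst LS_management
# (10.80.80.0/22). Assumed for the example; a real check would read the rule
# from the NSX API or from "show dfw host <host-id> filter <filter> rules".
RULE_DESTINATIONS: Dict[int, List[ipaddress.IPv4Network]] = {
    1225: [ipaddress.ip_network("10.80.80.0/22")],
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<pkt_id>\d+) INET match (?P<action>PASS|DROP|REJECT) "
    r"(?P<domain>[^/\s]+)/(?P<rule>\d+) (?P<direction>IN|OUT) (?P<length>\d+) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)"
    r"(?: (?P<flags>\S+))?$"
)


@dataclass
class DfwEvent:
    timestamp: str
    action: str
    rule_id: int
    direction: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: Optional[str]


def parse_line(line: str) -> Optional[DfwEvent]:
    """Parse one dfwpktlogs line; return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return DfwEvent(
        timestamp=m["ts"],
        action=m["action"],
        rule_id=int(m["rule"]),
        direction=m["direction"],
        proto=m["proto"],
        src=m["src"],
        sport=int(m["sport"]),
        dst=m["dst"],
        dport=int(m["dport"]),
        flags=m["flags"],
    )


def parse_log(text: str) -> List[DfwEvent]:
    """Parse every recognisable line, silently skipping unrelated log lines."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return [e for e in events if e is not None]


def destination_mismatches(
    events: List[DfwEvent],
    rule_destinations: Dict[int, List[ipaddress.IPv4Network]],
) -> List[DfwEvent]:
    """Return hits whose destination lies outside every network the rule is believed to target.

    Rules not present in rule_destinations are ignored (nothing to compare against).
    """
    out = []
    for e in events:
        nets = rule_destinations.get(e.rule_id)
        if nets is None:
            continue
        dst = ipaddress.ip_address(e.dst)
        if not any(dst in n for n in nets):
            out.append(e)
    return out


if __name__ == "__main__":
    for e in destination_mismatches(parse_log(SAMPLE_LOG), RULE_DESTINATIONS):
        print(f"{e.timestamp} rule {e.rule_id} {e.action} {e.src}->{e.dst}:{e.dport} "
              f"but {e.dst} is in none of the declared destinations; check the realized addrset")
```

Running it on the two quoted lines reports both hits, because 10.140.40.42 is not in 10.80.80.0/22 regardless of whether the action was PASS or DROP: the rule id in the log tells you which rule the host's vsip filter matched, while the addrset realized on that host is what actually defines the match.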
          • 2. Re: NSX-V - Identify firewall rule
            Thanksgoditsfriday Lurker

            Hi,

            The previous comment trace shows the policy allowing the traffic. The actual trace when I deny traffic is:

            2020-08-06T11:35:59.152Z 48800 INET match DROP domain-c8/1225 OUT 48 TCP 10.140.40.41/37512->10.140.40.42/22 S

            2020-08-06T11:36:00.153Z 48800 INET match DROP domain-c8/1225 OUT 48 TCP 10.140.40.41/37512->10.140.40.42/22 S

            Thanks.

            • 3. Re: NSX-V - Identify firewall rule
              Lalegre Expert

              I can see that your extract is dropping connections between two VMs in network 10.140.40.x, but in the first post your firewall rule says that traffic is allowed from any source BUT to destination 10.80.80.x.

              Is this the only firewall rule you have configured? Because the firewall rule you mentioned above is not matching the conditions of allowing the traffic.

              • 4. Re: NSX-V - Identify firewall rule
                Thanksgoditsfriday Lurker

                Hi,

                There are more rules, but the one indicated by the logs is the one that blocks the traffic, and the configuration of the rule does not correspond to the blocking of those addresses, so I transfer the query here.

                Can I provide you with any more information about the policy configuration to clarify the blockade?

                • 5. Re: NSX-V - Identify firewall rule
                  Bayu Wibowo Master

                  Do you have access to ESXi SSH or to NSX Manager SSH?

                  To validate via ESXi SSH: https://networkinferno.net/validating-distributed-firewall-rulesets-in-nsx

                  Or using NSX Central CLI, locate the VM: what's the name, and in which ESXi host

                  For NSX Central CLI, SSH to NSX Manager and do the following:

                  show dfw cluster all < find the cluster-id
                  show dfw cluster cluster-id < find the host-id (ESXi Host)
                  show dfw host host-id < find the vm-id
                  show dfw vm vm-id < find the filter
                  show dfw host host-id filter nic-###-sfw.2 rules
                  show dfw host host-id filter nic-###-sfw.2 addrsets

                  Bayu Wibowo | VCIX6-DCV/NV
                  Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
                  https://github.com/bayupw/PowerNSX-Scripts
                  https://nz.linkedin.com/in/bayupw | twitter @bayupw
                  • 6. Re: NSX-V - Identify firewall rule
                    Thanksgoditsfriday Lurker

                    Hi Bayu Wibowo

                    With your commands, I have verified that the IP of one of the machines (VM-B) appeared in the Virtualwire list, and that is why it applied the firewall rule, blocking the traffic.

                    addrset ip-virtualwire-37 {
                    # generation number: 1597225414140
                    # realization time : 2020-08-12T09:43:39
                    .  .  .  ....
                    .  .  .  ....
                    .  .  .  ....
                    ip 10.80.82.16,
                    ip 10.80.82.201,
                    ip 10.80.82.202,
                    ip 10.40.40.49,
                    ip 10.40.40.42,
                    }

                    If I look for the virtual machine on the distributed switch, it does not appear.

                    How can I remove the two IPs marked in red in Virtualwire/Distributed Port Group?

                    Thank you for all

                    Regards

                    • 7. Re: NSX-V - Identify firewall rule
                      Bayu Wibowo Master

                      Is ip-virtualwire-37 > Logical Switch LS_management?

                      Do you have those IPs connected to the LS_Management?

                      If not, I'm not sure if that's expected or a bug.

                      I've tested in a lab: one VM has two IPs, 10.80.80.x and 10.40.40.x, on different vNICs

                      The Logical Switch object only retrieves the IP addresses that are connected to the LS

                      As an alternative, you can use different objects, e.g. Security Group or IPSet 10.40.40.x/y

                      Bayu Wibowo | VCIX6-DCV/NV
                      Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
                      https://github.com/bayupw/PowerNSX-Scripts
                      https://nz.linkedin.com/in/bayupw | twitter @bayupw
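The realized addrset is the ground truth the host's vsip filter matches on, so the check that settles the question in replies 6 and 7 is mechanical: parse the `addrsets` output (the `addrset name { ... }` shape quoted above, whether it comes from `show dfw host ... addrsets` or from `vsipioctl getaddrsets`) and list every member that falls outside the subnet the logical-switch object is supposed to represent. The following is an added example, not code from the thread or from VMware; the sample text is the addrset quoted in reply 6 with the elided lines dropped, and 10.80.80.0/22 as the expected LS_management subnet is taken from the original post.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Union

Member = Union[ipaddress.IPv4Address, ipaddress.IPv4Network,
               ipaddress.IPv6Address, ipaddress.IPv6Network]

# Constructed sample: the addrset quoted in reply 6 (elided "..." lines removed).
SAMPLE_ADDRSETS = """\
addrset ip-virtualwire-37 {
# generation number: 1597225414140
# realization time : 2020-08-12T09:43:39
ip 10.80.82.16,
ip 10.80.82.201,
ip 10.80.82.202,
ip 10.40.40.49,
ip 10.40.40.42,
}
"""

ADDRSET_HEADER_RE = re.compile(r"^addrset\s+(?P<name>\S+)\s*\{\s*$")
# Members look like "ip 10.80.82.16," or "ip 10.80.80.0/22,"; a trailing comma is optional.
MEMBER_RE = re.compile(r"^ip\s+(?P<value>[0-9a-fA-F:.]+(?:/\d+)?)\s*,?\s*$")


def _to_member(value: str) -> Member:
    """Addresses become ip_address objects, prefixes become ip_network objects."""
    if "/" in value:
        return ipaddress.ip_network(value, strict=False)
    return ipaddress.ip_address(value)


def parse_addrsets(text: str) -> Dict[str, List[Member]]:
    """Parse one or more addrset blocks into {name: [members]}.

    Comment lines (# ...) and the elision rows the forum post shows are ignored;
    a member line outside any block raises, since that indicates truncated input.
    """
    sets: Dict[str, List[Member]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = ADDRSET_HEADER_RE.match(line)
        if header:
            current = header["name"]
            sets[current] = []
            continue
        if line == "}":
            current = None
            continue
        member = MEMBER_RE.match(line)
        if member:
            if current is None:
                raise ValueError(f"member outside addrset block: {line!r}")
            sets[current].append(_to_member(member["value"]))
        # Any other line (e.g. ". . . ....") is layout residue and is skipped.
    return sets


def members_outside(members: Iterable[Member],
                    expected: Iterable[str]) -> List[str]:
    """Return members that are not covered by any expected network, as strings.

    An address is covered when it lies inside a network; a prefix is covered
    only when it is entirely contained in a network.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in expected]
    stray = []
    for m in members:
        if isinstance(m, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
            covered = any(m.version == n.version and m.subnet_of(n) for n in nets)
        else:
            covered = any(m in n for n in nets)
        if not covered:
            stray.append(str(m))
    return stray


if __name__ == "__main__":
    sets = parse_addrsets(SAMPLE_ADDRSETS)
    for name, members in sets.items():
        for ip in members_outside(members, ["10.80.80.0/22"]):
            print(f"{name}: {ip} is outside 10.80.80.0/22 "
                  f"(hits will match the rule even though the VM is not on the LS)")
```

The two addresses it reports for the quoted set are the ones the poster found; the same function run across every addrset on a host, with each logical switch's own prefix as the expected network, gives a quick inventory of object-to-subnet drift to hand to support, and the IPSet workaround in reply 7 is the way to make the rule's scope explicit while that is investigated.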
                      • 8. Re: NSX-V - Identify firewall rule
                        Thanksgoditsfriday Lurker

                        Hi Bayu Wibowo

                        We have solved the blocking of the traffic through IPSet as you told us from the beginning and by creating a rule explicitly, but we are going to take the case to support so that we can solve the problem, since we do not have the machines connected to this distributed switch.

                        We will try to include the support actions in this same forum so that you have the answer that they have given us.

                        Thanks for everything