NSX 6.2 Centralized CLI, Distributed Firewall

 
In NSX 6.2 we have developed a centralized CLI to help troubleshoot DFW, Edge, VXLAN, and DLR issues. The majority of these commands only gather information rather than make changes, but they give our users the opportunity to log into a single machine rather than logging into a controller, an edge, the manager and a host. All of these CLI commands are run from the NSX manager, and these specific distributed firewall commands replace the vsipioctl commands that you would typically run on an ESXi host. Below is a list of all of the commands you can use at this point.

‘show dfw’ commands

 

show dfw cluster all
show dfw cluster <cluster-id>
show dfw host <host-id>
show dfw vm <vm-id>
show dfw vnic <vnic-id>
show dfw host <host-id> filter <filter-name> rules
show dfw host <host-id> filter <filter-name> addrsets
show dfw host <host-id> filter <filter-name> flows
show dfw host <host-id> filter <filter-name> spoofguard
show dfw host <host-id> filter <filter-name> stats
show dfw host <host-id> filter <filter-name> rule <rule-id>
show dfw host <host-id> filter <filter-name> discoveredips
show dfw host <host-id> filter <filter-name> discoveredips stats

 

Again, these are all show commands, so they will only gather information, but they will definitely come in handy when troubleshooting any DFW issues. One thing to note is that these commands will not provide any information about cross-vCenter instances, only their local instances. You can still log into the secondary NSX managers and run the same commands to gather that site's firewall data.

 

Workflow

 
First, you will want to drill down to the VM starting from the cluster; you can list all of the clusters with the following command. This gives you the name, datacenter, firewall status and the cluster-id, which you will use in the next command.

nsxmgr-01a> show dfw cluster all
No.  Cluster Name                Cluster Id               Datacenter Name     Firewall Status
1    Compute Cluster A           domain-c33               Datacenter Site A   Enabled
2    Management & Edge Cluster   domain-c41               Datacenter Site A   Enabled

 

Next, you will list the hosts in the cluster based on the cluster-id that was pulled from the previous command.

nsxmgr-01a> show dfw cluster domain-c33
Datacenter: Datacenter Site A
Cluster: Compute Cluster A
No.  Host Name            Host Id                  Installation Status
1    esx-02a.corp.local   host-32                  Ready
2    esx-01a.corp.local   host-28                  Ready

 

Once you find the host you are looking into, you can list all of the VMs on that host, their power status, and the vm-id.

nsxmgr-01a> show dfw host host-32
Datacenter: Datacenter Site A
Cluster: Compute Cluster A
Host: esx-02a.corp.local
No.  VM Name   VM Id     Power Status
1    db-01a    vm-218    on
2    web-01a   vm-216    on
3    db-02a    vm-266    on
4    app-01a   vm-217    on

 

After finding the vm-id it starts to get interesting! First, let’s list the vNics, their IDs, and the filters applied to the virtual machine.
 

nsxmgr-01a> show dfw vm vm-218
Datacenter: Datacenter Site A
Cluster: Compute Cluster A
Host: esx-02a.corp.local
VM: db-01a
Virtual Nics List:
1.
Vnic Name      db-01a - Network adapter 1
Vnic Id        502e7284-eee7-e3bb-d5ed-b55c9b360ac8.000
Filters        nic-38074-eth0-vmware-sfw.2

 

Once you know which vNic you will be troubleshooting, you can run the following command to see the port group ID as well as the MAC address.

nsxmgr-01a> show dfw vnic 502e7284-eee7-e3bb-d5ed-b55c9b360ac8.000
Vnic Name      db-01a - Network adapter 1
Vnic Id        502e7284-eee7-e3bb-d5ed-b55c9b360ac8.000
Mac Address    00:50:56:ae:d4:2b
Port Group Id  dvportgroup-360
Filters        nic-38074-eth0-vmware-sfw.2

 

Finally, you can list all of the rules that the DFW has applied to the vNic. All of the rule IDs are listed, as well as the protocol, source, destination, port, accept/deny, and whether logging is enabled.

nsxmgr-01a> show dfw host host-32 filter nic-38074-eth0-vmware-sfw.2 rules
ruleset domain-c33 {
  # Filter rules
  rule 1008 at 1 inout protocol any from addrset ip-securitygroup-10 to addrset ip-securitygroup-10 drop with log;
  rule 1007 at 2 inout protocol icmp icmptype 8 from any to addrset dst1007 accept;
  rule 1007 at 3 inout protocol tcp from any to addrset dst1007 port 443 accept;
  rule 1006 at 4 inout protocol tcp from addrset ip-securitygroup-10 to addrset ip-securitygroup-11 port 8443 accept;
  rule 1006 at 5 inout protocol icmp icmptype 8 from addrset ip-securitygroup-10 to addrset ip-securitygroup-11 accept;
  rule 1005 at 6 inout protocol tcp from addrset ip-securitygroup-11 to addrset ip-securitygroup-12 port 3306 accept;
  rule 1005 at 7 inout protocol icmp icmptype 8 from addrset ip-securitygroup-11 to addrset ip-securitygroup-12 accept;
  rule 1003 at 8 inout protocol ipv6-icmp icmptype 136 from any to any accept;
  rule 1003 at 9 inout protocol ipv6-icmp icmptype 135 from any to any accept;
  rule 1002 at 10 inout protocol udp from any to any port 68 accept;
  rule 1002 at 11 inout protocol udp from any to any port 67 accept;
  rule 1001 at 12 inout protocol any from any to any accept;
}

ruleset domain-c33_L2 {
  # Filter rules
  rule 1004 at 1 inout ethertype any from any to any accept;
}

 

A couple of other useful commands are shown below. For instance, the following command shows the packets and bytes in and out of each rule on the vNic. As you can see below, rule 1005 has passed 526 bytes incoming and 1901 bytes outgoing. Note that the stats are listed in the same order as the rules listing above, so a rule ID that expands into several entries there (1007, for example) appears once per entry here.

nsxmgr-01a> show dfw host host-32 filter nic-38074-eth0-vmware-sfw.2 stats
rule  1008: 6 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule  1007: 6 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule  1007: 5 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule  1006: 2 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule  1006: 5 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule  1005: 6 evals, in 8 out 8 pkts, in 526 out 1901 bytes
rule  1005: 5 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule  1003: 5 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule  1003: 4 evals, in 0 out 1 pkts, in 0 out 64 bytes
rule  1002: 4 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule  1002: 0 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule  1001: 4 evals, in 4 out 9 pkts, in 240 out 560 bytes
rule  1004: 10 evals, in 15 out 24 pkts, in 904 out 2801 bytes
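As an added example (my code, not from the post or from VMware), a small Python parser for the two listings above: it reads the rules output and the stats output, joins them by position, since the stats lines carry no position and rule IDs repeat, and flags any-to-any accept rules that have carried traffic, which is how you would notice flows falling through to the default rule 1001. The sample strings are shortened, constructed copies of the post's output.

```python
import re
# Constructed sample input: shortened copies of the two outputs shown in the post.
RULES_OUTPUT = """\
ruleset domain-c33 {
  rule 1008 at 1 inout protocol any from addrset ip-securitygroup-10 to addrset ip-securitygroup-10 drop with log;
  rule 1005 at 6 inout protocol tcp from addrset ip-securitygroup-11 to addrset ip-securitygroup-12 port 3306 accept;
  rule 1001 at 12 inout protocol any from any to any accept;
}
ruleset domain-c33_L2 {
  rule 1004 at 1 inout ethertype any from any to any accept;
}
"""
STATS_OUTPUT = """\
rule  1008: 6 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule  1005: 6 evals, in 8 out 8 pkts, in 526 out 1901 bytes
rule  1001: 4 evals, in 4 out 9 pkts, in 240 out 560 bytes
rule  1004: 10 evals, in 15 out 24 pkts, in 904 out 2801 bytes
"""
RULE_RE = re.compile(r"rule (\d+) at (\d+) (\S+) (.+?) from (.+?) to (.+?)"
                     r"(?: port (\S+))? (accept|drop|reject)( with log)?;")
STATS_RE = re.compile(r"rule\s+(\d+): (\d+) evals, in (\d+) out (\d+) pkts,"
                      r" in (\d+) out (\d+) bytes")

def parse_rules(text):
    # One dict per rule line, in listing order, tagged with the enclosing 'ruleset X {'.
    rules, ruleset = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("ruleset "):
            ruleset = line.split()[1]
        elif (m := RULE_RE.match(line)):
            rules.append({"ruleset": ruleset, "id": int(m[1]), "pos": int(m[2]),
                          "dir": m[3], "match": m[4], "src": m[5], "dst": m[6],
                          "port": m[7], "action": m[8], "log": m[9] is not None})
    return rules

def parse_stats(text):
    keys = ("id", "evals", "pkts_in", "pkts_out", "bytes_in", "bytes_out")
    return [dict(zip(keys, map(int, m.groups())))
            for m in map(STATS_RE.match, text.splitlines()) if m]

def join_stats(rules, stats):
    # Stats lines carry no position and an id can repeat (1007 in the post), so join by order and cross-check ids.
    if len(rules) != len(stats) or any(r["id"] != s["id"] for r, s in zip(rules, stats)):
        raise ValueError("rules and stats listings do not line up")
    return [{**r, **s} for r, s in zip(rules, stats)]

def default_allow_hits(joined):
    # L3 any-to-any accept rules that carried packets: flows nothing more specific matched.
    return [j["id"] for j in joined if j["match"].startswith("protocol") and j["action"] == "accept"
            and j["src"] == j["dst"] == "any" and j["pkts_in"] + j["pkts_out"] > 0]
```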

 

You can also list a specific rule if you know the rule ID. These rule IDs can be found by logging into the vSphere Web Client -> Networking & Security -> Firewall and checking the Rule ID box. Once you have the rule ID you can run a command that filters on only that specific rule.


nsxmgr-01a> show dfw host host-32 filter nic-38074-eth0-vmware-sfw.2 rule 1001
1001 at 12 inout protocol any from any to any accept;

 

Hopefully everyone else is as excited as I am that we now have a centralized CLI in NSX 6.2. I know we will continue to develop this CLI more, but it’s a great start and a time saver for sure! I’ll develop a few more posts on CLI commands for Edges, VXLAN, and DLRs very soon!

 

Posted by:

Sean Whitney

2 Comments

  1. Rajeev - August 17, 2016 - 8:24 pm

    Can you explain the IN/OUT direction option when using the NSX DFW rule?
    What do the IN & OUT directions in the NSX firewall indicate?
    Is there any recommendation from VMware on where to use the IN direction, where to use OUT, and where to use the IN/OUT direction?

    Please help me in understanding this direction.
  2. Carsten - September 14, 2016 - 12:58 am

    Very good blog.
    I have a question.
    I have the following constellation in my environment.
    1 Cluster
    3 DVI Switches, one for the DMZ, one for iSCSI and one for my internal networks. Everything works properly.
    Now I have a VM with two NICs; one NIC is attached to a virtual wire, for example virt-wire-5000.
    The other one is attached to a port group of the iSCSI distributed switch.
    So I try to create a rule that allows traffic for port 13/udp from the VM in virt-wire-5000 to a storage connected on Port Group iSCSI. The iSCSI DVI switch is not managed by NSX!
    If I apply this rule with a specific port eq 13/udp the traffic is blocked; if I set “any” instead of udp/13 the traffic is passed.

    Maybe you have a statement for me?
