Manage and report on a Distributed Firewall using NSX Manager and ESXi CLI commands

 

NSX Manager

I wasn't able to find any commands on NSX Manager to manage or report on the Distributed Firewall, so I will skip straight to the ESXi commands. However, if anyone has more information, please comment below and I can add it in!

ESXi CLI

There are two commands that apply to this section: summarize-dvfilter and vsipioctl. Luckily, summarize-dvfilter is easy to memorize and tab completes; vsipioctl does not tab complete and isn't the easiest to remember, so I suggest coming up with some kind of acronym or mnemonic for it.

First, let's look at summarize-dvfilter. It doesn't appear to take any arguments; it simply prints every dvfilter on the host in three sections (Fastpaths, Slowpaths, and the Filters attached to each port), as shown below.

~ # summarize-dvfilter
Fastpaths:
agent: dvfilter-faulter, refCount: 1, rev: 0x1010000, apiRev: 0x1010000, module: dvfilter
agent: ESXi-Firewall, refCount: 5, rev: 0x1010000, apiRev: 0x1010000, module: esxfw
agent: vmware-sfw, refCount: 4, rev: 0x1010000, apiRev: 0x1010000, module: vsip
agent: dvfilter-generic-vmware-swsec, refCount: 8, rev: 0x1010000, apiRev: 0x1010000, module: dvfilter-switch-security
agent: bridgelearningfilter, refCount: 1, rev: 0x1010000, apiRev: 0x1010000, module: vdrb
agent: dvfilter-generic-vmware, refCount: 1, rev: 0x1010000, apiRev: 0x1010000, module: dvfilter-generic-fastpath
agent: dvfg-igmp, refCount: 1, rev: 0x1010000, apiRev: 0x1010000, module: dvfg-igmp

Slowpaths:

Filters:
world 0 
 port 33554438 vmk0
  vNic slot 0
   name: nic-0-eth4294967295-ESXi-Firewall.0
   agentName: ESXi-Firewall
   state: IOChain Attached
   vmState: Detached
   failurePolicy: failOpen
   slowPathID: none
   filter source: Invalid
 port 67108878 vmk1
  vNic slot 0
   name: nic-0-eth4294967295-ESXi-Firewall.0
   agentName: ESXi-Firewall
   state: IOChain Attached
   vmState: Detached
   failurePolicy: failOpen
   slowPathID: none
   filter source: Invalid
...
...cont.

In the output above, the vmware-sfw agent (module vsip) is the Distributed Firewall; the ESXi-Firewall entries on vmk0 and vmk1 belong to the host's own firewall, not to the DFW. Take this command and grep for the VM you want to inspect: the matching world line carries the VM's vcUuid, which is what you cross-reference in vsipioctl. For example, let's look at my "Windows7_(Web_2)" virtual machine.

~ # summarize-dvfilter | grep "Windows7_(Web_2)"
world 2861488 vmm0:Windows7_(Web_2) vcUuid:'50 16 85 37 57 b1 81 e4-0f 7e 63 17 e0 d6 02 09'

From there, use the vsipioctl command to cross-check the VM and its policies. Before digging into vsipioctl, let's look at the command usage. Type vsipioctl at the prompt and hit enter; it lists all of the sub-commands.

~ # vsipioctl
Usage: vsipioctl <cmd>
  below is a list of available cmd:
    getfilters      : get list of filters
    getfwfilters    : obsolete, use getfilters instead
    getrules        : get rules of a filter
    getfwrules      : obsolte, use getrules instead
    getaddrsets     : get addrsets of a filter
    getfwaddrsets   : obsolte, use getaddrsets instead
    getspoofguard   : get spoofguard setting of a filter
    getfwspoofguard : obsolete, use getspoofguard instead
    getflows        : get flows of a filter
    getfwflows      : obsolete, use getflows instead
    help            : this help message
  run `vsipioctl <cmd> -h' to find out available options of a cmd.

Starting with the first sub-command, getfilters, we see the output below. It lists every vmware-sfw filter on the host together with the UUID of the VM it protects; that UUID should match the vcUuid from the summarize-dvfilter line above.

~ # vsipioctl getfilters

Filter Name              : nic-2861488-eth0-vmware-sfw.2
VM UUID                  : 50 16 85 37 57 b1 81 e4-0f 7e 63 17 e0 d6 02 09
VNIC Index               : 0
Service Profile          : --NOT SET--

Filter Name              : nic-395190-eth0-vmware-sfw.2
VM UUID                  : 50 16 bb 2b 14 9e 7f ef-af 64 7f 0c 7e 6b ec ff
VNIC Index               : 0
Service Profile          : --NOT SET--

Filter Name              : nic-6278897-eth0-vmware-sfw.2
VM UUID                  : 50 1d bf 62 79 98 52 f3-84 ad 43 40 14 12 b3 ee
VNIC Index               : 0
Service Profile          : --NOT SET---

Match the UUIDs to find the filter name. In this case it's the first entry, nic-2861488-eth0-vmware-sfw.2. Note that the number in the filter name is the VM's world ID (2861488) from the summarize-dvfilter line, which is a quick sanity check that you have the right filter; a VM with several vNICs has one filter per vNIC, all with the same VM UUID but different VNIC Index values. Use this filter name with the getrules sub-command to list the rules applied to that vNIC.

~ # vsipioctl getrules -f nic-2861488-eth0-vmware-sfw.2
ruleset domain-c123 {
  # Filter rules
  rule 1006 at 1 inout protocol any from addrset ip-securitygroup-10 to any drop;
  rule 1005 at 2 inout protocol icmp icmptype 8 from addrset ip-securitygroup-10 to any accept;
  rule 1004 at 3 inout protocol ipv6-icmp icmptype 135 from any to any accept;
  rule 1004 at 4 inout protocol ipv6-icmp icmptype 136 from any to any accept;
  rule 1003 at 5 inout protocol udp from any to any port 67 accept;
  rule 1003 at 6 inout protocol udp from any to any port 68 accept;
  rule 1002 at 7 inout protocol any from any to any accept;
}

ruleset domain-c123_L2 {
  # Filter rules
  rule 1001 at 1 inout ethertype any from any to any accept;
}

 
The rules are listed in the order they are evaluated and the first match wins: the drop at position 1 for addrset ip-securitygroup-10 takes precedence over the accepts below it, and rule 1002 at position 7 is the default any/any accept. The rule numbers are the rule IDs from NSX Manager, so a rule seen on the host can be traced back to the policy; a rule covering several ports or ICMP types appears once per entry (rule 1003 at positions 5 and 6), and the ruleset name (domain-c123) is the vCenter identifier of the cluster the policy was published to. To see which IP addresses ip-securitygroup-10 resolves to on this host, run vsipioctl getaddrsets -f with the same filter name. As always, I recommend playing around with the vsipioctl command to see what the different arguments achieve.
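To tie the three steps together, here is a small POSIX shell script that resolves a VM name to its vmware-sfw filter(s) and runs getrules on each. It is an added example, not code from the original post or from VMware, and it assumes the output formats shown above. Off an ESXi host, where summarize-dvfilter and vsipioctl are not in PATH, the two *_output helpers fall back to sample output (the entries from this page plus one constructed eth1 entry for the same VM, so the multi-vNIC case is exercised). The script name dfw_lookup.sh is my choice.

```shell
#!/bin/sh
# Added example (not from the original post): chain summarize-dvfilter,
# vsipioctl getfilters and vsipioctl getrules so that a VM name resolves to
# its vmware-sfw filter(s) and their rules. POSIX/busybox sh, as on ESXi.
# Off an ESXi host the live commands are absent, so the two *_output helpers
# fall back to sample output (copied from the post, plus one constructed entry).

dvfilter_output() {
    if command -v summarize-dvfilter >/dev/null 2>&1; then
        summarize-dvfilter
    else
        # sample: the world line for Windows7_(Web_2) from the post
        cat <<'EOF'
world 2861488 vmm0:Windows7_(Web_2) vcUuid:'50 16 85 37 57 b1 81 e4-0f 7e 63 17 e0 d6 02 09'
EOF
    fi
}

getfilters_output() {
    if command -v vsipioctl >/dev/null 2>&1; then
        vsipioctl getfilters
    else
        # sample: two entries from the post, plus a constructed eth1 entry for the
        # same VM to show what a second vNIC looks like (same VM UUID, VNIC Index 1)
        cat <<'EOF'
Filter Name              : nic-2861488-eth0-vmware-sfw.2
VM UUID                  : 50 16 85 37 57 b1 81 e4-0f 7e 63 17 e0 d6 02 09
VNIC Index               : 0
Service Profile          : --NOT SET--

Filter Name              : nic-395190-eth0-vmware-sfw.2
VM UUID                  : 50 16 bb 2b 14 9e 7f ef-af 64 7f 0c 7e 6b ec ff
VNIC Index               : 0
Service Profile          : --NOT SET--

Filter Name              : nic-2861488-eth1-vmware-sfw.2
VM UUID                  : 50 16 85 37 57 b1 81 e4-0f 7e 63 17 e0 d6 02 09
VNIC Index               : 1
Service Profile          : --NOT SET--
EOF
    fi
}

# "<world id> <vcUuid>" for VM name $1, from summarize-dvfilter output on stdin.
# grep -F so that ( ) and . in VM names are matched literally, not as regex.
vm_world_and_uuid() {
    grep -F "vmm0:$1 " |
        sed -n "s/^world \([0-9]*\) .*vcUuid:'\([^']*\)'.*/\1 \2/p"
}

# Filter names whose "VM UUID" equals $1, one per line, from getfilters output on stdin.
filter_for_uuid() {
    awk -v want="$1" '
        /^Filter Name/ { name = $0; sub(/^[^:]*: */, "", name) }
        /^VM UUID/     { uuid = $0; sub(/^[^:]*: */, "", uuid); if (uuid == want) print name }
    '
}

# VM name -> filter name(s). A VM with several vNICs has one filter per vNIC,
# all carrying the same UUID. The number in each name (nic-<world>-eth<n>-...)
# is the VM's world id, which is cross-checked against summarize-dvfilter.
filters_for_vm() {
    line=$(dvfilter_output | vm_world_and_uuid "$1")
    [ -n "$line" ] || { echo "no dvfilter world found for VM '$1'" >&2; return 1; }
    world=${line%% *}
    uuid=${line#* }
    filters=$(getfilters_output | filter_for_uuid "$uuid")
    [ -n "$filters" ] || { echo "no vmware-sfw filter for UUID $uuid" >&2; return 1; }
    for f in $filters; do
        case $f in
            nic-$world-*) ;;
            *) echo "warning: $f does not carry world id $world" >&2 ;;
        esac
        printf '%s\n' "$f"
    done
}

# The full procedure: on ESXi dump the rules of every filter; elsewhere show the command.
dfw_rules_for_vm() {
    filters=$(filters_for_vm "$1") || return 1
    for f in $filters; do
        if command -v vsipioctl >/dev/null 2>&1; then
            vsipioctl getrules -f "$f"
        else
            echo "would run: vsipioctl getrules -f $f"
        fi
    done
}

dfw_rules_for_vm "${1:-Windows7_(Web_2)}"
```

On the host, save it and run sh dfw_lookup.sh "Windows7_(Web_2)". The world-ID cross-check is there because getfilters lists every VM on the host and a UUID copied from the wrong world line would silently send you to another VM's rules; matching on the full UUID rather than grepping the filter list by a substring keeps VMs with similar names apart.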
 

3 Comments

  1. Rajeev - February 14, 2016 - 7:33 pm

    Hi Sean

    Would like to know how to measure the performance of the Distributed Firewall.
    I have been asked to compare the performance of the NSX Virtual Firewall with that of the Physical firewall.
    Need to know how I can measure it & also would like to know how I can check & ensure that the Virtual Distributed Firewall is not slowing down the performance of the virtual machines.

  2. Rajeev - August 17, 2016 - 9:17 am

    I have a VM under NSX where I have applied the distributed firewall policies. The VM has 2 vNICs.
    One vNIC is connected to the NSX logical switch & the other vNIC is connected to a standard port group out of NSX.
    By default the distributed firewall rule will apply the policies to both the vNIC of the VM.
    Is there any way I can configure that the policies are applied to vNIC1 & no policies are getting applied to vNIC2.

    How to achieve this.

    • Fletcher - March 23, 2017 - 12:53 pm

      Either build the policy to include the specific vNIC of the in LS or use the Applied To field.
