NSX 6.2 Centralized CLI, Distributed Firewall
In NSX 6.2 we have developed a centralized CLI to help troubleshoot DFW, Edge, VXLAN, and DLR issues. The majority of these commands only gather information rather than make changes, but they give users the opportunity to log in to a single machine rather than logging into a controller, an edge, the manager and a host. All of these CLI commands are run from the NSX Manager, and the distributed firewall commands below give you the same information as the vsipioctl commands you would otherwise have to run on an ESXi host. Below is a list of all of the commands you can use at this point.
‘show dfw’ commands
show dfw cluster all
show dfw cluster <cluster-id>
show dfw host <host-id>
show dfw vm <vm-id>
show dfw vnic <vnic-id>
show dfw host <host-id> filter <filter-name> rules
show dfw host <host-id> filter <filter-name> addrsets
show dfw host <host-id> filter <filter-name> flows
show dfw host <host-id> filter <filter-name> spoofguard
show dfw host <host-id> filter <filter-name> stats
show dfw host <host-id> filter <filter-name> rule <rule-id>
show dfw host <host-id> filter <filter-name> discoveredips
show dfw host <host-id> filter <filter-name> discoveredips stats
Again, these are all show commands, so they only gather information, but they will definitely come in handy when troubleshooting DFW issues. One thing to note is that these commands do not return any information about cross-vCenter instances, only the local instance. You can still log into the secondary NSX Managers and run the same commands to gather that site's firewall data.
Workflow
First, you will want to drill down to the VM, starting from the cluster. You can list all of the clusters with the following command, which gives you the name, datacenter, firewall status and the cluster-id that you will use in the next command.
nsxmgr-01a> show dfw cluster all
No.  Cluster Name               Cluster Id   Datacenter Name      Firewall Status
1    Compute Cluster A          domain-c33   Datacenter Site A    Enabled
2    Management & Edge Cluster  domain-c41   Datacenter Site A    Enabled
Next, list the hosts in the cluster using the cluster-id that was pulled from the previous command.
nsxmgr-01a> show dfw cluster domain-c33
Datacenter: Datacenter Site A
Cluster: Compute Cluster A
No.  Host Name            Host Id   Installation Status
1    esx-02a.corp.local   host-32   Ready
2    esx-01a.corp.local   host-28   Ready
Once you find the host you are looking into, you can list all of the VMs on that host, their power status, and the vm-id.
nsxmgr-01a> show dfw host host-32
Datacenter: Datacenter Site A
Cluster: Compute Cluster A
Host: esx-02a.corp.local
No.  VM Name   VM Id    Power Status
1    db-01a    vm-218   on
2    web-01a   vm-216   on
3    db-02a    vm-266   on
4    app-01a   vm-217   on
After finding the vm-id it starts to get interesting! First, let’s list the vNics, their IDs, and the filters applied to the virtual machine.
nsxmgr-01a> show dfw vm vm-218
Datacenter: Datacenter Site A
Cluster: Compute Cluster A
Host: esx-02a.corp.local
VM: db-01a
Virtual Nics List:
1.
Vnic Name   db-01a - Network adapter 1
Vnic Id     502e7284-eee7-e3bb-d5ed-b55c9b360ac8.000
Filters     nic-38074-eth0-vmware-sfw.2
Once you know which vNIC you will be troubleshooting, you can run the following command to see its port group ID as well as its MAC address.
nsxmgr-01a> show dfw vnic 502e7284-eee7-e3bb-d5ed-b55c9b360ac8.000
Vnic Name       db-01a - Network adapter 1
Vnic Id         502e7284-eee7-e3bb-d5ed-b55c9b360ac8.000
Mac Address     00:50:56:ae:d4:2b
Port Group Id   dvportgroup-360
Filters         nic-38074-eth0-vmware-sfw.2
Finally, you can list all of the rules that the DFW has applied to the vNIC. Each line shows the rule ID, its position in the ruleset, the direction, protocol, source, destination, port, the action (accept/drop), and whether logging is enabled. Note that the list ends with a protocol any, from any to any accept rule: anything not matched by an explicit rule above it is allowed by that default.
nsxmgr-01a> show dfw host host-32 filter nic-38074-eth0-vmware-sfw.2 rules
ruleset domain-c33 {
  # Filter rules
  rule 1008 at 1 inout protocol any from addrset ip-securitygroup-10 to addrset ip-securitygroup-10 drop with log;
  rule 1007 at 2 inout protocol icmp icmptype 8 from any to addrset dst1007 accept;
  rule 1007 at 3 inout protocol tcp from any to addrset dst1007 port 443 accept;
  rule 1006 at 4 inout protocol tcp from addrset ip-securitygroup-10 to addrset ip-securitygroup-11 port 8443 accept;
  rule 1006 at 5 inout protocol icmp icmptype 8 from addrset ip-securitygroup-10 to addrset ip-securitygroup-11 accept;
  rule 1005 at 6 inout protocol tcp from addrset ip-securitygroup-11 to addrset ip-securitygroup-12 port 3306 accept;
  rule 1005 at 7 inout protocol icmp icmptype 8 from addrset ip-securitygroup-11 to addrset ip-securitygroup-12 accept;
  rule 1003 at 8 inout protocol ipv6-icmp icmptype 136 from any to any accept;
  rule 1003 at 9 inout protocol ipv6-icmp icmptype 135 from any to any accept;
  rule 1002 at 10 inout protocol udp from any to any port 68 accept;
  rule 1002 at 11 inout protocol udp from any to any port 67 accept;
  rule 1001 at 12 inout protocol any from any to any accept;
}

ruleset domain-c33_L2 {
  # Filter rules
  rule 1004 at 1 inout ethertype any from any to any accept;
}
A couple of other useful commands are below. For instance, the following command shows the evaluations, packets and bytes in and out for each rule line on the vNIC. A rule ID appears once per service the rule contains (rule 1005 here covers both TCP/3306 and ICMP echo), and the lines are in the same order as the rules listing, so match them up by position rather than by ID alone. As you can see below, the first rule 1005 line has passed 526 bytes incoming and 1901 bytes outgoing.
nsxmgr-01a> show dfw host host-32 filter nic-38074-eth0-vmware-sfw.2 stats
rule 1008: 6 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule 1007: 6 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule 1007: 5 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule 1006: 2 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule 1006: 5 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule 1005: 6 evals, in 8 out 8 pkts, in 526 out 1901 bytes
rule 1005: 5 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule 1003: 5 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule 1003: 4 evals, in 0 out 1 pkts, in 0 out 64 bytes
rule 1002: 4 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule 1002: 0 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule 1001: 4 evals, in 4 out 9 pkts, in 240 out 560 bytes
rule 1004: 10 evals, in 15 out 24 pkts, in 904 out 2801 bytes
You can also list a specific rule if you know the rule ID. Rule IDs can be found by logging into the vSphere Web Client -> Networking & Security -> Firewall and checking the Rule ID box as shown below. Once you have the rule ID you can restrict the output to that one rule.
nsxmgr-01a> show dfw host host-32 filter nic-38074-eth0-vmware-sfw.2 rule 1001
1001 at 12 inout protocol any from any to any accept;
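The rules and stats outputs above are easy to read for one vNIC but tedious across a cluster, and the stats lines carry only the rule ID, which repeats once per service, so they have to be paired with the rules listing by position. As an added example (my code, not part of this post or of NSX), the following Python parses both outputs, joins them positionally with an ID cross-check, and then runs the three checks I actually want from these counters: which catch-all accept rules are carrying packets (flows no explicit rule describes), which drop rules fire without logging, and which rules are never evaluated. The sample input is constructed from the outputs shown on this page, and the grammar handled is assumed to be only the subset those outputs use.

```python
import re

# Constructed sample input: the two outputs shown on this page, one entry per line.
RULES_TEXT = """\
ruleset domain-c33 {
  # Filter rules
  rule 1008 at 1 inout protocol any from addrset ip-securitygroup-10 to addrset ip-securitygroup-10 drop with log;
  rule 1007 at 2 inout protocol icmp icmptype 8 from any to addrset dst1007 accept;
  rule 1007 at 3 inout protocol tcp from any to addrset dst1007 port 443 accept;
  rule 1006 at 4 inout protocol tcp from addrset ip-securitygroup-10 to addrset ip-securitygroup-11 port 8443 accept;
  rule 1006 at 5 inout protocol icmp icmptype 8 from addrset ip-securitygroup-10 to addrset ip-securitygroup-11 accept;
  rule 1005 at 6 inout protocol tcp from addrset ip-securitygroup-11 to addrset ip-securitygroup-12 port 3306 accept;
  rule 1005 at 7 inout protocol icmp icmptype 8 from addrset ip-securitygroup-11 to addrset ip-securitygroup-12 accept;
  rule 1003 at 8 inout protocol ipv6-icmp icmptype 136 from any to any accept;
  rule 1003 at 9 inout protocol ipv6-icmp icmptype 135 from any to any accept;
  rule 1002 at 10 inout protocol udp from any to any port 68 accept;
  rule 1002 at 11 inout protocol udp from any to any port 67 accept;
  rule 1001 at 12 inout protocol any from any to any accept;
}
ruleset domain-c33_L2 {
  # Filter rules
  rule 1004 at 1 inout ethertype any from any to any accept;
}
"""
STATS_TEXT = """\
rule 1008: 6 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule 1007: 6 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule 1007: 5 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule 1006: 2 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule 1006: 5 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule 1005: 6 evals, in 8 out 8 pkts, in 526 out 1901 bytes
rule 1005: 5 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule 1003: 5 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule 1003: 4 evals, in 0 out 1 pkts, in 0 out 64 bytes
rule 1002: 4 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule 1002: 0 evals, in 0 out 0 pkts, in 0 out 0 bytes
rule 1001: 4 evals, in 4 out 9 pkts, in 240 out 560 bytes
rule 1004: 10 evals, in 15 out 24 pkts, in 904 out 2801 bytes
"""

# Assumption: the grammar is only what the outputs above use (any/addrset/ip endpoints,
# optional icmptype and port, accept/drop/reject, optional "with log").
RULESET_RE = re.compile(r"^ruleset (?P<name>\S+) \{$")
RULE_RE = re.compile(
    r"^rule (?P<id>\d+) at (?P<pos>\d+) (?P<direction>in|out|inout) "
    r"(?:protocol|ethertype) (?P<proto>\S+)(?: icmptype \d+)?"
    r" from (?P<src>any|(?:addrset|ip) \S+) to (?P<dst>any|(?:addrset|ip) \S+)"
    r"(?: port (?P<port>\d+))? (?P<action>accept|drop|reject)(?P<log> with log)?;$"
)
STATS_RE = re.compile(
    r"^rule (?P<id>\d+): (?P<evals>\d+) evals, in (?P<in_pkts>\d+) out (?P<out_pkts>\d+) pkts, "
    r"in (?P<in_bytes>\d+) out (?P<out_bytes>\d+) bytes$"
)

def parse_rules(text):
    """Return one dict per rule line, in listing order, tagged with its ruleset name."""
    rules, ruleset = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if (m := RULESET_RE.match(line)):
            ruleset = m["name"]
        elif (m := RULE_RE.match(line)):
            r = m.groupdict()
            r.update(ruleset=ruleset, id=int(r["id"]), pos=int(r["pos"]),
                     port=int(r["port"]) if r["port"] else None, log=r["log"] is not None)
            rules.append(r)
        elif line.startswith("rule "):
            raise ValueError(f"unrecognised rule line: {line}")  # fail loudly, never skip
    return rules

def join_stats(rules, stats_text):
    """Attach counters to rules. A rule ID repeats once per service (1005 at 6 and at 7),
    so the join is by position, following the listing order (L3 then L2); IDs are cross-checked."""
    stats = [STATS_RE.match(ln.strip()) for ln in stats_text.splitlines() if ln.strip()]
    if len(stats) != len(rules) or not all(stats):
        raise ValueError("stats output does not line up with the rules output")
    for rule, m in zip(rules, stats):
        if int(m["id"]) != rule["id"]:
            raise ValueError(f"rule {rule['id']} at {rule['pos']} paired with stats for {m['id']}")
        rule.update({k: int(v) for k, v in m.groupdict().items() if k != "id"})
    return rules

def catch_all_hits(rules):
    """any/any/any accept rules that carried packets: flows no explicit rule describes yet."""
    return [r for r in rules if r["action"] == "accept" and r["in_pkts"] + r["out_pkts"] > 0
            and (r["proto"], r["src"], r["dst"]) == ("any", "any", "any")]

def unlogged_drops(rules):
    """Drop/reject rules without logging leave no evidence when they fire."""
    return [r for r in rules if r["action"] in ("drop", "reject") and not r["log"]]

def never_evaluated(rules):
    """Zero evals: cleanup candidates, or a sign the filter never sees that traffic."""
    return [r for r in rules if r["evals"] == 0]

if __name__ == "__main__":
    for r in join_stats(parse_rules(RULES_TEXT), STATS_TEXT):
        print(f"{r['ruleset']:<15} rule {r['id']} at {r['pos']:>2} {r['action']:<6} {r['evals']:>3} evals"
              f" {r['in_pkts'] + r['out_pkts']:>3} pkts {r['in_bytes'] + r['out_bytes']:>5} bytes")
```

On the page's own data, catch_all_hits flags rule 1001 (13 packets hit the L3 default accept, so something on db-01a is talking outside the explicit web/app/db rules) and the L2 default rule 1004, which is expected here because the L2 ruleset has nothing else in it. The positional join is deliberately strict: if the two outputs are captured at different times and a rule is added in between, the ID cross-check fails rather than silently attributing counters to the wrong rule.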
Hopefully everyone else is as excited as I am that we now have a centralized CLI in NSX 6.2. I know we will continue to develop this CLI more, but it’s a great start and a time saver for sure! I’ll develop a few more posts on CLI commands for Edges, VXLAN, and DLRs very soon!
4 Comments
Can you explain the IN/OUT direction option when using the NSX DFW rule?
What does the IN & OUT direction in the NSX firewall indicate?
Is there any recommendation from VMware on where to use the IN direction, where to use OUT, and where to use the IN/OUT direction?
Please help in understanding this direction.
Very good blog.
I have a question.
I have the following constellation in my environment.
1 Cluster
3 DVI Switches, one for the DMZ, one for iSCSI and one for my internal networks. Everything works properly.
Now I have a VM with two NICs; one NIC is attached to a virtual wire, for example virt-wire-5000.
The other one is attached to a port group of the iSCSI distributed switch.
So I try to create a rule that allows traffic for port 13/udp from the VM in virt-wire-5000 to a storage connected on port group iSCSI. The iSCSI DVI switch is not managed by NSX!
If I apply this rule with a specific port eq 13/udp the traffic is blocked; if I set "any" instead of udp/13 the traffic is passed.
maybe you have a statement for me?
thanks very good