Manage and report on a Distributed Firewall using NSX Manager and ESXi CLI commands
NSX Manager
I wasn’t able to find any commands on NSX Manager to manage and report on the Distributed Firewall, so I will skip ahead to the ESXi commands. However, if anyone has more information, please comment below and I can add it in!
ESXi CLI
There are two different commands that are applicable to this section: summarize-dvfilter and vsipioctl. Luckily, summarize-dvfilter is easy to memorize and you can tab complete it; unluckily for me and you, vsipioctl does not tab complete and isn’t the easiest to remember. I suggest coming up with some kind of acronym to memorize the command.
First, let’s look at summarize-dvfilter. There don’t appear to be any arguments for this command; it just prints out all of the dvfilters, as shown below.
~ # summarize-dvfilter
Fastpaths:
agent: dvfilter-faulter, refCount: 1, rev: 0x1010000, apiRev: 0x1010000, module: dvfilter
agent: ESXi-Firewall, refCount: 5, rev: 0x1010000, apiRev: 0x1010000, module: esxfw
agent: vmware-sfw, refCount: 4, rev: 0x1010000, apiRev: 0x1010000, module: vsip
agent: dvfilter-generic-vmware-swsec, refCount: 8, rev: 0x1010000, apiRev: 0x1010000, module: dvfilter-switch-security
agent: bridgelearningfilter, refCount: 1, rev: 0x1010000, apiRev: 0x1010000, module: vdrb
agent: dvfilter-generic-vmware, refCount: 1, rev: 0x1010000, apiRev: 0x1010000, module: dvfilter-generic-fastpath
agent: dvfg-igmp, refCount: 1, rev: 0x1010000, apiRev: 0x1010000, module: dvfg-igmp

Slowpaths:

Filters:
world 0
 port 33554438 vmk0
  vNic slot 0
   name: nic-0-eth4294967295-ESXi-Firewall.0
   agentName: ESXi-Firewall
   state: IOChain Attached
   vmState: Detached
   failurePolicy: failOpen
   slowPathID: none
   filter source: Invalid
 port 67108878 vmk1
  vNic slot 0
   name: nic-0-eth4294967295-ESXi-Firewall.0
   agentName: ESXi-Firewall
   state: IOChain Attached
   vmState: Detached
   failurePolicy: failOpen
   slowPathID: none
   filter source: Invalid
...
...cont.
You will want to take this command and grep out the specific UUID of a VM, then use that UUID with the vsipioctl command. For example, let’s look at my “Windows7_(Web_2)” Virtual Machine.
~ # summarize-dvfilter | grep "Windows7_(Web_2)"
world 2861488 vmm0:Windows7_(Web_2) vcUuid:'50 16 85 37 57 b1 81 e4-0f 7e 63 17 e0 d6 02 09'
From there, you can use the vsipioctl command to cross-check the VM and its policies. Before I dig into vsipioctl, let’s look at the command usage. Type vsipioctl at the command prompt and hit enter; this will show you all of the arguments.
~ # vsipioctl
Usage: vsipioctl
below is a list of available cmd:
  getfilters      : get list of filters
  getfwfilters    : obsolete, use getfilters instead
  getrules        : get rules of a filter
  getfwrules      : obsolte, use getrules instead
  getaddrsets     : get addrsets of a filter
  getfwaddrsets   : obsolte, use getaddrsets instead
  getspoofguard   : get spoofguard setting of a filter
  getfwspoofguard : obsolete, use getspoofguard instead
  getflows        : get flows of a filter
  getfwflows      : obsolete, use getflows instead
  help            : this help message
run `vsipioctl -h' to find out available options of a cmd.
Starting with the first command, “getfilters”, we see the following output. Notice the VM UUID; this should match the UUID from the summarize-dvfilter command.
~ # vsipioctl getfilters
Filter Name : nic-2861488-eth0-vmware-sfw.2
  VM UUID : 50 16 85 37 57 b1 81 e4-0f 7e 63 17 e0 d6 02 09
  VNIC Index : 0
  Service Profile : --NOT SET--

Filter Name : nic-395190-eth0-vmware-sfw.2
  VM UUID : 50 16 bb 2b 14 9e 7f ef-af 64 7f 0c 7e 6b ec ff
  VNIC Index : 0
  Service Profile : --NOT SET--

Filter Name : nic-6278897-eth0-vmware-sfw.2
  VM UUID : 50 1d bf 62 79 98 52 f3-84 ad 43 40 14 12 b3 ee
  VNIC Index : 0
  Service Profile : --NOT SET--
Match the UUIDs to find the Filter Name; in this case it’s the first one, and the filter name is nic-2861488-eth0-vmware-sfw.2. You will use this filter name to find which rules are associated with that filter by running the getrules command with the -f option.
~ # vsipioctl getrules -f nic-2861488-eth0-vmware-sfw.2
ruleset domain-c123 {
  # Filter rules
  rule 1006 at 1 inout protocol any from addrset ip-securitygroup-10 to any drop;
  rule 1005 at 2 inout protocol icmp icmptype 8 from addrset ip-securitygroup-10 to any accept;
  rule 1004 at 3 inout protocol ipv6-icmp icmptype 135 from any to any accept;
  rule 1004 at 4 inout protocol ipv6-icmp icmptype 136 from any to any accept;
  rule 1003 at 5 inout protocol udp from any to any port 67 accept;
  rule 1003 at 6 inout protocol udp from any to any port 68 accept;
  rule 1002 at 7 inout protocol any from any to any accept;
}

ruleset domain-c123_L2 {
  # Filter rules
  rule 1001 at 1 inout ethertype any from any to any accept;
}
As always, I recommend playing around with the vsipioctl command to see what the different arguments achieve.
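The three lookups above (VM name to vcUuid, vcUuid to filter name, filter name to rules) chain naturally into one script. This is an added example, not from the original post or from VMware: the sample_* functions return constructed output that mirrors the post (the Windows7_(Web_1) name is made up), and on a real ESXi host you would replace them with summarize-dvfilter, vsipioctl getfilters and vsipioctl getrules -f. It also reports whether the L3 ruleset for the filter ends in a catch-all "any to any accept", which is the rule to look for when auditing a VM's effective policy.

```shell
# Added example (not the post's own code). The sample_* functions stand in for
# summarize-dvfilter, vsipioctl getfilters and vsipioctl getrules -f "$1";
# their output is constructed to match the post's format.
sample_dvfilter() { cat <<'EOF'
world 2861488 vmm0:Windows7_(Web_2) vcUuid:'50 16 85 37 57 b1 81 e4-0f 7e 63 17 e0 d6 02 09'
world 395190 vmm0:Windows7_(Web_1) vcUuid:'50 16 bb 2b 14 9e 7f ef-af 64 7f 0c 7e 6b ec ff'
EOF
}
sample_getfilters() { cat <<'EOF'
Filter Name : nic-2861488-eth0-vmware-sfw.2
   VM UUID : 50 16 85 37 57 b1 81 e4-0f 7e 63 17 e0 d6 02 09
   VNIC Index : 0
Filter Name : nic-395190-eth0-vmware-sfw.2
   VM UUID : 50 16 bb 2b 14 9e 7f ef-af 64 7f 0c 7e 6b ec ff
   VNIC Index : 0
EOF
}
sample_getrules() { cat <<'EOF'
ruleset domain-c123 {
  # Filter rules
  rule 1006 at 1 inout protocol any from addrset ip-securitygroup-10 to any drop;
  rule 1003 at 5 inout protocol udp from any to any port 67 accept;
  rule 1002 at 7 inout protocol any from any to any accept;
}
ruleset domain-c123_L2 {
  rule 1001 at 1 inout ethertype any from any to any accept;
}
EOF
}
# vcUuid of a VM; the name is matched literally because it may contain parentheses.
vm_uuid() { sample_dvfilter | grep -F "vmm0:$1 " | sed -n "s/.*vcUuid:'\([^']*\)'.*/\1/p"; }
# Filter name whose "VM UUID" line equals the given UUID.
filter_for_uuid() {
  sample_getfilters | awk -v u="$1" -F' : ' '
    /Filter Name/ { f = $2 }
    /VM UUID/ && $2 == u { print f; exit }'
}
# Verdict on the last L3 rule (everything before the _L2 ruleset).
l3_default() {
  sample_getrules "$1" | awk '/^ruleset .*_L2/ { exit } /^ *rule / { last = $0 }
    END { v = (last ~ /protocol any from any to any accept;$/) ? "default-allow" : "default-deny-or-scoped"; print v }'
}
report() {  # report VM_NAME
  u=$(vm_uuid "$1"); [ -n "$u" ] || { echo "no vcUuid for $1"; return 1; }
  f=$(filter_for_uuid "$u"); [ -n "$f" ] || { echo "no filter for $1"; return 1; }
  echo "$1 uuid=[$u] filter=$f last-l3-rule=$(l3_default "$f")"
}
report 'Windows7_(Web_2)'
```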
3 Comments
Hi Sean,
I would like to know how to measure the performance of the Distributed Firewall.
I have been asked to compare the performance of the NSX Virtual Firewall with that of the physical firewall.
I need to know how I can measure it, and I would also like to know how I can check and ensure that the Virtual Distributed Firewall is not slowing down the performance of the virtual machines.
I have a VM under NSX where I have applied the distributed firewall policies. The VM has 2 vNICs.
One vNIC is connected to the NSX logical switch and the other vNIC is connected to a standard port group outside of NSX.
By default the distributed firewall rule will apply the policies to both vNICs of the VM.
Is there any way I can configure it so that the policies are applied to vNIC1 and no policies are applied to vNIC2?
How can I achieve this?
Either build the policy to include the specific vNIC in the LS, or use the Applied To field.