Manage and report on a Distributed Firewall using NSX Manager and ESXi CLI commands

 

NSX Manager

 
I wasn’t able to find any commands on NSX Manager to manage and report on the Distributed Firewall, so I will skip straight to the ESXi commands. However, if anyone has more information, please comment below and I can add it in!
 

ESXi CLI

 
There are two commands that apply to this section: summarize-dvfilter and vsipioctl. Luckily, summarize-dvfilter is easy to memorize and tab-completes. Unfortunately for you and me, vsipioctl does not tab-complete and isn’t the easiest to remember, so I suggest coming up with some kind of mnemonic for it (the name comes from vsip, the kernel module behind the vmware-sfw agent you will see in the summarize-dvfilter output below).
 
First, let’s look at summarize-dvfilter. It takes no arguments; it just prints every dvfilter agent loaded on the host (Fastpaths) and every filter instance attached to a port, as shown below. The Distributed Firewall is the vmware-sfw agent (module vsip). The ESXi-Firewall entries you see on vmk0 and vmk1 belong to the host’s own firewall (module esxfw), not to DFW.
 

~ # summarize-dvfilter
Fastpaths:
agent: dvfilter-faulter, refCount: 1, rev: 0x1010000, apiRev: 0x1010000, module: dvfilter
agent: ESXi-Firewall, refCount: 5, rev: 0x1010000, apiRev: 0x1010000, module: esxfw
agent: vmware-sfw, refCount: 4, rev: 0x1010000, apiRev: 0x1010000, module: vsip
agent: dvfilter-generic-vmware-swsec, refCount: 8, rev: 0x1010000, apiRev: 0x1010000, module: dvfilter-switch-security
agent: bridgelearningfilter, refCount: 1, rev: 0x1010000, apiRev: 0x1010000, module: vdrb
agent: dvfilter-generic-vmware, refCount: 1, rev: 0x1010000, apiRev: 0x1010000, module: dvfilter-generic-fastpath
agent: dvfg-igmp, refCount: 1, rev: 0x1010000, apiRev: 0x1010000, module: dvfg-igmp

Slowpaths:

Filters:
world 0 
 port 33554438 vmk0
  vNic slot 0
   name: nic-0-eth4294967295-ESXi-Firewall.0
   agentName: ESXi-Firewall
   state: IOChain Attached
   vmState: Detached
   failurePolicy: failOpen
   slowPathID: none
   filter source: Invalid
 port 67108878 vmk1
  vNic slot 0
   name: nic-0-eth4294967295-ESXi-Firewall.0
   agentName: ESXi-Firewall
   state: IOChain Attached
   vmState: Detached
   failurePolicy: failOpen
   slowPathID: none
   filter source: Invalid
...
...cont.

You will want to grep this output for the VM name, which gives you the VM’s world ID and its vcUuid; the UUID is what you will match against the vsipioctl output. For example, let’s look at my “Windows7_(Web_2)” Virtual Machine.
 

~ # summarize-dvfilter | grep "Windows7_(Web_2)"
world 2861488 vmm0:Windows7_(Web_2) vcUuid:'50 16 85 37 57 b1 81 e4-0f 7e 63 17 e0 d6 02 09'

 
From there, you can use the vsipioctl command to cross-check the VM and its policies. Before I dig into vsipioctl, let’s look at the command usage. Type vsipioctl at the prompt and hit enter; this shows all of the available sub-commands.
 

~ # vsipioctl
Usage: vsipioctl <cmd>
  below is a list of available cmd:
    getfilters      : get list of filters
    getfwfilters    : obsolete, use getfilters instead
    getrules        : get rules of a filter
    getfwrules      : obsolte, use getrules instead
    getaddrsets     : get addrsets of a filter
    getfwaddrsets   : obsolte, use getaddrsets instead
    getspoofguard   : get spoofguard setting of a filter
    getfwspoofguard : obsolete, use getspoofguard instead
    getflows        : get flows of a filter
    getfwflows      : obsolete, use getflows instead
    help            : this help message
  run `vsipioctl <cmd> -h' to find out available options of a cmd.

 
Starting with the first sub-command, getfilters, we see the following output. Notice the VM UUID; this should match the vcUuid from the summarize-dvfilter command.
 

~ # vsipioctl getfilters

Filter Name              : nic-2861488-eth0-vmware-sfw.2
VM UUID                  : 50 16 85 37 57 b1 81 e4-0f 7e 63 17 e0 d6 02 09
VNIC Index               : 0
Service Profile          : --NOT SET--

Filter Name              : nic-395190-eth0-vmware-sfw.2
VM UUID                  : 50 16 bb 2b 14 9e 7f ef-af 64 7f 0c 7e 6b ec ff
VNIC Index               : 0
Service Profile          : --NOT SET--

Filter Name              : nic-6278897-eth0-vmware-sfw.2
VM UUID                  : 50 1d bf 62 79 98 52 f3-84 ad 43 40 14 12 b3 ee
VNIC Index               : 0
Service Profile          : --NOT SET---

Match the UUIDs to find the Filter Name; in this case it’s the first one, nic-2861488-eth0-vmware-sfw.2. As a second check, the number in the filter name (2861488) is the world ID that summarize-dvfilter printed for the VM, and eth0 corresponds to the VNIC Index. A VM with more than one vNIC gets one filter per vNIC (eth0, eth1, ...), so check each one. You will use this filter name to list the rules applied to that vNIC with the getrules sub-command and its -f option.
 

~ # vsipioctl getrules -f nic-2861488-eth0-vmware-sfw.2
ruleset domain-c123 {
  # Filter rules
  rule 1006 at 1 inout protocol any from addrset ip-securitygroup-10 to any drop;
  rule 1005 at 2 inout protocol icmp icmptype 8 from addrset ip-securitygroup-10 to any accept;
  rule 1004 at 3 inout protocol ipv6-icmp icmptype 135 from any to any accept;
  rule 1004 at 4 inout protocol ipv6-icmp icmptype 136 from any to any accept;
  rule 1003 at 5 inout protocol udp from any to any port 67 accept;
  rule 1003 at 6 inout protocol udp from any to any port 68 accept;
  rule 1002 at 7 inout protocol any from any to any accept;
}

ruleset domain-c123_L2 {
  # Filter rules
  rule 1001 at 1 inout ethertype any from any to any accept;
}

 
Each line reads: rule <rule ID> at <position> <direction> <protocol> from <source> to <destination> <action>. The rule ID is the ID NSX Manager assigned to the rule, and the position is the order in which the filter evaluates the rules; the first match wins. Note that in this output rule 1006 at position 1 drops all protocols, in both directions, from addrset ip-securitygroup-10 to any, so rule 1005 at position 2 (ICMP echo-request from the same addrset) can never match; if that is not the intent, the ICMP allow needs to sit above the drop. To see which IP addresses an addrset such as ip-securitygroup-10 currently resolves to on this host, run vsipioctl getaddrsets -f <filter name>. As always, I recommend playing around with the vsipioctl sub-commands to see what each one returns.
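Here is the whole lookup chained into one script, as an added example that is not part of the original post. It uses only the commands and output formats shown above (summarize-dvfilter, vsipioctl getfilters, getrules and getaddrsets); the helper names (vm_uuid, filter_for_uuid, drop_rules, dfw_report) and the SAMPLE_* text are my own, the samples being constructed from the listings above (with a second, made-up VM name) so the parsing can be tried off the host. The ESXi shell is BusyBox ash, so the script sticks to POSIX sh, awk and sed.

```shell
#!/bin/sh
# Added example, not from the original post: chain the three lookups
# (summarize-dvfilter -> vsipioctl getfilters -> vsipioctl getrules)
# into one report for a VM name. Helper names are mine; the SAMPLE_*
# text is constructed from the listings in the post so the parsers
# can be exercised off-box.

# vm_uuid NAME: read summarize-dvfilter output on stdin, print the
# vcUuid of the world named NAME (the quoted value after "vcUuid:").
# The trailing space in the pattern stops NAME matching as a prefix.
vm_uuid() {
    grep -F "vmm0:$1 " | sed -n "s/.*vcUuid:'\([^']*\)'.*/\1/p" | head -n 1
}

# filter_for_uuid UUID: read "vsipioctl getfilters" output on stdin
# and print the Filter Name of the block whose "VM UUID" equals UUID.
filter_for_uuid() {
    awk -v uuid="$1" '
        /^Filter Name/ { sub(/^Filter Name[ \t]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); name = $0 }
        /^VM UUID/     { sub(/^VM UUID[ \t]*:[ \t]*/, "");     sub(/[ \t]+$/, "")
                         if ($0 == uuid) { print name; exit } }
    '
}

# drop_rules: read "vsipioctl getrules" output on stdin and print
# "<rule id> <position>" for every rule whose action is drop.
drop_rules() {
    awk '$1 == "rule" && $NF == "drop;" { print $2, $4 }'
}

# dfw_report NAME: on an ESXi host, run the real commands and print the
# filter name, rules, address sets and drop rules for VM NAME.
dfw_report() {
    uuid=$(summarize-dvfilter | vm_uuid "$1")
    [ -n "$uuid" ] || { echo "no dvfilter world found for VM '$1'" >&2; return 1; }
    filter=$(vsipioctl getfilters | filter_for_uuid "$uuid")
    [ -n "$filter" ] || { echo "no vmware-sfw filter found for UUID $uuid" >&2; return 1; }
    printf 'VM: %s\nUUID: %s\nFilter: %s\n' "$1" "$uuid" "$filter"
    vsipioctl getrules -f "$filter"
    vsipioctl getaddrsets -f "$filter"
    echo "Drop rules (id position):"
    vsipioctl getrules -f "$filter" | drop_rules
}

# Constructed samples: the second world's VM name is made up; the
# UUIDs, world IDs and rules are copied from the listings in the post.
SAMPLE_DVFILTER="world 2861488 vmm0:Windows7_(Web_2) vcUuid:'50 16 85 37 57 b1 81 e4-0f 7e 63 17 e0 d6 02 09'
world 395190 vmm0:Other_VM vcUuid:'50 16 bb 2b 14 9e 7f ef-af 64 7f 0c 7e 6b ec ff'"

SAMPLE_FILTERS="Filter Name              : nic-2861488-eth0-vmware-sfw.2
VM UUID                  : 50 16 85 37 57 b1 81 e4-0f 7e 63 17 e0 d6 02 09
VNIC Index               : 0
Service Profile          : --NOT SET--

Filter Name              : nic-395190-eth0-vmware-sfw.2
VM UUID                  : 50 16 bb 2b 14 9e 7f ef-af 64 7f 0c 7e 6b ec ff
VNIC Index               : 0
Service Profile          : --NOT SET--"

SAMPLE_RULES="ruleset domain-c123 {
  # Filter rules
  rule 1006 at 1 inout protocol any from addrset ip-securitygroup-10 to any drop;
  rule 1005 at 2 inout protocol icmp icmptype 8 from addrset ip-securitygroup-10 to any accept;
  rule 1002 at 7 inout protocol any from any to any accept;
}"

if [ $# -gt 0 ] && command -v vsipioctl >/dev/null 2>&1; then
    dfw_report "$1"            # on the host: ./dfw_report.sh 'Windows7_(Web_2)'
else
    # Off-box: walk the constructed samples the same way dfw_report does.
    uuid=$(printf '%s\n' "$SAMPLE_DVFILTER" | vm_uuid 'Windows7_(Web_2)')
    filter=$(printf '%s\n' "$SAMPLE_FILTERS" | filter_for_uuid "$uuid")
    printf 'UUID: %s\nFilter: %s\nDrop rules: %s\n' "$uuid" "$filter" \
        "$(printf '%s\n' "$SAMPLE_RULES" | drop_rules)"
fi
```

Copied to a host, `./dfw_report.sh 'Windows7_(Web_2)'` prints the filter, its rules and address sets, and finishes with the list of drop rules and their positions, which is the quickest way to spot a drop that sits above an allow for the same source.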
 

3 Comments

  1. Rajeev -  February 14, 2016 - 7:33 pm

    Hi Sean

    Would like to know how to measure the performance of the Distributed Firewall.
    I have been asked to compare the performance of the NSX Virtual Firewall with that of the physical firewall.
    Need to know how I can measure it, and would also like to know how I can check and ensure that the Virtual Distributed Firewall is not slowing down the performance of the virtual machines.

  2. Rajeev -  August 17, 2016 - 9:17 am

    I have a VM under NSX where I have applied the distributed firewall policies. The VM has 2 vNICs.
    One vNIC is connected to the NSX logical switch and the other vNIC is connected to a standard port group outside of NSX.
    By default the distributed firewall rule will apply the policies to both vNICs of the VM.
    Is there any way I can configure it so that the policies are applied to vNIC1 and no policies are applied to vNIC2?

    How to achieve this.

    • Fletcher -  March 23, 2017 - 12:53 pm

      Either build the policy to include the specific vNIC of the in LS or use the Applied To field.

