
SEC5894

Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall
Srinivas Nimmagadda, VMware
Shadab Shah, VMware

#SEC5894

Agenda
Introduce NSX Firewall
Architecture and Packet Path for NSX Firewall
Demonstrate powerful provisioning paradigms of NSX Firewall
  3-Tier Application (3 VXLANs) or (1 VXLAN)
  Multi-Tenant Scenario
Troubleshooting NSX Firewall
Deployment of NSX Firewall (RBAC, Audit Logging, ...)
Monitoring NSX Firewall

Hypervisor Kernel Embedded Firewall

Benefits
Built right into the hypervisor
Line Rate Performance (15 Gbps+ per host)
No VM can circumvent the firewall
Better compliance model

Distributed Virtual Firewall

[Diagram: VMs spread across several hosts, with the firewall enforced locally on each host]

Benefits
No Choke Point
Scale Out
Enforcement closest to VM

Flexible Access Control Mechanisms

[Diagram: VMs grouped by IP/VLAN, by security group, and by VM asset tag]

Benefits
IP/VLAN: Support physical infrastructure based rules
Security Groups: Logical grouping of VMs
VM Asset Tags: Dynamic VM attributes
Rules follow the VMs

Identity Based Access Control

[Diagram: user Eric Frost, authenticated through Active Directory, on a VM with IP 192.168.10.75]

Rule Table
Source      | Destination    | Services | Action
Engineering | Ent-Sharepoint | http     | Permit, Log

Logs
User       | AD Group    | App Name       | Originating VM Name | Destination VM Name | Source IP     | Destination IP
Eric Frost | Engineering | SPDesigner.exe | Eric-Win7           | Ent-Sharepoint      | 192.168.10.75 | 192.168.10.78

Packet Path: Source & Destination on the Same Host

[Diagram: source and destination VMs on one host, connected through the vSwitch to the external network]

Traffic between two VMs on the same host does not hit the physical switch
Firewalling enforced close to the source VM
Firewalling also done as traffic enters the destination VM's vNIC

8 | 2012, Palo Alto Networks. Confidential and Proprietary.

Packet Path: Traffic across Hosts

[Diagram: source VM on one host, destination VM on another, each host's vSwitch connected to the external network]

Traffic between two VMs on different hosts hits the physical switches
Firewalling enforced at source and destination VM vNICs
Similar flow for virtual-to-physical traffic


Firewall Management Life Cycle

Prepare
  Deploy firewall on hosts
  Enable Logging
  VMTools for VMs, Activity Monitoring

Policy
  vCenter Objects
  Configure Access Rules
  Sections

Troubleshoot
  Logs with Rule IDs
  Rule Hit Count
  Enforced Rules on a Host
  Packet Captures

Monitor
  Flow Monitoring
  Activity Monitoring

Operations
  Audit Tracking
  Role Based Access Control
  Import/Export of Configurations

Prepare
Deploy Firewall
Enable Logging
Deploy VMTools

Deploy NSX Firewall

Network Setup

Enable Firewall Logging
Syslog.global.logHost = tcp://10.24.131.189:514

Enable VMTools

Policy
Policy Objects
Access Control Rules

3-Tier Application Deployment

[Diagram: external networks feed a Client logical switch (Vxlan-5000) carrying Client01 and Client02. The Web, App and DB services tiers (Websv-01a, Websv-02a, App-sv01a, App-sv02a, Db-sv01a, Db-sv02a) are placed either on three separate logical switches (Vxlan-5001, Vxlan-5002, Vxlan-5003) or on a single logical switch (Vxlan-5004).]

Create Security Groups (Static VM Assignment)

Create Security TAGs for PCI & DevTest Zones

Define AD Domain (for IDFW Rules)

Create User Based Access Rules

Multi-Tenancy With NSX Firewall

[Diagram: external networks reach the tenants through routing, VPN and NAT. Tenant 1 has one logical switch and Tenant 2 has two, each carrying tenant-specific VMs; micro-segmentation is applied between the VMs within each tenant.]

Tenant-01 Access Rules

Objects
ALL-CUST-VXLANS
Tenant01-VXLAN
Tenant02-VXLAN
Tenant01-Services (192.168.10.0/24)
Tenant02-FIN-Apps (192.168.10.0/24)

Tenant-01 Section
Source         | Destination       | Services | Action | Apply To
Tenant01-VXLAN | Tenant01-Services | Any      | Permit | Tenant01-VXLAN
Tenant01-VXLAN | Tenant01-VXLAN    | Any      | Deny   | Tenant01-VXLAN

SP Tenant-01 Section
Source          | Destination     | Services | Action | Apply To
ALL-CUST-VXLANS | Tenant01-VXLAN  | Any      | Deny   |
Tenant01-VXLAN  | ALL-CUST-VXLANS | Any      | Deny   |

Tenant-02 Access Rules

Tenant-02 Section
Source           | Destination       | Services    | Action      | Apply To
Tenant02-FINANCE | Tenant02-FIN-Apps | http, https | Permit, log | Tenant02-VXLAN
Tenant02-VXLAN   | Tenant02-VXLAN    | Any         | Deny        | Tenant02-VXLAN

SP Tenant-02 Section
Source          | Destination     | Services | Action | Apply To
ALL-CUST-VXLANS | Tenant02-VXLAN  | Any      | Deny   |
Tenant02-VXLAN  | ALL-CUST-VXLANS | Any      | Deny   |

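The Tenant-01 and Tenant-02 rule tables above, evaluated in code. This is an added example, not code from the deck or from VMware. It assumes the NSX DFW semantics of top-down, first-match evaluation, a rule being installed only on the vNICs inside its Apply To scope, and enforcement at both the source and the destination vNIC (as the packet-path slides describe). VM names and group memberships are constructed; the SP sections show no Apply To value on the slides, so they are assumed to apply to every vNIC; the default action is assumed to be permit, like the any/any accept rule at the bottom of the getrules output on the Per VM Rules slide. Because both tenants' service objects use 192.168.10.0/24, the model matches on object membership rather than on IP, which is what lets the overlapping address space coexist.

```python
"""First-match evaluation of the Tenant-01 / Tenant-02 rule tables with 'Apply To'.

Added example, not code from the deck. Assumed NSX DFW semantics: sections are
evaluated top to bottom, the first matching rule wins, a rule is only installed
on vNICs inside its 'Apply To' scope, and traffic is checked at both the source
and the destination vNIC. VM names and group memberships are constructed.
"""
from collections import namedtuple

Rule = namedtuple("Rule", "section src dst services action apply_to log")
ANY = "Any"

# Constructed membership: which VM belongs to which policy object. Both
# tenants' service objects use 192.168.10.0/24 on the slides, so matching is
# done on object membership, never on IP.
GROUPS = {
    "Tenant01-VXLAN": {"t1-web", "t1-app", "t1-svc"},
    "Tenant01-Services": {"t1-svc"},
    "Tenant02-VXLAN": {"t2-fin", "t2-hr", "t2-fin-app"},
    "Tenant02-FINANCE": {"t2-fin"},
    "Tenant02-FIN-Apps": {"t2-fin-app"},
}
GROUPS["ALL-CUST-VXLANS"] = GROUPS["Tenant01-VXLAN"] | GROUPS["Tenant02-VXLAN"]

# The slides' rule tables in section order. The SP sections show no 'Apply To'
# value, so they are assumed to apply to every vNIC (ANY).
RULES = [
    Rule("Tenant-01", "Tenant01-VXLAN", "Tenant01-Services", ANY, "Permit", "Tenant01-VXLAN", False),
    Rule("Tenant-01", "Tenant01-VXLAN", "Tenant01-VXLAN", ANY, "Deny", "Tenant01-VXLAN", False),
    Rule("SP Tenant-01", "ALL-CUST-VXLANS", "Tenant01-VXLAN", ANY, "Deny", ANY, False),
    Rule("SP Tenant-01", "Tenant01-VXLAN", "ALL-CUST-VXLANS", ANY, "Deny", ANY, False),
    Rule("Tenant-02", "Tenant02-FINANCE", "Tenant02-FIN-Apps", {"http", "https"}, "Permit", "Tenant02-VXLAN", True),
    Rule("Tenant-02", "Tenant02-VXLAN", "Tenant02-VXLAN", ANY, "Deny", "Tenant02-VXLAN", False),
    Rule("SP Tenant-02", "ALL-CUST-VXLANS", "Tenant02-VXLAN", ANY, "Deny", ANY, False),
    Rule("SP Tenant-02", "Tenant02-VXLAN", "ALL-CUST-VXLANS", ANY, "Deny", ANY, False),
]
# Assumed: a permit-any default rule, like the any/any accept at the bottom of
# the getrules output on the 'Per VM Rules' slide.
DEFAULT_ACTION = "Permit"


def in_group(vm, obj):
    return obj == ANY or vm in GROUPS[obj]


def rules_installed_on(vm, rules=RULES):
    """Only rules whose 'Apply To' scope includes the vNIC are pushed to it."""
    return [r for r in rules if in_group(vm, r.apply_to)]


def first_match(vm, src, dst, service, rules=RULES, default=DEFAULT_ACTION):
    """Top-down, first match over the rules installed on one vNIC."""
    for r in rules_installed_on(vm, rules):
        if (in_group(src, r.src) and in_group(dst, r.dst)
                and (r.services == ANY or service in r.services)):
            return r.action, r
    return default, None


def evaluate(src, dst, service, rules=RULES, default=DEFAULT_ACTION):
    """Verdict for one flow: (PASS/DROP, where it was decided, deciding rule)."""
    action, rule = first_match(src, src, dst, service, rules, default)
    if action != "Permit":
        return "DROP", "source vNIC", rule
    action, rule = first_match(dst, src, dst, service, rules, default)
    if action != "Permit":
        return "DROP", "destination vNIC", rule
    return "PASS", "both vNICs", rule


if __name__ == "__main__":
    for flow in [("t1-web", "t1-svc", "ssh"), ("t1-web", "t1-app", "ssh"),
                 ("t1-web", "t2-fin-app", "https"), ("t2-fin", "t2-fin-app", "https"),
                 ("t2-hr", "t2-fin-app", "https")]:
        verdict, where, rule = evaluate(*flow)
        print(flow, verdict, "at", where, "by", rule.section if rule else "default")
```

Two things the run makes visible that the tables alone do not: cross-tenant traffic from t1-web to t2-fin-app is already dropped at the source vNIC by the SP Tenant-01 section, before it ever reaches the destination host, and the Tenant-01 section is simply not present on a Tenant-02 vNIC, so a misordered tenant rule cannot leak across tenants through Apply To scoping. Flipping DEFAULT_ACTION to "Deny" shows what changes for flows no section covers.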

Host And Network Security Services
Anti Virus
Vulnerability Scanner
DLP
IPS
NGFW

Dynamic Security Group Membership

Firewall Rule Table

Troubleshooting
Log Policy
Rule Hit Count
Enforced Per Host Rules
Packet Capture

vCenter Host Kernel Log

Log Insight
Source         | Dest          | SPORT | DPORT | Action | Rule ID
10.113.132.192 | 172.25.40.101 | 62517 | 3389  | DROP   | 1011

Lookup Rules By ID

Rule Statistics

Per VM Rules
> summarize-dvfilter
> vsipioctl getrules -f nic-1000942032-eth0-vmware-sfw.2
ruleset domain-c7 {
  # Filter rules
  rule 1024 at 1 inout protocol tcp from addrset ip-securitygroup-34 to addrset ip-securitygroup-29 port 80 accept with log;
  rule 1024 at 2 inout protocol tcp from addrset ip-securitygroup-34 to addrset ip-securitygroup-29 port 443 accept with log;
  rule 1002 at 11 inout protocol any from any to any accept with log;
}
ruleset domain-c7_L2 {
  rule 1001 at 1 inout ethertype any from any to any accept;
}
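A small tool that ties the Log Insight, Lookup Rules By ID, Rule Statistics and Per VM Rules slides together: it parses the vsipioctl getrules output above, indexes the filter lines by NSX rule ID, counts hits per rule ID from log events, and flags any rule that accepts any/any/any (the default rule). This is an added example, not code from the deck or a VMware tool; the ruleset text is the one shown on the slide, and the log events are constructed records laid out like the columns of the Log Insight slide. The rule ID 1011 from the Log Insight slide deliberately does not appear in the getrules output, so the lookup reports it as not enforced on this vNIC.

```python
"""Parse `vsipioctl getrules` output and correlate it with firewall log events.

Added example, not code from the slide deck: the ruleset text below is the
output shown on the "Per VM Rules" slide; the log events are constructed
records laid out like the columns of the "Log Insight" slide.
"""
import re
from collections import Counter, defaultdict

GETRULES_OUTPUT = """\
ruleset domain-c7 {
# Filter rules
rule 1024 at 1 inout protocol tcp from addrset ip-securitygroup-34 to addrset ip-securitygroup-29 port 80 accept with log;
rule 1024 at 2 inout protocol tcp from addrset ip-securitygroup-34 to addrset ip-securitygroup-29 port 443 accept with log;
rule 1002 at 11 inout protocol any from any to any accept with log;
}
ruleset domain-c7_L2 {
rule 1001 at 1 inout ethertype any from any to any accept;
}
"""

# One filter line per (rule id, expanded service); a rule with two services
# (http, https) appears twice with the same id, as 1024 does above.
RULE_RE = re.compile(
    r"rule (?P<id>\d+) at (?P<pos>\d+) (?P<dir>\S+) "
    r"(?:protocol|ethertype) (?P<proto>\S+) "
    r"from (?P<src>.+?) to (?P<dst>.+?)"
    r"(?: port (?P<port>\d+))? (?P<action>accept|drop|reject)"
    r"(?P<log> with log)?;$"
)


def parse_getrules(text):
    """Return {ruleset name: [rule dicts]} in enforcement order."""
    rulesets = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ruleset "):
            current = line.split()[1]
            rulesets[current] = []
        elif line.startswith("rule "):
            m = RULE_RE.match(line)
            if m is None:
                raise ValueError("unrecognised rule line: " + line)
            r = m.groupdict()
            r["id"], r["pos"] = int(r["id"]), int(r["pos"])
            r["port"] = int(r["port"]) if r["port"] else None
            r["log"] = r["log"] is not None
            rulesets[current].append(r)
    return rulesets


def rules_by_id(rulesets):
    """Index every filter line under its NSX rule id (one id, many lines)."""
    index = defaultdict(list)
    for name, rules in rulesets.items():
        for r in rules:
            index[r["id"]].append(dict(r, ruleset=name))
    return dict(index)


def permit_all_rules(rulesets):
    """(ruleset, id) of rules that accept any/any/any, i.e. the default rule."""
    return [(name, r["id"]) for name, rules in rulesets.items() for r in rules
            if r["src"] == "any" and r["dst"] == "any"
            and r["proto"] == "any" and r["action"] == "accept"]


# Constructed log events: (src, dst, sport, dport, action, rule id).
LOG_EVENTS = [
    ("10.113.132.192", "172.25.40.101", 62517, 3389, "DROP", 1011),
    ("10.113.132.10", "172.25.40.20", 50001, 443, "PASS", 1024),
    ("10.113.132.11", "172.25.40.20", 50002, 80, "PASS", 1024),
    ("10.113.132.12", "172.25.40.30", 50003, 22, "PASS", 1002),
]


def hit_counts(events):
    """Hit count per rule id, as on the 'Rule Statistics' slide."""
    return Counter(e[5] for e in events)


def lookup_rule(rule_id, index):
    """Describe a logged rule id using the rules enforced on this vNIC."""
    if rule_id not in index:
        return "rule %d not enforced on this vNIC (other host/filter?)" % rule_id
    lines = index[rule_id]
    ports = sorted(r["port"] for r in lines if r["port"] is not None)
    r = lines[0]
    return "rule %d (%s): %s %s -> %s ports %s %s%s" % (
        rule_id, r["ruleset"], r["proto"], r["src"], r["dst"],
        ports or "any", r["action"], " (logged)" if r["log"] else "")


if __name__ == "__main__":
    rs = parse_getrules(GETRULES_OUTPUT)
    idx = rules_by_id(rs)
    for rid, n in hit_counts(LOG_EVENTS).most_common():
        print(n, "hits:", lookup_rule(rid, idx))
    print("permit-all rules:", permit_all_rules(rs))
```

The permit_all_rules check is the one worth running on every vNIC filter: rule 1002 at position 11 accepts anything the rules above it did not match, so a flow that shows up in the logs with rule ID 1002 passed only because no explicit rule covered it.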

Packet Capture
> summarize-dvfilter
> pktcap-uw --dvfilter nic-1000942032-eth0-vmware-sfw.2 --outfile test.pcap

Monitoring
Flow Monitor
Activity Monitor

Flow Monitoring
All flows from the VMs are accumulated on NSX Manager
Provides aggregated historic data for dropped, active and inactive flows

Flow Monitoring, Details

Live Flows

Enable Activity Monitoring for VMs

Activity Monitoring

Operations
Audit Log
Users & RBAC
Config Backup/Restore

Audit Log

User Management & RBAC

Firewall Config Backup/Restore

Summary

NSX Firewall
  East/West Traffic Control
  Identity & VM Awareness
  High Performance & Scale-out

Operational Workflows
  Policy Management
  Troubleshooting
  Monitoring
  RBAC
  REST API & Automation

Take Aways
  Enables Business Agility
  Delivers Superior Performance & Scale
  Simplifies Firewall Management

Other VMware Activities Related to This Session

HOL:
HOL-SDC-1303
VMware NSX Network Virtualization Platform

Group Discussions:
SEC1000-GD
Distributed Virtual Firewall - Management, Architecture, Scalability and Performance with Serge Maskalik

THANK YOU


The Transformative Value of Network Virtualization

Increase in Business Velocity
Innovation Speed & New Business
Labor/OPEX Savings

93% Reduction*
88% Reduction*
83% Reduction*

* Projected savings off current baseline spend, steady state 75% reduction in IT infrastructure spending.
Source: Large US-based Financial Services company

Valuable labor moves to SDDC architects, away from high-cost siloed orgs
Manual design, config & deploy moves to automated / self service provisioning
Complex / custom hardware configuration moves to simplified IP forwarding
Box-based net security moves to centrally defined, scale-out security policies
Physical Infra labor moves to rack-n-stack with limited operator functions
Adds/moves/changes no longer require full manual re-provisioning effort

Introducing VMware NSX


2014

2013

vCloud Network & Security

vCNS v5.1
vCloud Suite (Network & Security) v5.1


vCloud Suite (Network & Security) v5.5
