#SEC5894
Agenda
Introduce NSX Firewall
Architecture and Packet Path for NSX Firewall
Demonstrate powerful provisioning paradigms of NSX Firewall
Multi-Tenant Scenario
Benefits
[Figure: VMs distributed across many hosts, with the firewall applied at each VM rather than at a central appliance]
No Choke Point
Scale Out
Enforcement closest to VM
Benefits
Eric Frost, Active Directory user, IP: 192.168.10.75

Rule Table
Source       Destination     Services  Action
Engineering  Ent-Sharepoint  http      Permit, Log

Logs
User        AD Group     App Name        Originating VM Name  Destination VM Name  Source IP      Destination IP
Eric Frost  Engineering  SPDesigner.exe  Eric-Win7            Ent-Sharepoint       192.168.10.75  192.168.10.78
[Figure: packet path from the source VM's vNIC through the source vSwitch, across the external network, to the destination vSwitch and the destination VM's vNIC]
Firewalling enforced at source and destination VM vNICs
Firewalling also done as traffic enters the destination VM's vNIC
Similar flow for virtual-to-physical traffic
Policy
  vCenter Objects
  Configure Access Rules
  Sections
Troubleshoot
Monitor
  Flow Monitoring
  Activity Monitoring
Operations
  Audit Tracking
  Role Based Access Control
  Import/Export of Configurations
Prepare
  Deploy Firewall
  Enable Logging
  Deploy VMTools

Network Setup
  Syslog.global.logHost: tcp://10.24.131.189:514

Enable VMTools
Policy
Policy Objects
Access Control Rules
[Figure: lab topology. Logical switches: Client (a single logical switch), Web Services, App Services, DB Services; VXLAN segments Vxlan-5000 to Vxlan-5004; VMs Client01, Client02, Websv-01a, App-sv01a, App-sv02a, Db-sv01a, Db-sv02a]
[Figure: multi-tenant layout. External networks; Tenant 1 and Tenant 2 each on their own logical switches with tenant-specific VMs]
Micro-segmentation
  Tenant02-VXLAN
  Tenant01-Services (192.168.10.0/24)
  Tenant02-FIN-Apps (192.168.10.0/24)
Note that both tenants use the same 192.168.10.0/24 address range, so the rules below are scoped with Apply To rather than by IP alone.
Tenant-01 Section
Source          Destination        Services  Action  Apply To
Tenant01-VXLAN  Tenant01-Services  Any       Permit  Tenant01-VXLAN
Tenant01-VXLAN  Tenant01-VXLAN     Any       Deny    Tenant01-VXLAN

SP Tenant-01 Section
Source           Destination      Services  Action  Apply To
ALL-CUST-VXLANS  Tenant01-VXLAN   Any       Deny
Tenant01-VXLAN   ALL-CUST-VXLANS  Any       Deny

Tenant-02 Section
Source            Destination        Services     Action       Apply To
Tenant02-FINANCE  Tenant02-FIN-Apps  http, https  Permit, log  Tenant02-VXLAN
Tenant02-VXLAN    Tenant02-VXLAN     Any          Deny         Tenant02-VXLAN

SP Tenant-02 Section
Source           Destination      Services  Action  Apply To
ALL-CUST-VXLANS  Tenant02-VXLAN   Any       Deny
Tenant02-VXLAN   ALL-CUST-VXLANS  Any       Deny
Anti Virus
Vulnerability Scanner
DLP
IPS
NGFW
Troubleshooting
Log Policy
Rule Hit Count
Enforced Per Host Rules
Packet Capture
Log Insight
Source          Dest           SPORT  DPORT  Action  Rule ID
10.113.132.192  172.25.40.101  62517  3389   DROP    1011
Lookup Rules By ID
Rule Statistics
Per VM Rules
> summarize-dvfilter
> vsipioctl getrules -f nic-1000942032-eth0-vmware-sfw.2
ruleset domain-c7 {
  # Filter rules
  rule 1024 at 1 inout protocol tcp from addrset ip-securitygroup-34 to addrset ip-securitygroup-29 port 80 accept with log;
  rule 1024 at 2 inout protocol tcp from addrset ip-securitygroup-34 to addrset ip-securitygroup-29 port 443 accept with log;
  rule 1002 at 11 inout protocol any from any to any accept with log;
}
ruleset domain-c7_L2 {
  rule 1001 at 1 inout ethertype any from any to any accept;
}
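The per-vNIC listing above is what an operator compares against the intended policy, and it also shows that one DFW rule with several services appears as several kernel rules sharing one rule ID (rule 1024 is listed twice, once for port 80 and once for port 443). The following is an added example, not code from this deck or from VMware: a small parser for vsipioctl getrules output that supports the "Lookup Rules By ID" step, answers which rule handles a given flow on that vNIC, and flags any-to-any accept rules such as rule 1002 so a reviewer notices a default-allow at the bottom of a ruleset. The sample text is constructed here in the shape the deck shows, and the grammar it assumes covers only the line forms visible above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on the vsipioctl getrules output in the deck.
# Ruleset names, rule IDs and addrset names are the deck's; the text is not
# captured from a host, so the example runs offline.
SAMPLE_GETRULES = """\
ruleset domain-c7 {
  # Filter rules
  rule 1024 at 1 inout protocol tcp from addrset ip-securitygroup-34 to addrset ip-securitygroup-29 port 80 accept with log;
  rule 1024 at 2 inout protocol tcp from addrset ip-securitygroup-34 to addrset ip-securitygroup-29 port 443 accept with log;
  rule 1002 at 11 inout protocol any from any to any accept with log;
}
ruleset domain-c7_L2 {
  rule 1001 at 1 inout ethertype any from any to any accept;
}
"""

# Assumed grammar: only the line shapes that appear in the deck's listing.
RULESET_RE = re.compile(r"ruleset (?P<name>\S+) \{$")
RULE_RE = re.compile(
    r"rule (?P<id>\d+) at (?P<pos>\d+) (?P<direction>inout|in|out) "
    r"(?P<layer>protocol|ethertype) (?P<proto>\S+) "
    r"from (?P<src>addrset \S+|any) to (?P<dst>addrset \S+|any)"
    r"(?: port (?P<port>\d+))? (?P<action>accept|drop|reject)(?P<log> with log)?;$"
)


@dataclass
class Rule:
    rule_id: int            # DFW rule ID, the value shown in the UI and in Log Insight
    position: int           # "at N": enforcement order inside this ruleset
    direction: str
    layer: str              # "protocol" (L3 ruleset) or "ethertype" (L2 ruleset)
    proto: str
    src: str                # "any" or an addrset name
    dst: str
    port: Optional[int]
    action: str
    logged: bool


def _addr(field: str) -> str:
    """Strip the 'addrset ' keyword so src/dst hold just the set name or 'any'."""
    return field[len("addrset "):] if field.startswith("addrset ") else field


def parse_getrules(text: str) -> Dict[str, List[Rule]]:
    """Parse vsipioctl getrules output into {ruleset name: [Rule, ...]}."""
    rulesets: Dict[str, List[Rule]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = RULESET_RE.match(line)
        if header:
            current = header["name"]
            rulesets[current] = []
            continue
        if line == "}":
            current = None
            continue
        m = RULE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unrecognised line: {line!r}")
        rulesets[current].append(Rule(
            rule_id=int(m["id"]), position=int(m["pos"]),
            direction=m["direction"], layer=m["layer"], proto=m["proto"],
            src=_addr(m["src"]), dst=_addr(m["dst"]),
            port=int(m["port"]) if m["port"] else None,
            action=m["action"], logged=m["log"] is not None,
        ))
    return rulesets


def rules_by_id(rulesets: Dict[str, List[Rule]], rule_id: int) -> List[Rule]:
    """'Lookup Rules By ID': one DFW rule with several services expands to several
    kernel rules with the same ID, so this deliberately returns a list."""
    return [r for rules in rulesets.values() for r in rules if r.rule_id == rule_id]


def first_match(rules: List[Rule], proto: str, src: str, dst: str,
                port: Optional[int] = None) -> Optional[Rule]:
    """First rule in enforcement order whose criteria cover the flow, or None.
    src/dst are addrset names, since membership resolution is not in this listing."""
    for r in sorted(rules, key=lambda r: r.position):
        if r.proto not in ("any", proto):
            continue
        if r.src not in ("any", src) or r.dst not in ("any", dst):
            continue
        if r.port is not None and r.port != port:
            continue
        return r
    return None


def catch_all_accepts(rulesets: Dict[str, List[Rule]]) -> List[int]:
    """IDs of any->any accept rules: a reviewer wants to know when a ruleset ends
    in default-allow (rule 1002 in the deck's listing) rather than default-deny."""
    return sorted({r.rule_id for rules in rulesets.values() for r in rules
                   if r.proto == "any" and r.src == "any"
                   and r.dst == "any" and r.action == "accept"})


if __name__ == "__main__":
    rs = parse_getrules(SAMPLE_GETRULES)
    for r in rules_by_id(rs, 1024):
        print(r)
    print(first_match(rs["domain-c7"], "tcp", "ip-securitygroup-34", "ip-securitygroup-29", 22))
    print("any->any accept rule IDs:", catch_all_accepts(rs))
```

On a real host the input is the text that vsipioctl getrules prints for the filter name found with summarize-dvfilter, as the slide shows; paste that in place of the constructed sample. Because the listing only names addrsets, first_match answers "which rule applies to a flow between these two sets", not "between these two IPs"; resolving set membership is a separate lookup.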
Packet Capture
summarize-dvfilter
pktcap-uw --dvfilter nic-1000942032-eth0-vmware-sfw.2 --outfile test.pcap
Monitoring
Flow Monitor
Activity Monitor
Flow Monitoring
All flows from the VMs accumulated on NSX Manager
Provides aggregated historic data for dropped, active and inactive flows
Live Flows
Activity Monitoring
Operations
Audit Log
Users & RBAC
Config Backup/Restore
Audit Log
Summary
NSX Firewall Operational Workflows
  Policy Management
  Troubleshooting
  Monitoring
  RBAC
  REST API & Automation
Takeaways
HOL: HOL-SDC-1303 VMware NSX Network Virtualization Platform
Group Discussions: SEC1000-GD Distributed Virtual Firewall - Management, Architecture, Scalability and Performance with Serge Maskalik
THANK YOU
SEC5894
Deploying, Troubleshooting, and Monitoring VMware
NSX Distributed Firewall
Srinivas Nimmagadda, VMware
Shadab Shah, VMware
[Figure: 93% Reduction*, 88% Reduction*, 83% Reduction*]
Valuable labor moves to SDDC architects, away from high-cost siloed orgs
Manual design, config & deploy moves to automated / self service provisioning
Complex / custom hardware configuration moves to simplified IP forwarding
Box-based net security moves to centrally defined, scale-out security policies
Physical Infra labor moves to rack-n-stack with limited operator functions
Adds/moves/changes no longer require full manual re-provisioning effort
2013: vCNS v5.1, vCloud Suite (Network & Security) v5.1