VMWorld 2013 - Deploying, Troubleshooting, And Monitoring VMware NSX Distributed Firewall


  • 8/18/2019 VMWorld 2013 - Deploying, Troubleshooting, And Monitoring VMware NSX Distributed Firewall


    Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall

    Srinivas Nimmagadda, VMware

    Shadab Shah, VMware

    SEC589

    #SEC5894


    Agenda

    Introduce NSX Firewall

    Architecture and Packet Path for NSX Firewall

    Demonstrate powerful provisioning paradigms of NSX Firewall

    • 3-Tier Application – (3 VXLANs) or (1 VXLAN)

    • Multi-Tenant Scenario

    Troubleshooting NSX Firewall

    Deployment of NSX Firewall (RBAC, Audit Logging, …)

    Monitoring NSX Firewall


    Hypervisor Kernel Embedded Firewall

    Benefits…
    • Is built right into the Hypervisor
    • “Line Rate” Performance (15Gbps+ per host)
    • No VM can circumvent the Firewall
    • Better compliance model


    Distributed Virtual Firewall

    (Figure: VMs spread across multiple hosts)

    Benefits…
    • No “Choke Point”
    • Scale Out
    • Enforcement closest to the VM


    Flexible Access Control Mechanisms

    Benefits…
    • IP/VLAN: Support physical infrastructure based rules
    • Security Groups: Logical grouping of VMs
    • VM Asset Tags: Dynamic VM attributes
    • Rules follow the VMs

    (Figure: groups of VMs spread across multiple hosts)


    Identity Based Access Control

    Active Directory

    Eric Frost (IP: 192.168.10.75)

    Logs
    User        AD Group     App Name        Originating VM Name  Destination VM Name  Source IP      Destination IP
    Eric Frost  Engineering  SPDesigner.exe  Eric-Win7            Ent-Sharepoint       192.168.10.75  192.168.10.78

    Rule Table
    Source       Destination     Services  Action
    Engineering  Ent-Sharepoint  http      Permit, Log


    Packet Path – Source & Destination on same Host

    External Network

    Source Destination

    vSwitch

    Traffic between two VMs on the same host does not hit the physical switch

    Firewalling enforced close to the source VM

    Firewalling also done as traffic enters the Destination VM’s vNIC


    Packet Path – Traffic across Hosts

    External Network

    Source Destination

    vSwitch vSwitch

    Traffic between two VMs on different hosts hits the physical switches

    Firewalling enforced at source and destination VM vNICs

    Similar flow for Virtual to Physical Traffic


    Firewall Management Life Cycle

    Prepare: Deploy firewall on hosts; Enable Logging; VMTools for VMs, Activity Monitoring

    Policy: vCenter Objects; Configure Access Rules; Sections

    Troubleshoot: Logs with Rule IDs; Rule Hit Count; Enforced Rules on a Host; Packet Captures

    Monitor: Flow Monitoring; Activity Monitoring

    Operations: Audit Tracking; Role Based Access Control; Import/Export of Configurations


    Prepare: Deploy Firewall, Enable Logging, Deploy VMTools


    Deploy NSX Firewall


    Network Setup


    Enable Firewall Logging

    Syslog.global.logHost tcp://10.24.131.189:514


    Enable VMTools


    Policy: Policy Objects, Access Control Rules


    3-Tier Application Deployment

    External Networks

    Single Logical Switch (Vxlan-5004): Web-sv-02a, App-sv-02a, Db-sv-02a

    Client Logical Switch (Vxlan-5000): Client-01, Client-02

    Web Services Logical Switch (Vxlan-5002)
    App Services Logical Switch (Vxlan-5003)
    DB Services Logical Switch (Vxlan-5001)
    with Web-sv-01a, App-sv-01a, Db-sv-01a


    Create Security Groups (Static VM Assignment)


    Create Security TAGs for PCI & DevTest Zones


    Define AD Domain (for IDFW Rules)


    Create User Based Access Rules


    Multi-Tenancy With NSX Firewall

    External Networks

    Tenant 1 Logical Switch (VMs)

    Tenant 2 Logical Switch (VMs)

    Routing, VPN, NAT

    Tenant Specific Micro-segmentation


    Tenant-01 Access Rules

    Objects
    ALL-CUST-VXLANS
    Tenant01-VXLAN                        Tenant02-VXLAN
    Tenant01-Services (192.168.10.0/24)   Tenant02-FIN-Apps (192.168.10.0/24)

    Tenant-01 Section
    Source          Destination        Services  Action  Apply To
    Tenant01-VXLAN  Tenant01-Services  Any       Permit  Tenant01-VXLAN
    …               …                  …         …       Tenant01-VXLAN
    Tenant01-VXLAN  Tenant01-VXLAN     Any       Deny    Tenant01-VXLAN

    SP Tenant-01 Section
    Source           Destination      Services  Action  Apply To
    ALL-CUST-VXLANS  Tenant01-VXLAN   Any       Deny
    Tenant01-VXLAN   ALL-CUST-VXLANS  Any       Deny


    Tenant-02 Access Rules

    Tenant-02 Section
    Source            Destination        Services     Action       Apply To
    Tenant02-FINANCE  Tenant02-FIN-Apps  http, https  Permit, log  Tenant02-VXLAN
    …                 …                  …            …            Tenant02-VXLAN
    Tenant02-VXLAN    Tenant02-VXLAN     Any          Deny         Tenant02-VXLAN

    SP Tenant-02 Section
    Source           Destination      Services  Action  Apply To
    ALL-CUST-VXLANS  Tenant02-VXLAN   Any       Deny
    Tenant02-VXLAN   ALL-CUST-VXLANS  Any       Deny


    Dynamic Security Group Membership

    Firewall Rule Table


    Troubleshooting: Log Policy, Rule Hit Count, Enforced Per Host Rules, Packet Capture


    vCenter Host Kernel Log


    Log Insight

    Source          Dest           SPORT  DPORT  Action  Rule ID
    10.113.132.192  172.25.40.101  62517  3389   DROP    1011


    Lookup Rules By ID


    Rule Statistics


    Per VM Rules

    > summarize-dvfilter

    > vsipioctl getrules -f nic-1000942032-eth0-vmware-sfw.2

    ruleset domain-c7 {
      # Filter rules
      rule 1024 at 1 inout protocol tcp from addrset ip-securitygroup-34 to addrset ip-securitygroup-29 port 80 accept with log;
      rule 1024 at 2 inout protocol tcp from addrset ip-securitygroup-34 to addrset ip-securitygroup-29 port 443 accept with log;
      rule 1002 at 11 inout protocol any from any to any accept with log;
    }
    ruleset domain-c7_L2 {
      rule 1001 at 1 inout ethertype any from any to any accept;
    }
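A small troubleshooting helper, added here as an example (it is not VMware's tooling), that ties the slides on logs with rule IDs, rule hit count and enforced rules on a host together: it parses the `vsipioctl getrules` ruleset text into rules keyed by ID, flags the any/any default rule that closes each ruleset, and joins log rows in the Log Insight column layout back to the enforced rule text. The ruleset sample mirrors the slide; the log rows and their PASS action token are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample modelled on the slide's `vsipioctl getrules` output (not a real capture).
GETRULES_OUTPUT = """\
ruleset domain-c7 {
  # Filter rules
  rule 1024 at 1 inout protocol tcp from addrset ip-securitygroup-34 to addrset ip-securitygroup-29 port 80 accept with log;
  rule 1024 at 2 inout protocol tcp from addrset ip-securitygroup-34 to addrset ip-securitygroup-29 port 443 accept with log;
  rule 1002 at 11 inout protocol any from any to any accept with log;
}
ruleset domain-c7_L2 {
  rule 1001 at 1 inout ethertype any from any to any accept;
}
"""
# Constructed log rows in the Log Insight slide's column layout: Source Dest SPORT DPORT Action RuleID.
LOG_ROWS = """\
10.113.132.192 172.25.40.101 62517 3389 DROP 1011
10.113.132.192 172.25.40.101 62518 443 PASS 1024
10.113.132.192 172.25.40.101 62519 8080 PASS 1002
"""

RULE_RE = re.compile(
    r"rule (?P<id>\d+) at (?P<pos>\d+) (?P<dir>\S+) (?:protocol|ethertype) (?P<proto>\S+) from (?P<src>.+?)"
    r" to (?P<dst>.+?)(?: port (?P<port>\S+))? (?P<action>accept|drop|reject)(?P<log> with log)?;$")

def parse_getrules(text):
    """Map rule ID -> list of enforced entries (one per 'at N' position) in this vNIC's filter."""
    rules, ruleset = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("ruleset "):
            ruleset = line.split()[1]  # domain-c7 (L3 rules) or domain-c7_L2 (L2 rules)
            continue
        m = RULE_RE.match(line)  # '# Filter rules', braces and blank lines do not match
        if m:
            r = m.groupdict()
            r["ruleset"], r["log"] = ruleset, bool(r["log"])
            rules.setdefault(int(r["id"]), []).append(r)
    return rules

def catch_all_rules(rules):
    """IDs of any-protocol any-to-any rules: the default rule closing each ruleset decides every packet nothing above it matched, so its action is worth checking."""
    return sorted({rid for rid, rs in rules.items()
                   for r in rs if (r["proto"], r["src"], r["dst"]) == ("any", "any", "any")})

def rule_hits(log_text, rules):
    """Hit count per logged rule ID joined to the enforced rule text; an empty list means the logged ID is not in this filter."""
    hits = Counter(int(row.split()[5]) for row in log_text.splitlines() if row.strip())
    return {rid: (n, rules.get(rid, [])) for rid, n in hits.items()}
```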


    Packet Capture

    summarize-dvfilter

    pktcap-uw --dvfilter nic-1000942032-eth0-vmware-sfw.2 --outfile test.pcap


    Monitoring: Flow Monitor, Activity Monitor


    Flow Monitoring

    • All flows from the VMs accumulated on NSX Manager

    • Provides aggregated historic data for dropped, active and inactive flows


    Flow Monitoring, Details


    Live Flows


    Enable Activity Monitoring for VMs


    Activity Monitoring


    Operations: Audit Log, Users & RBAC, Config Backup/Restore


    Audit Log


    User Management & RBAC


    Firewall Config Backup/Restore


    Summary

    NSX Firewall
    • East/West Traffic Control
    • Identity & VM Awareness
    • High Performance & Scale-out

    Operational Workflows
    • Policy Management
    • Troubleshooting
    • Monitoring
    • RBAC
    • REST API & Automation

    Takeaways
    • Enables Business Agility
    • Delivers Superior Performance & Scale
    • Simplifies Firewall Management


    Other VMware Activities Related to This Session

    HOL: HOL-SDC-1303 VMware NSX Network Virtualization Platform

    Group Discussions: SEC1000-GD Distributed Virtual Firewall - Management, Architecture, Scalability and Performance with Serge Maskalik


    THANK YOU


    The Transformative Value of Network Virtualization

    Labor/OPEX Savings

    Innovation Speed & New Business

    83% Reduction*   88% Reduction*   93% Reduction*

    Increase in Business Velocity

    * Projected savings off current baseline spend, steady state 75% reduction in IT infrastructure spending. Source: Large US-based Financial Services company

    • Valuable labor moves to SDDC architects, away from high-cost siloed orgs
    • Manual design, config & deploy moves to automated / self service provisioning
    • Complex / custom hardware configuration moves to simplified IP forwarding
    • Box-based net security moves to centrally defined, scale-out security policies
    • Physical Infra labor moves to “rack -n- stack” with limited “operator” functions
    • Adds/moves/changes no longer require full manual re-provisioning effort


    Introducing VMware NSX

    2013

    vCNS v5.1

    vCloud Suite (Network & Security) v5.1

    vCloud Suite (Network & Security) v5.5

    2014

    vCloud Network & Security