VMware NSX

  • 1.  application level gateway

    Posted Feb 17, 2017 06:08 PM

    hello community ,

    Is ALG ("application level gateway") enabled on the NSX firewall, and how do we disable it?

    Thanks,

    shamy



  • 2.  RE: application level gateway

    Broadcom Employee
    Posted Feb 17, 2017 06:48 PM

    Yes, excerpt from the "Creating Firewall Rules from Application Rule Manager" section of the NSX-V admin guide: "Distributed Firewall supports ALG (Application Level Gateway) for the following protocols: FTP, CIFS, ORACLE TNS, MS-RPC, and SUN-RPC. Edge supports ALG for FTP only."

    The ALG is enabled by default when the firewall is enabled, and disabling it is generally not a good idea from a security perspective; however, it can be disabled by VMware support if it's causing an issue.



  • 3.  RE: application level gateway

    Posted Feb 17, 2017 09:27 PM

    thanks ihoffer,

    There are no steps I can follow to disable it for ORACLE TNS, as I want to do it quickly!

    Thanks,

    shamy



  • 4.  RE: application level gateway

    Broadcom Employee
    Posted Feb 17, 2017 09:35 PM

    Unfortunately no. According to the VMware KB "Oracle connections time out when forwarded through the VMware NSX for vSphere 6.1.x Edge (2126674)", it needs to be done by support, so it probably requires root access to the affected elements.



  • 5.  RE: application level gateway

    Posted Feb 17, 2017 10:36 PM

    Out of curiosity, what are you trying to achieve or fix?

    This blog post, "Distributed Firewall ALG" on The Network Virtualization Blog, shows that a new rule specifying the TCP/UDP port (of Oracle TNS in your case) should have higher precedence over the ALG.

    But if you are looking to disable it, as mentioned by lhoffer with reference to the KB: open a Support Request with VMware GSS.



  • 6.  RE: application level gateway

    Posted Feb 18, 2017 10:08 AM

    dear ihoffer

    How can we disable the firewall?



  • 7.  RE: application level gateway

    Posted Feb 18, 2017 10:08 AM

    dear ihoffer

    How can we disable the firewall, please?



  • 8.  RE: application level gateway

    Posted Feb 18, 2017 11:58 AM


  • 9.  RE: application level gateway

    Posted Feb 18, 2017 07:46 PM

    There are multiple ways:

    1. From the GUI, which is done at the cluster level

    2. From the CLI, which can be done per ESXi host

    VMware Documentation Library - Checking Distributed Firewall—Commands Run from Hosts

    SSH into the ESXi host and run the command below (the second line shows the accepted arguments):

    /etc/init.d/vShield-Stateful-Firewall stop

    /etc/init.d/vShield-Stateful-Firewall {start|stop|status|restart}

    3. REST API

    4. Exclude the VM from the DFW

    VMware Documentation Library - Exclude Virtual Machines from Firewall Protection

    5. Create negate rules

    VMware Documentation Library - Add a Firewall Rule

    You can use negate on source/destination/service or ports, so you can choose which object to negate/exclude from the DFW.

    I had an issue with ALG where I was using traffic direction and it wasn't working because of ALG.

    In that case I used negate rules to exclude that particular traffic/VMs so it doesn't get redirected to the third-party service VMs.
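    Every option in this reply (and the port-specific rule suggested in reply 5) relaxes or bypasses Distributed Firewall protection for some traffic or some VM, so a defender wants to be able to enumerate those exceptions after the fact. The script below is an added example, not code from this thread or from VMware: it parses a Distributed Firewall configuration export and an exclusion-list export and reports the rules that negate a source/destination/service, the rules that match a given service port (Oracle TNS on TCP/1521 here) together with their precedence, and the VMs on the exclusion list. The two XML documents are constructed samples; their element names follow the general shape of the NSX-V REST API firewall configuration and exclusion list, but that shape is an assumption and must be checked against the API guide for your NSX version before using the parser on real exports.

```python
"""Audit an NSX-V Distributed Firewall export for relaxed protection.

Added example (not from the forum thread or VMware). The XML samples are
CONSTRUCTED; element names approximate the NSX-V API firewall configuration
and exclusion list and are an assumption, not a documented schema.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a port-specific Oracle TNS rule, a negated-source rule,
# and a default deny rule. Document order is rule precedence.
SAMPLE_DFW_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<firewallConfiguration>
  <layer3Sections>
    <section id="1001" name="Oracle" type="LAYER3">
      <rule id="1100" disabled="false" logged="true">
        <name>Allow Oracle TNS to DB tier</name>
        <action>allow</action>
        <sources excluded="false">
          <source><type>SecurityGroup</type><value>securitygroup-10</value></source>
        </sources>
        <destinations excluded="false">
          <destination><type>SecurityGroup</type><value>securitygroup-20</value></destination>
        </destinations>
        <services excluded="false">
          <service><protocol>6</protocol><destinationPort>1521</destinationPort></service>
        </services>
        <direction>inout</direction>
      </rule>
      <rule id="1101" disabled="false" logged="false">
        <name>Everything except monitoring host</name>
        <action>allow</action>
        <sources excluded="true">
          <source><type>Ipv4Address</type><value>10.0.0.5</value></source>
        </sources>
        <direction>in</direction>
      </rule>
    </section>
    <section id="1002" name="Default" type="LAYER3">
      <rule id="1003" disabled="false" logged="true">
        <name>Default Rule</name>
        <action>deny</action>
        <direction>inout</direction>
      </rule>
    </section>
  </layer3Sections>
</firewallConfiguration>
"""

# Constructed sample exclusion list with a single excluded VM.
SAMPLE_EXCLUDE_LIST = """<?xml version="1.0" encoding="UTF-8"?>
<VshieldAppConfiguration>
  <excludeListConfiguration>
    <excludeMember>
      <member><objectId>vm-42</objectId><name>legacy-app-01</name></member>
    </excludeMember>
  </excludeListConfiguration>
</VshieldAppConfiguration>
"""

NEGATABLE_FIELDS = ("sources", "destinations", "services")


def parse_rules(config_xml):
    """Return layer-3 rules as dicts, in precedence (document) order."""
    root = ET.fromstring(config_xml)
    rules = []
    for section in root.iter("section"):
        for rule in section.findall("rule"):
            negated = []
            for field in NEGATABLE_FIELDS:
                el = rule.find(field)
                if el is not None and el.get("excluded") == "true":
                    negated.append(field)
            ports = []
            for svc in rule.findall("services/service"):
                if svc.findtext("destinationPort"):
                    ports.append((svc.findtext("protocol"), svc.findtext("destinationPort")))
            rules.append({
                "position": len(rules) + 1,  # 1 = highest precedence
                "id": rule.get("id"),
                "section": section.get("name"),
                "name": rule.findtext("name"),
                "action": rule.findtext("action"),
                "disabled": rule.get("disabled") == "true",
                "negated": negated,
                "ports": ports,
            })
    return rules


def rules_for_port(rules, protocol, port):
    """Rules that explicitly match (IP protocol number, destination port)."""
    return [r for r in rules if (protocol, port) in r["ports"]]


def negated_rules(rules):
    """Rules that use negate on any of source, destination or service."""
    return [r for r in rules if r["negated"]]


def excluded_vms(exclude_xml):
    """Object IDs of VMs on the DFW exclusion list (no DFW enforcement)."""
    root = ET.fromstring(exclude_xml)
    return [m.findtext("objectId") for m in root.iter("member")]


def audit(config_xml, exclude_xml, protocol="6", port="1521"):
    """Summarise where DFW protection is bypassed or special-cased."""
    rules = parse_rules(config_xml)
    port_rules = rules_for_port(rules, protocol, port)
    return {
        "rule_count": len(rules),
        "port_rule_ids": [r["id"] for r in port_rules],
        "first_port_rule_position": port_rules[0]["position"] if port_rules else None,
        "negated_rule_ids": [r["id"] for r in negated_rules(rules)],
        "excluded_vms": excluded_vms(exclude_xml),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_DFW_CONFIG, SAMPLE_EXCLUDE_LIST).items():
        print(f"{key}: {value}")
```

Run on a real export, the interesting findings are a port-specific rule that sits low in the order (behind a broad allow), negated rules whose excluded set is stale, and VMs that stayed on the exclusion list after the troubleshooting that put them there was finished.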