Original Message:
Sent: Jan 09, 2025 02:39 AM
From: Gabrie1
Subject: NSX-V syslog firewall rules - how to match them?
Hi,
Thanks, but strangely enough I can't find that Rule ID anywhere in my ruleset. Also, at the start you see "accept_3", which also looks like some kind of identifier, but that rule doesn't match the log line at all. I'm aware that the IP addresses could also be caught by a different rule because of subnets etc.
Original Message:
Sent: Jan 07, 2025 09:55 AM
From: Martin Kiefer
Subject: NSX-V syslog firewall rules - how to match them?
You have the Rule ID as well; that is probably the easiest way to identify which rule was hit.
In your example below the Rule ID is 1881, that matches the specific firewall line/rule with that ID.
/Martin
Original Message:
Sent: Jan 07, 2025 04:50 AM
From: Gabrie van Zanten
Subject: NSX-V syslog firewall rules - how to match them?
Finally, finally, we can move away from NSX-V to NSX-T. But in preparation for the migration we're evaluating all firewall and NAT rules to see which ones are still being hit and which are not. I have syslog going to Log Insight, but I have trouble matching the accept/reject/drop events to a specific rule.
For example:
firewall[]: [63ca28a6-xxxx-xxxx-xxxx-xxxxxxxxxx]: ACCEPT_3IN= OUT=vNic_0 SRC=yy.yy.yy.yy DST=xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=1881 DF PROTO=TCP SPT=37594 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Is searching for source and destination in the ruleset the only way to identify the rule that was hit?
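Added example, not code from the thread or from VMware: a small Python script that parses lines of the shape shown above and then does the matching the question asks about. The line is iptables LOG output (the Edge firewall is iptables-based): the log prefix such as ACCEPT_3 is printed with no trailing space, which is why it runs straight into IN=; ID= is the IPv4 header Identification field of that packet and changes from packet to packet, so it cannot key a rule; DF and SYN are bare packet flags with no value. Because the prefix alone does not name the rule, the script walks a ruleset in first-match order and reports the first rule whose source, destination, protocol and destination port cover the packet, together with any broader rule behind it that would also have matched (the subnet concern raised above), and keeps a per-rule hit count for the migration clean-up. The UUID, addresses (RFC 5737 test ranges), rule IDs and the ruleset itself are constructed for the example; the matcher assumes plain CIDR-based rules, not Edge IP sets or grouping objects.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample lines in the shape of the post's example (made-up UUID,
# RFC 5737 test addresses). Note that the prefix runs straight into IN=.
SAMPLE_LINES = [
    "firewall[]: [63ca28a6-1111-2222-3333-444444444444]: ACCEPT_3IN= OUT=vNic_0 "
    "SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=1881 DF "
    "PROTO=TCP SPT=37594 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0",
    "firewall[]: [63ca28a6-1111-2222-3333-444444444444]: DROP_1IN=vNic_1 OUT= "
    "SRC=203.0.113.99 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=31337 "
    "PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
]

_HEADER = re.compile(r"firewall\[\]: \[(?P<uuid>[^\]]+)\]: (?P<prefix>.*?)IN=")


def parse_edge_log(line):
    """Turn one iptables-style Edge firewall line into a dict.

    The LOG prefix (ACCEPT_3, DROP_1, ...) has no trailing space, so the regex
    peels it off the front of IN=. Tokens containing '=' become keys; bare
    tokens (DF, SYN, ACK, ...) are packet flags and land in rec['flags'].
    ID= is the IPv4 header Identification field of the packet, not a rule ID.
    """
    m = _HEADER.search(line)
    if not m:
        raise ValueError("not an Edge firewall log line: %r" % line)
    rec = {"uuid": m.group("uuid"), "prefix": m.group("prefix"), "flags": []}
    rec["action"], _, rec["prefix_tag"] = rec["prefix"].partition("_")
    for tok in ("IN=" + line[m.end():]).split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
        else:
            rec["flags"].append(tok)
    return rec


@dataclass
class Rule:
    rule_id: int                      # constructed IDs, not the poster's
    action: str                       # "accept" / "drop" / "reject"
    src: list                         # ipaddress networks
    dst: list
    proto: str = "any"                # "TCP", "UDP", "ICMP" or "any"
    dports: frozenset = frozenset()   # empty = any destination port


def rule(rule_id, action, src, dst, proto="any", dports=()):
    nets = lambda cidrs: [ipaddress.ip_network(c) for c in cidrs]
    return Rule(rule_id, action, nets(src), nets(dst), proto, frozenset(dports))


# Constructed ruleset in evaluation order; like the Edge firewall, first match wins.
RULESET = [
    rule(1001, "accept", ["198.51.100.0/24"], ["203.0.113.10/32"], "TCP", [443]),
    rule(1002, "accept", ["198.51.100.0/24"], ["203.0.113.0/24"], "TCP", [443, 8443]),
    rule(1003, "drop", ["0.0.0.0/0"], ["0.0.0.0/0"]),
]


def candidate_rules(rec, ruleset):
    """Every rule whose src/dst/proto/port tuple covers this packet, in order."""
    src = ipaddress.ip_address(rec["SRC"])
    dst = ipaddress.ip_address(rec["DST"])
    dport = int(rec["DPT"]) if rec.get("DPT") else None
    hits = []
    for r in ruleset:
        if not any(src in n for n in r.src) or not any(dst in n for n in r.dst):
            continue
        if r.proto != "any" and r.proto != rec.get("PROTO"):
            continue
        if r.dports and dport not in r.dports:
            continue
        hits.append(r)
    return hits


def match_rule(rec, ruleset):
    """First-match rule for a parsed line, the broader rules behind it, and
    whether the logged action agrees with that rule. A disagreement means the
    ruleset being checked is not the one (or not the order) that produced the log."""
    cands = candidate_rules(rec, ruleset)
    if not cands:
        return {"rule": None, "also": [], "action_agrees": False}
    first = cands[0]
    return {"rule": first, "also": cands[1:],
            "action_agrees": first.action.upper() == rec["action"]}


def audit(lines, ruleset):
    """Hit count per rule ID over a batch of lines, plus lines no rule covers.
    Rules still at zero after a representative period are removal candidates."""
    counts = {r.rule_id: 0 for r in ruleset}
    unmatched = []
    for line in lines:
        res = match_rule(parse_edge_log(line), ruleset)
        if res["rule"] is None:
            unmatched.append(line)
        else:
            counts[res["rule"].rule_id] += 1
    return counts, unmatched
```

Run it over a Log Insight export of the firewall[] lines and a ruleset transcribed from the Edge, and look at two things: rules whose hit count stays at zero, and lines where action_agrees is false or the also list is non-empty, which are exactly the cases where a broader subnet rule or a different rule order could be what actually fired.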