VMware NSX

  • 1.  What does NSX dFW logs SEW Flags mean?

    Posted Jun 08, 2016 07:38 AM

    Hello,

    After configuring ESXi hosts to send NSX dFW logs to a syslog server, the logs can be observed:

    I could not find information about the S or SEW flags in the log entries. The documentation mentions the Rule Id, Cluster Id, Pass or Drop fields. Is it possible that each TCP session log is composed of multiple log entries?

    Flag: Flag for TCP

    vSphere 5.5 Administration Guide:

    https://pubs.vmware.com/NSX-6/index.jsp?topic=%2Fcom.vmware.nsx.admin.doc%2FGUID-ECEE0A32-88D5-4E82-A9B1-4847A91E1EBF.html&src=vmw_so_vex_ahanc_265

    vSphere 6 Doc:

    https://pubs.vmware.com/NSX-62/index.jsp#com.vmware.nsx.admin.doc/GUID-6F9DC53E-222D-464B-8613-AB2D517CE5E3.html

    2015-12-03T08:56:25.241Z esx03 dfwpktlogs: INET match PASS domain-c41/1001 OUT 60 TCP 192.168.1.11/33790->192.168.1.12/22 S (for some entries SEW)

    http://www.breekeenbeen.nl/2015/12/03/nsx-dfw-logging-to-syslog-server/

    Entity                       Possible Values
    AF Value                     INET, INET6
    Reason                       Possible values: match, bad-offset, fragment, short, normalize, memory, bad-timestamp, congestion, ip-option, proto-cksum, state-mismatch, state-insert, state-limit, src-limit, synproxy, spoofguard
    Action                       PASS, DROP, SCRUB, NOSCRUB, NAT, NONAT, BINAT, NOBINAT, RDR, NORDR, SYNPROXY_DROP, PUNT, REDIRECT, COPY
    Rule identifier              Identifier
    Rule value                   Ruleset ID and Rule position (Internal details)
    Rule set identifier          Identifier
    Rule set value               Ruleset name
    Rule ID identifier           Identifier
    Rule ID                      ID matched
    Direction                    ROUT, IN
    Length identifier            Len followed by variable
    Length value                 Packet length
    Source identifier            SRC
    Source IP address            IP address
    Destination identifier       IP address
    Protocol                     TCP, UDP, PROTO
    Source port identifier       SPORT
    Source port                  Source port number for TCP and UDP
    Source port identifier       Destination port identifier
    Destination port             Destination port number for TCP and UDP
    Flag                         Flag for TCP



  • 2.  RE: What does NSX dFW logs SEW Flags mean?
    Best Answer

    Posted Jun 10, 2016 05:20 AM

    S: Syn Flag

    E: Outside Back Connection

    W: WaaS
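
Added example, not part of the original thread or of VMware's documentation: a Python parser for dfwpktlogs entries laid out like the sample line in the question. It keeps the flag letters exactly as logged and groups entries per flow, so you can check in your own syslog data whether one connection produces several entries. The field names, the constructed sample lines after the first, and treating the flag field as optional are assumptions.

```python
import re
from collections import defaultdict

# Field order follows the sample entry quoted in the question: <time> <host> dfwpktlogs:
# <AF> <reason> <action> <ruleset>/<rule id> <direction> <length> <protocol> <src>-><dst> [<flags>]
ENTRY = re.compile(
    r"^(?P<time>\S+) (?P<host>\S+) dfwpktlogs: (?P<af>INET6?) (?P<reason>\S+) "
    r"(?P<action>\S+) (?P<ruleset>[^/\s]+)/(?P<rule_id>\d+) (?P<direction>\S+) "
    r"(?P<length>\d+) (?P<protocol>\S+) (?P<src>\S+?)->(?P<dst>\S+)"
    r"(?: (?P<flags>[A-Z]+))?\s*$"  # assumption: the flag field is absent on non-TCP entries
)

def split_endpoint(endpoint):
    """Split 'address/port'; the port is None when no numeric '/port' is present."""
    address, sep, port = endpoint.rpartition("/")
    return (address, int(port)) if sep and port.isdigit() else (endpoint, None)

def parse_entry(line):
    """Return the fields of one dfwpktlogs entry as a dict, or None if the line does not match."""
    m = ENTRY.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["rule_id"], entry["length"] = int(entry["rule_id"]), int(entry["length"])
    entry["src_ip"], entry["src_port"] = split_endpoint(entry.pop("src"))
    entry["dst_ip"], entry["dst_port"] = split_endpoint(entry.pop("dst"))
    entry["flags"] = entry["flags"] or ""  # flag letters kept exactly as logged
    return entry

def entries_per_flow(lines):
    """Group parsed entries by flow so repeated entries for one connection stand out."""
    flows = defaultdict(list)
    for line in lines:
        e = parse_entry(line)
        if e:
            key = (e["protocol"], e["src_ip"], e["src_port"], e["dst_ip"], e["dst_port"])
            flows[key].append((e["time"], e["action"], e["rule_id"], e["flags"]))
    return dict(flows)

SAMPLE = [  # the first line is the entry quoted in the question; the others are constructed
    "2015-12-03T08:56:25.241Z esx03 dfwpktlogs: INET match PASS domain-c41/1001 OUT 60 TCP 192.168.1.11/33790->192.168.1.12/22 S",
    "2015-12-03T08:56:31.007Z esx03 dfwpktlogs: INET match PASS domain-c41/1001 OUT 60 TCP 192.168.1.11/33791->192.168.1.12/22 SEW",
    "2015-12-03T08:57:02.118Z esx03 dfwpktlogs: INET match DROP domain-c41/1002 IN 78 UDP 192.168.1.20/137->192.168.1.255/137",
    "2015-12-03T08:57:03.000Z esx03 vmkernel: unrelated message",
]

if __name__ == "__main__":
    for flow, seen in entries_per_flow(SAMPLE).items():
        print(flow, seen)
```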