VMware NSX

  • 1.  Distributed Firewall odd behavior

    Posted Mar 03, 2017 06:36 PM

    Hello guys, I have an NSX lab which we use to show both NSX capabilities as well as the VMs included in it (which are security vendors' virtual appliances).

    So we have the following scenario:

    On the bottom-left, we have security vendor #1, with subnet /24.

    IP addresses .4, .5 and .6 are the virtual appliances for that vendor, and IP address .99 is a W7 PC for tests.

    On the bottom-right, we have security vendor #2, with subnet

    IP address .99 is a web server.

    Now, we have a couple of rules deployed in the NSX's Distributed Firewall as follows:

    #   Rule Name      Source   Destination   Service   Action   Applied to
    1   block test 1   vDS1     vDS2          HTTP      block    Distributed FW
    2   block test 2   vDS2     vDS1          any       block    Distributed FW

    Rule #1 works fine: we test a connection through port 80 from to and it's blocked. Nothing odd there.

    Rule #2 is a little bit off: when I test communication from (Windows web server) to (PC test), the rule works. It blocks pings, FTP connections, etc.

    If I test communication from to, the rule doesn't work. The communication is allowed.

    Any idea why this is happening?

    Is there any requisite these VMs need to have in order for the Distributed Firewall to work correctly?

  • 2.  RE: Distributed Firewall odd behavior

    Posted Mar 03, 2017 07:13 PM


    Is VMware tools installed on all VMs?

    Could you check in NSX SpoofGuard and see if the IP addresses are detected for VMs .4, .5, and .6?

    Check with Traceflow or Application Rule Manager (if you are using NSX 6.3) and see which firewall rule is used for the particular traffic.


    DFW uses VMware Tools to associate a VM and its vNICs with IP addresses; if VMware Tools is not installed on a VM, its IP address is not learned.

    If for some reason you cannot install VMware Tools, with NSX 6.2 you can use DHCP or ARP snooping on IP Discovery for Virtual Machines.

    You can also check my blog post here: Troubleshoot NSX DFW (Distributed Firewall) dropping or blocking traffic

  • 3.  RE: Distributed Firewall odd behavior

    Posted Mar 03, 2017 09:32 PM

    Bayu thank you very much for taking the time to respond so quickly.

    I was reading all the info you provided. We have NSX 6.2 and you are correct, VMware Tools can't be installed on those VMs (I already checked the vendor documentation).

    Checking the SpoofGuard section, I don't see those VMs listed. Only those with VMware Tools installed show up.

    Now, I was trying the last option in your post ("DHCP or ARP snooping"), but I do not have the "Action" button in the "Installation" -> "Host Preparation" tab.

    I have to add that this is an NSX eval license, but even so I think that option should be available.

    What do you think?

  • 4.  RE: Distributed Firewall odd behavior
    Best Answer

    Posted Mar 03, 2017 09:54 PM

    I can see that you are on NSX 6.1.x; in that case you would need to manually approve the IPs under SpoofGuard.

    The steps would be:

    1. Navigate to SpoofGuard menu in the left pane

    2. Add new policy, type the policy name, select enable SpoofGuard, select Manually inspect and approve IP > select the vDS PortGroup > Publish Changes

    3. Select the new SpoofGuard policy, under View select inactive Virtual NICs, click the pencil icon under Approved IP > Add approved IP address for each VM, one per VM > Publish Changes

    The DFW rules should work now.

    Please note that NSX 6.1.x is end of support: End of General Support: VMware NSX for vSphere 6.1.x (2144769) | VMware KB
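As an added example (not the original poster's, the answerer's or VMware's code), a small Python model of the behaviour described in replies 2 and 4: the DFW resolves a vDS port-group object to only the IP addresses it has learned, so VMs without VMware Tools drop out of rule 2's destination set until their addresses are approved under SpoofGuard. Subnets, VM names and IPs are constructed for the illustration.

```python
# Added example, not code from the thread or from VMware: a small model of how the
# NSX-v Distributed Firewall turns a port-group object in a rule into the IPs it
# can match. A VM contributes an address only if VMware Tools reported it or an
# administrator approved it under SpoofGuard. Names and IPs below are constructed.
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass
class VM:
    name: str
    portgroup: str
    tools_ip: Optional[str] = None     # learned via VMware Tools
    approved_ip: Optional[str] = None  # approved under SpoofGuard

    def known_ips(self) -> Set[str]:
        return {ip for ip in (self.tools_ip, self.approved_ip) if ip}

@dataclass
class Rule:
    source: str       # port-group object, as in the thread's rule table
    destination: str
    service: str      # "any" or a port number as a string
    action: str

def resolve(portgroup: str, vms: List[VM]) -> Set[str]:
    """IP set the DFW actually installs for a port-group object."""
    return {ip for vm in vms if vm.portgroup == portgroup for ip in vm.known_ips()}

def evaluate(rules: List[Rule], vms: List[VM], src: str, dst: str, port: str) -> str:
    """First matching rule wins; the implicit default rule allows."""
    for r in rules:
        if (src in resolve(r.source, vms) and dst in resolve(r.destination, vms)
                and r.service in ("any", port)):
            return r.action
    return "allow"

# Constructed lab: vDS1 has an appliance without Tools and a test PC with Tools;
# vDS2 has a web server with Tools. The rule mirrors "block test 2" in the thread.
APPLIANCE = VM("vendor1-appliance", "vDS1")          # no Tools: no IP learned
PC = VM("w7-test-pc", "vDS1", tools_ip="10.1.1.99")
WEB = VM("windows-web", "vDS2", tools_ip="10.1.2.99")
VMS = [APPLIANCE, PC, WEB]
RULES = [Rule("vDS2", "vDS1", "any", "block")]

def outcome(approve_appliance: bool) -> dict:
    """Rule result for web->PC and web->appliance, with or without SpoofGuard approval."""
    APPLIANCE.approved_ip = "10.1.1.4" if approve_appliance else None
    return {"web->pc": evaluate(RULES, VMS, "10.1.2.99", "10.1.1.99", "22"),
            "web->appliance": evaluate(RULES, VMS, "10.1.2.99", "10.1.1.4", "22")}
```

Without the approval, traffic to the appliance is allowed because the destination object never expanded to its IP; adding the approved address (step 3 above) puts it back into the rule.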

  • 5.  RE: Distributed Firewall odd behavior

    Posted Mar 03, 2017 09:54 PM


    I created a SpoofGuard rule by manually adding the IPs included in that segment (vDS1).

    The rule is now working like it should.

    If you have any info on why the "Action" button doesn't appear in the Host Preparation section, please let me know.

    Thanks again for the guidance.

  • 6.  RE: Distributed Firewall odd behavior

    Posted Mar 03, 2017 10:00 PM

    DHCP & ARP snooping for IP Discovery is available starting with NSX 6.2. From your screenshot you are on NSX 6.1.x, so the only workaround would be using SpoofGuard.

    Regarding the "Action" button, try right-clicking the cluster or the ESXi host in the Installation > Host Preparation menu.

    IP Discovery for Virtual Machines

    In NSX 6.2 you can configure clusters to detect virtual machine IP addresses with DHCP snooping, ARP snooping, or both.