NSX DFW Quick Tip: Tag and Trace

Anybody working with NSX micro-segmentation knows the importance of monitoring application traffic and the associated distributed firewall rules.

Today I just want to share a simple and quick way to increase visibility in the NSX distributed firewall logs.

For this short article I’m using NSX-T 2.4.1 and vRealize Log Insight 4.8. vRealize Log Insight has been configured as the syslog target within NSX-T and on the ESXi hosts.

Step 1 – Enable DFW rule logging

It all starts by enabling logging for the distributed firewall rules of interest. This can be done in a number of different ways, but today I’ll stick to the NSX Manager UI.

Select Security > Distributed Firewall and select the firewall rule(s) of interest. Click the three dots in the bar on the top and select Enable > Enable rule logs:

Step 2 – Tag the rule

Click the little gear icon all the way on the right side of the rule:

Now add a tag with a name that makes sense to you. In my example I will add the infra-dns tag to the rule. Click Apply:

Step 3 – Happy tracing!

You’ll have to wait until traffic hits your tagged firewall rule, but once it does, log in to vRealize Log Insight and select the Interactive Analytics tab. Here you type your firewall rule’s tag in the search bar and hit search:

Voilà! Log entries for the firewall rule.
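To show what the tag buys you once the entries have reached syslog, here is an added Python example (not from the post) that parses DFW packet-log lines and filters or counts them by rule tag, the same lookup the Log Insight search above performs, with untagged rules falling back to their numeric rule ID. The line layout and the sample lines are constructed approximations of the NSX-T dfwpktlogs syslog format, and the rule tag is assumed to be the trailing lowercase token after the optional TCP flags.

```python
import re
from collections import Counter

# Constructed sample lines approximating the NSX-T DFW packet-log syslog layout.
# The exact field order is an assumption, not copied from the post.
SAMPLE_LOG = """\
2019-07-01T10:00:01.000Z esx-01 NSX 12345 - [nsx@6876 comp="nsx-esx" subcomp="vsip"] INET match PASS 1024 IN 60 UDP 10.10.1.15/51234->10.10.0.53/53 infra-dns
2019-07-01T10:00:02.000Z esx-02 NSX 12345 - [nsx@6876 comp="nsx-esx" subcomp="vsip"] INET match DROP 1031 IN 60 TCP 10.10.1.15/44321->10.10.0.20/22 SYN
2019-07-01T10:00:03.000Z esx-01 NSX 12345 - [nsx@6876 comp="nsx-esx" subcomp="vsip"] INET match PASS 1024 OUT 60 UDP 10.10.2.7/40001->10.10.0.53/53 infra-dns
2019-07-01T10:00:04.000Z esx-03 NSX 12345 - [nsx@6876 comp="nsx-esx" subcomp="vsip"] INET match PASS 1040 IN 52 TCP 10.10.3.9/50000->10.10.0.80/443 SYN web-https
"""

# Assumed layout: "<ts> <host> NSX <pid> - [nsx@6876 ...] INET match <ACTION> <rule id>
# <IN|OUT> <len> <proto> <src>/<sport>-><dst>/<dport> [TCP flags] [rule tag]".
# Flags are all uppercase, tags are lowercase, which is how the two are told apart.
DFW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) NSX \S+ - \[nsx@6876 [^\]]*\] "
    r"INET match (?P<action>PASS|DROP|REJECT) (?P<rule_id>\d+) (?P<dir>IN|OUT) \d+ "
    r"(?P<proto>\S+) (?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)"
    r"(?: (?P<flags>[A-Z]+))?(?: (?P<tag>[a-z0-9][\w-]*))?\s*$"
)


def parse_dfw_line(line):
    """Return a dict of fields for one DFW log line, or None if it is not a packet log."""
    m = DFW_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule_id"] = int(rec["rule_id"])
    return rec


def entries_for_tag(log_text, tag):
    """All packet-log records whose rule tag equals `tag` (the Log Insight tag search)."""
    recs = (parse_dfw_line(line) for line in log_text.splitlines())
    return [r for r in recs if r and r["tag"] == tag]


def hits_per_tag(log_text):
    """Count logged packets per rule tag; untagged rules are keyed by their rule ID."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_dfw_line(line)
        if rec:
            counts[rec["tag"] or f"rule-{rec['rule_id']}"] += 1
    return counts
```

Running `entries_for_tag(SAMPLE_LOG, "infra-dns")` on the constructed input returns the two DNS records, and `hits_per_tag` shows the untagged rule only as `rule-1031`, which is the readability gap the tag closes.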

Conclusion

Placing tags on firewall rules makes it just a little easier to find and follow up on log entries for these rules. Yes, we do have the firewall rule ID too, but that's a number and not very human readable.
