NSX DFW Quick Tip: Tag and Trace

Anybody working with NSX micro-segmentation knows the importance of monitoring application traffic and the associated distributed firewall rules.

Today I just want to share a simple and quick way to increase visibility in the NSX distributed firewall logs.

For this short article I’m using NSX-T 2.4.1 and vRealize Log Insight 4.8. vRealize Log Insight has been configured as the syslog target within NSX-T and on the ESXi hosts.

Step 1 – Enable DFW rule logging

It all starts by enabling logging for the distributed firewall rules of interest. This can be done in a number of different ways, but today I’ll stick to the NSX Manager UI.

Select Security > Distributed Firewall and select the firewall rule(s) of interest. Click the three dots in the bar on the top and select Enable > Enable rule logs:

Step 2 – Tag the rule

Click the little gear icon all the way on the right side of the rule:

Now add a tag with a name that makes sense to you. In my example I will add the infra-dns tag to the rule. Click Apply:

Step 3 – Happy tracing!

You’ll have to wait until traffic hits your tagged firewall rule, but once it does, log in to vRealize Log Insight and select the Interactive Analytics tab. Here you type your firewall rule’s tag in the search bar and hit search:

Voilà! Log entries for the firewall rule.

Conclusion

Placing tags on firewall rules makes it just a little easier to find and follow up on log entries for these rule. Yes, we do have the firewall rule ID too, but that’s a number and not very human readable.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s