Post on 07-Jul-2018
8/18/2019 VMWorld 2013 - Deploying, Troubleshooting, And Monitoring VMware NSX Distributed Firewall
1/49
Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall
Srinivas Nimmagadda, VMware
Shadab Shah, VMware
SEC589
#SEC5894
2
Agenda
Introduce NSX Firewall
Architecture and Packet Path for NSX Firewall
Demonstrate powerful provisioning paradigms of NSX Firewall
• 3-Tier Application – (3 VXLANs) or (1 VXLAN)
• Multi-Tenant Scenario
Troubleshooting NSX Firewall
Deployment of NSX Firewall (RBAC, Audit Logging, …)
Monitoring NSX Firewall
3
Hypervisor Kernel Embedded Firewall
Benefits…
• Is built right in to the Hypervisor
• “Line Rate” Performance (15Gbps+ per host)
• No VM can circumvent Firewall
• Better compliance model
4
Distributed Virtual Firewall
(Diagram: VMs spread across many hosts)
Benefits…
• No “Choke Point”
• Scale Out
• Enforcement closest to VM
5
Flexible Access Control Mechanisms
Benefits…
• IP/VLAN: Support physical infrastructure based rules
• Security Groups: Logical grouping of VMs
• VM Asset Tags: Dynamic VM attributes
• Rules follow the VMs
(Diagram: VMs grouped across hosts)
6
Identity Based Access Control
Active Directory user: Eric Frost (IP: 192.168.10.75)

Logs
User         AD Group      App Name        Originating VM Name   Destination VM Name   Source IP        Destination IP
Eric Frost   Engineering   SPDesigner.exe  Eric-Win7             Ent-Sharepoint        192.168.10.75    192.168.10.78

Rule Table
Source        Destination      Services   Action
Engineering   Ent-Sharepoint   http       Permit, Log
Packet Path – Source & Destination on same Host
External Network
Source Destination
vSwitch
Traffic between two VMs on the same host does not hit the physical switch
Firewalling enforced close to the source VM
Firewalling also done as traffic enters the Destination VM’s vNIC
Packet Path – Traffic across Hosts
External Network
Source Destination
vSwitch vSwitch
Traffic between two VMs on different hosts hits the physical switches
Firewalling enforced at source and destination VM vNICs
Similar flow for Virtual to Physical Traffic
10
Firewall Management Life Cycle
Prepare
• Deploy firewall on hosts
• Enable Logging
• VMTools for VMs, Activity Monitoring
Policy
• vCenter Objects
• Configure Access Rules
• Sections
Troubleshoot
• Logs with Rule IDs
• Rule Hit Count
• Enforced Rules on a Host
• Packet Captures
Monitor
• Flow Monitoring
• Activity Monitoring
Operations
• Audit Tracking
• Role Based Access Control
• Import/Export of Configurations
11
Prepare: Deploy Firewall, Enable Logging, Deploy VMTools
12
Deploy NSX Firewall
13
Network Setup
14
Enable Firewall Logging
Syslog.global.logHost tcp://10.24.131.189:514
15
Enable VMTools
16
Policy: Policy Objects, Access Control Rules
17
3-Tier Application Deployment
(Diagram: logical switches attached to External Networks)
• Client Logical Switch, Vxlan-5000: Client-01, Client-02
• Web Services Logical Switch, Vxlan-5002: Web-sv-01a
• App Services Logical Switch, Vxlan-5003: App-sv-01a
• DB Services Logical Switch, Vxlan-5001: Db-sv-01a
• Single Logical Switch, Vxlan-5004: Web-sv-02a, App-sv-02a, Db-sv-02a
18
Create Security Groups (Static VM Assignment)
19
Create Security TAGs for PCI & DevTest Zones
20
Define AD Domain (for IDFW Rules)
21
Create User Based Access Rules
22
Multi-Tenancy With NSX Firewall
(Diagram: External Networks reach a Tenant 1 Logical Switch and a Tenant 2 Logical Switch through Routing, VPN, NAT; each tenant switch carries its own VMs)
Tenant Specific Micro-segmentation
23
Tenant-01 Access Rules
Objects
• ALL-CUST-VXLANS: Tenant01-VXLAN, Tenant02-VXLAN
• Tenant01-Services (192.168.10.0/24)
• Tenant02-FIN-Apps (192.168.10.0/24)

Tenant-01 Section
Source            Destination         Services   Action   Apply To
Tenant01-VXLAN    Tenant01-Services   Any        Permit   Tenant01-VXLAN
…                 …                   …          …        Tenant01-VXLAN
Tenant01-VXLAN    Tenant01-VXLAN      Any        Deny     Tenant01-VXLAN

SP Tenant-01 Section
Source            Destination         Services   Action   Apply To
ALL-CUST-VXLANS   Tenant01-VXLAN      Any        Deny
Tenant01-VXLAN    ALL-CUST-VXLANS     Any        Deny
24
Tenant-02 Access Rules
Tenant-02 Section
Source             Destination         Services      Action        Apply To
Tenant02-FINANCE   Tenant02-FIN-Apps   http, https   Permit, log   Tenant02-VXLAN
…                  …                   …             …             Tenant02-VXLAN
Tenant02-VXLAN     Tenant02-VXLAN      Any           Deny          Tenant02-VXLAN

SP Tenant-02 Section
Source             Destination         Services      Action        Apply To
ALL-CUST-VXLANS    Tenant02-VXLAN      Any           Deny
Tenant02-VXLAN     ALL-CUST-VXLANS     Any           Deny
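The two tenant rule tables above rely on object membership rather than IP addresses, which is what lets both tenants use 192.168.10.0/24. The following script is an added example, not code from the deck, that models how such a policy is evaluated so the isolation can be checked flow by flow. Its modelling assumptions: sections are evaluated top to bottom with first match winning; each packet is checked at the source vNIC and again at the destination vNIC and must be permitted at both; "Apply To" limits a rule to vNICs on that logical switch, a rule without it is enforced on every vNIC; a flow matching no rule falls through to an assumed default Permit. The VM names, addresses and the tag-based Tenant02-FINANCE group are constructed.

```python
"""Simplified model of DFW evaluation for the two-tenant policy on the slides.
Added example; VMs, IPs, tags and the evaluation assumptions are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed inventory: VM -> (logical switch, IP, security tags).
# Both tenants deliberately reuse 192.168.10.0/24.
VMS = {
    "t1-web":        ("Tenant01-VXLAN", "192.168.10.10", set()),
    "t1-db":         ("Tenant01-VXLAN", "192.168.10.20", set()),
    "t2-fin-client": ("Tenant02-VXLAN", "192.168.10.10", {"Tenant02-FINANCE"}),
    "t2-fin-app":    ("Tenant02-VXLAN", "192.168.10.20", set()),
    "t2-hr":         ("Tenant02-VXLAN", "192.168.10.30", set()),
}

# Policy objects from the slides (VXLAN groups and IP sets) plus one tag group.
VXLAN_GROUPS = {
    "Tenant01-VXLAN": {"Tenant01-VXLAN"},
    "Tenant02-VXLAN": {"Tenant02-VXLAN"},
    "ALL-CUST-VXLANS": {"Tenant01-VXLAN", "Tenant02-VXLAN"},
}
IP_SETS = {
    "Tenant01-Services": ip_network("192.168.10.0/24"),
    "Tenant02-FIN-Apps": ip_network("192.168.10.0/24"),
}
TAG_GROUPS = {"Tenant02-FINANCE"}  # assumed: membership by security tag


@dataclass
class Rule:
    section: str
    src: str
    dst: str
    services: object          # "Any" or a set of service names
    action: str
    apply_to: Optional[str] = None

    def __str__(self):
        return f"{self.section}: {self.src} -> {self.dst} {self.action}"


# Tenant sections followed by the provider (SP) sections, in slide order.
POLICY = [
    Rule("Tenant-01", "Tenant01-VXLAN", "Tenant01-Services", "Any", "Permit", "Tenant01-VXLAN"),
    Rule("Tenant-01", "Tenant01-VXLAN", "Tenant01-VXLAN", "Any", "Deny", "Tenant01-VXLAN"),
    Rule("SP Tenant-01", "ALL-CUST-VXLANS", "Tenant01-VXLAN", "Any", "Deny"),
    Rule("SP Tenant-01", "Tenant01-VXLAN", "ALL-CUST-VXLANS", "Any", "Deny"),
    Rule("Tenant-02", "Tenant02-FINANCE", "Tenant02-FIN-Apps", {"http", "https"}, "Permit", "Tenant02-VXLAN"),
    Rule("Tenant-02", "Tenant02-VXLAN", "Tenant02-VXLAN", "Any", "Deny", "Tenant02-VXLAN"),
    Rule("SP Tenant-02", "ALL-CUST-VXLANS", "Tenant02-VXLAN", "Any", "Deny"),
    Rule("SP Tenant-02", "Tenant02-VXLAN", "ALL-CUST-VXLANS", "Any", "Deny"),
]


def member(vm, obj):
    """Is VM `vm` a member of policy object `obj`?"""
    switch, ip, tags = VMS[vm]
    if obj == "Any":
        return True
    if obj in VXLAN_GROUPS:
        return switch in VXLAN_GROUPS[obj]
    if obj in IP_SETS:
        return ip_address(ip) in IP_SETS[obj]
    if obj in TAG_GROUPS:
        return obj in tags
    raise KeyError(obj)


def match_at_vnic(vnic_vm, src, dst, service):
    """First rule enforced on vnic_vm's vNIC that matches the flow, or None."""
    switch = VMS[vnic_vm][0]
    for rule in POLICY:
        if rule.apply_to and switch not in VXLAN_GROUPS[rule.apply_to]:
            continue  # rule is not pushed to this vNIC
        if member(src, rule.src) and member(dst, rule.dst) and (
                rule.services == "Any" or service in rule.services):
            return rule
    return None


def decide(src, dst, service):
    """Return (verdict, rule hit at source vNIC, rule hit at destination vNIC)."""
    at_src = match_at_vnic(src, src, dst, service)
    at_dst = match_at_vnic(dst, src, dst, service)
    verdict = "Deny" if any(r is not None and r.action == "Deny" for r in (at_src, at_dst)) else "Permit"
    return (verdict,
            str(at_src) if at_src is not None else "default Permit",
            str(at_dst) if at_dst is not None else "default Permit")


if __name__ == "__main__":
    for flow in [("t1-web", "t1-db", "ssh"), ("t2-fin-client", "t2-fin-app", "http"),
                 ("t2-hr", "t2-fin-app", "http"), ("t1-web", "t2-fin-app", "http")]:
        verdict, s, d = decide(*flow)
        print(f"{flow[0]} -> {flow[1]} {flow[2]}: {verdict}\n   at source: {s}\n   at destination: {d}")
```

The cross-tenant case is the instructive one: t1-web to t2-fin-app on http is permitted at the Tenant01 source vNIC, because the Tenant01-Services IP set covers 192.168.10.20 regardless of tenant, and is only stopped at the destination vNIC by the SP Tenant-01 deny. Enforcement at both vNICs plus the provider-owned deny sections is what keeps an IP-set rule in one tenant's section from reaching into the other tenant.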
26
Dynamic Security Group Membership
Firewall Rule Table
27
Troubleshooting: Log Policy, Rule Hit Count, Enforced Per Host Rules, Packet Capture
28
vCenter Host Kernel Log
29
Log Insight
Source            Dest             SPORT   DPORT   Action   Rule ID
10.113.132.192    172.25.40.101    62517   3389    DROP     1011
30
Lookup Rules By ID
31
Rule Statistics
32
Per VM Rules
> summarize-dvfilter
> vsipioctl getrules -f nic-1000942032-eth0-vmware-sfw.2
ruleset domain-c7 {
  # Filter rules
  rule 1024 at 1 inout protocol tcp from addrset ip-securitygroup-34 to addrset ip-securitygroup-29 port 80 accept with log;
  rule 1024 at 2 inout protocol tcp from addrset ip-securitygroup-34 to addrset ip-securitygroup-29 port 443 accept with log;
  rule 1002 at 11 inout protocol any from any to any accept with log;
}
ruleset domain-c7_L2 {
  rule 1001 at 1 inout ethertype any from any to any accept;
}
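The Log Insight slide shows a DROP carrying rule ID 1011, and the slide above shows the rules actually enforced on one vNIC filter; the troubleshooting step in between is joining the two. The script below is an added example, not code from the deck, that does that join. Both inputs are constructed: GETRULES_OUTPUT mimics the `vsipioctl getrules` text (rule 1011 is invented so the logged DROP has a matching rule), and SAMPLE_LOG approximates vmkernel `dfwpktlogs` lines, whose field order here is an assumption, so compare LOG_RE against a real line from your own hosts before relying on it.

```python
"""Trace DFW log entries back to the rules enforced on a vNIC filter.
Added example; the ruleset text and log lines are constructed samples."""
import re
from collections import Counter

# Constructed: output in the style of `vsipioctl getrules -f <filter>`.
GETRULES_OUTPUT = """\
ruleset domain-c7 {
  # Filter rules
  rule 1024 at 1 inout protocol tcp from addrset ip-securitygroup-34 to addrset ip-securitygroup-29 port 80 accept with log;
  rule 1024 at 2 inout protocol tcp from addrset ip-securitygroup-34 to addrset ip-securitygroup-29 port 443 accept with log;
  rule 1011 at 3 inout protocol tcp from any to addrset ip-securitygroup-29 port 3389 drop with log;
  rule 1002 at 11 inout protocol any from any to any accept with log;
}
ruleset domain-c7_L2 {
  rule 1001 at 1 inout ethertype any from any to any accept;
}
"""

# Constructed log lines in the assumed layout:
# dfwpktlogs: <session> INET match <ACTION> <domain>/<rule-id> <IN|OUT> <len> <proto> <src>/<sport>-><dst>/<dport> [flags]
SAMPLE_LOG = [
    "2013-08-26T10:15:01.001Z esx-01a dfwpktlogs: 10001 INET match DROP domain-c7/1011 IN 60 TCP 10.113.132.192/62517->172.25.40.101/3389 S",
    "2013-08-26T10:15:02.004Z esx-01a dfwpktlogs: 10002 INET match PASS domain-c7/1024 IN 60 TCP 10.113.132.192/50112->172.25.40.101/443 S",
    "2013-08-26T10:15:03.010Z esx-01a dfwpktlogs: 10003 INET match DROP domain-c7/1011 IN 60 TCP 10.113.132.50/40001->172.25.40.101/3389 S",
    "2013-08-26T10:15:04.020Z esx-01a dfwpktlogs: 10004 INET match PASS domain-c7/1999 OUT 60 UDP 172.25.40.101/5353->224.0.0.251/5353",
    "2013-08-26T10:15:05.000Z esx-01a vmkernel: unrelated message that must be ignored",
]

RULESET_RE = re.compile(r"ruleset (\S+) \{")
RULE_RE = re.compile(
    r"rule (?P<id>\d+) at (?P<pos>\d+) (?P<dir>\S+) (?:protocol|ethertype) (?P<proto>\S+) "
    r"from (?P<src>.+?) to (?P<dst>.+?)(?: port (?P<port>\S+))? (?P<action>accept|drop|reject)(?P<log> with log)?;"
)
LOG_RE = re.compile(
    r"dfwpktlogs: (?P<session>\d+) INET match (?P<action>\w+) (?P<domain>[\w-]+)/(?P<rule>\d+) "
    r"(?P<dir>IN|OUT) (?P<len>\d+) (?P<proto>\w+) (?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_rules(text):
    """Map rule id -> list of kernel rules. One policy rule can expand to
    several kernel rules (1024 above becomes one entry per service port)."""
    rules, ruleset = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = RULESET_RE.match(line)
        if m:
            ruleset = m.group(1)
            continue
        m = RULE_RE.match(line)
        if m:
            r = m.groupdict()
            r.update(ruleset=ruleset, id=int(r["id"]), pos=int(r["pos"]), log=r["log"] is not None)
            rules.setdefault(r["id"], []).append(r)
    return rules


def parse_log_line(line):
    """Fields of one dfwpktlogs line, or None for any other message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    e = m.groupdict()
    e["rule"] = int(e["rule"])
    return e


def describe(r):
    port = f" port {r['port']}" if r["port"] else ""
    log = " (logged)" if r["log"] else ""
    return f"{r['ruleset']} #{r['pos']}: {r['proto']} {r['src']} -> {r['dst']}{port} {r['action']}{log}"


def correlate(log_lines, rules):
    """Count hits per (rule id, action) and attach the enforced rule text.
    A rule id absent from this filter's ruleset is reported separately: the
    packet was logged by a rule on another vNIC, or the policy changed since."""
    hits, unknown = Counter(), set()
    for line in log_lines:
        e = parse_log_line(line)
        if e is None:
            continue
        hits[(e["rule"], e["action"])] += 1
        if e["rule"] not in rules:
            unknown.add(e["rule"])
    report = {}
    for (rid, action), n in sorted(hits.items()):
        report[(rid, action)] = {"count": n, "rules": [describe(r) for r in rules.get(rid, [])]}
    return report, unknown


def permissive_rules(rules):
    """Ids of rules that accept any protocol from any to any. Rule 1002 on the
    slide is such a catch-all at the bottom: the policy stays default-allow
    until that rule is replaced by an explicit deny."""
    return sorted({rid for rid, rs in rules.items() for r in rs
                   if r["src"] == "any" and r["dst"] == "any"
                   and r["proto"] == "any" and r["action"] == "accept"})


if __name__ == "__main__":
    rules = parse_rules(GETRULES_OUTPUT)
    report, unknown = correlate(SAMPLE_LOG, rules)
    for (rid, action), info in report.items():
        print(f"rule {rid} {action}: {info['count']} hit(s)")
        for text in info["rules"] or ["(not enforced on this filter)"]:
            print("  " + text)
    print("rule ids not in this ruleset:", sorted(unknown))
    print("catch-all accept rules:", permissive_rules(rules))
```

Run it on the output of `vsipioctl getrules` for the filter named by `summarize-dvfilter` and on the host's syslog export; a rule ID that appears in the logs but not in the ruleset is the usual sign that you are looking at the wrong vNIC filter.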
33
Packet Capture
> summarize-dvfilter
> pktcap-uw --dvfilter nic-1000942032-eth0-vmware-sfw.2 --outfile test.pcap
34
Monitoring: Flow Monitor, Activity Monitor
35
Flow Monitoring
• All flows from the VMs accumulated on NSX Manager
• Provides aggregated historic data for dropped, active and inactive flows
36
Flow Monitoring, Details
37
Live Flows
38
Enable Activity Monitoring for VMs
39
Activity Monitoring
40
Operations Audit Log
Operations: Audit Log, Users & RBAC, Config Backup/Restore
41
Audit Log
42
User Management & RBAC
43
Firewall Config Backup/Restore
44
Summary
NSX Firewall
• East/West Traffic Control
• Identity & VM Awareness
• High Performance & Scale-out
Operational Workflows
• Policy Management
• Troubleshooting
• Monitoring
• RBAC
• REST API & Automation
Take Aways
• Enables Business Agility
• Delivers Superior Performance & Scale
• Simplifies Firewall Management
45
Other VMware Activities Related to This Session
HOL: HOL-SDC-1303 VMware NSX Network Virtualization Platform
Group Discussions: SEC1000-GD Distributed Virtual Firewall - Management, Architecture, Scalability and Performance with Serge Maskalik
THANK YOU
62
The Transformative Value of Network Virtualization
Labor/OPEX Savings
Innovation Speed & New Business
83% Reduction*
88% Reduction*
93% Reduction*
Increase in Business Velocity
* Projected savings off current baseline spend, steady state 75% reduction in IT infrastructure spending. Source: Large US-based Financial Services company
• Valuable labor moves to SDDC architects, away from high-cost siloed orgs
• Manual design, config & deploy moves to automated / self service provisioning
• Complex / custom hardware configuration moves to simplified IP forwarding
• Box-based net security moves to centrally defined, scale-out security policies
• Physical Infra labor moves to “rack -n- stack” with limited “operator” functions
• Adds/moves/changes no longer require full manual re-provisioning effort
Introducing VMware NSX
2013
vCNS v5.1
vCloud Suite (Network & Security) v5.1
vCloud Suite (Network & Security) v5.5
2014
vCloud Network & Security