Checking NSX DFW rules and rule sets

Posted on July 18, 2017 by josh@sostechblog.com

The new VMware Docs page has a cheatsheet of CLI commands but here’s what you need to list the rules enforced on a VMs vnic.

SSH to NSX Manager

{Note that you can enable SSH if needed from the “Summary” page of the appliance config page – but not from the Web Client.}

show cluster all (to get the cluster IDs)

manager> show cluster all
No. Cluster Name Cluster Id Datacenter Name Firewall Status
1 NSXCluster domain-c7 Datacenter Enabled

show cluster <cluster-id> (to get the host IDs)

manager> show cluster domain-c7
Datacenter: Datacenter
Cluster: NSXCluster
No. Host Name Host Id Installation Status
1 esxitwo.corp.local host-21 Enabled
2 esxione.corp.local host-10 Enabled

show host <host-id> to get the VM IDs

manager> show host host-21
Datacenter: Datacenter
Cluster: NSXCluster
Host: esxitwo.corp.local
No. VM Name VM Id Power Status
1 VMware vRealize Network Insight Platform vm-144 off
2 TinyOne vm-52 off
3 VMware vRealize Network Insight Proxy vm-145 off
4 Tiny10 vm-203 off
5 NSX_Controller_5d671e3b-91ca-4351-9c1b-e13277d873f7 vm-124 on

show vm <vm-id> to get the filters list

manager> show vm vm-60
Datacenter: Datacenter
Cluster: NSXCluster
Host: esxione.corp.local
Host-ID: host-10
VM: Tiny10
Virtual Nics List:
1.
Vnic Name Tiny10 - Network adapter 1
Vnic Id 5039be1d-ac25-cdda-5d37-2f5435146776.000
Filters nic-650978-eth0-vmware-sfw.2

what you want is the Filters nic-650978-eth0-vmware-sfw.2 as that with the host ID will get you the rules.

show dfw host <host-ID filter <filterID> rules

manager> show dfw host host-10 filter nic-650978-eth0-vmware-sfw.2 rules
ruleset domain-c7 {
 # Filter rules
 rule 1006 at 1 inout protocol tcp from addrset ip-securitygroup-13 to addrset ip-securitygroup-10 port 443 accept;
 rule 1006 at 2 inout protocol tcp from addrset ip-securitygroup-13 to addrset ip-securitygroup-10 port 80 accept;
 rule 1005 at 3 inout protocol tcp from any to addrset ip-securitygroup-10 port 22 accept;
 rule 1003 at 4 inout protocol ipv6-icmp icmptype 136 from any to any accept;
 rule 1003 at 5 inout protocol ipv6-icmp icmptype 135 from any to any accept;
 rule 1002 at 6 inout protocol udp from any to any port 68 accept;
 rule 1002 at 7 inout protocol udp from any to any port 67 accept;
 rule 1001 at 8 inout protocol any from any to any accept;
}
ruleset domain-c7_L2 {
 # Filter rules
 rule 1004 at 1 inout ethertype any from any to any accept;
}

show dfw host <host-ID filter <filterID> addrsets

manager> show dfw host host-10 filter nic-650978-eth0-vmware-sfw.2 addrsets
addrset ip-securitygroup-10 {
}
addrset ip-securitygroup-13 {
ip 192.168.100.20,
ip 192.168.182.128,
ip 192.168.182.197,
ip 192.168.182.198,
ip fe80::250:56ff:feb9:db4d,
}

Note that powered off VMs won’t be included in the addrsets, neither will the VM’s own IP address even if its in the group.

This entry was posted in CLI, Firewall, Network, NSX, Virtualization, VMware and tagged , , . Bookmark the permalink.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.