Viewing and managing SIP (NetX partner redirection) Network Introspection service

Products

VMware NSX for vSphere

Issue/Introduction

Running summarize-dvfilter, filter on slot 4 will be seen.
Note: Slot 4 is used by partner Service Integration solutions (SIP) that redirect network traffic to a partner device for additional packet inspection services.
If a slot 4 filter is configured to redirect traffic incorrectly, it could block network communications, which may not be desirable for critical service VMs such as storage appliances.

Environment

VMware NSX for vSphere 6.2.x

VMware NSX for vSphere 6.3.x

VMware NSX for vSphere 6.4.x

Resolution

To determine/control whether a VM has a slot 4 filter created for it, review the service profile for the partner service.

Navigate to Networking & Security > Service Definitions.
Select the Service in question (for example, Palo Alto Network NGFW), and double click or click the Edit (pencil) button.
On the left-pane, under the Service, navigate to the "Service Instances" label with a number.
Click on the Service Instances, and a new section will appear below listing the Service Instances.
Select the one in question (for example Palo Alto Networks NGFW-GlobalInstance).
On the Related Objects tab, all the Service Profiles associated with this Service Instance will be visible.
Select one by clicking on the name, and navigate to Manage tab.
Selecting the Applied Objects, there will be a list of all the objects this service profile is applied to. It can be applied to Distributed Port Groups, Security Groups, or Logical Switches.
If Creating a Network Introspection rules as part of a Service Composer Policy, then Service Composer will automatically add the Security Groups the policy is applied to in the Applied On list (and remove it when the policy is no longer applied to that object). However, if manual creation of Layer 3 redirection rules was performed in the Partner Security Services section of the NSX Firewall, it will require manual addition of the appropriate objects so that the filter can be applied.

Note: The same settings can also be viewed by using the API call: GET https://<NSX-Manager-IP-Address>/api/4.0/firewall/layer3redirect/profiles
Once the profile has been applied to an object, VMs that are part of that object will show a filter for slot 4 when running the summarize-dvfilter command on the ESXi host the VM is running on.

Example:
port 5######3 vm.eth0
vNic slot 4
name: nic-9214649-eth0-serviceinstance-5.4
agentName: serviceinstance-5
state: IOChain Attached
vmState: Attached
failurePolicy: failClosed
slowPathID: 509
filter source: Dynamic Filter Creation

The specific rules that are applied can be listed by using the vsipioctl getrules command, providing the name of the slot 4 filter found above: vsipioctl getrules -f nic-9214649-eth0-serviceinstance-5.4 which will return rules in the following format.

Note: "punt" indicates traffic matching the rule will be redirected to the partner appliance. Punt rules should always be created in pairs for bi-directional traffic to work, since the return traffic must be sent back to the partner appliance for it to track stateful flows, and the return traffic is sent to the partner service before it can be inspected by the stateful DFW to determine if it matches an existing flow. Only adding one rule will result in the partner appliance only seeing one side of the traffic flow, which could result in unintended network communication failure for the VM.

ruleset 7854
{
# Filter rules
rule 13982 at 1 inout protocol any from addrset ip-vm-194 to any punt with log;
rule 13979 at 2 inout protocol any from any to addrset ip-vm-194 punt with log;
rule 13973 at 3 inout protocol any from addrset ip-securitygroup-11 to addrset ip-securitygroup-11 punt with log;
rule 13969 at 4 inout protocol any from addrset ip-securitygroup-11 to addrset ip-securitygroup-11 punt with log;
}

ruleset 7854_L2
{
}