IDFW rule(s) do not work due to traffic being dropped or denied by an incorrect rule
Article ID: 372744

Updated On:

Products

  • VMware vDefend Firewall
  • VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

  • You are using Guest Introspection (VMware Tools) or Active Directory event log scraping to detect user login events.
  • You observe that the IDFW rules are present on the host, using the following commands:

[root@<ESXI-HostName>~] summarize-dvfilter | grep -A 9 <VM-Name>
 port 671##### UPSAv2-02.eth0
 vNic slot 2

   name: nic-######-eth0-vmware-sfw.2  <<< VM-Filter-Name
   agentName: vmware-sfw
   state: IOChain Attached
   vmState: Attached
   failurePolicy: failClosed
   serviceVMID: 4
   filter source: Dynamic Filter Creation
   moduleName: nsxt-vsip-20737187

[root@<ESXI-HostName>~] vsipioctl getrules -f <VM-Filter-Name>

  • You observe that user login events are detected in the UI.
  • You observe that the AD group SID is populated on the host, using the following command:

[root@<ESXI-HostName>~] vsipioctl getsidcache -f <VM-Filter-Name>

  • If the IDFW rules are applied to the gateway firewall, they can be checked from the CLI as the admin user.
  • You observe that the network traffic (e.g. RDP) is not reaching the destination VM.
  • If logging is enabled on the rules, you can identify which rule is being hit from /var/run/log/dfwpktlogs.log on the ESXi hosts where the source and destination VMs reside.

NOTE: The preceding log excerpts are only examples. Date, time and environment-specific values may vary depending on your environment.
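The following script is an added example, not part of this article or of the product's own tooling. It shows how to work through dfwpktlogs.log on the two hosts to find which rule ID is dropping a flow to the destination VM, so the ID can be matched against the rules printed by "vsipioctl getrules -f <VM-Filter-Name>". The log lines, hosts, filter hashes and rule IDs are constructed for the example, and the line layout it parses (timestamp, filter hash, "INET match", action, rule ID, direction, length, protocol, src/sport->dst/dport, flags) is an assumption about the dfwpktlogs format that you should check against your own hosts before relying on the field numbers.

```shell
#!/bin/sh
# Added example (not from the KB article): triage /var/run/log/dfwpktlogs.log for
# flows that are dropped on the way to a destination VM, and report the DFW rule
# ID behind each hit so it can be matched against "vsipioctl getrules -f <filter>".
#
# Assumed line layout (verify on your hosts; field numbers below depend on it):
#   <timestamp> <filter-hash> INET match <ACTION> <rule-id> <IN|OUT> <len> <proto> <src>/<sport>-><dst>/<dport> <flags>

# Constructed sample log (not a real capture). Addresses, hashes and rule IDs are invented.
SAMPLE_LOG="${TMPDIR:-/tmp}/dfwpktlogs.sample.log"
cat > "$SAMPLE_LOG" <<'EOF'
2024-03-11T09:12:01.104Z 5d2a91f0 INET match PASS 1012 OUT 52 TCP 10.10.20.15/49812->10.10.30.40/3389 S
2024-03-11T09:12:01.310Z 7c0b33ab INET match DROP 1031 IN 52 TCP 10.10.20.15/49812->10.10.30.40/3389 S
2024-03-11T09:12:02.004Z 7c0b33ab INET match DROP 1031 IN 52 TCP 10.10.20.15/49813->10.10.30.40/3389 S
2024-03-11T09:12:03.771Z 7c0b33ab INET match PASS 1007 IN 60 TCP 10.10.20.15/49820->10.10.30.40/445 S
2024-03-11T09:12:04.220Z 7c0b33ab INET match DROP 1031 IN 44 TCP 192.168.5.9/51000->10.10.30.40/3389 S
EOF

# dfw_hits LOGFILE DEST_IP DEST_PORT
# Prints "<count> <action> <rule-id> <filter-hash> <direction>" for every distinct
# combination seen on flows to DEST_IP:DEST_PORT, most frequent first. Both directions
# are kept so the source host's OUT PASS shows up next to the destination host's IN DROP.
dfw_hits() {
    log=$1; dip=$2; dport=$3
    awk -v dip="$dip" -v dport="$dport" '
        $3 == "INET" && $4 == "match" {
            split($10, ep, "->"); split(ep[2], dst, "/")
            if (dst[1] == dip && dst[2] == dport)
                n[$5 " " $6 " " $2 " " $7]++
        }
        END { for (k in n) print n[k], k }
    ' "$log" | sort -rn
}

# blocking_rules LOGFILE DEST_IP DEST_PORT
# Prints only the rule IDs that DROPped or REJECTed traffic to the destination, one per
# line, de-duplicated. Empty output means this host never logged a deny for the flow:
# then look for a rule that is not published to this host ("Applied To") or a rule
# without logging enabled, rather than for a wrong deny rule.
blocking_rules() {
    dfw_hits "$1" "$2" "$3" | awk '$2 == "DROP" || $2 == "REJECT" { print $3 }' | sort -u
}

dfw_hits "$SAMPLE_LOG" 10.10.30.40 3389
blocking_rules "$SAMPLE_LOG" 10.10.30.40 3389
```

On a real host, run `dfw_hits /var/run/log/dfwpktlogs.log <destination-VM-IP> 3389` on both the source VM's host and the destination VM's host. A PASS on the source host followed by a DROP on the destination host means the deny rule is published to the destination host, and the printed rule ID is the one to look up in "vsipioctl getrules" and in the UI; the filter hash tells you which vNIC filter applied it.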

 

Resolution

The following are the rule and group configuration recommendations for IDFW rules:

  • For VM-to-VM communication, create the IDFW rule as follows:
    • The source in the rule should be the AD group.
    • The destination should be the destination group or IP.
    • The source VM should be in the "Applied To" field.
      • When the source VM is in the Applied To field, the rule is published only to the host where that source VM resides, which is the host that filters the traffic leaving that VM.
  • For physical-device-to-VM communication, create the IDFW rule as follows:
    • The source in the rule should be the AD group.
    • The destination should be the destination group or IP.
    • The destination VM should be in the "Applied To" field.
      • When the destination VM is in the Applied To field, the rule is published only to the host where that destination VM resides, which is the host that filters the traffic arriving at that VM.
  • For physical-device-to-VM communication using identity-based rules on the Gateway Firewall, create the rule as follows:
    • The source in the rule should be the AD group.
    • The destination should be the destination group or IP.
    • The rule is applied to the gateway firewall. By default the "Applied To" is the gateway's uplink unless another interface is specified.
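The script below is an added example, not part of this article or of the product. It builds the NSX Policy API rule body for the two distributed-firewall cases above, so that the difference between them, the "scope" field that the UI shows as "Applied To", is explicit: the group holding the source VM for VM-to-VM traffic, and the group holding the destination VM for physical-to-VM traffic. The group paths, the policy and rule IDs, the manager hostname and the use of the built-in "RDP" service are assumptions for illustration; the gateway firewall case is not covered because its Applied To is an interface, not a group. Note that Applied To in NSX takes a group, so the VM is placed in a group and that group's path is used.

```shell
#!/bin/sh
# Added example (not from the KB article): emit the NSX Policy API body for an IDFW
# rule built per the recommendations above, with "scope" ("Applied To") set to the
# group containing the SOURCE VM (vm2vm) or the DESTINATION VM (phys2vm).
# All paths, IDs and the manager name below are assumptions for illustration.

NSX_MGR="${NSX_MGR:-nsx-manager.example.local}"            # assumed manager FQDN
POLICY_ID="${POLICY_ID:-idfw-rdp-policy}"                 # assumed security policy ID
AD_GROUP="/infra/domains/default/groups/AD-RDP-Users"       # assumed identity (AD) group
DST_GROUP="/infra/domains/default/groups/RDP-Servers"       # assumed group holding the destination VM
SRC_VM_GROUP="/infra/domains/default/groups/Jump-Hosts"     # assumed group holding the source VM
RDP_SERVICE="/infra/services/RDP"                           # assumed path of the built-in RDP service

# idfw_rule_body MODE
#   vm2vm   -> scope is the source VM's group (rule lands only on that VM's host)
#   phys2vm -> scope is the destination VM's group (rule lands only on that VM's host)
# Prints the JSON body for PATCH .../security-policies/<POLICY_ID>/rules/<rule-id>.
idfw_rule_body() {
    case $1 in
        vm2vm)   scope=$SRC_VM_GROUP ;;
        phys2vm) scope=$DST_GROUP ;;
        *) echo "usage: idfw_rule_body vm2vm|phys2vm" >&2; return 1 ;;
    esac
    cat <<EOF
{
  "resource_type": "Rule",
  "display_name": "IDFW allow RDP ($1)",
  "source_groups": ["$AD_GROUP"],
  "destination_groups": ["$DST_GROUP"],
  "services": ["$RDP_SERVICE"],
  "scope": ["$scope"],
  "action": "ALLOW",
  "direction": "IN_OUT",
  "logged": true
}
EOF
}

# rule_scope MODE -> prints the single path placed in "scope", for checking a body before publishing
rule_scope() {
    idfw_rule_body "$1" | sed -n 's/^ *"scope": \["\(.*\)"\],$/\1/p'
}

# publish_rule MODE RULE_ID
# Sends the body to the manager (needs NSX_USER and NSX_PASS in the environment). Not run here.
publish_rule() {
    idfw_rule_body "$1" | curl -sS -k -u "$NSX_USER:$NSX_PASS" \
        -H 'Content-Type: application/json' -X PATCH \
        "https://$NSX_MGR/policy/api/v1/infra/domains/default/security-policies/$POLICY_ID/rules/$2" \
        --data-binary @-
}

idfw_rule_body vm2vm
```

"logged" is set to true so the rule shows up in dfwpktlogs.log during troubleshooting; turn it off once the rule is confirmed working. If "scope" is left empty the rule is published to every host in the policy's Applied To, which is why a rule that "exists" in the UI may still be missing from "vsipioctl getrules" on the one host that matters.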