IDFW traffic being dropped due to rule replacement
Article ID: 372744

Updated On:

Products

VMware vDefend Firewall

Issue/Introduction

  • You are using Guest Introspection (VMware Tools) or Active Directory event log scraping to capture user login events.
  • You observe that the IDFW rules are present on the host using the commands below:

[root@<ESXI-HostName>~] summarize-dvfilter | grep -A 9 <VM-Name>
 port 67108898 UPSAv2-02.eth0
 vNic slot 2

   name: nic-34829825-eth0-vmware-sfw.2  <<< VM-Filter-Name
   agentName: vmware-sfw
   state: IOChain Attached
   vmState: Attached
   failurePolicy: failClosed
   serviceVMID: 4
   filter source: Dynamic Filter Creation
   moduleName: nsxt-vsip-20737187

[root@<ESXI-HostName>~] vsipioctl getrules -f <VM-Filter-Name>

  • You observe that user login events are detected in the UI.
  • You observe that the AD group SID is populated on the host using the command below:

[root@<ESXI-HostName>~] vsipioctl getsidcache -f <VM-Filter-Name>

  • If the IDFW rules are applied to the Gateway Firewall, they can be checked from the CLI as the admin user.
  • You observe that the network traffic (e.g. RDP) is not reaching the destination VM.

NOTE: The preceding log excerpts are only examples. Date, time and environmental variables may vary depending on your environment
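The host-side checks above can be scripted. The following is an added example, not a script from the article or from VMware: it parses `summarize-dvfilter` output to locate the vmware-sfw filter attached to a given VM and then prints the `vsipioctl` commands to run against that filter. The sample output embedded in the script is constructed from the article's excerpt (VM names, port numbers and filter names are placeholders); on a live ESXi host you would pipe the real `summarize-dvfilter` output into `find_filter_name` instead.

```shell
#!/bin/sh
# Added triage helper (not from the KB article). Constructed sample of
# `summarize-dvfilter` output, modelled on the excerpt above; a second,
# hypothetical VM is included so the VM-name match can be checked.
SAMPLE_DVFILTER='port 67108898 UPSAv2-02.eth0
 vNic slot 2
   name: nic-34829825-eth0-vmware-sfw.2
   agentName: vmware-sfw
   state: IOChain Attached
   vmState: Attached
   failurePolicy: failClosed
   serviceVMID: 4
   filter source: Dynamic Filter Creation
   moduleName: nsxt-vsip-20737187
port 67108899 OTHER-VM.eth0
 vNic slot 2
   name: nic-11111111-eth0-vmware-sfw.2
   agentName: vmware-sfw
   state: IOChain Attached'

# find_filter_name VM_NAME  (reads summarize-dvfilter output on stdin)
# Prints the vmware-sfw filter name attached to VM_NAME's vNIC.
# Returns 1 if no such filter exists: with no DFW filter on the vNIC,
# no IDFW rule can be enforced for that VM on this host.
find_filter_name() {
  awk -v vm="$1" '
    # A "port <n> <vm>.eth<i>" line starts the block for one vNIC.
    /^port [0-9]+ / { in_vm = ($3 ~ "^" vm "\\.eth[0-9]+$") }
    # Inside the wanted block, the "name:" line carries the filter name.
    in_vm && $1 == "name:" && $2 ~ /-vmware-sfw\./ { print $2; found = 1; exit }
    END { exit found ? 0 : 1 }
  '
}

# triage VM_NAME: resolve the filter and print the follow-up checks.
# On a real host replace the printf with:  summarize-dvfilter | find_filter_name "$vm"
triage() {
  vm=$1
  filter=$(printf '%s\n' "$SAMPLE_DVFILTER" | find_filter_name "$vm") || {
    echo "no vmware-sfw filter found for $vm" >&2
    return 1
  }
  echo "Filter for $vm: $filter"
  echo "Next checks on the host:"
  echo "  vsipioctl getrules -f $filter      # are the IDFW rules present?"
  echo "  vsipioctl getsidcache -f $filter   # is the AD group SID populated?"
}

triage UPSAv2-02
```

If `getrules` shows the expected rules but `getsidcache` is empty, the login event has not been mapped to this VM; if `getrules` does not show the rule at all, the rule was not published to this host, which is the "Applied To" placement problem covered in the Resolution.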

Resolution

Where an IDFW rule is enforced depends on the traffic flow it has to cover. A distributed firewall rule is published only to the hosts on which the VMs listed in its "Applied To" field reside, so a rule whose "Applied To" does not include the VM on the enforcement path is never installed on the host that sees the traffic, and the traffic is dropped.

  • For VM to VM communication, create the IDFW rule as follows:
    • The source in the rule is the AD group.
    • The destination is the destination group or IP.
    • The source VM goes in the "Applied To" field.
      • With the source VM in "Applied To", the rule is published only to the host where that source VM resides.
  • For physical device to VM communication, create the IDFW rule as follows:
    • The source in the rule is the AD group.
    • The destination is the destination group or IP.
    • The destination VM goes in the "Applied To" field.
      • With the destination VM in "Applied To", the rule is published only to the host where that destination VM resides.
  • For physical device to VM communication using identity with the Gateway Firewall, create the rule as follows:
    • The source in the rule is the AD group.
    • The destination is the destination group or IP.
    • The rule is applied to the Gateway Firewall. By default "Applied To" is the gateway uplink unless a specific interface is selected.
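The three placements above differ only in what goes into "Applied To" (the `scope` field of a rule in the NSX Policy API). The script below is an added example, not code from the article or from VMware: it builds the rule body for each flow type, refusing to build a VM to VM rule without a source VM group, and PATCHes it to the NSX Manager only when `NSX_MGR` and `NSX_AUTH` (user:password) are set. The policy, rule and group paths, the `/infra/services/RDP` service path and the `idfw-policy` policy ID are illustrative placeholders.

```shell
#!/bin/sh
# Added example (not from the KB article): encode the IDFW rule placement
# rules as a function that produces the NSX Policy API rule body.

# idfw_rule_body FLOW AD_GROUP DEST_GROUP [ANCHOR]
#   FLOW       vm-to-vm | physical-to-vm | gateway
#   AD_GROUP   policy path of the AD (identity) group used as the source
#   DEST_GROUP policy path of the destination group
#   ANCHOR     vm-to-vm:       group containing the source VM(s)  (required)
#              physical-to-vm: ignored, Applied To is DEST_GROUP
#              gateway:        path of the Tier-0/Tier-1 gateway or one of its
#                              interfaces (required; the gateway uplink is the
#                              default when nothing more specific is chosen)
idfw_rule_body() {
  flow=$1 ad_group=$2 dest_group=$3 anchor=${4:-}
  case $flow in
    vm-to-vm)
      # Identity is known on the host where the logged-in user's VM runs,
      # so the rule must be published there.
      [ -n "$anchor" ] || { echo "vm-to-vm needs the source VM group as ANCHOR" >&2; return 1; }
      scope=$anchor ;;
    physical-to-vm)
      # No source VM lives on any host; enforce on the destination VM's host.
      scope=$dest_group ;;
    gateway)
      [ -n "$anchor" ] || { echo "gateway needs the gateway path as ANCHOR" >&2; return 1; }
      scope=$anchor ;;
    *) echo "unknown flow: $flow" >&2; return 1 ;;
  esac
  # Placeholder service path; substitute the service you actually need.
  printf '{"resource_type":"Rule","display_name":"idfw-%s","action":"ALLOW",' "$flow"
  printf '"source_groups":["%s"],"destination_groups":["%s"],' "$ad_group" "$dest_group"
  printf '"services":["/infra/services/RDP"],"scope":["%s"]}\n' "$scope"
}

# rule_scope BODY: read back the single Applied To path from a body built above.
rule_scope() {
  printf '%s' "$1" | sed -n 's/.*"scope":\["\([^"]*\)"\].*/\1/p'
}

# push_rule POLICY_ID RULE_ID BODY: PATCH the rule into an existing security
# policy. Only talks to the manager when NSX_MGR is set; otherwise it shows
# what it would send.
push_rule() {
  [ -n "${NSX_MGR:-}" ] || { echo "NSX_MGR not set; would PATCH: $3"; return 0; }
  curl -sk -u "$NSX_AUTH" -X PATCH \
    -H 'Content-Type: application/json' \
    "https://$NSX_MGR/policy/api/v1/infra/domains/default/security-policies/$1/rules/$2" \
    -d "$3"
}

# Example: RDP from the AD group "rdp-users" to the "jump-hosts" group, where
# the users log in on VMs in the "rdp-client-vms" group (all paths hypothetical).
push_rule idfw-policy rdp-vm-to-vm \
  "$(idfw_rule_body vm-to-vm /infra/domains/default/groups/rdp-users \
       /infra/domains/default/groups/jump-hosts \
       /infra/domains/default/groups/rdp-client-vms)"
```

After publishing, re-run `vsipioctl getrules -f <VM-Filter-Name>` on the host where the VM named in "Applied To" resides; the rule should now appear there, and only there.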