Steps to troubleshooting GI (Guest Introspection) based IDFW (Identity based Firewall)



Article ID: 377600


Products

VMware vDefend Firewall VMware NSX Firewall

Issue/Introduction

This document guides NSX administrators through systematic troubleshooting of NSX GI-based Identity Firewall (IDFW) issues. IDFW lets administrators enforce security policies based on user identity, which secures environments where application access depends on a user's role or identity. Because of its complexity, deployment or performance issues may arise, and a structured troubleshooting approach is needed.

This KB takes you through the step-by-step process of identifying and resolving potential issues related to GI-based IDFW.

Resolution

In an exclusively GI-based IDFW configuration, the "Event Log Server" is NOT configured.

  1. To determine the user SID, execute "wmic useraccount" from the guest VM.

    PS C:\Users\Administrator> wmic useraccount
    AccountType  Caption                        Description       Domain            SID                                             SIDType  Status
    512          IDFWDMEOTFPUHQ\Administrator   Built-in account  IDFWDMEOTFPUHQ    S-1-5-21-2972043103-4218427138-1095897438-500   1        OK        <<<< UserSID
    512          IDFWDMEOTFPUHQ\cyg_server      <cygwin home>     IDFWDMEOTFPUHQ    S-1-5-21-2972043103-4218427138-1095897438-1005  1        OK



    Alternatively, execute "whoami /user" from the guest VM to get the user's SID.

    Alternatively, execute "Get-ADUser <username>" from PowerShell.

  2. To determine the group SID, execute "wmic group" from the guest VM.

    PS C:\Users\Administrator> wmic group
    Caption                        Description        Domain          Name                                 SID            SIDType  Status
    IDFWDMEOTFPUHQ\Access Control  <snip>             IDFWDMEOTFPUHQ  Access Control Assistance Operators  S-1-5-32-579   4        OK
    IDFWDMEOTFPUHQ\Administrators  Administrators     IDFWDMEOTFPUHQ  Administrators                       S-1-5-32-544   4        OK             <<<< User Group SID


    Alternatively, execute "wmic group where name='Administrators' get sid" from the guest VM to get the group SID.


  3. Verify that the vsepflt driver is running by executing "fltmc" on the guest VM. If vsepflt does not show up, the Guest Introspection drivers are probably not installed; refer to https://docs.vmware.com/en/VMware-NSX/4.2/administration/GUID-0A2860E3-761C-4189-8087-92F0A0A855C0.html to install them.

    PS C:\Users\Administrator> fltmc
    Filter Name                     Num Instances    Altitude    Frame
    ------------------------------  -------------  ------------  -----
    vsepflt                                 4       328200         0           << This driver needs to be loaded for GI-based IDFW
    <SNIP>



  4. Determine whether the rules are applied to the VM. For an IDFW rule we expect to see "with extended src" in the rule output.

    4a. Execute "summarize-dvfilter | grep <VM-name> -A 9" to find the filter name.

    [root@ESX:] summarize-dvfilter | grep VM-A -A 9      <<< grep with the VM name
    world 5420242 vmm0:VM-A vcUuid:'50 1b ca df 2f 20 cc 0d-58 71 a7 c7 66 74 b7 8a'
     port 67109004 VM-A.eth1
      vNic slot 2
       name: nic-535485-eth1-vmware-sfw.2        <<<< Filter name
       agentName: vmware-sfw
       state: IOChain Attached
       vmState: Attached



    4b. Execute "vsipioctl getrules -f <filtername>" to check the rules.

    [root@ESX:] vsipioctl getrules -f nic-535485-eth1-vmware-sfw.2
    ruleset mainrs {
    <SNIP>
      rule 1001 at 1 inout protocol tcp strict from any to any port {80, 443} with extended src 957534f8-c85f-4643-aaf8-42ab343ec582 drop;



  5. Verify that the user's SID is active on the ESXi host and that the user group SID appears in the SID cache, by executing "vsipioctl getsidcache -f <filtername>".

    [root@ESX:] vsipioctl getsidcache -f nic-535485-eth1-vmware-sfw.2
    uid2sid map size : 1172
    uid2sid map num entries : 1
    User ID : S-1-5-21-2972043103-4218427138-1095897438-500              <<<<    UserSID
    Status : Active                     <<<<<
    NoConn : 30
    CorrID : 88698765
    {
        SID : S-1-1-0
        <SNIP>
        SID : S-1-5-32-544            <<<< User group SID.



  6. Verify that the container (from the rule) contains the relevant user group, by executing "vsipioctl getcontainers -f <filtername>".

    [root@ESX:] vsipioctl getcontainers -f nic-535485-eth1-vmware-sfw.2
    containers are shared for this filter
    global containers
    container 957534f8-c85f-4643-aaf8-42ab343ec582 {
    # generation number: 1
    # realization time : 2024-03-14T10:42:43
    WIN_SID : S-1-5-32-544,
    }



  7. To determine whether the ESXi host is recognizing the login event, execute egrep "SESSION_TYPE_CONNECT|SESSION_TYPE_LOGON|SESSION_TYPE_DISCONNECT" /var/run/log/nsx-syslog.log on the host. The SESSION_TYPE_LOGON entry carries the user's SID, user name and domain name.

    [root@ESX:/vmfs/volumes/65b29b4b-a2775a57-edaa-005056811440/log] egrep "SESSION_TYPE_CONNECT|SESSION_TYPE_LOGON|SESSION_TYPE_DISCONNECT" /var/run/log/nsx-syslog.log | tail -n 10
    2024-03-14T10:24:42.984Z nsx-opsagent[531333]: NSX 531333 - [nsx@6876 comp="nsx-esx" subcomp="opsagent" s2comp="ctxteng" tid="531419" level="INFO"] Context: Session dump - vcUuid: 52642f7c-d566-f4a9-8f38-7876dac3772a, dfwKey: , sid: , uid: -1, type: SESSION_TYPE_DISCONNECT, user name: , domain name: , session id: 2, client ip: , ip version: 65535, timestamp: 1710411882984, group count: 0, group hash: 0
    2024-03-14T10:24:47.528Z nsx-opsagent[531333]: NSX 531333 - [nsx@6876 comp="nsx-esx" subcomp="opsagent" s2comp="ctxteng" tid="531415" level="INFO"] Context: Session dump - vcUuid: 52642f7c-d566-f4a9-8f38-7876dac3772a, dfwKey: , sid: , uid: -1, type: SESSION_TYPE_CONNECT, user name: , domain name: , session id: 2, client ip: , ip version: 65535, timestamp: 1710411887526, group count: 0, group hash: 0
    2024-03-14T10:24:48.519Z nsx-opsagent[531333]: NSX 531333 - [nsx@6876 comp="nsx-esx" subcomp="opsagent" s2comp="ctxteng" tid="531418" level="INFO"] Context: Session dump - vcUuid: 52642f7c-d566-f4a9-8f38-7876dac3772a, dfwKey: S-1-5-21-2972043103-4218427138-1095897438-500, sid: S-1-5-21-2972043103-4218427138-1095897438-500, uid: -1, type: SESSION_TYPE_LOGON, user name: Administrator, domain name: IDFWDMEOTFPUHQ, session id: 2, client ip: 10.198.xxx.xx, ip version: 0, timestamp: 1710411888500, group count: 15, group hash: 0
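The ESXi-side checks of steps 4 to 6 can be chained into one script; the following is an added example, not part of this KB or of VMware's tooling. It assumes the summarize-dvfilter and vsipioctl output formats shown above and, when LIVE is not set, runs against constructed samples abridged from that output; step 7 remains the manual egrep.

```shell
#!/bin/sh
# Added example (not VMware's code): runs steps 4-6 of this KB for one VM on an ESXi host.
# LIVE=1 calls the real commands; otherwise constructed samples, abridged from the KB
# output, stand in so the parsing can be exercised off the host.
LIVE=${LIVE:-0}
S_DVF='world 5420242 vmm0:VM-A vcUuid:(constructed)
 port 67109004 VM-A.eth1
   name: nic-535485-eth1-vmware-sfw.2
   agentName: vmware-sfw'
S_RULES='ruleset mainrs {
  rule 1001 at 1 inout protocol tcp strict from any to any port {80, 443} with extended src 957534f8-c85f-4643-aaf8-42ab343ec582 drop;'
S_SID='User ID : S-1-5-21-2972043103-4218427138-1095897438-500
Status : Active
{
    SID : S-1-1-0
    SID : S-1-5-32-544'
S_CONT='container 957534f8-c85f-4643-aaf8-42ab343ec582 {
WIN_SID : S-1-5-32-544,
}'
dvfilter_out()   { if [ "$LIVE" = 1 ]; then summarize-dvfilter; else printf '%s\n' "$S_DVF"; fi; }
rules_out()      { if [ "$LIVE" = 1 ]; then vsipioctl getrules -f "$1"; else printf '%s\n' "$S_RULES"; fi; }
sidcache_out()   { if [ "$LIVE" = 1 ]; then vsipioctl getsidcache -f "$1"; else printf '%s\n' "$S_SID"; fi; }
containers_out() { if [ "$LIVE" = 1 ]; then vsipioctl getcontainers -f "$1"; else printf '%s\n' "$S_CONT"; fi; }
# 4a: first vmware-sfw filter attached to the VM named $1
filter_name() { grep -A 9 "vmm0:$1 " | sed -n 's/^ *name: \(nic-[^ ]*\).*/\1/p' | head -n 1; }
# 4b: container UUIDs referenced by "with extended src" (the identity match of a rule)
extended_src_ids() { sed -n 's/.*with extended src \([0-9a-f-]*\).*/\1/p' | sort -u; }
# 5: user SID $1 is present and Active in the filter's SID cache
user_sid_active() { awk -v sid="$1" '$1=="User" && $4==sid {hit=1; next}
  hit && $1=="Status" {ok=($3=="Active"); exit} END {exit !ok}'; }
# 5: group SID $1 is listed among the user's cached group SIDs
cached_group_sid() { grep -q "^ *SID : $1 *\$"; }
# 6: container $1 from the rule actually holds group SID $2
container_has_sid() { awk -v id="$1" -v sid="$2" '$1=="container" && $2==id {in_c=1; next}
  in_c && $1=="}" {in_c=0} in_c && $1=="WIN_SID" && $3==sid"," {ok=1} END {exit !ok}'; }
idfw_check() {  # $1 = VM name, $2 = user SID, $3 = group SID (from steps 1-2); 0 when all pass
  f=$(dvfilter_out | filter_name "$1")
  [ -n "$f" ] || { echo "FAIL 4a: no vmware-sfw filter for $1"; return 1; }
  ids=$(rules_out "$f" | extended_src_ids)
  [ -n "$ids" ] || { echo "FAIL 4b: no 'with extended src' rule on $f"; return 1; }
  sidcache_out "$f" | user_sid_active "$2" || { echo "FAIL 5: $2 not Active on $f"; return 1; }
  sidcache_out "$f" | cached_group_sid "$3" || { echo "FAIL 5: $3 not in SID cache of $f"; return 1; }
  for id in $ids; do
    if containers_out "$f" | container_has_sid "$id" "$3"; then echo "OK: $f container $id holds $3"; return 0; fi
  done
  echo "FAIL 6: no extended-src container on $f holds $3"; return 1
}
idfw_check VM-A S-1-5-21-2972043103-4218427138-1095897438-500 S-1-5-32-544
```

On a host, run it as LIVE=1 sh idfw_check.sh after replacing the last line's VM name and SIDs with the values collected in steps 1 and 2; the first failing step is printed so you know where in the KB to resume.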



  8. Verify if the IDFW rules are working.