NSX Identity Based Firewall ( IDFW ) using Guest Introspection ( GI ) not detecting logins
Article ID: 377877

Products

VMware vDefend Firewall

Issue/Introduction

There are firewall rules configured in NSX to use Identity Based Firewall ( IDFW ), but logins are not detected by Guest Introspection when a user logs into Windows.  Go through KB 377600 first.  Proceed with this KB only if login messages are not seen in nsx-syslog.log on the ESXi host.

Environment

NSX-T 3.x
NSX 4.x
vDefend Firewall

Cause

See the following KB for general troubleshooting on Identity Based Firewall ( IDFW ) using Guest Introspection  https://knowledge.broadcom.com/external/article/377600

 

Verify if GI detects a login

  1. Verify by checking via NSX Manager nsxapi.log.
    1. Log into the NSX Manager CLI.  There is no way to tell in advance which Manager will process the login event, so check all three NSX Managers.
    2. Run "st en" to enter engineering mode.
    3. Log into the VM.
      1. It must be a fresh logon, not merely unlocking the screen.  If unsure, log off Windows and then log back in.
      2. Successful detection looks like the following:
        grep  'USER_SESSION_EVENT_TYPE_USER_LOGIN' /var/log/proton/nsxapi.log

        2024-09-17T21:57:30.365Z  INFO IDFW-Vertical1 LoginLogoutEventListener 4692 FIREWALL [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] 1/1: Add event: [USER_SESSION_EVENT_TYPE_USER_LOGIN] user: [######\####] VM-session: ####..####/4, timestamp: 2024/09/17 21:57:18

        2024-09-17T21:57:30.368Z  INFO IDFW-Vertical1 IdfwEventProcessorImpl 4692 FIREWALL [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] 1/1: Process login event: [USER_SESSION_EVENT_TYPE_USER_LOGIN] user: [######\####] VM-session: ####..####/4, timestamp: 2024/09/17 21:57:18
    4. If the above logs aren't seen in NSX Manager, check the ESXi host to see if the login is seen there.
  2. Verify by checking via ESXi nsx-syslog.log
    1. egrep "SESSION_TYPE_CONNECT|SESSION_TYPE_LOGON|SESSION_TYPE_DISCONNECT" /var/run/log/nsx-syslog.log

      2024-03-14T10:24:42.984Z nsx-opsagent[531333]: NSX 531333 - [nsx@6876 comp="nsx-esx" subcomp="opsagent" s2comp="ctxteng" tid="531419" level="INFO"] Context: Session dump - vcUuid: ########-####-####-####-############, dfwKey: , sid: , uid: -1, type: SESSION_TYPE_DISCONNECT, user name: , domain name: , session id: 2, client ip: , ip version: 65535, timestamp: 1710411882984, group count: 0, group hash: 0

      2024-03-14T10:24:47.528Z nsx-opsagent[531333]: NSX 531333 - [nsx@6876 comp="nsx-esx" subcomp="opsagent" s2comp="ctxteng" tid="531415" level="INFO"] Context: Session dump - vcUuid: ########-####-####-####-############, dfwKey: , sid: , uid: -1, type: SESSION_TYPE_CONNECT, user name: , domain name: , session id: 2, client ip: , ip version: 65535, timestamp: 1710411887526, group count: 0, group hash: 0

      2024-03-14T10:24:48.519Z nsx-opsagent[531333]: NSX 531333 - [nsx@6876 comp="nsx-esx" subcomp="opsagent" s2comp="ctxteng" tid="531418" level="INFO"] Context: Session dump - vcUuid: ########-####-####-####-############, dfwKey: S-#-#-##-##########-##########-##########-###, sid: S-#-#-##-##########-##########-##########-###, uid: -1, type: SESSION_TYPE_LOGON, user name: ####, domain name: ######, session id: 2, client ip: ##.##.##.##, ip version: 0, timestamp: 1710411888500, group count: 15, group
  3. If login is not seen on ESXi in /var/run/log/nsx-syslog.log then proceed to the Resolution section.
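The two grep commands above show the raw lines; when working through a host bundle it is quicker to reduce every "Session dump" line to its event type, VM and identity and then ask whether a LOGON with a user attached exists for the VM in question. The script below is an added example, not part of this KB or of NSX itself. It parses the "key: value" pairs in the nsx-opsagent lines exactly as they appear above; the three sample lines are constructed for the example, and the vcUuid, SID, user name, domain and client IP in them are placeholders.

```shell
#!/bin/sh
# Added example (not part of the KB): classify the "Session dump" lines that
# nsx-opsagent (s2comp="ctxteng") writes to /var/run/log/nsx-syslog.log so one
# pass over a host bundle shows whether Guest Introspection reported a real
# LOGON (SID, user and domain filled in) for a given VM, or only CONNECT and
# DISCONNECT events, which carry no identity. The sample lines are constructed
# for this example; the vcUuid, SID, user, domain and client IP are placeholders.

# Write the constructed sample log to a temp file and print its path.
idfw_sample_file() {
  _f=$(mktemp)
  cat >"$_f" <<'EOF'
2024-03-14T10:24:42.984Z nsx-opsagent[531333]: NSX 531333 - [nsx@6876 comp="nsx-esx" subcomp="opsagent" s2comp="ctxteng" tid="531419" level="INFO"] Context: Session dump - vcUuid: 11111111-2222-3333-4444-555555555555, dfwKey: , sid: , uid: -1, type: SESSION_TYPE_DISCONNECT, user name: , domain name: , session id: 2, client ip: , ip version: 65535, timestamp: 1710411882984, group count: 0, group hash: 0
2024-03-14T10:24:47.528Z nsx-opsagent[531333]: NSX 531333 - [nsx@6876 comp="nsx-esx" subcomp="opsagent" s2comp="ctxteng" tid="531415" level="INFO"] Context: Session dump - vcUuid: 11111111-2222-3333-4444-555555555555, dfwKey: , sid: , uid: -1, type: SESSION_TYPE_CONNECT, user name: , domain name: , session id: 2, client ip: , ip version: 65535, timestamp: 1710411887526, group count: 0, group hash: 0
2024-03-14T10:24:48.519Z nsx-opsagent[531333]: NSX 531333 - [nsx@6876 comp="nsx-esx" subcomp="opsagent" s2comp="ctxteng" tid="531418" level="INFO"] Context: Session dump - vcUuid: 11111111-2222-3333-4444-555555555555, dfwKey: S-1-5-21-1111111111-2222222222-3333333333-1001, sid: S-1-5-21-1111111111-2222222222-3333333333-1001, uid: -1, type: SESSION_TYPE_LOGON, user name: jdoe, domain name: CORP, session id: 2, client ip: 10.0.0.5, ip version: 0, timestamp: 1710411888500, group count: 15, group hash: 123456789
EOF
  echo "$_f"
}

# idfw_sessions LOGFILE
# Print one line per Session dump event: "<time> <type> <vcUuid> <DOMAIN\user>",
# with "-" as the user when the event carried no identity.
idfw_sessions() {
  awk '/Context: Session dump/ {
    split($0, parts, "Session dump - ")
    n = split(parts[2], kv, ", ")          # the comma-separated "key: value" pairs
    split("", f)                           # reset the field map for this line
    for (i = 1; i <= n; i++) {
      p = index(kv[i], ": ")
      f[substr(kv[i], 1, p - 1)] = substr(kv[i], p + 2)
    }
    user = (f["user name"] == "") ? "-" : f["domain name"] "\\" f["user name"]
    print $1, f["type"], f["vcUuid"], user
  }' "$1"
}

# idfw_logon_seen LOGFILE VCUUID
# Exit 0 if the VM has at least one SESSION_TYPE_LOGON with a user attached,
# which is what the host needs before NSX Manager can receive a login event.
idfw_logon_seen() {
  idfw_sessions "$1" | awk -v vm="$2" '
    $2 == "SESSION_TYPE_LOGON" && $3 == vm && $4 != "-" { found = 1 }
    END { exit !found }'
}

# Stand-alone demo over the constructed sample.
demo=$(idfw_sample_file)
idfw_sessions "$demo"
if idfw_logon_seen "$demo" 11111111-2222-3333-4444-555555555555; then
  echo "LOGON with identity seen on the host: if NSX Manager still has no event, troubleshoot per KB 377600"
else
  echo "no LOGON with identity for this VM on the host: continue with the Resolution section"
fi
rm -f "$demo"
```

On a live host run `idfw_sessions /var/run/log/nsx-syslog.log` (or point it at the nsx-syslog.log files from the support bundle, including rotated ones); a CONNECT followed by no LOGON for the VM's vcUuid is the pattern this KB's Resolution section addresses, while a LOGON that never reaches nsxapi.log on any Manager is a Manager-side problem covered by KB 377600.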

Resolution


  1. In an elevated command prompt, verify that the NSX File Introspection Driver and NSX Network Introspection Driver are installed and running:
    1. sc query vsepflt
    2. sc query vsepwfp
    3. A successful query lists the driver with STATE : 4 RUNNING.
    4. If "sc query vsepflt" returns "The specified service does not exist as an installed service.", then
      1. Verify the DLL and drivers are present on the VM:
        1. C:\Windows\System32\drivers\vsepflt.sys
        2. C:\Windows\System32\drivers\vswpWFP.sys
        3. C:\Program Files\VMware\VMware Tools\vsepumc.dll
      2. If any of the files are missing, then:
        1. In the VMware Tools installer, ensure the NSX File Introspection Driver and NSX Network Introspection Driver features are installed.
        2. If the installer shows the features as installed but the files are missing, uninstall and reinstall the NSX File Introspection Driver and NSX Network Introspection Driver features.
    5. If this does not resolve the issue, enable DEBUG logging for vsep:
      1. In the guest VM, create the VMware Tools config file if it is not present already (by default there is only a tools.conf.example).
      2. notepad 'C:\ProgramData\VMware\VMware Tools\tools.conf'
      3. Add the following lines to the config file and save it.  No service restart is needed.
        [logging]
        log = true

        vsep.level = debug
        vsep.handler = file
        vsep.data = c:/Windows/Temp/vsep.log
      4. Get the host side logs too with nsx-opsagent set to trace
        1. Enable TRACE logging from the ESXi command prompt
          1. nsxcli -c set service nsx-opsagent logging-level trace
        2. Find the logs in nsx-syslog.log
      5. Log out of the VM and back in.
        1. Gather the vsep log at c:/Windows/Temp/vsep.log from the VM.
        2. Gather the ESXi host support bundle to get the nsx-opsagent logs in nsx-syslog.log.
      6. Set nsx-opsagent logging back to INFO; TRACE is verbose and should not be left on.
        1. nsxcli -c set service nsx-opsagent logging-level info
      7. Upload the logs to Broadcom ANS Security Support.