Unable to Find firewallpkt.log File in Edge Nodes
Article ID: 379508

Updated On:

Products

VMware vDefend Firewall

Issue/Introduction

Logs for gateway firewall rules that have logging enabled cannot be reviewed because the firewallpkt.log file is not present on the Edge nodes.

Environment

VMware NSX

Cause

The firewallpkt.log file may be missing from the NSX Edge nodes if logging is not enabled for the intended rule(s). If logging is enabled but the log file has not been created, it may indicate that no traffic has been processed by the firewall or that the traffic is not hitting the intended rule. In this case, it is recommended to initiate some traffic and check whether the log file is created. If the file still does not appear, performing a Traceflow is necessary to verify whether the traffic is hitting the firewall rules as expected. This helps identify whether the issue lies within the firewall configuration or elsewhere.

Resolution


  1. Enable Gateway Firewall rule Logging. See step #17 here: https://docs.vmware.com/en/VMware-NSX/4.2/administration/GUID-DE6FE8CB-017E-41C8-85FC-D71CF27F85C2.html

  2. Generate traffic from the source VM to the destination.

  3. After initiating traffic, SSH into the NSX Edge node as root and check the /var/log/ directory for the firewallpkt.log file. Use the following command:


    1. ls -l /var/log/firewallpkt.log



  4. If the log file is still not found, conduct a Traceflow to determine if traffic is hitting the firewall rules. Access the Traceflow feature in the NSX Manager:

    1. Navigate to Plan & Troubleshoot > Traceflow.

    2. Configure the source, destination, and protocol, then start the trace.

    3. Analyze the results to see if the packets are being processed by the firewall.



  5. If Traceflow indicates that traffic is not hitting the firewall, review your environment configuration to ensure that the traffic is hitting the right Tier 0 or Tier 1 gateway.
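
Steps 2 to 4 above can be scripted so that a missing file, an empty file and a file that did not change during the test are told apart. This is an added example, not VMware code: the log path comes from the article, while the function names, the verdict strings and the wait-time argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example. FWLOG is the path named in the article; everything else
# (function names, verdict strings) is hypothetical.
FWLOG="${FWLOG:-/var/log/firewallpkt.log}"

# Print the size of the log in bytes, or -1 when the file does not exist.
fwlog_size() {
    if [ -f "$1" ]; then
        echo $(( $(wc -c < "$1") ))
    else
        echo -1
    fi
}

# Compare a size taken before the test traffic with the current state.
# Usage: fwlog_verdict BEFORE_BYTES FILE
fwlog_verdict() {
    before=$1
    after=$(fwlog_size "$2")
    if [ "$after" -lt 0 ]; then
        echo "missing"    # never created: check rule logging, then run Traceflow
    elif [ "$after" -eq 0 ]; then
        echo "empty"      # file exists but holds no entries
    elif [ "$after" -gt "$before" ]; then
        echo "growing"    # new entries were written during the test
    elif [ "$after" -lt "$before" ]; then
        echo "rotated"    # file shrank (rotated or truncated) and has new entries
    else
        echo "unchanged"  # test traffic did not hit a rule with logging enabled
    fi
}

# Run with a wait time in seconds: take a snapshot, wait while the test
# traffic is generated from the source VM, then report the verdict.
if [ -n "${1:-}" ]; then
    before=$(fwlog_size "$FWLOG")
    sleep "$1"
    fwlog_verdict "$before" "$FWLOG"
fi
```

A verdict of `missing` or `unchanged` after test traffic is the point at which the Traceflow in step 4 applies.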