Steps to troubleshooting ELS (Event Log Scraping) based IDFW (Identity based Firewall)

Article ID: 436006

Products

VMware vDefend Firewall
VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

This document guides NSX administrators through systematically troubleshooting NSX ELS-based Identity Firewall (IDFW) issues. IDFW lets administrators enforce security policies based on user identity, securing environments where access to applications depends on user roles or identities. Because of its complexity, deployment or performance issues can arise, and a structured troubleshooting approach is needed.

This KB walks through the step-by-step process of identifying and resolving potential issues with ELS-based IDFW.

Environment

VMware vDefend Firewall

Resolution

The purpose of ELS IDFW is to detect logins on physical devices and to use those logins to allow or block connections to VMs in the NSX environment. ELS can also be used to detect logins to VMs; however, Guest Introspection is the recommended method for that case.

  • Check the prerequisites
    • Go to Security - Distributed Firewall - Settings - Identity Firewall Settings 
      • Verify that the toggle switch "Identity Firewall Service" is enabled
      • Verify that the proper vCenter Clusters are also enabled

    • Ensure Event Log Scraping is enabled as a log source
      • Go to Security - General Settings - Identity Firewall Event Log Sources
      • Verify that the toggle switch "AD Log Scraper" is enabled.

    • Go to System - Identity Firewall AD and ensure your Active Directory domain is defined
      • LDAP Servers - At least one LDAP Server must be created to sync the AD Groups and Users, but you do not need all AD servers listed.
      • Event Log Servers - All AD servers MUST be entered here, as a user login could be logged on any AD server in your environment; every AD server must be scraped to catch every login.
      • If you have chosen to sync only selected Organizational Units (OUs), verify that you select both the OUs containing the groups and the OUs containing the users, as both are needed for IDFW.

  • DFW rules using ELS are written slightly differently from Guest Introspection (GI) rules
    • The source group MUST contain at least one LDAP Group that contains the users that are significant for the rule.
    • The DFW rule must be applied to the destination VM or VMs. This differs from GI IDFW rules, which are applied to the source VM.

  • Once the rules are written, confirm the rules are applied to the destination VM(s).
    • Log into the ESXi host where the destination VM resides
    • To get the filter ID, execute summarize-dvfilter | grep <VM-name> -A 9
      world ###### vmm0:test-vm vcUuid:'## ## ## ## ## ## ##-## ## ## ## ## ## ## ##'
      port ######### test-vm.eth1 
      vNic slot 2
      name: nic-######-eth1-vmware-sfw.2 <---- This is the dvfilter ID we'll use in the next command.
      agentName: vmware-sfw
      state: IOChain Attached
      vmState: Attached
      failurePolicy: failClosed
      serviceVMID: 1
      filter source: Dynamic Filter Creation
      moduleName: nsxt-vsip-#########
    • Execute vsipioctl getfwconfig -f nic-######-eth1-vmware-sfw.2 | less
      ruleset mainrs {
      # generation number: 0
      # realization time : 2026-03-27T17:41:38
      # FILTER (APP Category) rules

       rule 4079 at 6 inout protocol tcp strict from any to addrset de0cfb61-3c7b-4948-b7e4-########### port 3389 with extended src 6663cd67-c20c-4264-9463-############ with attribute profile da8fa8a4-2dbd-4bcd-8162-############ accept with log tag 'IDFW RDP to jumpbox from physical machine';
      }

      addrset de0cfb61-3c7b-4948-b7e4-############ {
      # generation number: 0
      # realization time : 2026-03-27T17:41:38
      # refs: 1, 0 flags: 0x30000025 (ROOT,GLOBAL,PER,ACT,ANCREF)
      ip ##.##.##.##  <----- Destination VM must be part of this NSX Group and IP must be displayed here

      container 6663cd67-c20c-4264-9463-############ {
      # generation number: 1
      # realization time : 2026-03-27T17:41:38
      # refs: 2, 0 flags: 0x30000025 (ROOT,GLOBAL,PER,ACT,ANCREF)
      WIN_SID : S-#-#-##-##########-##########-##########-####, <----- The extended src group must contain the SID of the AD Group(s) that contain the significant users
      }

      container da8fa8a4-2dbd-4bcd-8162-############ {  <---- This rule has a context profile for RDP.  Context Profiles are not necessary for an IDFW rule but only here as an example.
      # generation number: 1731025376652
      # realization time : 2026-03-27T17:41:38
      # refs: 2, 0 flags: 0x30000025 (ROOT,GLOBAL,PER,ACT,ANCREF)
      APP_ID : APP_RDP,
      }
    • Once a login is detected that matches the AD Group, the rule will be slightly different in vsipioctl.
      rule 4079 at 6 inout protocol tcp strict from any to addrset de0cfb61-3c7b-4948-b7e4-########### port 3389 with extended src 6663cd67-c20c-4264-9463-############ with ext_src_ip addreset rextip4079 with attribute profile da8fa8a4-2dbd-4bcd-8162-############ accept with log tag 'IDFW RDP to jumpbox from physical machine';
    • The ext_src_ip address set rextip4079 is created once a matching login is detected, and the IP of the physical Windows machine where the login occurred is inserted into it.

    • Once a login is detected, you will find a session in the UI at Security - Security Overview - Configuration in the Identity Firewall User Sessions section, on the bottom left side of the screen.
  • The rule should now work. If it does not, contact support.
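The two ESXi checks above (reading the filter ID out of summarize-dvfilter, then inspecting vsipioctl getfwconfig for the destination addrset, the WIN_SID container and the ext_src_ip addrset that appears once a login is scraped) can be run over captured output instead of by eye. The following Python script is an added example and is not part of this KB or of the NSX tooling; the sample command output, UUIDs, IP addresses and SID in it are constructed, and the function names are this example's own.

```python
"""Offline checks for the two ESXi commands in the KB (added example, not
NSX tooling). Parses captured `summarize-dvfilter` and
`vsipioctl getfwconfig -f <filter>` text and reports whether an ELS IDFW
rule is realized as described: destination addrset holds the VM IP, the
extended-src container holds an AD group SID, and after a login an
ext_src_ip addrset with the physical machine's IP is attached to the rule.
All sample output, UUIDs, IPs and the SID below are constructed."""
import re

SUMMARY_SAMPLE = """\
world 123456 vmm0:test-vm vcUuid:'50 1a 2b 3c 4d 5e 6f 70-81 92 a3 b4 c5 d6 e7 f8'
 port 67108876 test-vm.eth1
  vNic slot 2
  name: nic-123456-eth1-vmware-sfw.2
  agentName: vmware-sfw
  state: IOChain Attached
world 123457 vmm0:other-vm vcUuid:'60 1a 2b 3c 4d 5e 6f 70-81 92 a3 b4 c5 d6 e7 f9'
 port 67108877 other-vm.eth0
  name: nic-123457-eth0-vmware-sfw.2
  agentName: vmware-sfw
"""

DST_SET = "11111111-1111-1111-1111-111111111111"   # constructed NSX Group (destination VMs)
GRP_SET = "22222222-2222-2222-2222-222222222222"   # constructed container (AD group SIDs)

FWCONFIG_BEFORE_LOGIN = f"""\
ruleset mainrs {{
# FILTER (APP Category) rules
 rule 4079 at 6 inout protocol tcp strict from any to addrset {DST_SET} port 3389 with extended src {GRP_SET} accept with log tag 'IDFW RDP to jumpbox';
}}

addrset {DST_SET} {{
# refs: 1, 0 flags: 0x30000025 (ROOT,GLOBAL,PER,ACT,ANCREF)
ip 192.0.2.10,
}}

container {GRP_SET} {{
# refs: 2, 0 flags: 0x30000025 (ROOT,GLOBAL,PER,ACT,ANCREF)
WIN_SID : S-1-5-21-1111111111-2222222222-3333333333-1234,
}}
"""

# After ELS scrapes a matching login the rule gains an ext_src_ip addrset
# holding the physical machine's IP (constructed 198.51.100.25 here).
FWCONFIG_AFTER_LOGIN = FWCONFIG_BEFORE_LOGIN.replace(
    f"with extended src {GRP_SET} accept",
    f"with extended src {GRP_SET} with ext_src_ip addrset rextip4079 accept",
) + "addrset rextip4079 {\n# refs: 1, 0\nip 198.51.100.25,\n}\n"

WORLD_RE = re.compile(r"^\s*world \d+ vmm0:(\S+)")
NAME_RE = re.compile(r"^\s*name:\s*(\S+)")
# One top-level "<kind> <name> {" ... "}" block; the brace line may carry notes.
BLOCK_RE = re.compile(r"^(ruleset|addrset|container) (\S+) \{[^\n]*\n(.*?)^\s*\}", re.M | re.S)
RULE_RE = re.compile(
    r"^\s*rule (\d+).*? to addrset (\S+).*? with extended src (\S+)"
    r"(?: with ext_src_ip addrset (\S+))?", re.M)
SID_RE = re.compile(r"S-\d+(-\d+)+")


def filter_names_for_vm(summary_text, vm_name):
    """dvfilter names for vm_name's vNICs: the filter ID the KB reads off
    `summarize-dvfilter | grep <VM-name> -A 9`."""
    names, current = [], None
    for line in summary_text.splitlines():
        w = WORLD_RE.match(line)
        if w:
            current = w.group(1)
            continue
        n = NAME_RE.match(line)
        if n and current == vm_name and "-vmware-sfw." in n.group(1):
            names.append(n.group(1))
    return names


def parse_fwconfig(text):
    """Split getfwconfig output into IDFW rules, addrsets and containers."""
    rules, addrsets, containers = [], {}, {}
    for kind, name, body in BLOCK_RE.findall(text):
        entries = [ln.strip() for ln in body.splitlines()
                   if ln.strip() and not ln.lstrip().startswith("#")]
        if kind == "ruleset":
            for m in RULE_RE.finditer(body):   # only rules with an extended src are IDFW rules
                rules.append({"id": int(m.group(1)), "dst": m.group(2),
                              "ext_src": m.group(3), "ext_src_ip": m.group(4)})
        elif kind == "addrset":
            addrsets[name] = [e.split()[1].rstrip(",") for e in entries if e.startswith("ip ")]
        elif kind == "container":
            containers[name] = [e.split(":", 1)[1].strip().rstrip(",")
                                for e in entries if e.startswith("WIN_SID")]
    return rules, addrsets, containers


def check_idfw_rules(text, dest_vm_ip):
    """One verdict per IDFW rule, mirroring the KB's three manual checks."""
    rules, addrsets, containers = parse_fwconfig(text)
    verdicts = []
    for r in rules:
        login_ips = addrsets.get(r["ext_src_ip"], []) if r["ext_src_ip"] else []
        verdicts.append({
            "rule": r["id"],
            "dest_ip_in_addrset": dest_vm_ip in addrsets.get(r["dst"], []),
            "group_has_sid": any(SID_RE.fullmatch(s) for s in containers.get(r["ext_src"], [])),
            "login_detected": bool(login_ips),
            "login_source_ips": login_ips,
        })
    return verdicts


if __name__ == "__main__":
    print(filter_names_for_vm(SUMMARY_SAMPLE, "test-vm"))
    for v in check_idfw_rules(FWCONFIG_AFTER_LOGIN, "192.0.2.10"):
        print(v)
```

Copy the output of the two commands from the ESXi host into files, read them, and call check_idfw_rules with the destination VM's IP. A verdict with dest_ip_in_addrset False points back to the NSX Group membership of the destination VM, group_has_sid False to the LDAP sync or the source group of the rule, and login_detected False means ELS has not yet scraped a login for a user in that group.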