VMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall
DESCRIPTION
VMworld 2013. Speakers: Srinivas Nimmagadda, VMware; Shadab Shah, VMware. Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare
TRANSCRIPT
![Page 1: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/1.jpg)
Deploying, Troubleshooting, and Monitoring VMware
NSX Distributed Firewall
Srinivas Nimmagadda, VMware
Shadab Shah, VMware
SEC5894
#SEC5894
![Page 2: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/2.jpg)
2
Agenda
Introduce NSX Firewall
Architecture and Packet Path for NSX Firewall
Demonstrate powerful provisioning paradigms of NSX Firewall
• 3-Tier Application – (3 VXLANs) or (1 VXLAN)
• Multi-Tenant Scenario
Troubleshooting NSX Firewall
Deployment of NSX Firewall (RBAC, Audit Logging, …)
Monitoring NSX Firewall
![Page 3: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/3.jpg)
3
Hypervisor Kernel Embedded Firewall
Benefits:
• Built directly into the hypervisor kernel
• “Line rate” performance (15Gbps+ per host)
• Enforced outside the guest at the vNIC, so no VM can circumvent it (there is no in-guest agent to disable)
• Better compliance model
![Page 4: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/4.jpg)
4
Distributed Virtual Firewall
(diagram: VMs spread across many hosts, each host enforcing the firewall locally)
Benefits:
• No “choke point”
• Scale out
• Enforcement closest to the VM
![Page 5: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/5.jpg)
5
Flexible Access Control Mechanisms
(diagram: VMs grouped by IP/VLAN, by security group and by tag)
Benefits:
• IP/VLAN: supports rules based on the physical infrastructure
• Security Groups: logical grouping of VMs
• VM asset tags: dynamic VM attributes
• Rules follow the VMs (the policy stays with the VM when it moves between hosts)
![Page 6: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/6.jpg)
6
Identity Based Access Control
Active Directory user Eric Frost, logged in on VM Eric-Win7 (IP: 192.168.10.75)

Rule Table

| Source | Destination | Services | Action |
|---|---|---|---|
| Engineering | Ent-Sharepoint | http | Permit, Log |

Logs

| User | AD Group | App Name | Originating VM Name | Destination VM Name | Source IP | Destination IP |
|---|---|---|---|---|---|---|
| Eric Frost | Engineering | SPDesigner.exe | Eric-Win7 | Ent-Sharepoint | 192.168.10.75 | 192.168.10.78 |
![Page 7: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/7.jpg)
8 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Packet Path – Source & Destination on same Host
(diagram: External Network; Source and Destination VMs attached to the same vSwitch)
• Traffic between two VMs on the same host does not hit the physical switch
• Firewalling is enforced close to the source VM (at its vNIC, on egress)
• Firewalling is also done as the traffic enters the destination VM’s vNIC
![Page 8: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/8.jpg)
9
Packet Path – Traffic across Hosts
(diagram: External Network; Source and Destination VMs on different hosts, each with its own vSwitch)
• Traffic between two VMs on different hosts crosses the physical switches
• Firewalling is enforced at both the source and the destination VM vNICs
• Virtual-to-physical traffic follows a similar flow (enforced at the VM vNIC only)
![Page 9: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/9.jpg)
10
Firewall Management Life Cycle
Prepare: Deploy firewall on hosts; Enable logging; VMTools for VMs (needed for Activity Monitoring)
Policy: vCenter objects; Configure access rules; Sections
Troubleshoot: Logs with rule IDs; Rule hit count; Enforced rules on a host; Packet captures
Monitor: Flow Monitoring; Activity Monitoring
Operations: Audit tracking; Role Based Access Control; Import/Export of configurations
![Page 10: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/10.jpg)
11
Prepare: Deploy Firewall, Enable Logging, Deploy VMTools
![Page 11: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/11.jpg)
12
Deploy NSX Firewall
![Page 12: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/12.jpg)
13
Network Setup
![Page 13: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/13.jpg)
14
Enable Firewall Logging
ESXi advanced setting: Syslog.global.logHost = tcp://10.24.131.189:514
This points the host's syslog service at the remote collector; the DFW packet log (dfwpktlogs) is forwarded along with the other host logs. The same setting can be applied from the ESXi shell with esxcli system syslog config set --loghost=tcp://10.24.131.189:514 followed by esxcli system syslog reload, and the outbound syslog ruleset of the ESXi firewall must be enabled (esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true). Note that tcp:// sends the logs in cleartext; ssl:// is also accepted when the collector supports TLS.
![Page 14: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/14.jpg)
15
Enable VMTools
![Page 15: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/15.jpg)
16
Policy: Policy Objects, Access Control Rules
![Page 16: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/16.jpg)
17
3-Tier Application Deployment
(diagram) Two layouts of the same application, both reachable from the External Networks:
• One logical switch per tier: Web Services (Vxlan-5002: Web-sv-01a), App Services (Vxlan-5003: App-sv-01a), DB Services (Vxlan-5001: Db-sv-01a)
• A single logical switch (Vxlan-5004) carrying all three tiers: Web-sv-02a, App-sv-02a, Db-sv-02a
• Clients sit on a separate Client logical switch (Vxlan-5000: Client-01, Client-02)
![Page 17: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/17.jpg)
18
Create Security Groups (Static VM Assignment)
![Page 18: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/18.jpg)
19
Create Security TAGs for PCI & DevTest Zones
![Page 19: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/19.jpg)
20
Define AD Domain (for IDFW Rules)
![Page 20: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/20.jpg)
21
Create User Based Access Rules
![Page 21: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/21.jpg)
22
Multi-Tenancy With NSX Firewall
(diagram) External Networks; one logical switch per tenant (Tenant 1 Logical Switch, Tenant 2 Logical Switch), each carrying that tenant's VMs; tenant-specific Routing, VPN and NAT at the edge; micro-segmentation inside each tenant with the distributed firewall.
![Page 22: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/22.jpg)
23
Tenant-01 Access Rules
Objects:
• ALL-CUST-VXLANS (contains Tenant01-VXLAN and Tenant02-VXLAN)
• Tenant01-Services (192.168.10.0/24)
• Tenant02-FIN-Apps (192.168.10.0/24)
Both tenants use the same 192.168.10.0/24 range, so an IP-based object on its own cannot tell the tenants apart. The tenant sections are therefore scoped with Apply To to the tenant's own logical switch, so their rules exist only on that tenant's vNICs; the SP (service provider) sections carry no Apply To and are enforced on every vNIC.

Tenant-01 Section

| Source | Destination | Services | Action | Apply To |
|---|---|---|---|---|
| Tenant01-VXLAN | Tenant01-Services | Any | Permit | Tenant01-VXLAN |
| … | … | … | … | Tenant01-VXLAN |
| Tenant01-VXLAN | Tenant01-VXLAN | Any | Deny | Tenant01-VXLAN |

SP Tenant-01 Section

| Source | Destination | Services | Action | Apply To |
|---|---|---|---|---|
| ALL-CUST-VXLANS | Tenant01-VXLAN | Any | Deny | |
| Tenant01-VXLAN | ALL-CUST-VXLANS | Any | Deny | |
![Page 23: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/23.jpg)
24
Tenant-02 Access Rules

Tenant-02 Section

| Source | Destination | Services | Action | Apply To |
|---|---|---|---|---|
| Tenant02-FINANCE | Tenant02-FIN-Apps | http, https | Permit, log | Tenant02-VXLAN |
| … | … | … | … | Tenant02-VXLAN |
| Tenant02-VXLAN | Tenant02-VXLAN | Any | Deny | Tenant02-VXLAN |

SP Tenant-02 Section

| Source | Destination | Services | Action | Apply To |
|---|---|---|---|---|
| ALL-CUST-VXLANS | Tenant02-VXLAN | Any | Deny | |
| Tenant02-VXLAN | ALL-CUST-VXLANS | Any | Deny | |
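The two tenant rule tables above are easier to reason about when evaluated against concrete flows. The following is an added example, not code from the slides or from NSX: a simplified first-match model of the rule tables, with a hypothetical vNIC inventory in which both tenants really do use 192.168.10.0/24. Logical-switch objects are resolved here by the vNIC's switch membership and the *-Services/*-Apps objects by CIDR, while the real DFW translates all of these to address sets per filter; Tenant02-FINANCE, an identity-based source on the slide, is modelled as an explicit set of vNICs. The model shows three things: same-tenant flows are permitted, cross-tenant flows are denied, and a CIDR-based destination object alone cannot tell the tenants apart (the egress lookup on a Tenant-01 vNIC matches a Tenant-02 VM by IP; only the two-sided enforcement and the SP deny rules stop it). It also shows what happens if the SP sections are placed above the tenant sections.

```python
from ipaddress import ip_address, ip_network

DEFAULT_ACTION = "permit"   # the per-host rule dump later in the deck ends in an accept-any rule

# Hypothetical vNIC inventory (assumption). Both tenants use 192.168.10.0/24, as the
# object definitions on the slide show, so an IP alone does not identify a tenant.
VNICS = {
    "t1-web": {"switch": "Tenant01-VXLAN", "ip": "192.168.10.11"},
    "t1-svc": {"switch": "Tenant01-VXLAN", "ip": "192.168.10.50"},
    "t2-fin": {"switch": "Tenant02-VXLAN", "ip": "192.168.10.11"},
    "t2-app": {"switch": "Tenant02-VXLAN", "ip": "192.168.10.50"},
}

# Objects from the slides. Tenant02-FINANCE is an identity source on the slide;
# here it is an explicit vNIC set (assumption).
GROUPS = {
    "Tenant01-VXLAN":    {"switch": {"Tenant01-VXLAN"}},
    "Tenant02-VXLAN":    {"switch": {"Tenant02-VXLAN"}},
    "ALL-CUST-VXLANS":   {"switch": {"Tenant01-VXLAN", "Tenant02-VXLAN"}},
    "Tenant01-Services": {"cidr": "192.168.10.0/24"},
    "Tenant02-FIN-Apps": {"cidr": "192.168.10.0/24"},
    "Tenant02-FINANCE":  {"vnics": {"t2-fin"}},
}

# (source, destination, services, action, apply_to); apply_to None = present on every vNIC.
# Order is the section order on the slides: tenant sections first, SP sections last.
RULES = [
    ("Tenant01-VXLAN",   "Tenant01-Services", "any",             "permit", "Tenant01-VXLAN"),
    ("Tenant01-VXLAN",   "Tenant01-VXLAN",    "any",             "deny",   "Tenant01-VXLAN"),
    ("Tenant02-FINANCE", "Tenant02-FIN-Apps", {"http", "https"}, "permit", "Tenant02-VXLAN"),
    ("Tenant02-VXLAN",   "Tenant02-VXLAN",    "any",             "deny",   "Tenant02-VXLAN"),
    ("ALL-CUST-VXLANS",  "Tenant01-VXLAN",    "any",             "deny",   None),
    ("Tenant01-VXLAN",   "ALL-CUST-VXLANS",   "any",             "deny",   None),
    ("ALL-CUST-VXLANS",  "Tenant02-VXLAN",    "any",             "deny",   None),
    ("Tenant02-VXLAN",   "ALL-CUST-VXLANS",   "any",             "deny",   None),
]
SP_SECTIONS_FIRST = RULES[4:] + RULES[:4]   # the wrong section order, for comparison


def is_member(vnic, group):
    """Resolve group membership by switch, by CIDR, or by explicit vNIC list."""
    v, g = VNICS[vnic], GROUPS[group]
    if "switch" in g:
        return v["switch"] in g["switch"]
    if "cidr" in g:
        return ip_address(v["ip"]) in ip_network(g["cidr"])
    return vnic in g["vnics"]


def first_match(rules, vnic, src, dst, service):
    """First-match lookup on one vNIC's filter; only rules whose Apply To covers it are present."""
    switch = VNICS[vnic]["switch"]
    for idx, (s, d, svc, action, scope) in enumerate(rules):
        if scope not in (None, switch):
            continue
        if is_member(src, s) and is_member(dst, d) and (svc == "any" or service in svc):
            return idx, action
    return None, DEFAULT_ACTION


def verdict(rules, src, dst, service):
    """A flow passes only if the source vNIC (egress) and destination vNIC (ingress) both permit it."""
    out_idx, out_action = first_match(rules, src, src, dst, service)
    in_idx, in_action = first_match(rules, dst, src, dst, service)
    final = "permit" if out_action == in_action == "permit" else "deny"
    return final, out_idx, in_idx


if __name__ == "__main__":
    for flow in [("t1-web", "t1-svc", "http"), ("t2-fin", "t2-app", "https"),
                 ("t2-app", "t2-fin", "http"), ("t1-web", "t2-fin", "http")]:
        print(flow, "->", verdict(RULES, *flow))
    print("SP sections first, t1-web -> t1-svc:", verdict(SP_SECTIONS_FIRST, "t1-web", "t1-svc", "http"))
```

The cross-tenant case is the one to study: the egress lookup on t1-web matches rule 0 and permits, because t2-fin's address falls inside Tenant01-Services, and only the ingress filter on t2-fin (SP rule 5) denies the flow. With the SP sections moved above the tenant sections, even same-tenant traffic is denied, which is why section order is part of the policy and belongs under the audit log and RBAC controls discussed later in the deck.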
![Page 24: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/24.jpg)
25
Host And Network Security Services
Anti Virus
Vulnerability Scanner
DLP
IPS
NGFW
![Page 25: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/25.jpg)
26
Dynamic Security Group Membership
Firewall Rule Table
![Page 26: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/26.jpg)
27
Troubleshooting: Log Policy, Rule Hit Count, Enforced Per Host Rules, Packet Capture
![Page 27: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/27.jpg)
28
vCenter Host Kernel Log
![Page 28: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/28.jpg)
29
Log Insight
| Source | Dest | SPORT | DPORT | Action | Rule ID |
|---|---|---|---|---|---|
| 10.113.132.192 | 172.25.40.101 | 62517 | 3389 | DROP | 1011 |
![Page 29: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/29.jpg)
30
Lookup Rules By ID
![Page 30: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/30.jpg)
31
Rule Statistics
![Page 31: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/31.jpg)
32
Per VM Rules
> summarize-dvfilter
> vsipioctl getrules -f nic-1000942032-eth0-vmware-sfw.2
ruleset domain-c7 {
  # Filter rules
  rule 1024 at 1 inout protocol tcp from addrset ip-securitygroup-34 to addrset ip-securitygroup-29 port 80 accept with log;
  rule 1024 at 2 inout protocol tcp from addrset ip-securitygroup-34 to addrset ip-securitygroup-29 port 443 accept with log;
  rule 1002 at 11 inout protocol any from any to any accept with log;
}
ruleset domain-c7_L2 {
  rule 1001 at 1 inout ethertype any from any to any accept;
}
Rule 1024 appears twice because a policy rule with two services (http, https) expands into one kernel rule per service; the kernel positions 3 to 10 are omitted on the slide. Rule 1002 is the default rule, and on this vNIC it accepts any protocol from any to any, so the effective default for this filter is allow; anything not explicitly denied above it gets through.
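The two troubleshooting steps shown on the last few slides, reading the rule ID out of a dropped-packet log entry and looking that ID up in the rules enforced on the host, are the pieces a detection pipeline joins. The following is an added example, not code from the slides or from VMware: it parses a `vsipioctl getrules` listing and DFW packet-log lines, counts hits per rule ID with the matching rule definitions, and flags a catch-all accept rule such as 1002. The rule listing is constructed from the slide, with a hypothetical rule 1011 (drop RDP) added so the log sample resolves; the dfwpktlogs lines are constructed and their field order is an approximation of the NSX-v host log format, so verify the regex against your own hosts before relying on it.

```python
import re
from collections import Counter

# Constructed sample modelled on the slide's `vsipioctl getrules` output.
# Rule 1011 (drop RDP) is hypothetical and added so the log sample below resolves.
GETRULES_SAMPLE = """\
ruleset domain-c7 {
  # Filter rules
  rule 1024 at 1 inout protocol tcp from addrset ip-securitygroup-34 to addrset ip-securitygroup-29 port 80 accept with log;
  rule 1024 at 2 inout protocol tcp from addrset ip-securitygroup-34 to addrset ip-securitygroup-29 port 443 accept with log;
  rule 1011 at 3 inout protocol tcp from any to addrset ip-securitygroup-29 port 3389 drop with log;
  rule 1002 at 11 inout protocol any from any to any accept with log;
}
ruleset domain-c7_L2 {
  rule 1001 at 1 inout ethertype any from any to any accept;
}
"""

# Constructed dfwpktlogs-style syslog lines (field order approximated; check against real hosts).
PKTLOG_SAMPLE = [
    "2013-08-26T10:15:01Z esx-01a dfwpktlogs: 1200 INET match DROP domain-c7/1011 IN 60 TCP 10.113.132.192/62517->172.25.40.101/3389 S",
    "2013-08-26T10:15:02Z esx-01a dfwpktlogs: 1201 INET match DROP domain-c7/1011 IN 60 TCP 10.113.132.192/62518->172.25.40.101/3389 S",
    "2013-08-26T10:15:03Z esx-01a dfwpktlogs: 1202 INET match PASS domain-c7/1024 OUT 60 TCP 192.168.10.75/50211->192.168.10.78/80 S",
    "2013-08-26T10:15:04Z esx-01a dfwpktlogs: 1203 INET match PASS domain-c7/1002 OUT 60 UDP 192.168.10.75/5353->224.0.0.251/5353",
]

RULE_RE = re.compile(
    r"rule (?P<id>\d+) at (?P<pos>\d+) (?P<dir>\w+) (?P<kind>protocol|ethertype) (?P<proto>\S+) "
    r"from (?P<src>.+?) to (?P<dst>.+?)(?: port (?P<port>\d+))? (?P<action>accept|drop|reject)(?P<log> with log)?;"
)
PKTLOG_RE = re.compile(
    r"dfwpktlogs: \d+ INET match (?P<action>\w+) (?P<domain>[\w-]+)/(?P<rule>\d+) (?P<dir>IN|OUT) "
    r"\d+ (?P<proto>\w+) (?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_rules(text):
    """Return the kernel rules as dicts, each tagged with the ruleset it belongs to."""
    rules, ruleset = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("ruleset "):
            ruleset = line.split()[1]
            continue
        m = RULE_RE.match(line)
        if m:
            r = m.groupdict()
            r["ruleset"] = ruleset
            r["log"] = r["log"] is not None
            rules.append(r)
    return rules


def parse_pktlogs(lines):
    """Extract action, rule ID, 5-tuple from each packet-log line; lines that do not match are skipped."""
    return [m.groupdict() for m in (PKTLOG_RE.search(line) for line in lines) if m]


def hits_by_rule(rules, logs):
    """Join log entries to rule definitions by rule ID: {id: (hit count, actions seen, definitions)}."""
    defs_by_id = {}
    for r in rules:
        text = f'{r["proto"]} {r["src"]} -> {r["dst"]}'
        if r["port"]:
            text += f' port {r["port"]}'
        defs_by_id.setdefault(r["id"], []).append(f'{text} {r["action"]}')
    counts = Counter(entry["rule"] for entry in logs)
    result = {}
    for rid, n in counts.items():
        actions = sorted({e["action"] for e in logs if e["rule"] == rid})
        result[rid] = (n, actions, defs_by_id.get(rid, []))
    return result


def permissive_catch_alls(rules):
    """L3 rules that accept any protocol from any to any: the effective default is allow."""
    return [r["id"] for r in rules if r["kind"] == "protocol" and r["proto"] == "any"
            and r["src"] == "any" and r["dst"] == "any" and r["action"] == "accept"]


def unlogged_rules(rules):
    """Rules without 'with log' never produce a packet-log entry, so their hits are invisible."""
    return [r["id"] for r in rules if not r["log"]]


if __name__ == "__main__":
    rules = parse_rules(GETRULES_SAMPLE)
    for rid, (n, actions, defs) in hits_by_rule(rules, parse_pktlogs(PKTLOG_SAMPLE)).items():
        print(rid, n, actions, defs)
    print("catch-all accept rules:", permissive_catch_alls(rules))
    print("rules without logging:", unlogged_rules(rules))
```

In a real pipeline the rule listing comes from `vsipioctl getrules -f <filter>` on each host and the packet logs from the syslog collector configured earlier; joining them on rule ID is what turns a DROP line into "which policy rule, on which vNIC, dropped it".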
![Page 32: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/32.jpg)
33
Packet Capture
In the ESXi shell, summarize-dvfilter lists the dvfilter instances on the host; the distributed firewall filter for a vNIC is the one with the vmware-sfw suffix. Capture the traffic seen by that filter with:
summarize-dvfilter
pktcap-uw --dvfilter nic-1000942032-eth0-vmware-sfw.2 --outfile test.pcap
pktcap-uw can also capture on either side of the filter (--capture PreDVFilter or --capture PostDVFilter), which shows whether the distributed firewall, rather than something else in the path, is what drops a packet.
![Page 33: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/33.jpg)
34
Monitoring: Flow Monitor, Activity Monitor
![Page 34: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/34.jpg)
35
Flow Monitoring
• All flows from the VMs accumulated on NSX Manager
• Provides aggregated historic data for dropped, active and inactive flows
![Page 35: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/35.jpg)
36
Flow Monitoring, Details
![Page 36: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/36.jpg)
37
Live Flows
![Page 37: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/37.jpg)
38
Enable Activity Monitoring for VMs
![Page 38: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/38.jpg)
39
Activity Monitoring
![Page 39: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/39.jpg)
40
Operations: Audit Log, Users & RBAC, Config Backup/Restore
![Page 40: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/40.jpg)
41
Audit Log
![Page 41: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/41.jpg)
42
User Management & RBAC
![Page 42: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/42.jpg)
43
Firewall Config Backup/Restore
![Page 43: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/43.jpg)
44
Summary
NSX Firewall: East/West traffic control; Identity & VM awareness; High performance & scale-out
Operational Workflows: Policy management; Troubleshooting; Monitoring; RBAC; REST API & automation
Take Aways: Enables business agility; Delivers superior performance & scale; Simplifies firewall management
![Page 44: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/44.jpg)
45
Other VMware Activities Related to This Session
HOL:
HOL-SDC-1303
VMware NSX Network Virtualization Platform
Group Discussions:
SEC1000-GD
Distributed Virtual Firewall - Management, Architecture, Scalability and
Performance with Serge Maskalik
SEC5894
![Page 45: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/45.jpg)
THANK YOU
![Page 46: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/46.jpg)
![Page 47: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/47.jpg)
![Page 48: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/48.jpg)
62
The Transformative Value of Network Virtualization
(chart) Labor/OPEX savings: 83% reduction*, 88% reduction*, 93% reduction* (category labels not recoverable from the slide). Innovation speed & new business: increase in business velocity.
* Projected savings off current baseline spend, steady state 75% reduction in IT infrastructure spending. Source: large US-based financial services company.
• Valuable labor moves to SDDC architects, away from high-cost siloed orgs
• Manual design, config & deploy moves to automated / self service provisioning
• Complex / custom hardware configuration moves to simplified IP forwarding
• Box-based net security moves to centrally defined, scale-out security policies
• Physical Infra labor moves to “rack-n-stack” with limited “operator” functions
• Adds/moves/changes no longer require full manual re-provisioning effort
![Page 49: vVMworld 2013: Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall](https://reader033.vdocuments.mx/reader033/viewer/2022042602/558d3200d8b42ac1268b47a6/html5/thumbnails/49.jpg)
63
Introducing VMware NSX
(timeline) 2013: vCNS v5.1; vCloud Suite (Network & Security) v5.1; vCloud Suite (Network & Security) v5.5. 2014: vCloud Network & Security.