Do I need this firewall rule anymore? …. Anyone !?

In this article we shall discuss how vRNI can help with that question – Do I need this firewall rule? Read on, or click the link in your Alexa app.

For those of us who have completed Firewall migrations, this is not an uncommon question. What usually happens if we cannot validate a rule is we take the path of least risk, i.e. migrate the rule over and leave the operations guys to determine validity at a later day. This is obviously not the best approach but a number of factors, e.g. time and project cost can come into play resulting in this route. We won’t get into the philosophical discussion about the rights and wrongs, but the key point is whether there are tools within the VMware stack that can help solve this question.

A good friend and colleague of mine, Nikodim Nikodimov, was, or is, depending on when you are reading this article, running an NSX Advanced Implementation Livefire Class in Sofia, Bulgaria. During this class he was posed this very question. The first thought was how about using the NSX-V logging capabilities but the customer was afraid of the impact of logging on host resources, and also the overloading the syslog collector e.g. vRealize Log Insight. The question posed was whether vRNI could provide anything useful?

Nikodim approach me to see if I had any ideas, and my initial thought was vRNI must have some capability. It’s our go to tool for Day 2 Operations for networking within the SDDC stack. After a bit of research we found a cool feature that is available in vRealize Network Insight v3.9, but it looks to have been available in earlier versions. This feature is the ability to search for traffic flows based on Rule-ID or Rule-Names. So how does this work? The first thing you have to assume is that vRNI is either in place within the environment, or you are able to get a fully functional evaluation copy. Assuming vRNI is in place, it has the ability to monitor all the traffic flows, courtesy of IPFIX data from the logical switches and from the distributed firewall. As a result it automagically can correlate the relevant data. So once you have setup vRNI, and left it to monitor traffic flows for some time you can then query the data set to help answer the question.

Firstly within vRNI you can create your search criteria based on Rule-ID, which NSX Manager shows you within the Network and Security Firewall Section, or the Rule-Name. The reason Rule-ID may be preferred is due to the easy of entering the number, vs a long text variable. See below:

Once you’ve clicked on the search button vRNI will show you all relevant data for that Rule-ID, based on the time criteria you selected:

Notice that the name of the Rule is being displayed, you could have easily searched on this too:

So now if you click on the rule you can drill into details of the appropriate flows:

Note the timeline is currently set 1 day, but if you change this to 30 days then you can get a clearer picture of all traffic flows. So hopefully this demonstrates how vRNI is invaluable for Day 2 Operations of NSX, and helps with the mitigating apprehension with respect to unknown firewall rules.

Bal Birdy

Leave a Reply

%d bloggers like this: