The importance of VMTools with IDFW

In this article we shall discuss the identity firewall and a few key points to be successful in its implementation. Read on or click the link in your alexa app.

I was recently involved in troubleshooting a seemingly strange issue with NSX-T 3.0 and IDFW on a VDI Horizon Desktop deployment, whereby IDFW for ICMP were not working but TCP traffic was.

Looking at the rules below everything should be working as expected, and rule 3052 is instantiated on the ESXi hosts but the not being enforced.

Image1: IDFW Rule Implementation

You can see in the get firewall ruleset that 3052 is clearly implemented into the data plane on the vnic of the VM.

Image 2: Ruleset validation

Yet User5, which is part of IT Support, can not ping the RDSH server.

Image 3: User validation

When I was initially asked to look into this my initial reaction was this is bug, but I remembered a key point. IDFW in NSX-T 3.0 has one key dependency, VM Tools 11.x, and this environment, though believed to have been upgraded had only been upgraded to a 10.x version as stipulated by vSphere.

So after upgrading VM Tools we retested and everything worked as expected. What we need to remember is to support UDP and ICMP traffic, in IDFW, there is a dependency on the v11 of VMTools.

As part of the troubleshooting and development of this environment there were a number of other issues, I shall do another blog article to explains a few of the gotchas the team ran into and how we resolved them.

Bal Birdy on LinkedinBal Birdy on Twitter
Bal Birdy
Bal is an Open Group Certified IT Architect, and VCDX #269, specializing in the network and security arena, with over 15 years experience in enterprise level network/system technologies. His goal has always been to maintain a holistic view of the architecture allowing him to understand how various technology streams may impact the networking/infrastructure space.
Bal has a proven record of delivering on enterprise network designs, leading data center and site migrations as a result of business mergers and acquisitions, and vendor migrations e.g. Cisco to Checkpoint/Juniper. As part of this he worked across several business sectors: Utilities, Banking, Retail and Government, and can base designs around sector specific standards e.g. PCI-DSS, DSD and ISM. He is proficient in several technology areas including Cisco, Juniper, F5, VMware, Citrix and Microsoft. These skills are supported by non-technical certifications: Prince2 Project Management Practitioner, ITILv3, TOGAF 9.1 Certified and Open Group Certified IT Architect – Open CA.
In addition to supporting the Livefire Team, Bal leads several innovation efforts within the VMware WRACE organization, including projects investigating the use of Virtual Reality/Augmented Reality, AI/ML and Interactive 360, to support customer and partner enablement.

BSc (Hons) Computer Science
VCDX-NV #269
Open Group Certificated Architect
Member of the Associated of Enterprise Architects

Leave a Reply