The importance of VMTools with IDFW

In this article we shall discuss the identity firewall and a few key points to be successful in its implementation. Read on or click the link in your alexa app.

I was recently involved in troubleshooting a seemingly strange issue with NSX-T 3.0 and IDFW on a VDI Horizon Desktop deployment, whereby IDFW for ICMP were not working but TCP traffic was.

Looking at the rules below everything should be working as expected, and rule 3052 is instantiated on the ESXi hosts but the not being enforced.

Image1: IDFW Rule Implementation

You can see in the get firewall ruleset that 3052 is clearly implemented into the data plane on the vnic of the VM.

Image 2: Ruleset validation

Yet User5, which is part of IT Support, can not ping the RDSH server.

Image 3: User validation

When I was initially asked to look into this my initial reaction was this is bug, but I remembered a key point. IDFW in NSX-T 3.0 has one key dependency, VM Tools 11.x, and this environment, though believed to have been upgraded had only been upgraded to a 10.x version as stipulated by vSphere.

So after upgrading VM Tools we retested and everything worked as expected. What we need to remember is to support UDP and ICMP traffic, in IDFW, there is a dependency on the v11 of VMTools.

As part of the troubleshooting and development of this environment there were a number of other issues, I shall do another blog article to explains a few of the gotchas the team ran into and how we resolved them.

Bal Birdy

Leave a Reply

%d bloggers like this: