List effective firewall rules for VMs with NSX-T

The distributed firewall enforces firewall rules on each vNic of each VM. To find out which rules are actually enforced on a VM, run the following commands on the transport node (hypervisor) where the virtual machine is running.

For ESXi

To access the list of firewall rules we first need to find the name of the dvfilter attached to the VM's network adapter. Use the following command to list all dvfilters on the host:

summarize-dvfilter

You can pipe the output into the less pager (summarize-dvfilter | less) to scroll through it and search for what you need (press h in less for help, for example to see how to search the output). The output in the image below shows the names of the two network adapters of the Test-Web virtual machine.

[Image: summarize-dvfilter output for the Test-Web virtual machine]

To find the name of the filter driver for a specific VM with a single command, use:

summarize-dvfilter | grep -i <your-vm-name> -A 3

This does a case-insensitive search (-i) for your virtual machine name and prints the three lines after each match (-A 3), so that you see all network adapters in use by the virtual machine. The output in the image below shows the names of the two network adapters of the Test-Web virtual machine. It is the same output as in the previous image, but because of the grep filter only the relevant lines are displayed.

[Image: summarize-dvfilter output filtered with grep for the Test-Web virtual machine]

The information you need from this output is the name of the filter on slot 2 of the vNic; this is always the slot where the distributed firewall is placed.

With the following command you can access the effective firewall rules for the nic:

vsipioctl getrules -f <filter-name>

See the image below for an example based on the Test-Web virtual machine:

[Image: vsipioctl getrules output for the Test-Web virtual machine]
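The ESXi steps above can be scripted. The shell functions below are an added example, not code from the original post: dfw_filters reads summarize-dvfilter output on stdin and prints the slot 2 filter name for every vNic of the named VM, and dfw_rules feeds those names to vsipioctl getrules. The layout of the sample output embedded at the end is an assumption (world, port, vNic slot and name: lines) and should be checked against the real output on your transport node.

```shell
#!/bin/sh
# Added example: resolve the slot-2 (distributed firewall) dvfilter names of a VM
# from summarize-dvfilter output and query the effective rules with vsipioctl.

# dfw_filters <vm-name>: reads summarize-dvfilter output on stdin and prints the
# name of the filter on vNic slot 2 for every port of <vm-name>, one per line.
# The VM name match is a case-insensitive substring match, like grep -i on the page.
dfw_filters() {
    [ -n "$1" ] || { echo "usage: dfw_filters <vm-name>" >&2; return 1; }
    awk -v vm="$1" '
        BEGIN { vm = tolower(vm); in_vm = 0; in_slot2 = 0 }
        # a "world" line starts a new VM; reset state
        /^world / { in_vm = 0; in_slot2 = 0; next }
        # "port <id> <vmname>.<ethN>" starts a vNic section; remember if it is ours
        /^ *port / { in_vm = (index(tolower($3), vm) > 0); in_slot2 = 0; next }
        # only the slot 2 section of our VM carries the distributed firewall filter
        /^ *vNic slot / { in_slot2 = (in_vm && $3 == 2); next }
        in_slot2 && /^ *name: / { print $2; in_slot2 = 0 }
    '
}

# dfw_rules <vm-name>: the full procedure, to be run on an ESXi transport node
dfw_rules() {
    summarize-dvfilter | dfw_filters "$1" | while read -r f; do
        echo "== effective rules for $f =="
        vsipioctl getrules -f "$f"
    done
}

# Constructed sample in the assumed summarize-dvfilter layout (not real output)
SAMPLE='world 2098976 vmm0:Test-Web
 port 50331653 Test-Web.eth0
  vNic slot 2
   name: nic-2098976-eth0-vmware-sfw.2
   agentName: vmware-sfw
  vNic slot 1
   name: nic-2098976-eth0-dvfilter-generic-vmware-swsec.1
   agentName: dvfilter-generic-vmware-swsec
 port 50331654 Test-Web.eth1
  vNic slot 2
   name: nic-2098976-eth1-vmware-sfw.2
   agentName: vmware-sfw
world 2099000 vmm0:Test-App
 port 50331660 Test-App.eth0
  vNic slot 2
   name: nic-2099000-eth0-vmware-sfw.2
   agentName: vmware-sfw'

# Offline demonstration on the constructed sample; on a host use: dfw_rules Test-Web
printf '%s\n' "$SAMPLE" | dfw_filters test-web
```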

For KVM

To access the list of firewall rules for a virtual machine we first need to find the interface ID of the VM's vNic. Use the following command to find it:

virsh dumpxml <vm-name> | grep interfaceid

Next, use that ID in the following command:

ovs-appctl -t /var/run/vmware/nsx-agent/nsxa-ctl dfw/rules <ID>
