So let's say you decided to get going with the NSX Distributed Firewall. Now what?! When is a firewall rule receiving hits, and which VM is communicating with which VM or physical host, and on what port?! Will you ever get rid of the ANY-ANY-ALLOW rule at the end of the rule base?! Ideally we would install an instance of VMware vRNI (vRealize Network Insight) and get insight into all the traffic flows in the datacenter. But that needs deep pockets, and you still wouldn't know when traffic is "hitting" a certain firewall rule. So for the people and companies with shallower pockets, please note the following: VMware has been generous enough to throw in a free license for vRealize Log Insight when you obtain(ed) an NSX license, so let's put it to use!
Please note the scaling limits of Log Insight (events per second and retention) before you start logging every rule:
Once you have Log Insight running, you can enable logging on individual firewall rules and give each rule a log tag, so you can recognise its traffic in Log Insight.
Then search Log Insight using this tag as the query:
Oh YES! So what if you could do this for all traffic passing through your NSX environment?! Maybe this can help you get started logging all traffic to VMware Log Insight:
The PowerNSX script (PowerShell) deploys logging rules and tags, which then show up in Log Insight. Doing this for ALL VLANs on your DVS makes ALL traffic traceable and countable. Now you know which VM is communicating on which ports, and how often. Awesome, isn't it?
My script creates ALLOW rules for each VLAN on the DVS, as shown in the screen recording:
SECTION VLAN – IP SEGMENT:
VLAN – VLAN
RFC 1918 – VLAN
VLAN – RFC 1918
VLAN – PUBLIC IP RANGES
PUBLIC IP RANGES – VLAN
ANY – ANY
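To show what such a deployment looks like in PowerNSX, here is an added example script. It is not the author's script from the video; it is a reconstruction of the section layout listed above. The VLAN-to-segment table, the DVS name and the tag values are constructed sample values, and the cmdlet parameter names (-EnableLogging, -Tag, -NegateSource, -NegateDestination) are as I recall them from PowerNSX, so confirm them with Get-Help New-NsxFirewallRule -Full before running it against a real NSX Manager. "Public IP ranges" is expressed by negating the RFC 1918 IP set rather than by listing public prefixes.

```powershell
# Added example (not the author's script): per-VLAN ALLOW sections with logging
# and a tag per rule, so every flow becomes searchable and countable in Log Insight.
# Assumes PowerNSX is loaded and Connect-NsxServer has already been run.

# Constructed sample mapping: distributed port group (VLAN) name -> IP segment.
# NSX cannot derive the segment from the VLAN ID, so this table is the input.
$VlanSegments = @{
    'vlan100-web' = '10.100.0.0/24'
    'vlan200-app' = '10.200.0.0/24'
    'vlan30-db'   = '10.30.0.0/24'
}

# One IP set covering all RFC 1918 space; "public" = NOT this set.
$rfc1918 = Get-NsxIpSet -Name 'RFC1918' -ErrorAction SilentlyContinue
if (-not $rfc1918) {
    $rfc1918 = New-NsxIpSet -Name 'RFC1918' `
        -IPAddresses '10.0.0.0/8,172.16.0.0/12,192.168.0.0/16'
}

function New-LoggedAllowRule {
    # Wraps New-NsxFirewallRule so every rule is ALLOW + logging + tag.
    # $Tag is the string you later type into the Log Insight search box.
    param(
        $Section, [string]$Name, $Source, $Destination, [string]$Tag,
        [switch]$NegateSource, [switch]$NegateDestination
    )
    $params = @{
        Section       = $Section
        Name          = $Name
        Action        = 'allow'
        EnableLogging = $true     # assumed switch name, see Get-Help
        Tag           = $Tag      # assumed parameter name; NSX limits tag length, keep it short
    }
    if ($Source)            { $params.Source            = $Source }
    if ($Destination)       { $params.Destination       = $Destination }
    if ($NegateSource)      { $params.NegateSource      = $true }
    if ($NegateDestination) { $params.NegateDestination = $true }
    New-NsxFirewallRule @params | Out-Null
}

# New sections are inserted at the top of the rule base by default (assumption),
# so the catch-all ANY-ANY section is created FIRST to end up at the bottom.
$anySection = New-NsxFirewallSection -Name 'ANY - ANY (logged)'
New-LoggedAllowRule -Section $anySection -Name 'any-any' -Tag 'any-any'

foreach ($vlan in $VlanSegments.Keys) {
    $cidr  = $VlanSegments[$vlan]
    $ipset = Get-NsxIpSet -Name $vlan -ErrorAction SilentlyContinue
    if (-not $ipset) { $ipset = New-NsxIpSet -Name $vlan -IPAddresses $cidr }

    # Section "VLAN - IP SEGMENT", one per VLAN.
    $section = New-NsxFirewallSection -Name "$vlan - $cidr"

    # Rules inside a section are evaluated in order, most specific first.
    # VLAN - VLAN
    New-LoggedAllowRule -Section $section -Name "$vlan-$vlan" `
        -Source $ipset -Destination $ipset -Tag "$vlan-self"
    # RFC 1918 - VLAN
    New-LoggedAllowRule -Section $section -Name "rfc1918-$vlan" `
        -Source $rfc1918 -Destination $ipset -Tag "1918-$vlan"
    # VLAN - RFC 1918
    New-LoggedAllowRule -Section $section -Name "$vlan-rfc1918" `
        -Source $ipset -Destination $rfc1918 -Tag "$vlan-1918"
    # VLAN - PUBLIC IP RANGES (destination = NOT RFC 1918)
    New-LoggedAllowRule -Section $section -Name "$vlan-public" `
        -Source $ipset -Destination $rfc1918 -NegateDestination -Tag "$vlan-pub"
    # PUBLIC IP RANGES - VLAN (source = NOT RFC 1918)
    New-LoggedAllowRule -Section $section -Name "public-$vlan" `
        -Source $rfc1918 -NegateSource -Destination $ipset -Tag "pub-$vlan"
}
```

Once the rules are in place, the hit counts per tag in Log Insight tell you which of these ALLOW rules actually carry traffic and on which ports. That is the data you need to replace each broad ALLOW with a specific service rule and, eventually, to let the trailing ANY-ANY rule become a logged DENY instead of an ALLOW.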
Then, finally TOTAL INSIGHT: