Searching Firewall rules with PowerNSX

There are times when an administrator will need to determine whether a specific address or set of addresses is covered by a Firewall rule. This can occur when provisioning a new workload or troubleshooting connectivity. Example 8-AB below demonstrates finding a specific address in the destination parameter of Get-NsxFirewallRule.

Find Address used in a Distributed Firewall Rule

PS /> Get-NsxFirewallRule -Destination "" | select name

name
----
Internet Access
Default Rule
NDP Default Rule
DHCP Default Rule

The IP address has been detected in the destination field of four rules. The destination of the Internet Access rule is an IPSet containing the three RFC1918 subnets. The rules returned for -Destination "" are those whose destination covers the address, whether through explicitly defined IP addresses, IP ranges, or VM objects.
It is also possible to use the parameter -source or -both alongside -destination to further control or scope this lookup. These parameters can take input from a string such as an IP address or subnet and can even handle a Virtual Machine object or vNIC.
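The address-coverage check described above, written here as an added standalone PowerShell example rather than PowerNSX's own code: rule destinations are modelled as plain strings (a single address, an inclusive range, or a CIDR subnet, the forms the text says an IPSet can hold), and the rule objects are constructed sample data.

```powershell
function ConvertTo-IpNumber {
    # Dotted-quad IPv4 -> numeric value. Doubles are exact below 2^53, which
    # sidesteps PowerShell's signed/unsigned promotion rules for 32-bit values.
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return [double]$b[0] * 16777216 + [double]$b[1] * 65536 + [double]$b[2] * 256 + [double]$b[3]
}

function Test-IpInEntry {
    # $Entry is a single address, an inclusive range "a-b", or a CIDR subnet
    param([string]$Ip, [string]$Entry)
    $n = ConvertTo-IpNumber $Ip
    if ($Entry -match '^([\d.]+)/(\d+)$') {
        $blockSize = [math]::Pow(2, 32 - [int]$Matches[2])      # addresses per prefix
        return [math]::Floor($n / $blockSize) -eq [math]::Floor((ConvertTo-IpNumber $Matches[1]) / $blockSize)
    }
    if ($Entry -match '^([\d.]+)-([\d.]+)$') {
        return ($n -ge (ConvertTo-IpNumber $Matches[1])) -and ($n -le (ConvertTo-IpNumber $Matches[2]))
    }
    return $n -eq (ConvertTo-IpNumber $Entry)
}

function Find-RuleByDestination {
    # Emit every rule whose destination covers $Ip. An empty destination list
    # means "any", so such a rule (like a default rule) always matches.
    param([string]$Ip, [object[]]$Rules)
    foreach ($rule in $Rules) {
        if (-not $rule.Destinations -or ($rule.Destinations | Where-Object { Test-IpInEntry $Ip $_ })) {
            $rule
        }
    }
}

# Constructed sample rule set (assumed data, not exported from an NSX Manager)
$rules = @(
    [pscustomobject]@{ Name = 'Internet Access'; Destinations = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16') }
    [pscustomobject]@{ Name = 'Web Tier';        Destinations = @('10.20.30.5-10.20.30.20') }
    [pscustomobject]@{ Name = 'Jump Host';       Destinations = @('10.20.30.99') }
    [pscustomobject]@{ Name = 'Default Rule';    Destinations = @() }
)

Find-RuleByDestination -Ip '10.20.30.10' -Rules $rules | Select-Object Name
```

Against a live environment the same matching would be applied to the destination members returned by Get-NsxFirewallRule, which is what the -Destination parameter does for you.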

This is one of many feature enhancements in the upcoming v3 release of PowerNSX. The master development branch includes this feature along with a raft of new functionality if you cannot wait for the v3 release.

Visit the GitHub repo to get started.

Port Forwarding on VMware Fusion

VMware Fusion hosts my test beds for PowerNSX. This runs on my work laptop which is a 2015 MacBook Pro that has an i7, 16GB, and a 1TB SSD. I access the environment via SSH from my desktop iMac. These workloads run on my laptop so when I travel my test beds are not dependent on home infrastructure.

I run the following workloads on the MacBook Pro:
– vCenter Server Appliance
– NSX Manager
– ESXi
– Log Insight

These VMs are connected to Custom Networks. The network in question is and the checkbox Allow virtual machines on this network to connect to external networks (using NAT) is ticked. This results in the workloads being on a local network.

I wanted to be able to access the Log Insight interface hosted on my laptop, and as such I needed to port-forward to the Log Insight virtual machine. This requires editing the configuration of the Fusion network the workloads are attached to.

The network configuration files are stored in their respective folders within the VMware Fusion preferences folder.

➜ ~ l /Library/Preferences/VMware\ Fusion/
total 48
drwxr-xr-x 16 root wheel 544B Jun 12 20:55 .
drwxr-xr-x 52 root wheel 1.7K Jun 14 15:58 ..
-rw-r--r-- 1 root wheel 1.2K May 23 10:33 .networking.XXXXXX
-rw-r--r-- 1 root wheel 25B May 18 15:01 config
-r--r--r-- 1 root wheel 31B Jun 12 20:55 lastLocationUsed
-rw-r--r-- 1 root wheel 553B Apr 2 16:43 license-fusion-80-e4-201505
-rw-r--r-- 1 root wheel 1.5K Jun 12 20:55 networking
-rw-r--r-- 1 root wheel 1.5K Jun 11 23:20 networking.bak.0
-rw-r--r-- 1 root wheel 0B Apr 7 08:26 promiscAuthorized
drwxr-xr-x@ 10 root wheel 340B Jun 12 20:55 thnuclnt
drwxr-xr-x 4 root wheel 136B May 3 21:53 vmnet1
drwxr-xr-x 7 root wheel 238B May 3 21:53 vmnet2
drwxr-xr-x 4 root wheel 136B May 3 21:53 vmnet3
drwxr-xr-x 7 root wheel 238B Jun 9 20:36 vmnet5
drwxr-xr-x 4 root wheel 136B May 28 20:11 vmnet6
drwxr-xr-x 7 root wheel 238B May 3 21:53 vmnet8

The network of interest in this case is vmnet5. Change into the vmnet5 directory.

There is a lot of interesting content within the nat.conf file. It includes which IP address will be used as the source IP for NAT, what inbound TCP connections can be made, and much more. The [incomingtcp] section is what is of interest here.


➜ ~ cat /Library/Preferences/VMware\ Fusion/vmnet5/nat.conf
# VMware NAT configuration file


# NAT gateway address
ip =
netmask =

# VMnet device if not specified on command line
device = vmnet5

# Allow PORT/EPRT FTP commands (they need incoming TCP stream ...)
activeFTP = 1

# Allows the source to have any OUI. Turn this on if you change the OUI
# in the MAC address of your virtual machines.
allowAnyOUI = 1

# Controls if (TCP) connections should be reset when the adapter they are
# bound to goes down
resetConnectionOnLinkDown = 1

# Controls if (TCP) connection should be reset when guest packet's destination
# is NAT's IP address
resetConnectionOnDestLocalHost = 1

# Controls if enable nat ipv6
natIp6Enable = 0

# Controls if enable nat ipv6
natIp6Prefix = fd15:4ba5:5a2b:1005::/64


# Value of timeout in TCP TIME_WAIT state, in seconds
timeWaitTimeout = 30


# Timeout in seconds. Dynamically-created UDP mappings will purged if
# idle for this duration of time 0 = no timeout, default = 60; real
# value might be up to 100% longer
timeout = 30

# Timeout for NBNS queries.
nbnsTimeout = 2

# Number of retries for each NBNS query.
nbnsRetries = 3

# Timeout for NBDS queries.
nbdsTimeout = 3


# Use these with care - anyone can enter into your VM through these...
# The format and example are as follows:
# = <VM's IP address>:<VM's port number>
#8080 =


# UDP port forwarding example
#6000 =

Adding 9443 = within the [incomingtcp] section allows inbound connections to the laptop on TCP 9443 to be forwarded to which is the Log Insight instance. With this configured, the Fusion network services must be restarted.

sudo /Applications/VMware\ --stop
sudo /Applications/VMware\ --start

Now from another device, such as my iMac, I can access the Log Insight at https://dreamspike.local:9443.
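Because every entry under [incomingtcp] and [incomingudp] is a port the host exposes to whatever network it is on (the file's own comment warns "anyone can enter into your VM through these"), it is worth being able to list them. The following is an added PowerShell example, not VMware code; the nat.conf fragment is constructed and its addresses are placeholders rather than the values from this post.

```powershell
function Get-NatForward {
    # Parse nat.conf lines and return one object per active inbound forward.
    # Commented-out entries (like the shipped #8080 example) are ignored.
    param([string[]]$Lines)
    $section = ''
    foreach ($raw in $Lines) {
        $line = ($raw -split '#', 2)[0].Trim()          # strip comments and padding
        if (-not $line) { continue }
        if ($line -match '^\[(\w+)\]$') { $section = $Matches[1].ToLower(); continue }
        if ($section -notin @('incomingtcp', 'incomingudp')) { continue }
        if ($line -match '^(\d+)\s*=\s*([\d.]+):(\d+)$') {
            [pscustomobject]@{
                Protocol  = $section.Substring(8).ToUpper()  # "incomingtcp" -> "TCP"
                HostPort  = [int]$Matches[1]
                GuestIp   = $Matches[2]
                GuestPort = [int]$Matches[3]
            }
        }
    }
}

# Constructed nat.conf fragment (placeholder addresses, not the blog's network)
$sample = @'
[host]
ip = 192.168.5.1
netmask = 255.255.255.0
device = vmnet5

[incomingtcp]
# Use these with care - anyone can enter into your VM through these...
#8080 = 192.168.5.10:80
9443 = 192.168.5.20:9443
22 = 192.168.5.30:22

[incomingudp]
#6000 = 192.168.5.10:6000
'@ -split "`r?`n"

Get-NatForward -Lines $sample | Format-Table -AutoSize
```

On the real host, replace the constructed sample with `Get-Content '/Library/Preferences/VMware Fusion/vmnet5/nat.conf'` to review what is actually forwarded before and after an edit.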

VMware Fusion is a handy tool for home lab environments and especially environments on the run. Being a VMware employee I am privy to what is coming and I pretty much love this tool more and more with each release.

Wondering how I run VMs with more memory than my actual device has? Check out these other Fusion blogs below!

Check this blog entry on how to run VCSA in Fusion
Check this blog entry on how to use memory swapping in Fusion.