Firewall validation with PowerNSX

PowerNSX – Central CLI Parsing

With the PowerNSX code now published online there are many new ways of extracting, manipulating and administering your NSX deployment. This post outlines a method of validating the DFW filter and MAC address of given VMs, the rules applied to that selection of virtual machines, and the address sets those rules use, resolved to IP addresses.

Let's get started by reviewing a workflow in Central CLI.

Central CLI

NSX for vSphere introduced Central CLI. Whilst this centralised the gathering of information, the approach was still rather cumbersome: you needed the cluster ID, then the host ID, then the VM ID before you could see data on the VM you were interested in. It was a start, but one with overhead.

First, find the cluster ID:

melb-nsxm-01> show cluster all
No.  Cluster Name   Cluster Id               Datacenter Name   Firewall Status
1    Compute 1      domain-c76               Melbourne         Enabled
2    Management     domain-c61               Melbourne         Enabled
3    Compute 2      domain-c78               Melbourne         Enabled

Second, find the hosts associated with that cluster:

melb-nsxm-01> show cluster domain-c61
Datacenter: Melbourne
Cluster: Management
No.  Host Name              Host Id   Installation Status
1    mgt-esxi3.corp.local   host-37   Ready
2    mgt-esxi2.corp.local   host-34   Ready
3    mgt-esxi4.corp.local   host-40   Ready
4    mgt-esxi1.corp.local   host-31   Ready

Then examine the host in question to find the VMs running on it:

melb-nsxm-01> show host host-31
Datacenter: Melbourne
Cluster: Management
Host: mgt-esxi1.corp.local
No.  VM Name        VM Id    Power Status
1    melb-ops-01a   vm-167   on
2    TsLdr01-0      vm-620   on
3    DB01           vm-626   on

Let's have a closer look at DB01, which has the VM ID vm-626.

melb-nsxm-01> show vm vm-626
Datacenter: Melbourne
Cluster: Management
Host: mgt-esxi1.corp.local
VM: DB01
Virtual Nics List:
1.
Vnic Name   DB01 - Network adapter 1
Vnic Id     5001cf4f-f1cb-1087-78d3-943458ac8741.000
Filters     nic-5783877-eth0-vmware-sfw.2

Using the filter name listed in the previous output we can validate a whole heap of information applied to the vNIC. The command below shows the rules applied to that specific vNIC.


melb-nsxm-01> show dfw host host-31 filter nic-5783877-eth0-vmware-sfw.2 rules
ruleset domain-c61 {
# Filter rules
rule 1182 at 1 inout protocol tcp from addrset ip-securitygroup-78 to addrset ip-securitygroup-79 port 3306 accept;
rule 1183 at 2 inout protocol any from any to any drop with log;
rule 1168 at 3 inout protocol ipv6-icmp icmptype 136 from any to any accept;
rule 1168 at 4 inout protocol ipv6-icmp icmptype 135 from any to any accept;
rule 1167 at 5 inout protocol udp from any to any port 68 accept;
rule 1167 at 6 inout protocol udp from any to any port 67 accept;
rule 1166 at 7 inout protocol any from any to any accept;
}

ruleset domain-c61_L2 {
# Filter rules
rule 1169 at 1 inout ethertype any from any to any accept;
}

It can also resolve the address sets used in the rules above. This relies on the IP discovery and learning mechanisms in the NSX backend, which resolve objects (such as Security Group or Logical Switch memberships) to IP addresses.

melb-nsxm-01> show dfw host host-31 filter nic-5783877-eth0-vmware-sfw.2 addrsets
addrset ip-securitygroup-78 {
ip 10.0.2.11,
ip 10.0.2.12,
ip fe80::250:56ff:fe81:3618,
ip fe80::250:56ff:fe81:5231,
}
addrset ip-securitygroup-79 {
ip 10.0.3.11,
ip fe80::250:56ff:fe81:3a07,
}

So that is Central CLI. It is good for digging around, but it has some convoluted and repeated steps which add administrative overhead.

PowerNSX

The PowerNSX extensions for PowerShell let us speed this process up. The hard work has been done by the author of PowerNSX (Nick Bradford): with a handful of cmdlets plus some impressive regular expressions it is possible to pull the required data out of the CLI commands very easily. By internally building PowerShell objects to represent Central CLI output, PowerNSX provides native filtering and iteration that make working with Central CLI much easier than using it directly.

PowerCLI C:\> get-vm app01 | Get-NsxCliDfwFilter

Vnic Name     : App01 - Network adapter 1
Filters       : nic-5805072-eth0-vmware-sfw.2
Port Group Id : dvportgroup-617
Mac Address   : 00:50:56:81:52:31
Vnic Id       : 5001ca95-c3d2-4f46-590a-f1799fb14bba.000

This quick output shows the vNIC name, associated port group ID, MAC address and vNIC ID. Let's have a look at the rules. The ft (Format-Table) after the | tidies the output into a table rather than blobs that extend forever!

PowerCLI C:\Users\Administrator\Desktop> get-vm app01 | Get-NsxCliDfwRule | ft -wrap -autosize

RuleSet       InternalRule RuleID Position Direction Type   Service                Source                      Destination
-------       ------------ ------ -------- --------- ----   -------                ------                      -----------
domain-c61           False 1180   1        inout     Layer3 tcp                    addrset ip-securitygroup-77 addrset
                                                                                                               ip-ipset-40
domain-c61           False 1181   2        inout     Layer3 tcp                    addrset ip-ipset-41         addrset ip-securit
                                                                                                               ygroup-78
domain-c61           False 1182   3        inout     Layer3 tcp                    addrset ip-securitygroup-78 addrset ip-securit
                                                                                                               ygroup-79
domain-c61           False 1183   4        inout     Layer3 any                    any                         any
domain-c61           False 1168   5        inout     Layer3 ipv6-icmp icmptype 136 any                         any
domain-c61           False 1168   6        inout     Layer3 ipv6-icmp icmptype 135 any                         any
domain-c61           False 1167   7        inout     Layer3 udp                    any                         any
domain-c61           False 1167   8        inout     Layer3 udp                    any                         any
domain-c61           False 1166   9        inout     Layer3 any                    any                         any
domain-c61_L2        False 1169   1        inout     Layer2 any                    any                         any

And remember, because the PowerNSX Central CLI cmdlets emit objects rather than plain text, we can manipulate the output. Let's clean this table up. I don't need to know the ruleset at the moment, nor the internal-rule flag or direction, so I am going to select columns with the Format-Table command. The columns I am interested in are RuleID, Type, Service, Source, Destination and Port.

PowerCLI C:\Users\Administrator\Desktop> get-vm app01 | Get-NsxCliDfwRule | ft RuleID,Type,Service,Source,Destination,Port -wrap -autosize

RuleID Type   Service                Source                      Destination                 Port
------ ----   -------                ------                      -----------                 ----
1180   Layer3 tcp                    addrset ip-securitygroup-77 addrset ip-ipset-40         80
1181   Layer3 tcp                    addrset ip-ipset-41         addrset ip-securitygroup-78 80
1182   Layer3 tcp                    addrset ip-securitygroup-78 addrset ip-securitygroup-79 3306
1183   Layer3 any                    any                         any                         Any
1168   Layer3 ipv6-icmp icmptype 136 any                         any                         Any
1168   Layer3 ipv6-icmp icmptype 135 any                         any                         Any
1167   Layer3 udp                    any                         any                         68
1167   Layer3 udp                    any                         any                         67
1166   Layer3 any                    any                         any                         Any
1169   Layer2 any                    any                         any                         Any

So what do the address sets resolve to? Let's find all the address sets applicable to App01.

PowerCLI C:\Users\Administrator\Desktop> get-vm app01 | Get-NsxCliDfwAddrSet | ft -wrap -autosize

AddrSet             Type Address
-------             ---- -------
ip-ipset-40         ip   172.16.1.6
ip-ipset-41         ip   172.16.1.1
ip-securitygroup-77 ip   10.0.1.11
ip-securitygroup-77 ip   10.0.1.12
ip-securitygroup-77 ip   fe80::250:56ff:fe81:278
ip-securitygroup-77 ip   fe80::250:56ff:fe81:2ad2
ip-securitygroup-78 ip   10.0.2.11
ip-securitygroup-78 ip   10.0.2.12
ip-securitygroup-78 ip   fe80::250:56ff:fe81:3618
ip-securitygroup-78 ip   fe80::250:56ff:fe81:5231
ip-securitygroup-79 ip   10.0.3.11

We can see what each security group actually resolves to, nice and easily. I don't need to know the filter name, which host the VM is on or which cluster it is in. Heck, I don't even need to find the VM ID! Super easy.

An offering

Wrapping this up into a complete script, here is my rule_validation.ps1, hosted on BitBucket. It does everything described above. There is a user-defined variable called $vmname which can be set on execution to select a VM. NOTE: the selection uses the -match regex operator, which means that if the name you search for is web it will return any VM whose name contains web, not just a VM named exactly web.

PowerCLI C:\Users\Administrator\Desktop> .\rule-validation.ps1 -vmname db01
DB01 Firewall filter and VM IPs

Name IP Address
---- ----------
DB01 10.0.3.11



Resolving objects applied to DB01

Vnic Name     : DB01 - Network adapter 1
Filters       : nic-5783877-eth0-vmware-sfw.2
Port Group Id : dvportgroup-618
Mac Address   : 00:50:56:81:3a:07
Vnic Id       : 5001cf4f-f1cb-1087-78d3-943458ac8741.000




AddrSet             Type Address
-------             ---- -------
ip-securitygroup-78 ip   10.0.2.11
ip-securitygroup-78 ip   10.0.2.12
ip-securitygroup-78 ip   fe80::250:56ff:fe81:3618
ip-securitygroup-78 ip   fe80::250:56ff:fe81:5231
ip-securitygroup-79 ip   10.0.3.11
ip-securitygroup-79 ip   fe80::250:56ff:fe81:3a07


Output of all rules

RuleID Service                Source                      Destination                 Port
------ -------                ------                      -----------                 ----
1182   tcp                    addrset ip-securitygroup-78 addrset ip-securitygroup-79 3306
1183   any                    any                         any                         Any
1168   ipv6-icmp icmptype 136 any                         any                         Any
1168   ipv6-icmp icmptype 135 any                         any                         Any
1167   udp                    any                         any                         68
1167   udp                    any                         any                         67
1166   any                    any                         any                         Any
1169   any                    any                         any                         Any
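As an added example (not the author's rule_validation.ps1 and not PowerNSX's own code), the PowerShell below does offline what the PowerNSX section describes and what the script output above ends with: it parses the Central CLI ruleset and addrset text shown earlier into objects with regular expressions, then resolves each addrset in a rule to its member IPs. The sample text is taken from the outputs above and trimmed; Resolve-AddrSet is a helper name chosen here, and the UNRESOLVED flag is this example's own convention.

```powershell
# Constructed sample input: the Central CLI output shown earlier on this page, embedded as here-strings so this runs offline.
$rulesText = @'
ruleset domain-c61 {
rule 1182 at 1 inout protocol tcp from addrset ip-securitygroup-78 to addrset ip-securitygroup-79 port 3306 accept;
rule 1183 at 2 inout protocol any from any to any drop with log;
rule 1168 at 3 inout protocol ipv6-icmp icmptype 136 from any to any accept;
}
ruleset domain-c61_L2 {
rule 1169 at 1 inout ethertype any from any to any accept;
}
'@
$addrSetText = @'
addrset ip-securitygroup-78 {
ip 10.0.2.11,
ip 10.0.2.12,
}
addrset ip-securitygroup-79 {
ip 10.0.3.11,
}
'@

# Build a name -> IP[] lookup from the "addrset <name> { ip <addr>, ... }" blocks.
$addrSets = @{}
foreach ($m in [regex]::Matches($addrSetText, '(?s)addrset (\S+) \{(.*?)\}')) {
    $addrSets[$m.Groups[1].Value] = @([regex]::Matches($m.Groups[2].Value, 'ip (\S+),') | ForEach-Object { $_.Groups[1].Value })
}

# Turn each rule line into an object (the regex-to-object step PowerNSX performs internally), remembering its ruleset.
$rulePattern = '^rule (?<id>\d+) at (?<pos>\d+) (?<dir>\S+) (?:protocol|ethertype) (?<svc>.+?) from (?<src>.+?) to (?<dst>.+?)(?: port (?<port>\S+))? (?<action>accept|drop)(?: with log)?;$'
$rules = @(); $currentSet = $null
foreach ($line in $rulesText -split "`r?`n") {
    if ($line -match '^ruleset (\S+) \{') { $currentSet = $Matches[1]; continue }
    if ($line -match $rulePattern) {
        $port = if ($Matches.port) { $Matches.port } else { 'Any' }   # L2 and "any" rules carry no port
        $rules += [pscustomobject]@{
            RuleSet = $currentSet; RuleID = [int]$Matches.id; Position = [int]$Matches.pos; Direction = $Matches.dir
            Service = $Matches.svc; Source = $Matches.src; Destination = $Matches.dst; Port = $port; Action = $Matches.action
        }
    }
}

# Replace "addrset <name>" with its member IPs; a set absent from the filter's addrsets is flagged, not silently left as a name.
function Resolve-AddrSet([string]$field) {
    if ($field -match '^addrset (\S+)$' -and $addrSets.ContainsKey($Matches[1])) { return ($addrSets[$Matches[1]] -join ', ') }
    if ($field -match '^addrset ') { return "$field (UNRESOLVED)" }
    return $field
}

$rules | Select-Object RuleID, Service, @{N='Source';E={Resolve-AddrSet $_.Source}}, @{N='Destination';E={Resolve-AddrSet $_.Destination}}, Port, Action | Format-Table -AutoSize -Wrap
```

Feeding it the full addrsets output from the same filter instead of the trimmed sample gives the resolved view a reviewer actually wants: rule 1182 shown as 10.0.2.11, 10.0.2.12 to 10.0.3.11 on port 3306, with any addrset the filter has not learned an IP for called out explicitly.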

Conclusion

This is an insight into how PowerNSX simplifies validation and day-to-day operations of your platform. It is another tool in the administrator's chest. It is super powerful and can be integrated into a number of other workflows alongside PowerCLI.

4 thoughts on “Firewall validation with PowerNSX”

    • pandom says:

      No worries. I hope that is useful.

      I need to add some error validation to it, but it is a minimum viable script for now!

  1. Josep maria Macip says:

    Hi:
    I’m trying to use your script but I get this error:
    get-vm : 2/28/2017 12:51:12 PM Get-VM [Invoke-NsxCli][ERROR] Unable
    to execute Centralized CLI query. invoke-nsxrestmethod : Exception occured
    calling invoke-restmethod. 406 : Not Acceptable : Response Body:
    .Exception.Message. Try re-running command with the -RawOutput parameter.
    At S:\NSX\scripts\rulevalidator.ps1:32 char:1
    + get-vm $vmactual | Get-NsxCliDfwRule | ft -wrap -autosize
    RuleID,service,Source, …
    + ~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-VM], VimException
    + FullyQualifiedErrorId : Core_BaseCmdlet_UnknownError,VMware.VimAutomatio
    n.ViCore.Cmdlets.Commands.GetVM
