Filtering based on Distributed Firewall RuleID
When you manage and operate a VMware NSX environment you should be shipping logs to a log management system. If you have enabled logging on individual Distributed Firewall rules, the hits appear a little differently in the log system than the rules do in the GUI.
You may notice that the log entries reference rules by RuleID rather than by name. The syntax is rule followed by the ID, rule1025 for example.
My pie chart shows the Top Rule Hit Count. The legend lists a number of rules: 1012, 1016, 1017, 1018, 1023 and 1025 are the top rules by hit count. But what does a rule ID such as 1016 actually match? We can right-click on the Log Insight pie chart segment for rule 1016 and select Interactive Analysis. This shows all the log entries that involve the policy behind rule 1016.
As with my Validating Distributed Firewall blog post, you can use the host CLI (the vsipioctl commands) to pull up an individual rule, see what it matches, and see what the objects it references resolve to.
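The two steps above (rank rule IDs by hit count in the log system, then resolve what each ID matches on the host) can be joined up in a few lines. The following is an added example and not code from the original post: it counts hits per rule ID over dfwpktlogs lines, then looks the top IDs up in captured `vsipioctl getrules` and `vsipioctl getaddrsets` output and expands the addrset names to IPs. All sample log lines and CLI output below are constructed, and the exact field layouts I parse are an assumption about those formats, not text from the post; a rule ID that shows up in the logs but not in this host's filter is reported rather than silently dropped, since the log may come from a different host or filter.

```python
"""Added example: rank NSX DFW rule IDs by hit count, then resolve them via vsipioctl output."""
import re
from collections import Counter

# Constructed dfwpktlogs lines (field layout is an assumption, e.g. ruleset/ruleid after the action).
DFW_LOGS = """\
2015-03-10T03:22:22.671Z esx-01a dfwpktlogs: INET match PASS domain-c7/1016 IN 60 TCP 192.168.110.10/54256->172.16.10.11/443 S
2015-03-10T03:22:23.101Z esx-01a dfwpktlogs: INET match PASS domain-c7/1016 IN 60 TCP 192.168.110.10/54257->172.16.10.12/443 S
2015-03-10T03:22:24.003Z esx-01a dfwpktlogs: INET match DROP domain-c7/1025 IN 60 TCP 10.0.0.99/41022->172.16.10.11/22 S
2015-03-10T03:22:25.410Z esx-01a dfwpktlogs: INET match PASS domain-c7/1016 OUT 52 TCP 172.16.10.11/443->192.168.110.10/54256 SA
2015-03-10T03:22:26.990Z esx-01a dfwpktlogs: INET match PASS domain-c7/1012 IN 60 UDP 172.16.20.5/51234->172.16.10.11/53
"""

# Constructed 'vsipioctl getrules -f <filter>' output (layout is an assumption).
VSIP_RULES = """\
ruleset domain-c7 {
  # Filter rules
  rule 1025 at 1 inout protocol tcp from any to addrset ip-securitygroup-12 port 22 drop with log;
  rule 1016 at 2 inout protocol tcp from any to addrset ip-securitygroup-10 port 443 accept with log;
  rule 1012 at 3 inout protocol udp from addrset ip-securitygroup-11 to addrset ip-securitygroup-10 port 53 accept;
  rule 1001 at 4 inout protocol any from any to any accept;
}
"""

# Constructed 'vsipioctl getaddrsets -f <filter>' output (layout is an assumption).
VSIP_ADDRSETS = """\
addrset ip-securitygroup-10 {
ip 172.16.10.11,
ip 172.16.10.12,
}
addrset ip-securitygroup-11 {
ip 172.16.20.5,
}
addrset ip-securitygroup-12 {
ip 172.16.10.11,
ip 172.16.10.12,
}
"""

LOG_RE = re.compile(r"dfwpktlogs: .*?match (?P<action>\w+) (?P<ruleset>\S+)/(?P<id>\d+) ")
RULE_RE = re.compile(
    r"rule (?P<id>\d+) at \d+ (?P<dir>\w+) protocol (?P<proto>\S+) "
    r"from (?P<src>.+?) to (?P<dst>.+?)(?: port (?P<port>\S+))? "
    r"(?P<action>accept|drop|reject)(?P<log> with log)?;"
)


def top_rules(log_text, n=5):
    """Hit count per rule ID, highest first (what the Log Insight pie chart is showing)."""
    matches = (LOG_RE.search(line) for line in log_text.splitlines())
    return Counter(m.group("id") for m in matches if m).most_common(n)


def parse_rules(getrules_text):
    """Map rule ID -> parsed fields from getrules output; addrsets are left as names here."""
    rules = {}
    for m in RULE_RE.finditer(getrules_text):
        rules[m.group("id")] = {
            "direction": m.group("dir"), "protocol": m.group("proto"),
            "src": m.group("src"), "dst": m.group("dst"), "port": m.group("port"),
            "action": m.group("action"), "logged": m.group("log") is not None,
        }
    return rules


def parse_addrsets(getaddrsets_text):
    """Map addrset name -> list of member IPs from getaddrsets output."""
    sets, current = {}, None
    for line in getaddrsets_text.splitlines():
        line = line.strip()
        if line.startswith("addrset ") and line.endswith("{"):
            current = line.split()[1]
            sets[current] = []
        elif line.startswith("ip ") and current is not None:
            sets[current].append(line.split()[1].rstrip(","))
        elif line == "}":
            current = None
    return sets


def _expand(endpoint, addrsets):
    """Turn 'addrset <name>' into its IP list; anything else ('any', a literal IP) is returned as-is."""
    if endpoint.startswith("addrset "):
        name = endpoint.split(None, 1)[1]
        return addrsets.get(name, ["<unresolved %s>" % name])
    return [endpoint]


def resolve_rule(rule_id, rules, addrsets):
    """Rule with src/dst resolved to IPs, or None if the host's filter has no such rule."""
    rule = rules.get(rule_id)
    if rule is None:
        return None
    resolved = dict(rule, rule=rule_id)
    resolved["src"] = _expand(rule["src"], addrsets)
    resolved["dst"] = _expand(rule["dst"], addrsets)
    return resolved


def explain_top_rules(log_text, getrules_text, getaddrsets_text, n=3):
    """List of (rule_id, hit_count, resolved_rule_or_None) for the busiest rules in the logs."""
    rules, addrsets = parse_rules(getrules_text), parse_addrsets(getaddrsets_text)
    return [(rid, count, resolve_rule(rid, rules, addrsets)) for rid, count in top_rules(log_text, n)]


if __name__ == "__main__":
    for rid, count, r in explain_top_rules(DFW_LOGS, VSIP_RULES, VSIP_ADDRSETS):
        if r is None:
            print("rule %s: %d hits, not in this host's getrules output (other filter or stale rule)" % (rid, count))
        else:
            print("rule %s: %d hits -> %s %s from %s to %s port %s (logged=%s)"
                  % (rid, count, r["action"], r["protocol"], r["src"], r["dst"], r["port"], r["logged"]))
```

On a real host you would paste in the output of `summarize-dvfilter` to find the filter name, then `vsipioctl getrules -f <filter>` and `vsipioctl getaddrsets -f <filter>` in place of the constructed strings; the log lines would come from a Log Insight export of the Interactive Analysis view.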
Filtering by Rule ID
What happens when you have lots of rules? How do I find a given Rule ID amongst all these policies, which are written against abstractions (security groups, IP sets, services) rather than raw addresses?
With Log Insight showing the hits by rule ID, you can quickly narrow the scope from all of your rules to just those that have elements of rule
You can see here that I have selected the little funnel icon in the Firewall pane. This allows me to filter objects, rules and policies on a number of variables. These variables can show an administrator where an object is reused in any part of the matching criteria. Filtering on rule 1016 shows that it allows anything to SG-WEB on HTTPS. I am allowing this traffic and logging it. The rule is applied to SG-WEB.
If you have hundreds of rules or policies that enforce on virtual and physical workload addressing (IP sets) across your DC, then this is very handy for seeing which rules are associated with a rule ID, let alone the other search options. Comments are great if you put details in your rules. Couple this with the ability to view Service Composer's Resultant Set of Policy and the security administrator's job has become easier.