Identity-based firewall (IDFW) lets you build distributed firewall (DFW) rules based on Active Directory users and groups. A few things need to be in place for this to work: a cluster that is prepared for NSX, AD synchronization so that NSX can see the users and groups, and Guest Introspection and/or the AD Event Log Scraper.

Guest Introspection must be deployed on the clusters where the IDFW VMs run. When network events occur, a guest agent installed on the VM (the full VMware Tools installation) forwards the information through Guest Introspection to the NSX Manager. With the Active Directory Event Log Scraper, you point the NSX Manager at an AD domain controller; the NSX Manager then pulls the events from the AD security event log and applies the firewall rules accordingly. IDFW monitors where AD users log in, maps each login to an IP address, and that mapping is what the DFW uses to apply the rules.
To configure the NSX manager to sync with Active Directory:
Navigate to Networking & Security > System > Users and Domains.
Click the green + and enter the required information. Click Next.
Enter the IP or FQDN of your domain controller. Also enter credentials that have sufficient privileges to read the directory tree in Active Directory.
Select either CIFS or WMI as the connection method used to access the security event logs. You can use the same domain credentials as for the LDAP option, or de-select this box and use another account. Click Next.
Review the settings and click Finish.
After some time, you'll notice that the sync with Active Directory was successful.
We want to make sure that the NSX File Introspection drivers are installed on our VMs. This is done with the complete install of VMware Tools; I had to go back and install it on the VMs I am testing with.
Next I created a new security group that includes a user for the IDFW test.
Now we see our security group.
To test, I'm going to make a DFW rule that uses the new security group I just created.
To test the rule, I tried pinging Google's DNS and the VM's default gateway; both were working before the rule was implemented.
That’s it! The IDFW worked.
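To make the mechanism described above concrete (the login-to-IP mapping fed by the domain controller's security event log, a security group built from an AD group, and the DFW rule tested here), the following Python model is an added example, not code from this post or from NSX. Event IDs 4624/4634 are the standard Windows logon/logoff IDs, but the record layout, the group membership, the IPs and the rule are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample of what the AD Event Log Scraper reads from the domain
# controller's Security log. 4624 = logon, 4634 = logoff (standard Windows IDs);
# the record layout is simplified and is not NSX's internal format.
SAMPLE_EVENTS = [
    {"id": 4624, "user": "CORP\\alice", "ip": "10.0.1.20", "ts": 100},
    {"id": 4624, "user": "CORP\\bob",   "ip": "10.0.1.30", "ts": 110},
    {"id": 4634, "user": "CORP\\alice", "ip": "10.0.1.20", "ts": 200},  # alice logs off
    {"id": 4624, "user": "CORP\\alice", "ip": "10.0.1.40", "ts": 210},  # ...and on elsewhere
]

# Assumed AD group membership, as NSX would learn it through directory sync.
AD_GROUPS = {"CORP\\Finance": {"CORP\\alice"}}

def build_login_map(events):
    """Replay logon/logoff events in time order into a user -> {ip} map."""
    logins = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ips = logins.setdefault(ev["user"], set())
        if ev["id"] == 4624:
            ips.add(ev["ip"])
        elif ev["id"] == 4634:
            ips.discard(ev["ip"])  # without this, a stale mapping keeps matching the rule
    return logins

def security_group_ips(group, logins):
    """Translate an AD-group security group into the IPs it covers right now."""
    return {ip for user in AD_GROUPS.get(group, ()) for ip in logins.get(user, ())}

@dataclass
class Rule:
    name: str
    source_group: str  # security group built from an AD group
    dest: str          # "any" or a destination IP
    action: str

def evaluate(rules, src_ip, dst_ip, logins):
    """Return the action of the first matching rule; the default here is allow."""
    for r in rules:
        if src_ip in security_group_ips(r.source_group, logins) and r.dest in ("any", dst_ip):
            return r.action
    return "allow"

# The test from the post: block Finance users from reaching Google's DNS.
RULES = [Rule("block-finance-dns", "CORP\\Finance", "8.8.8.8", "block")]
```

Note that alice's first IP stops matching once her logoff event is replayed, which is why a missing or delayed logoff event leaves a rule applied to whoever next gets that address.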
There must be something missing; it didn't work for me. Should I configure a Guest Introspection policy? And how?
Guest Introspection must be deployed in the cluster that has the VMs that are being used for identity based firewall rules.
Thanks for responding back. Well, I’ve almost done everything already, I did the following:
1- deployed GI to the cluster, and the status of GI is healthy, and there's a framework agent VM on each host.
2- added a Windows Server 2008 R2 domain.
3- added another W2KR12-R2 domain.
4- made sure that NSX can successfully sync and pull event logs from both domains.
5- created the security group with a Directory group.
6- installed a full VMware tools package.
7- created a firewall rule, and placed it in an "ID as a source" enabled FW section.
8- when I click on the "source" in that firewall rule, it could successfully query the account that is currently logging into the VM.
9- tried the VM with both domains.
No use, the rule never applies. I use vSphere 6.7 latest, NSX 6.4.4, and a guest Win7 32-bit VM.