Identity-based firewall (IDFW) lets you write distributed firewall (DFW) rules based on Active Directory users and groups. A few things need to be in place for this to work. You must have a cluster that is prepared for NSX. You must set up AD synchronization so that NSX can see the users and groups, and you must have Guest Introspection and/or the AD Event Log Scraper in place. Guest Introspection must be deployed on the clusters where IDFW VMs are running. When network events are created, a guest agent installed on the VM (part of the full VMware Tools installation) forwards the information through Guest Introspection to the NSX Manager. With the Active Directory event log scraper, you must point the NSX Manager at an AD domain controller. The NSX Manager then pulls logon events from the AD security event log and applies the firewall rules accordingly. In short, IDFW tracks where AD users log in, maps each login to an IP address, and the DFW uses that user-to-IP mapping to apply rules.
To configure the NSX manager to sync with Active Directory:
Navigate to Networking & Security > System > Users and Domains.
Click the green + and enter in the needed info. Click Next.
Enter the IP or FQDN of your domain controller. Also enter credentials that have sufficient privileges to read the directory tree in Active Directory.
Select either CIFS or WMI as the connection method for accessing the security event logs. You can use the same domain credentials as the LDAP option, or you can de-select this box and use another account. Click Next.
Review the settings and click Finish.
After some time, you’ll notice that the sync with Active Directory was successful.
We want to make sure that the NSX File Introspection Driver is installed on our VMs. This is done using the complete install of VMware Tools. I had to go back and install this on the VMs I am testing with.
Now I went to create a new security group that includes a user for the IDFW test.
Now we see our security group.
To test, I’m going to make a DFW rule including the new security group that I just created.
Now to test the rule, I tried pinging Google’s DNS and the VM's default gateway. Both were working before implementing the rule.
That’s it! The IDFW worked.
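To make the user-to-IP mechanism concrete, here is an added example (not part of the original post and not NSX code) that mimics what the event log scraper and DFW do: it replays constructed logon/logoff records modelled on Windows Security log events, builds a user-to-IP map, resolves a hypothetical security group to IPs, and evaluates an ICMP block rule like the one tested above. The event line format, account names, addresses and group membership are all invented.

```python
import re

# Constructed sample records, loosely modelled on Windows Security log logon
# events (4624 = successful logon, 4634 = logoff). Invented values, not captures.
SAMPLE_EVENTS = [
    "EventID=4624 Account=CORP\\jdoe LogonType=2 SourceAddress=10.1.1.20",
    "EventID=4624 Account=CORP\\asmith LogonType=10 SourceAddress=10.1.1.21",
    "EventID=4624 Account=CORP\\svc_backup LogonType=5 SourceAddress=-",
    "EventID=4624 Account=CORP\\bbrown LogonType=2 SourceAddress=10.1.1.22",
    "EventID=4634 Account=CORP\\bbrown LogonType=2 SourceAddress=10.1.1.22",
]

EVENT_RE = re.compile(r"EventID=(\d+) Account=(\S+) LogonType=(\d+) SourceAddress=(\S+)")


def build_user_ip_map(events):
    """Replay logon/logoff events in order and return {account: ip}.
    Logons without a usable source address (service logons, '-', loopback) are
    ignored, and a logoff removes the mapping so stale identity is not enforced."""
    mapping = {}
    for line in events:
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip anything that is not a logon/logoff record
        event_id, account, _logon_type, addr = m.groups()
        if event_id == "4624" and addr not in ("-", "127.0.0.1", "::1"):
            mapping[account] = addr
        elif event_id == "4634":
            mapping.pop(account, None)
    return mapping


# Hypothetical AD security group and a DFW-style rule that blocks ICMP from any
# VM where a group member is logged in, mirroring the ping test in the post.
IDFW_GROUP = {"CORP\\jdoe", "CORP\\asmith"}
RULES = [{"source_group": IDFW_GROUP, "service": "ICMP", "action": "block"}]


def ips_for_group(group, user_ip_map):
    """Resolve a user group to the set of IPs those users are logged in from."""
    return {ip for user, ip in user_ip_map.items() if user in group}


def evaluate_flow(src_ip, service, user_ip_map, rules=RULES):
    """Return the action for a flow; first matching rule wins, default allow."""
    for rule in rules:
        if src_ip in ips_for_group(rule["source_group"], user_ip_map) and rule["service"] == service:
            return rule["action"]
    return "allow"


if __name__ == "__main__":
    current = build_user_ip_map(SAMPLE_EVENTS)
    print(current)
    print(evaluate_flow("10.1.1.20", "ICMP", current))  # block: jdoe is logged in here
    print(evaluate_flow("10.1.1.22", "ICMP", current))  # allow: bbrown has logged off
```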