Monthly Archives: August 2017

What a pita this has been, the process is reasonably straight forward but trying to do this in a nested environment is a pain!! The settings below should be done of both ESGs (in my (hands on) lab I created two ESGs with a directly connected “Internal” Logical Switch and an “Internet” Logical Switch and used a DLR to act as the Internet Router.

Something like this:

10.10.100.0/24 >Site 1 ESG Internal (10.10.100.1) > Site 1 ESG Internet (10.10.10.1) > Internet DLR (10.10.10.254) > Internet DLR (20.20.20.254) > Site 2 ESG Internet (20.20.20.1) > Site 2 ESG Internal (20.20.200.1) > 20.20.200.0/24

Enable IPSec VPN Service

You must enable the IPSec VPN service for traffic to flow from the local subnet to the peer subnet

1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click NSX Edges.

3. Double-click an NSX Edge.

4. Click the Manage tab and then click the VPN tab.

5. Click IPSec VPN.

Continue reading →

SSL VPN-Plus Overview

With SSL VPN-Plus, remote users can connect securely to private networks behind a NSX Edge gateway. Remote users can access servers and applications in the private networks.

Add SSL VPN-Plus Server Settings

1. In the SSL VPN-Plus tab, select Server Settings from the left panel. Continue reading →

Add a Security Tag

You can manually add a security tag and apply it to a virtual machine. This is especially useful when you are using a non-NETX solution in your environment and hence, cannot register the solution tags with NSX Manager.

1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click NSX Managers.

3. Click an NSX Manager in the Name column and then click the Manage tab.

4. Click the Security Tags tab.

Continue reading →

A security policy is a set of Endpoint, firewall, and network introspection services that can be applied to a security group. The order in which security policies are displayed is determined by the weight associated with the policy. By default, a new policy is assigned the highest weight so that it is at the top of the table. However, you can modify the default suggested weight to change the order assigned to the new policy.

NSX assigns a default weight (highest weight +1000) to the policy. For example, if the highest weight amongst the existing policy is 1200, the new policy is assigned a weight of 2200.

Security policies are applied according to their weight – a policy with the higher weight has precedence over a policy with a lower weight.

Procedure

1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click Service Composer.

3. Click the Security Policies tab.

Continue reading →

1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click Service Composer.

3. Click the Security Groups tab and then click the Add Security Group icon.

Continue reading →

Filtering firewall rules is reeeally straight forward!

Navigate to the DFW section of the Networking and Security Plugin then click of the filter buttons:

There are loads of options to filter with: Continue reading →

This post will focus on create firewall rules that utilise Active Directory Groups, I’ve already covered who you integrate NSX with AD here so let’s get straight into creating a Security Group:

1. Select the NSX Manager, then click Manage, followed by Grouping Objects.

2. Click on Security Groups.

3. Click the green + sign to Add a Security Group. What I am going to do is create a dynamic group membership based on the AD Group by selecting Entity, Belongs to and then clicking the “Select Entity” button: Continue reading →

Create Distributed Firewall Rule Sections

You can add a section to segregate firewall rules. For example, you may like to have the rules for sales and engineering departments in separate sections.

1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click Firewall.

3. Ensure that you are in the General tab to add a section for L3 rules. Click the Ethernet tab to add a section for L2 rules.

Continue reading →

Flow Monitoring is a traffic analysis tool that provides a detailed view of the traffic to and from protected virtual machines. When flow monitoring is enabled, its output defines which machines are exchanging data and over which application. This data includes the number of sessions and packets transmitted per session. Session details include sources, destinations, applications, and ports being used. Session details can be used to create firewall allow or block rules.

You can view TCP and UDP connections to and from a selected vNIC. You can also exclude flows by specifying filters.

Flow Monitoring can thus be used as a forensic tool to detect rogue services and examine outbound sessions.

Configure Flow Monitoring

Flow collection must be enabled for you to view traffic information. You can filter the data being displayed by specifying exclusion criterion. For example, you may want to exclude a proxy server to avoid seeing duplicate flows. Or if you are running a Nessus scan on the virtual machines in your inventory, you may not want to exclude the scan flows from being collected.

Procedure

1. Log in to the vSphere Web Client.

2. Select Networking & Security from the left navigation pane and then select Flow Monitoring.

3. Select the Configuration tab.

Continue reading →

First I am going to need to know what Edge instance I will be changing, I will need to do a GET and retrieve all the DLR instances and find the ObjectID for a specific instance.

I can do this with a GET https://vcrooky/api/4.0/edges.

Once we have this we can query the current setting by doing the following:

Can see in the above screenshot that the DeclareDeadTime for Edge-19 is set to the value of 15.

I want to change this value to 6 (seconds).

I use the same request, this time using a PUT request and the XML:

PUT https://vcrooky/api/4.0/edges/edge-19/highavailability/config

The XML is:

<highAvailability>
<declareDeadTime>6</declareDeadTime>
</highAvailability>