Category Archives: VCAP

NSX – Create/edit/delete Security Tags

Add a Security Tag

You can manually add a security tag and apply it to a virtual machine. This is especially useful when you are using a non-NetX solution in your environment and therefore cannot register the solution's tags with NSX Manager.

1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click NSX Managers.

3. Click an NSX Manager in the Name column and then click the Manage tab.

4. Click the Security Tags tab.


NSX – Configure Security Policies

A security policy is a set of Endpoint, firewall, and network introspection services that can be applied to a security group. The order in which security policies are displayed is determined by the weight associated with each policy. By default, a new policy is assigned the highest weight so that it appears at the top of the table. However, you can modify the suggested default weight to change where the new policy is placed in the order.

NSX assigns a default weight (highest existing weight + 1000) to the new policy. For example, if the highest weight among the existing policies is 1200, the new policy is assigned a weight of 2200.

Security policies are applied according to their weight: a policy with a higher weight takes precedence over a policy with a lower weight.

Procedure

1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click Service Composer.

3. Click the Security Policies tab.


NSX – Create/configure Identity-based firewall (IDFW) for specific users/groups

This post will focus on creating firewall rules that use Active Directory groups. I've already covered how you integrate NSX with AD here, so let's get straight into creating a Security Group:

1. Select the NSX Manager, then click Manage, followed by Grouping Objects.

2. Click on Security Groups.

3. Click the green + sign to add a Security Group. What I am going to do is create a dynamic group membership based on the AD group by selecting Entity, then Belongs to, and then clicking the "Select Entity" button:

NSX – Create/configure Firewall rule sections for specific departments

Create Distributed Firewall Rule Sections

You can add a section to segregate firewall rules. For example, you may like to have the rules for sales and engineering departments in separate sections.

1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click Firewall.

3. Ensure that you are in the General tab to add a section for L3 rules. Click the Ethernet tab to add a section for L2 rules.


NSX – Monitor and analyze virtual machine traffic with Flow Monitoring

Flow Monitoring is a traffic analysis tool that provides a detailed view of the traffic to and from protected virtual machines. When flow monitoring is enabled, its output shows which machines are exchanging data and over which application. This data includes the number of sessions and the packets transmitted per session. Session details include the sources, destinations, applications, and ports in use, and they can be used to create firewall allow or block rules.

You can view TCP and UDP connections to and from a selected vNIC. You can also exclude flows by specifying filters.

Flow Monitoring can thus be used as a forensic tool to detect rogue services and examine outbound sessions.

Configure Flow Monitoring

Flow collection must be enabled before you can view traffic information. You can filter the data being displayed by specifying exclusion criteria. For example, you may want to exclude a proxy server to avoid seeing duplicate flows, or, if you are running a Nessus scan on the virtual machines in your inventory, you may not want the scan flows to be collected.

Procedure

1. Log in to the vSphere Web Client.

2. Select Networking & Security from the left navigation pane and then select Flow Monitoring.

3. Select the Configuration tab.


NSX – Modify DLR declared dead time

First I need to know which Edge instance I will be changing, so I do a GET to retrieve all the DLR instances and find the objectId of the specific instance.

I can do this with GET https://vcrooky/api/4.0/edges.

Once we have the objectId we can query the current setting by doing the following:

You can see in the above screenshot that the declareDeadTime for edge-19 is set to the value of 15.

I want to change this value to 6 (seconds).

I use the same request, this time using a PUT request and the XML:

PUT https://vcrooky/api/4.0/edges/edge-19/highavailability/config

The XML is:

<highAvailability>
<declareDeadTime>6</declareDeadTime>
</highAvailability>


NSX – NSX controller syslog

If you configure a syslog server for NSX controllers, NSX Manager sends all audit logs and system events to the syslog server. Syslog data is useful for troubleshooting and for reviewing data logged during installation and configuration. The only supported method of configuring the syslog server on the NSX controllers is through the NSX API. VMware recommends using UDP as the protocol for syslog.

To enable syslog on an NSX Controller, use the following NSX API call. It adds a controller syslog exporter and configures the syslog exporter on the specified controller node.

To query the existing syslog server do the following:
