NSX – Enable SSH after Edge is deployed

Very quick post being filed under every day is a school day!

I deployed an Edge Services Gateway without ticking (or, more specifically, without unticking) the Enable SSH option. Along comes a routing issue and I would really like to SSH onto the Edge and run a show ip route, but I could not figure out how to enable SSH after the Edge is deployed. Much digging later, the only way I could find is to open Networking & Security, browse to NSX Edges, highlight the Edge you want to enable SSH on and click Actions:

Once here click “Change CLI Credentials”:

Type in a password (you can reuse the existing password you set) and tick “Enable SSH”.

Job done!

NSX – Configure IPSec VPN service to enable site to site communication

What a pita this has been: the process is reasonably straightforward, but trying to do this in a nested environment is a pain!! The settings below should be done on both ESGs (in my hands-on lab I created two ESGs, each with a directly connected “Internal” Logical Switch and an “Internet” Logical Switch, and used a DLR to act as the Internet router).

Something like this: >Site 1 ESG Internal ( > Site 1 ESG Internet ( > Internet DLR ( > Internet DLR ( > Site 2 ESG Internet ( > Site 2 ESG Internal ( >

Enable IPSec VPN Service

You must enable the IPSec VPN service for traffic to flow from the local subnet to the peer subnet.

1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click NSX Edges.

3. Double-click an NSX Edge.

4. Click the Manage tab and then click the VPN tab.

5. Click IPSec VPN.

Continue reading

NSX – Create/edit/delete Security Tags

Add a Security Tag

You can manually add a security tag and apply it to a virtual machine. This is especially useful when you are using a non-NETX solution in your environment and hence cannot register the solution’s tags with NSX Manager.

1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click NSX Managers.

3. Click an NSX Manager in the Name column and then click the Manage tab.

4. Click the Security Tags tab.

Continue reading

NSX – Configure Security Policies

A security policy is a set of Endpoint, firewall, and network introspection services that can be applied to a security group. The order in which security policies are displayed is determined by the weight associated with the policy. By default, a new policy is assigned the highest weight so that it is at the top of the table. However, you can modify the default suggested weight to change the order assigned to the new policy.

NSX assigns a default weight (highest existing weight + 1000) to the new policy. For example, if the highest weight amongst the existing policies is 1200, the new policy is assigned a weight of 2200.

Security policies are applied according to their weight – a policy with a higher weight has precedence over a policy with a lower weight.


1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click Service Composer.

3. Click the Security Policies tab.

Continue reading

NSX – Create/configure Identity-based firewall (IDFW) for specific users/groups

This post will focus on creating firewall rules that utilise Active Directory groups. I’ve already covered how you integrate NSX with AD here, so let’s get straight into creating a Security Group:

1. Select the NSX Manager, then click Manage, followed by Grouping Objects.

2. Click on Security Groups.

3. Click the green + sign to Add a Security Group. What I am going to do is create a dynamic group membership based on the AD group by selecting Entity, Belongs to and then clicking the “Select Entity” button:

Continue reading

NSX – Create/configure Firewall rule sections for specific departments

Create Distributed Firewall Rule Sections

You can add a section to segregate firewall rules. For example, you may like to have the rules for sales and engineering departments in separate sections.

1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click Firewall.

3. Ensure that you are in the General tab to add a section for L3 rules. Click the Ethernet tab to add a section for L2 rules.

Continue reading

NSX – Monitor and analyze virtual machine traffic with Flow Monitoring

Flow Monitoring is a traffic analysis tool that provides a detailed view of the traffic to and from protected virtual machines. When flow monitoring is enabled, its output shows which machines are exchanging data and over which application. This data includes the number of sessions and the packets transmitted per session. Session details include the sources, destinations, applications and ports being used, and can be used to create firewall allow or block rules.

You can view TCP and UDP connections to and from a selected vNIC. You can also exclude flows by specifying filters.

Flow Monitoring can thus be used as a forensic tool to detect rogue services and examine outbound sessions.

Configure Flow Monitoring

Flow collection must be enabled for you to view traffic information. You can filter the data being displayed by specifying exclusion criteria. For example, you may want to exclude a proxy server to avoid seeing duplicate flows. Or, if you are running a Nessus scan on the virtual machines in your inventory, you may not want the scan flows to be collected.


1. Log in to the vSphere Web Client.

2. Select Networking & Security from the left navigation pane and then select Flow Monitoring.

3. Select the Configuration tab.

Continue reading