NSX – Enable SSH after Edge is deployed

Very quick post being filed under every day is a school day!

I deployed an Edge Service Gateway without ticking (or more specifically unticking) the Enable SSH button. Along comes some routing issue and I would really like to SSH onto the Edge and do a show ip route but I could not figure out how to enable SSH after the Edge is deployed. Much digging later the only way I could see is to open Networking and Security then browse to NSX Edges, highlight the Edge you want to enable SSH on and click Actions:

Once here click “Change CLI Credentials”:

Type in a password (you can reuse the existing password you set) and tick “Enable SSH”.

Job done!

NSX – Configure IPSec VPN service to enable site to site communication

What a pita this has been, the process is reasonably straight forward but trying to do this in a nested environment is a pain!! The settings below should be done of both ESGs (in my (hands on) lab I created two ESGs with a directly connected “Internal” Logical Switch and an “Internet” Logical Switch and used a DLR to act as the Internet Router.

Something like this: >Site 1 ESG Internal ( > Site 1 ESG Internet ( > Internet DLR ( > Internet DLR ( > Site 2 ESG Internet ( > Site 2 ESG Internal ( >

Enable IPSec VPN Service

You must enable the IPSec VPN service for traffic to flow from the local subnet to the peer subnet

1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click NSX Edges.

3. Double-click an NSX Edge.

4. Click the Manage tab and then click the VPN tab.

5. Click IPSec VPN.

Continue reading

NSX – Create/edit/delete Security Tags

Add a Security Tag

You can manually add a security tag and apply it to a virtual machine. This is especially useful when you are using a non-NETX solution in your environment and hence, cannot register the solution tags with NSX Manager.

1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click NSX Managers.

3. Click an NSX Manager in the Name column and then click the Manage tab.

4. Click the Security Tags tab.

Continue reading

NSX – Configure Security Policies

A security policy is a set of Endpoint, firewall, and network introspection services that can be applied to a security group. The order in which security policies are displayed is determined by the weight associated with the policy. By default, a new policy is assigned the highest weight so that it is at the top of the table. However, you can modify the default suggested weight to change the order assigned to the new policy.

NSX assigns a default weight (highest weight +1000) to the policy. For example, if the highest weight amongst the existing policy is 1200, the new policy is assigned a weight of 2200.

Security policies are applied according to their weight – a policy with the higher weight has precedence over a policy with a lower weight.


1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click Service Composer.

3. Click the Security Policies tab.

Continue reading

NSX – Create/configure Identity-based firewall (IDFW) for specific users/groups

This post will focus on create firewall rules that utilise Active Directory Groups, I’ve already covered who you integrate NSX with AD here so let’s get straight into creating a Security Group:

1. Select the NSX Manager, then click Manage, followed by Grouping Objects.

2. Click on Security Groups.

3. Click the green + sign to Add a Security Group. What I am going to do is create a dynamic group membership based on the AD Group by selecting Entity, Belongs to and then clicking the “Select Entity” button: Continue reading

NSX – Create/configure Firewall rule sections for specific departments

Create Distributed Firewall Rule Sections

You can add a section to segregate firewall rules. For example, you may like to have the rules for sales and engineering departments in separate sections.

1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click Firewall.

3. Ensure that you are in the General tab to add a section for L3 rules. Click the Ethernet tab to add a section for L2 rules.

Continue reading