可以使用用户界面和 API 对网关防火墙进行故障排除。

可以使用 NSX Manager UI 和 API 检查以下内容:
  • 为给定网关启用了网关防火墙。
  • 检查给定网关防火墙策略的实现状态。UI 在“防火墙策略”标题右上角旁边显示实现状态。
  • 检查规则统计信息以查看是否有任何流量命中防火墙策略。
  • 为规则启用日志记录以对策略进行故障排除。

网关防火墙是在 NSX Edge 传输节点上实现的。下一步是,在 NSX Edge 节点命令提示符下使用 nsxcli 命令进行数据路径故障排除,如下所示。

获取启用了防火墙的网关的 UUID

EDGE-VM-A01> get logical-router
Logical Router
UUID                                   VRF    LR-ID  Name                              Type                        Ports
736a80e3-23f6-5a2d-81d6-bbefb2786666   0      0                                        TUNNEL                      4
8ccc0151-82bd-43d3-a2dd-6a31bf0cd29b   1      1      DR-DC-Tier-0-GW                   DISTRIBUTED_ROUTER_TIER0    5
5a914d04-305f-402e-9d59-e443482c0e15   2      1025   SR-DC-Tier-0-GW                   SERVICE_ROUTER_TIER0        7
495f69d7-c46e-4044-8b40-b053a86d157b   4      2050   SR-PROD-Tier-1                    SERVICE_ROUTER_TIER1        5

使用 UUID 获取所有网关接口

网关防火墙是为网关的每个上行链路接口实现的。确定上行链路接口,并从下面的输出中获取接口 ID。
dc02-nsx-edgevm-1> get logical-router 16f04a64-ef71-4c03-bb5c-253a61752222 interfaces
Wed Dec 16 2020 PST 17:24:13.134
Logical Router
UUID                                   VRF    LR-ID  Name                              Type
16f04a64-ef71-4c03-bb5c-253a61752222   5      2059   SR-PROD-ZONE-GW                   SERVICE_ROUTER_TIER1
Interfaces (IPv6 DAD Status A-DAD_Success, F-DAD_Duplicate, T-DAD_Tentative, U-DAD_Unavailable)
    Interface     : 748d1f17-34d0-555e-8984-3ef9f9367a6c
    Ifuid         : 274
    Mode          : cpu
    Port-type     : cpu

    Interface     : 1bd7ef7f-4f3e-517a-adf0-846d7dff4e24
    Ifuid         : 275
    Mode          : blackhole
    Port-type     : blackhole

    Interface     : 2403a3a4-1bc8-4c9f-bfb0-c16c0b37680f
    Ifuid         : 300
    Mode          : loopback
    Port-type     : loopback
    IP/Mask       : 127.0.0.1/8;::1/128(NA)

    Interface     : 16cea0ab-c977-4ceb-b00f-3772436ad972         <<<<<<<<<< INTERFACE ID
    Ifuid         : 289
    Name          : DC-02-Tier0-A-DC-02-PROD-Tier-1-t1_lrp
    Fwd-mode      : IPV4_ONLY
    Mode          : lif  
    Port-type     : uplink                                       <<<<<<<<<< Port-type Uplink Interface
    IP/Mask       : 100.64.96.1/31;fe80::50:56ff:fe56:4455/64(NA);fc9f:aea3:1afb:d800::2/64(NA)
    MAC           : 02:50:56:56:44:55
    VNI           : 69633
    Access-VLAN   : untagged
    LS port       : be42fb2e-b10b-499e-a6a9-221da47a4bcc
    Urpf-mode     : NONE
    DAD-mode      : LOOSE
    RA-mode       : SLAAC_DNS_TRHOUGH_RA(M=0, O=0)
    Admin         : up
    Op_state      : up
    MTU           : 1500
    arp_proxy     :

在网关接口上获取网关防火墙规则

使用接口 ID 获取在网关接口上编写的防火墙规则。
dc02-nsx-edgevm-2> get firewall 16cea0ab-c977-4ceb-b00f-3772436ad972 ruleset rules
Wed Dec 16 2020 PST 17:43:53.047
DNAT rule count: 0


SNAT rule count: 0


Firewall rule count: 6
    Rule ID   : 5137
    Rule      : inout protocol tcp from any to any port {22, 443} accept with log

    Rule ID   : 3113
    Rule      : inout protocol icmp from any to any accept with log

    Rule ID   : 3113
    Rule      : inout protocol ipv6-icmp from any to any accept with log

    Rule ID   : 5136
    Rule      : inout protocol any from any to any accept with log

    Rule ID   : 1002
    Rule      : inout protocol any from any to any accept

    Rule ID   : 1002
    Rule      : inout protocol any stateless from any to any accept

dc02-nsx-edgevm-2>

检查网关防火墙同步状态

网关防火墙在 Edge 节点之间同步流量状态以实现高可用性。可以使用以下输出查看网关防火墙同步配置。
dc02-nsx-edgevm-1> get firewall 16cea0ab-c977-4ceb-b00f-3772436ad972 sync config
Wed Dec 16 2020 PST 17:30:55.686
HA mode             : secondary-active
Firewall enabled    : true
Sync pending        : false
Bulk sync pending   : true		Last status: ok
Failover mode       : non-preemptive
Local VTEP IP       : 172.16.213.125
Peer VTEP IP        : 172.16.213.123
Local context       : 16f04a64-ef71-4c03-bb5c-253a61752222
Peer context        : 16f04a64-ef71-4c03-bb5c-253a61752222

dc02-nsx-edgevm-1>

dc02-nsx-edgevm-2> get firewall 16cea0ab-c977-4ceb-b00f-3772436ad972 sync config
Wed Dec 16 2020 PST 17:47:43.683
HA mode             : primary-passive
Firewall enabled    : true
Sync pending        : false
Bulk sync pending   : true		Last status: ok
Failover mode       : non-preemptive
Local VTEP IP       : 172.16.213.123
Peer VTEP IP        : 172.16.213.125
Local context       : 16f04a64-ef71-4c03-bb5c-253a61752222
Peer context        : 16f04a64-ef71-4c03-bb5c-253a61752222

dc02-nsx-edgevm-2>

检查网关防火墙活动流量

可以使用以下命令查看网关防火墙活动流量。将在该网关的活动和备用 Edge 节点之间同步流量状态。下面的示例显示 edge-node-1 和 edge-node-2 的输出。
dc02-nsx-edgevm-2> get firewall 16cea0ab-c977-4ceb-b00f-3772436ad972 connection
Wed Dec 16 2020 PST 17:45:55.889
Connection count: 2
0x0000000330000598: 10.166.130.107:57113 -> 10.114.217.26:22  dir in protocol tcp state ESTABLISHED:ESTABLISHED fn 5137:0
0x04000003300058f1: 10.166.130.107 -> 10.114.217.26  dir in protocol icmp  fn 5136:0

dc02-nsx-edgevm-2>

dc02-nsx-edgevm-1> get firewall 16cea0ab-c977-4ceb-b00f-3772436ad972 connection
Wed Dec 16 2020 PST 17:47:09.980
Connection count: 2
0x0000000330000598: 10.166.130.107:57113 -> 10.114.217.26:22  dir in protocol tcp state ESTABLISHED:ESTABLISHED fn 5137:0
0x04000003300058f1: 10.166.130.107 -> 10.114.217.26  dir in protocol icmp  fn 3113:0

dc02-nsx-edgevm-1>

检查网关防火墙日志

网关防火墙日志提供网关虚拟路由和转发 (VRF)、网关接口信息以及流量详细信息。可以在 /var/log 目录中名为 firewallpkt.log 的文件中找到网关防火墙日志。

用于调试网关防火墙的其他命令行选项

dc02-nsx-edgevm-2> get firewall 16cea0ab-c977-4ceb-b00f-3772436ad972 

  Possible alternatives:
    get firewall <uuid> addrset name <string>
    get firewall <uuid> addrset sets
    get firewall <uuid> attrset name <string>
    get firewall <uuid> attrset sets
    get firewall <uuid> connection
    get firewall <uuid> connection count
    get firewall <uuid> connection raw
    get firewall <uuid> connection state
    get firewall <uuid> ike policy [<rule-id>]
    get firewall <uuid> interface stats
    get firewall <uuid> ruleset [type <rule-type>] rules [<ruleset-detail>]
    get firewall <uuid> ruleset [type <rule-type>] stats
    get firewall <uuid> sync config
    get firewall <uuid> sync stats
    get firewall <uuid> timeouts
    get firewall [logical-switch <uuid>] interfaces
    get firewall interfaces sync

dc02-nsx-edgevm-2>