After configuring the integration of VMware Aria Operations for Logs with NSX Identity Firewall (IDFW), add a predefined third-party identity provider such as GlobalProtect or ClearPass to the configuration. You can also add a custom identity provider.
Prerequisites
- Verify that you are logged in to the VMware Aria Operations for Logs web user interface as a Super Admin user, or a user associated with a role that has the relevant permissions. See Create and Modify Roles for more information. The URL format of the web user interface is https://operations-for-logs-host, where operations-for-logs-host is the IP address or host name of the VMware Aria Operations for Logs virtual appliance.
- Verify that you have an IDFW integration configuration in VMware Aria Operations for Logs.
Procedure
Results
VMware Aria Operations for Logs parses the auth logs from your identity provider, extracts user ID-to-IP mapping information, and sends the data to NSX Manager. Based on this data, IDFW defines identity-based firewall rules and applies the rules to users for access control.
Example: regex Parsing for GlobalProtect and ClearPass Logs
Consider the following log sample from a GlobalProtect provider:
Apr 8 14:35:19 PA-500-GW-1-EAT1 1,2021/04/08 14:35:19,009401010000,USERID,login,2049,2021/04/08 14:35:19,vsys1,10.20.30.40,vmware\john,UID-SJC31,0,1,10800,0,0,agent,,79021111,0x8000000000000000,0,0,0,0,,PA-500-GW-1-EAT1,1,,2021/04/08 14:35:28,1,0x80000000,vmware\john
The following table shows the mapping between the regex patterns and the values in the log sample, which VMware Aria Operations for Logs sends to NSX Manager.
| Option | regex Pattern | Log Value |
| --- | --- | --- |
| Username | `\\(\w+)\,` | john |
| IP Address | `\,(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\,` | 10.20.30.40 |
| Domain | `\,(\w+)\\` | vmware |
| Event Type | `USERID\,(\w+)\,` | login |
Consider the following log sample from a ClearPass provider:
2021-08-19 13:47:46,797 10.10.100.10 Insight Logs 10000111 1 0 Auth.Username=smith,Auth.Service=SOF6 vrealize SSID EAP-TLS Service,Auth.NAS-IP-Address=10.02.20.02,Auth.Host-MAC-Address=111aaaaab10b,Auth.Protocol=RADIUS,Auth.Login-Status=9002,Auth.Enforcement-Profiles=[Deny Access Profile]
The following table shows the mapping between the regex patterns and the values in the log sample, which VMware Aria Operations for Logs sends to NSX Manager.
| Option | regex Pattern | Log Value |
| --- | --- | --- |
| Username | `Username=(\w+)` | smith |
| IP Address | `Address=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})` | 10.02.20.02 |
| Domain | `SOF6\s+(\w+)` | vrealize |
| Event Type | `Auth.(\w+)-Status=` | Login |
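As an added example (not code from the VMware documentation or product), the following Python applies the four patterns from each table to the log samples quoted on this page, plus one constructed line that carries no user fields, and reduces the results to the user ID-to-IP mapping that would be forwarded to NSX Manager. The provider keys, function names and the login-only filter are assumptions made for illustration.

```python
import re

# Regex patterns copied from the two tables on this page; each has one capture
# group, and the captured value is what is forwarded to NSX Manager.
PROVIDER_PATTERNS = {
    "GlobalProtect": {
        "username":   r"\\(\w+)\,",
        "ip_address": r"\,(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\,",
        "domain":     r"\,(\w+)\\",
        "event_type": r"USERID\,(\w+)\,",
    },
    "ClearPass": {
        "username":   r"Username=(\w+)",
        "ip_address": r"Address=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
        "domain":     r"SOF6\s+(\w+)",
        "event_type": r"Auth.(\w+)-Status=",
    },
}

def parse_auth_log(provider, line):
    """Apply the provider's four patterns to one log line; return the captured
    fields, or None if any pattern fails to match (no mapping for that line)."""
    fields = {}
    for name, pattern in PROVIDER_PATTERNS[provider].items():
        match = re.search(pattern, line)
        if match is None:
            return None
        fields[name] = match.group(1)
    return fields

def build_user_ip_mapping(provider, lines):
    """Reduce log lines to the domain-qualified user -> IP mapping for NSX Manager.
    Only login events create a mapping (case-insensitive match is an assumption);
    a later login for the same user overwrites the earlier IP."""
    mapping = {}
    for line in lines:
        fields = parse_auth_log(provider, line)
        if fields is None or fields["event_type"].lower() != "login":
            continue
        mapping[fields["domain"] + "\\" + fields["username"]] = fields["ip_address"]
    return mapping

# Samples: the two log lines quoted on this page, plus one constructed
# GlobalProtect system line (no USERID fields) that must be skipped.
GLOBALPROTECT_LOGS = [
    r"Apr 8 14:35:19 PA-500-GW-1-EAT1 1,2021/04/08 14:35:19,009401010000,USERID,login,2049,2021/04/08 14:35:19,vsys1,10.20.30.40,vmware\john,UID-SJC31,0,1,10800,0,0,agent,,79021111,0x8000000000000000,0,0,0,0,,PA-500-GW-1-EAT1,1,,2021/04/08 14:35:28,1,0x80000000,vmware\john",
    "Apr 8 14:36:02 PA-500-GW-1-EAT1 1,2021/04/08 14:36:02,009401010000,SYSTEM,general,0,2021/04/08 14:36:02,vsys1,PA-500-GW-1-EAT1",  # constructed
]
CLEARPASS_LOGS = ["2021-08-19 13:47:46,797 10.10.100.10 Insight Logs 10000111 1 0 Auth.Username=smith,Auth.Service=SOF6 vrealize SSID EAP-TLS Service,Auth.NAS-IP-Address=10.02.20.02,Auth.Host-MAC-Address=111aaaaab10b,Auth.Protocol=RADIUS,Auth.Login-Status=9002,Auth.Enforcement-Profiles=[Deny Access Profile]"]
```

Because `re.search` returns the first match, a pattern such as `\,(\w+)\\` works on these samples only as long as the domain is the first comma-delimited field followed by a backslash; check the patterns against your own provider's log format before relying on the extracted mapping.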