This section discusses the steps to check IP reputation and its related events.
Checking IP Reputation Database
Log in to the NSX Advanced Load Balancer CLI and use the show ipreputationdb <pdb_name> entries filter ip_addr <ip_addr> command to check whether a given IP address is categorized as a bad IP address in the reputation database.
[admin:controller]: >show ipreputationdb System-IPReputation-Webroot-DB entries filter ip_addr 1.2.3.4
You can check the reputation of a given IP using the following command:
[admin:controller]: >show ipreputationdb System-IPReputation-Webroot-DB data filter ip_addr 1.2.3.4
You can also use the first command to check the IP reputation. The difference is that the first command queries all the Service Engines for the reputation status of the IP address, which can be helpful while debugging but is expensive with a large Service Engine cluster.
The second (newer) command checks IP reputation status directly on the Controller.
The database can be checked using the following API endpoint:
/api/ipreputationdb/ipreputationdb-UUID/data?ip_addr=1.2.3.4
where the ipreputationdb-UUID can be obtained using:
/api/ipreputationdb/?name=System-IPReputation-Webroot-DB
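The two API calls above can be chained as follows. This is an added example, not code from the product documentation. The fetch callable (an authenticated GET that returns parsed JSON), the constructed replies, and the {"count", "results": [{"uuid"}]} shape of the name lookup response are assumptions.

```python
import ipaddress
import json
from urllib.parse import quote, urlencode

DB_NAME = "System-IPReputation-Webroot-DB"  # database name used on this page


def lookup_db_uuid(fetch, name=DB_NAME):
    """Step 1: resolve the database name to its UUID."""
    listing = fetch("/api/ipreputationdb/?" + urlencode({"name": name}))
    # Assumption: collection GETs return {"count": N, "results": [{"uuid": ...}]}.
    results = listing.get("results", [])
    if len(results) != 1:
        raise LookupError(f"expected one database named {name!r}, got {len(results)}")
    return results[0]["uuid"]


def data_path(db_uuid, ip_addr):
    """Step 2: build the data query path, rejecting anything that is not an IP."""
    ip = ipaddress.ip_address(ip_addr)  # raises ValueError on malformed input
    query = urlencode({"ip_addr": str(ip)})
    return f"/api/ipreputationdb/{quote(db_uuid, safe='')}/data?{query}"


def check_ip(fetch, ip_addr, name=DB_NAME):
    """Run both steps; the data response is returned as-is for the caller to inspect."""
    return fetch(data_path(lookup_db_uuid(fetch, name), ip_addr))


def constructed_fetch(path):
    """Stand-in for an authenticated GET against the Controller (constructed replies)."""
    if path.startswith("/api/ipreputationdb/?"):
        return json.loads('{"count": 1, "results": [{"uuid": "ipreputationdb-UUID"}]}')
    return {"requested_path": path}  # placeholder body, not the real response schema


if __name__ == "__main__":
    print(check_ip(constructed_fetch, "1.2.3.4"))
```

Replace constructed_fetch with a function that performs the authenticated request against your Controller. Validating the address before building the URL keeps untrusted input, such as a value copied from a log line, out of the query string.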
Enable Logging of IP Reputation Events
NSX Advanced Load Balancer collects various alerts and events related to the IP reputation service. You can enable logging for a specific virtual service to capture the blocked requests. To enable logging, use the following steps:
Select Network Security under Policies, and click Edit against the created Rule.
Enter the IP Reputation Type and action required.
Click Save Rule.
The log event shows the following information:
Source IP Address.
Destination IP Address.
Matched rule.
Navigate to
and filter the events using the required keywords (for example, albservice) to view the alert event for IP reputation database synchronization failure. For more information on filtering with keywords, see the Events topic in the VMware NSX Advanced Load Balancer Monitoring and Operability Guide.