There are several components to look into when troubleshooting Identity Firewall.

Problem

Publishing or updating Identity Firewall rules fails.

Cause

Identity Firewall (IDFW) allows user-based distributed firewall (DFW) rules.

User-based distributed firewall rules are determined by membership in an Active Directory (AD) group. IDFW monitors where Active Directory users log in and maps each login to an IP address, which DFW uses to apply firewall rules. To detect logins, IDFW requires the Guest Introspection framework, Active Directory event log scraping, or both.

Solution

  1. Make sure that the Active Directory server full/delta sync is working on the NSX Manager.
    1. In the vSphere Web Client, log in to the vCenter linked to the NSX Manager.
    2. Navigate to Home > Networking & Security > System > Users and Domains.
    3. Click the Domains tab, and select your NSX Manager from the drop-down menu.
    4. Select your domain from the list. Verify that the Last Synchronization Status column displays SUCCESS and the Last Synchronization Time is current.
  2. If your firewall environment uses the event log scraping method of login detection, follow these steps to verify that you have configured an event log server for your domain:
    1. In the vSphere Web Client, log in to the vCenter linked to the NSX Manager.
    2. Navigate to Home > Networking & Security > System > Users and Domains.
    3. Click the Domains tab, and select your NSX Manager from the drop-down menu.
    4. Select your domain from the list. Here you can view and edit the detailed domain configuration.
    5. Select Event Log Servers from the domain details and verify that your Event Log Server is added.
    6. Select your Event Log Server, and verify that the Last Sync Status column displays SUCCESS and the Last Sync Time is current.
  3. If your firewall environment uses Guest Introspection, the framework must be deployed to the compute clusters where your IDFW protected VMs will reside. The Service Health Status in the UI should be green. Guest Introspection diagnostic and log information is found in Troubleshooting Guest Introspection.
  4. After verifying the correct configuration of your logon detection method, ensure that the NSX Manager is receiving logon events:
    1. Log in an Active Directory user.
    2. Run the following API call to query for login events, and verify that your user is returned in the results: GET https://<nsxmgr-ip>/1.0/identity/userIpMapping
      Example output:
      <UserIpMappings>
          <UserIpMapping>
              <ip>50.1.111.192</ip>
              <userName>user1_group20</userName>
              <displayName>user1_group20</displayName>
              <domainName>cd.ad1.db.com</domainName>
              <startTime class="sql-timestamp">2017-05-11 22:30:51.0</startTime>
              <startType>EVENTLOG</startType>
              <lastSeenTime class="sql-timestamp">2017-05-11 22:30:52.0</lastSeenTime>
              <lastSeenType>EVENTLOG</lastSeenType>
          </UserIpMapping>
      </UserIpMappings>
  5. Verify that your security group is used in a firewall rule, or has an assigned security policy. Security group processing in IDFW will not take place unless one of these conditions is true.
  6. After verifying that IDFW is detecting logons correctly, verify that the ESXi host where your desktop VM resides is receiving the correct configuration. These steps will use the NSX Manager central CLI. To check the desktop VM IP address populated in the ip-securitygroup list:
    1. See CLI Commands for DFW to retrieve the filter name applied on the desktop VM.
    2. Run the show dfw host hostID filter filterID rules command to view the DFW rules applied to the filter.
    3. Run the show dfw host hostID filter filterID addrsets command to view the IP address populated in the ip-securitygroup list. Verify that your IP is displayed in the list.
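To script the check in step 4 above, the following Python example, added here and not part of the KB article, parses the XML returned by GET https://<nsxmgr-ip>/1.0/identity/userIpMapping, looks up a user, and flags mappings whose lastSeenTime is older than a chosen age (a current logon should have a recent lastSeenTime). The embedded sample is the example output shown above; the fetch helper assumes the NSX Manager API accepts HTTP basic authentication over HTTPS with a trusted certificate, and the capture time used for the staleness check on the sample is an assumption.

```python
"""Check NSX Identity Firewall user-to-IP mappings (added example, not VMware code)."""
import base64
import sys
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime

# Sample response: the example output from the KB article above.
SAMPLE_RESPONSE = """<UserIpMappings>
    <UserIpMapping>
        <ip>50.1.111.192</ip>
        <userName>user1_group20</userName>
        <displayName>user1_group20</displayName>
        <domainName>cd.ad1.db.com</domainName>
        <startTime class="sql-timestamp">2017-05-11 22:30:51.0</startTime>
        <startType>EVENTLOG</startType>
        <lastSeenTime class="sql-timestamp">2017-05-11 22:30:52.0</lastSeenTime>
        <lastSeenType>EVENTLOG</lastSeenType>
    </UserIpMapping>
</UserIpMappings>"""

# Assumed time at which the sample above was captured (used for the staleness check).
SAMPLE_CAPTURE_TIME = datetime(2017, 5, 11, 22, 31, 0)

# Format of the 'sql-timestamp' values in the response.
TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M:%S.%f"


def parse_timestamp(value):
    """Parse a 'sql-timestamp' string such as '2017-05-11 22:30:52.0'."""
    return datetime.strptime(value.strip(), TIMESTAMP_FORMAT)


def parse_user_ip_mappings(xml_text):
    """Return one dict per <UserIpMapping> element in the response."""
    root = ET.fromstring(xml_text)
    mappings = []
    for node in root.findall("UserIpMapping"):
        mappings.append({
            "ip": node.findtext("ip", "").strip(),
            "userName": node.findtext("userName", "").strip(),
            "domainName": node.findtext("domainName", "").strip(),
            "startType": node.findtext("startType", "").strip(),
            "lastSeenType": node.findtext("lastSeenType", "").strip(),
            "startTime": parse_timestamp(node.findtext("startTime")),
            "lastSeenTime": parse_timestamp(node.findtext("lastSeenTime")),
        })
    return mappings


def find_user(mappings, user_name, domain_name=None):
    """Return the mappings for a user (case-insensitive), optionally limited to one domain."""
    return [
        m for m in mappings
        if m["userName"].lower() == user_name.lower()
        and (domain_name is None or m["domainName"].lower() == domain_name.lower())
    ]


def is_stale(mapping, now, max_age_seconds=300):
    """True if the mapping's lastSeenTime is older than max_age_seconds relative to 'now'."""
    age = (now - mapping["lastSeenTime"]).total_seconds()
    return age > max_age_seconds


def fetch_user_ip_mappings(nsxmgr_ip, username, password):
    """Fetch the live mapping list from NSX Manager (assumes HTTP basic auth; not run offline)."""
    url = "https://%s/1.0/identity/userIpMapping" % nsxmgr_ip
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


def report(xml_text, user_name, now, max_age_seconds=300):
    """Print the user's mappings and return (mappings_found, stale_mappings)."""
    hits = find_user(parse_user_ip_mappings(xml_text), user_name)
    stale = 0
    for m in hits:
        if is_stale(m, now, max_age_seconds):
            stale += 1
            state = "STALE"
        else:
            state = "current"
        print("%s\\%s -> %s via %s, last seen %s (%s)" % (
            m["domainName"], m["userName"], m["ip"], m["lastSeenType"], m["lastSeenTime"], state))
    if not hits:
        print("no mapping for user %r: re-check the login detection method (steps 1-3)" % user_name)
    return len(hits), stale


if __name__ == "__main__":
    # Usage: python idfw_check.py [user]   (runs offline against the sample response)
    user = sys.argv[1] if len(sys.argv) > 1 else "user1_group20"
    report(SAMPLE_RESPONSE, user, SAMPLE_CAPTURE_TIME)
```

Against a live NSX Manager, replace SAMPLE_RESPONSE with the output of fetch_user_ip_mappings() and pass the current time as now; a user that is logged on but reported as STALE or missing points at the event log server or Guest Introspection checks in steps 1 to 3 rather than at the firewall rule itself.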

Solution

Note: When troubleshooting Identity Firewall (IDFW) with VMware Technical Support, this data is helpful:
  • If using event log scraping, Active Directory scale data:
    • # of Domains for a single NSX Manager
    • # of Forests
    • # of Users / Forest
    • # of Users / Domain
    • # of Active Directory groups per Domain
    • # of Users / Active Directory Group
    • # of Active Directory / User
    • # of Domain Controllers
    • # of Active Directory Log Servers
  • User login scale data:
    • Average # of users per min
  • Deployment details using IDFW with VDI:
    • # of VDI desktops / VC
    • # of hosts / VC
    • # of VDI desktops / host
  • If using Guest Introspection:
    • Version of VMTools (Guest Introspection Drivers)
    • Version of Windows Guest OS