Use the user interface and API to troubleshoot gateway firewall.
Use NSX Manager UI and API to check the following:
- Gateway Firewall is enabled for the given Gateway.
- Check the realization state of the gateway firewall policy. The UI shows the realization status at the top right of the FW Policy header.
- Check rule stats to see whether any traffic is hitting the FW policy.
- Enable logging for the rule for troubleshooting the policy.
Gateway firewall is implemented on the NSX Edge transport node. As a next step, troubleshoot the datapath with the nsxcli commands below, run from the NSX Edge node command prompt.
Get UUID of the Gateway on which Firewall is enabled
EDGE-VM-A01> get logical-router
Logical Router
UUID                                   VRF    LR-ID  Name               Type                        Ports
736a80e3-23f6-5a2d-81d6-bbefb2786666   0      0                         TUNNEL                      4
8ccc0151-82bd-43d3-a2dd-6a31bf0cd29b   1      1      DR-DC-Tier-0-GW    DISTRIBUTED_ROUTER_TIER0    5
5a914d04-305f-402e-9d59-e443482c0e15   2      1025   SR-DC-Tier-0-GW    SERVICE_ROUTER_TIER0        7
495f69d7-c46e-4044-8b40-b053a86d157b   4      2050   SR-PROD-Tier-1     SERVICE_ROUTER_TIER1        5
Get all Gateway interfaces using UUID
Gateway firewall is implemented per Uplink interface of a Gateway. Identify the uplink interface and get the interface ID from the output below.
dc02-nsx-edgevm-1> get logical-router 16f04a64-ef71-4c03-bb5c-253a61752222 interfaces
Wed Dec 16 2020 PST 17:24:13.134
Logical Router
UUID VRF LR-ID Name Type
16f04a64-ef71-4c03-bb5c-253a61752222 5 2059 SR-PROD-ZONE-GW SERVICE_ROUTER_TIER1
Interfaces (IPv6 DAD Status A-DAD_Success, F-DAD_Duplicate, T-DAD_Tentative, U-DAD_Unavailable)
Interface : 748d1f17-34d0-555e-8984-3ef9f9367a6c
Ifuid : 274
Mode : cpu
Port-type : cpu
Interface : 1bd7ef7f-4f3e-517a-adf0-846d7dff4e24
Ifuid : 275
Mode : blackhole
Port-type : blackhole
Interface : 2403a3a4-1bc8-4c9f-bfb0-c16c0b37680f
Ifuid : 300
Mode : loopback
Port-type : loopback
IP/Mask : 127.0.0.1/8;::1/128(NA)
Interface : 16cea0ab-c977-4ceb-b00f-3772436ad972 <<<<<<<<<< INTERFACE ID
Ifuid : 289
Name : DC-02-Tier0-A-DC-02-PROD-Tier-1-t1_lrp
Fwd-mode : IPV4_ONLY
Mode : lif
Port-type : uplink <<<<<<<<<< Port-type Uplink Interface
IP/Mask : 100.64.96.1/31;fe80::50:56ff:fe56:4455/64(NA);fc9f:aea3:1afb:d800::2/64(NA)
MAC : 02:50:56:56:44:55
VNI : 69633
Access-VLAN : untagged
LS port : be42fb2e-b10b-499e-a6a9-221da47a4bcc
Urpf-mode : NONE
DAD-mode : LOOSE
RA-mode : SLAAC_DNS_TRHOUGH_RA(M=0, O=0)
Admin : up
Op_state : up
MTU : 1500
arp_proxy :
Get Gateway Firewall Rules on a GW Interface
Use Interface ID to get firewall rules programmed on a gateway interface.
dc02-nsx-edgevm-2> get firewall 16cea0ab-c977-4ceb-b00f-3772436ad972 ruleset rules
Wed Dec 16 2020 PST 17:43:53.047
DNAT rule count: 0
SNAT rule count: 0
Firewall rule count: 6
Rule ID : 5137
Rule : inout protocol tcp from any to any port {22, 443} accept with log
Rule ID : 3113
Rule : inout protocol icmp from any to any accept with log
Rule ID : 3113
Rule : inout protocol ipv6-icmp from any to any accept with log
Rule ID : 5136
Rule : inout protocol any from any to any accept with log
Rule ID : 1002
Rule : inout protocol any from any to any accept
Rule ID : 1002
Rule : inout protocol any stateless from any to any accept
dc02-nsx-edgevm-2>
Check Gateway Firewall Sync status
Gateway firewall flow state is synced between edge nodes for high availability. The sync configuration can be checked with the command below, shown here from both edge nodes; the HA mode, VTEP IPs and peer context should be consistent on the two nodes.
dc02-nsx-edgevm-1> get firewall 16cea0ab-c977-4ceb-b00f-3772436ad972 sync config
Wed Dec 16 2020 PST 17:30:55.686
HA mode : secondary-active
Firewall enabled : true
Sync pending : false
Bulk sync pending : true
Last status: ok
Failover mode : non-preemptive
Local VTEP IP : 172.16.213.125
Peer VTEP IP : 172.16.213.123
Local context : 16f04a64-ef71-4c03-bb5c-253a61752222
Peer context : 16f04a64-ef71-4c03-bb5c-253a61752222
dc02-nsx-edgevm-1>
dc02-nsx-edgevm-2> get firewall 16cea0ab-c977-4ceb-b00f-3772436ad972 sync config
Wed Dec 16 2020 PST 17:47:43.683
HA mode : primary-passive
Firewall enabled : true
Sync pending : false
Bulk sync pending : true
Last status: ok
Failover mode : non-preemptive
Local VTEP IP : 172.16.213.123
Peer VTEP IP : 172.16.213.125
Local context : 16f04a64-ef71-4c03-bb5c-253a61752222
Peer context : 16f04a64-ef71-4c03-bb5c-253a61752222
dc02-nsx-edgevm-2>
Check Gateway Firewall Active Flows
Gateway firewall active flows can be seen using the command below. The flow states are synced between active and standby edge nodes for that gateway. The example below shows output from both edge-node-1 and edge-node-2.
dc02-nsx-edgevm-2> get firewall 16cea0ab-c977-4ceb-b00f-3772436ad972 connection
Wed Dec 16 2020 PST 17:45:55.889
Connection count: 2
0x0000000330000598: 10.166.130.107:57113 -> 10.114.217.26:22 dir in protocol tcp state ESTABLISHED:ESTABLISHED fn 5137:0
0x04000003300058f1: 10.166.130.107 -> 10.114.217.26 dir in protocol icmp fn 5136:0
dc02-nsx-edgevm-2>
dc02-nsx-edgevm-1> get firewall 16cea0ab-c977-4ceb-b00f-3772436ad972 connection
Wed Dec 16 2020 PST 17:47:09.980
Connection count: 2
0x0000000330000598: 10.166.130.107:57113 -> 10.114.217.26:22 dir in protocol tcp state ESTABLISHED:ESTABLISHED fn 5137:0
0x04000003300058f1: 10.166.130.107 -> 10.114.217.26 dir in protocol icmp fn 3113:0
dc02-nsx-edgevm-1>
Check Gateway Firewall Logs
Gateway firewall logs can be read on the edge node or sent to a syslog server. Each log line carries the logical router VRF, the firewall interface ID, the FW rule ID and the flow details (action, direction, protocol, source and destination).
dc02-nsx-edgevm-1> get log-file syslog | find datapathd.firewallpkt
<181>1 2020-08-04T21:18:25.633996+00:00 dc02-nsx-edgevm-1 NSX 26581 FIREWALL [nsx@6876 comp="nsx-edge" subcomp="datapathd.firewallpkt" level="INFO"] <8 16cea0abc9774ceb:b00f3772436ad972> INET reason-match PASS 3061 OUT 48 TCP 10.114.217.26/33646->10.114.208.136/22 S
<181>1 2020-08-04T21:18:41.182424+00:00 dc02-nsx-edgevm-1 NSX 26581 FIREWALL [nsx@6876 comp="nsx-edge" subcomp="datapathd.firewallpkt" level="INFO"] <2 460b362ce1254ebd:98498057bc3b18df> INET TERM PASS 3053 IN TCP 10.166.56.254/60291->10.114.217.26/22
dc02-nsx-edgevm-1>
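As an added example (not part of this page or of NSX), a small Python parser for datapathd.firewallpkt lines as shown above: it extracts the VRF, interface ID, action, rule ID, direction and flow tuple, turns the interface ID back into the UUID form that get firewall <uuid> takes, and counts hits per interface and rule, which is useful when the syslog server is the only place the logs are kept. The sample input is constructed from the two log lines above plus one constructed DROP line whose rule id 1003 is a placeholder.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample lines modelled on the page's syslog output (not captured from a live edge); the DROP line is invented.
SAMPLE_LOG = """\
<181>1 2020-08-04T21:18:25.633996+00:00 dc02-nsx-edgevm-1 NSX 26581 FIREWALL [nsx@6876 comp="nsx-edge" subcomp="datapathd.firewallpkt" level="INFO"] <8 16cea0abc9774ceb:b00f3772436ad972> INET reason-match PASS 3061 OUT 48 TCP 10.114.217.26/33646->10.114.208.136/22 S
<181>1 2020-08-04T21:18:41.182424+00:00 dc02-nsx-edgevm-1 NSX 26581 FIREWALL [nsx@6876 comp="nsx-edge" subcomp="datapathd.firewallpkt" level="INFO"] <2 460b362ce1254ebd:98498057bc3b18df> INET TERM PASS 3053 IN TCP 10.166.56.254/60291->10.114.217.26/22
<181>1 2020-08-04T21:19:02.000000+00:00 dc02-nsx-edgevm-1 NSX 26581 FIREWALL [nsx@6876 comp="nsx-edge" subcomp="datapathd.firewallpkt" level="INFO"] <8 16cea0abc9774ceb:b00f3772436ad972> INET reason-match DROP 1003 IN 60 TCP 10.166.56.254/44512->10.114.217.26/3389 S
"""

# Layout after the structured-data block: <VRF IFID> FAMILY EVENT ACTION RULE DIR [LEN] PROTO SRC[/PORT]->DST[/PORT] [FLAGS]
FW_LOG_RE = re.compile(
    r'subcomp="datapathd\.firewallpkt".*?\]\s+'
    r'<(?P<vrf>\d+)\s+(?P<ifid>[0-9a-f]+:[0-9a-f]+)>\s+'
    r'(?P<family>INET6?)\s+(?P<event>\S+)\s+(?P<action>PASS|DROP|REJECT)\s+'
    r'(?P<rule_id>\d+)\s+(?P<direction>IN|OUT)\s+(?:(?P<length>\d+)\s+)?'
    r'(?P<proto>[A-Z0-9-]+)\s+(?P<src>[0-9a-f.:]+)(?:/(?P<sport>\d+))?->'
    r'(?P<dst>[0-9a-f.:]+)(?:/(?P<dport>\d+))?'
)

def interface_id_to_uuid(ifid: str) -> str:
    """Turn the '<hex16>:<hex16>' interface id printed in the log into the UUID that 'get firewall <uuid>' expects."""
    h = ifid.replace(":", "")
    if len(h) != 32:
        raise ValueError(f"unexpected interface id: {ifid}")
    return f"{h[:8]}-{h[8:12]}-{h[12:16]}-{h[16:20]}-{h[20:]}"

def parse_fw_log(line: str) -> Optional[dict]:
    """Parse one datapathd.firewallpkt line into a dict; None for lines that are not firewall packet logs."""
    m = FW_LOG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    for k in ("vrf", "rule_id", "length", "sport", "dport"):  # length/ports are absent on some lines
        ev[k] = int(ev[k]) if ev[k] is not None else None
    ev["interface_uuid"] = interface_id_to_uuid(ev["ifid"])
    return ev

def hits_per_rule(log_text: str) -> Counter:
    """Count lines per (interface UUID, rule id, action): the 'ruleset stats' view, rebuilt from syslog."""
    c = Counter()
    for line in log_text.splitlines():
        ev = parse_fw_log(line)
        if ev:
            c[(ev["interface_uuid"], ev["rule_id"], ev["action"])] += 1
    return c
```

Lines that are not firewall packet logs (other NSX subcomponents in the same syslog file) are skipped rather than raising.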
Other Command Line Options for debugging Gateway Firewall
dc02-nsx-edgevm-2> get firewall 16cea0ab-c977-4ceb-b00f-3772436ad972
Possible alternatives:
get firewall <uuid> addrset name <string>
get firewall <uuid> addrset sets
get firewall <uuid> attrset name <string>
get firewall <uuid> attrset sets
get firewall <uuid> connection
get firewall <uuid> connection count
get firewall <uuid> connection raw
get firewall <uuid> connection state
get firewall <uuid> ike policy [<rule-id>]
get firewall <uuid> interface stats
get firewall <uuid> ruleset [type <rule-type>] rules [<ruleset-detail>]
get firewall <uuid> ruleset [type <rule-type>] stats
get firewall <uuid> sync config
get firewall <uuid> sync stats
get firewall <uuid> timeouts
get firewall [logical-switch <uuid>] interfaces
get firewall interfaces sync
dc02-nsx-edgevm-2>