Use the user interface and API to troubleshoot gateway firewall.
Use the NSX Manager UI and API to check the following:
- Gateway Firewall is enabled for the given Gateway.
- Check the realization state for a given gateway firewall policy. The UI shows the realization status next to the top right side of the FW Policy header.
- Check rule stats to see whether any traffic is hitting the FW policy.
- Enable logging for the rule for troubleshooting the policy.
Gateway firewall is implemented on the NSX Edge transport node. As a next step, troubleshoot the datapath with the nsxcli commands below, run from the NSX Edge node command prompt.
Get UUID of the Gateway on which Firewall is enabled
EDGE-VM-A01> get logical-router
Logical Router
UUID                                   VRF    LR-ID  Name               Type                       Ports
736a80e3-23f6-5a2d-81d6-bbefb2786666   0      0                         TUNNEL                     4
8ccc0151-82bd-43d3-a2dd-6a31bf0cd29b   1      1      DR-DC-Tier-0-GW    DISTRIBUTED_ROUTER_TIER0   5
5a914d04-305f-402e-9d59-e443482c0e15   2      1025   SR-DC-Tier-0-GW    SERVICE_ROUTER_TIER0       7
495f69d7-c46e-4044-8b40-b053a86d157b   4      2050   SR-PROD-Tier-1     SERVICE_ROUTER_TIER1       5
Get all Gateway interfaces using UUID
Gateway firewall is implemented per uplink interface of a gateway. Identify the uplink interface and take its interface ID from the output below.
dc02-nsx-edgevm-1> get logical-router 16f04a64-ef71-4c03-bb5c-253a61752222 interfaces
Wed Dec 16 2020 PST 17:24:13.134
Logical Router
UUID                                   VRF    LR-ID  Name               Type
16f04a64-ef71-4c03-bb5c-253a61752222   5      2059   SR-PROD-ZONE-GW    SERVICE_ROUTER_TIER1
Interfaces (IPv6 DAD Status A-DAD_Success, F-DAD_Duplicate, T-DAD_Tentative, U-DAD_Unavailable)
    Interface     : 748d1f17-34d0-555e-8984-3ef9f9367a6c
    Ifuid         : 274
    Mode          : cpu
    Port-type     : cpu

    Interface     : 1bd7ef7f-4f3e-517a-adf0-846d7dff4e24
    Ifuid         : 275
    Mode          : blackhole
    Port-type     : blackhole

    Interface     : 2403a3a4-1bc8-4c9f-bfb0-c16c0b37680f
    Ifuid         : 300
    Mode          : loopback
    Port-type     : loopback
    IP/Mask       : 127.0.0.1/8;::1/128(NA)

    Interface     : 16cea0ab-c977-4ceb-b00f-3772436ad972   <<<<<<<<<< INTERFACE ID
    Ifuid         : 289
    Name          : DC-02-Tier0-A-DC-02-PROD-Tier-1-t1_lrp
    Fwd-mode      : IPV4_ONLY
    Mode          : lif
    Port-type     : uplink                                 <<<<<<<<<< Port-type Uplink Interface
    IP/Mask       : 100.64.96.1/31;fe80::50:56ff:fe56:4455/64(NA);fc9f:aea3:1afb:d800::2/64(NA)
    MAC           : 02:50:56:56:44:55
    VNI           : 69633
    Access-VLAN   : untagged
    LS port       : be42fb2e-b10b-499e-a6a9-221da47a4bcc
    Urpf-mode     : NONE
    DAD-mode      : LOOSE
    RA-mode       : SLAAC_DNS_TRHOUGH_RA(M=0, O=0)
    Admin         : up
    Op_state      : up
    MTU           : 1500
    arp_proxy     :
Get Gateway Firewall Rules on a GW Interface
Use the interface ID to get the firewall rules programmed on a gateway interface.
dc02-nsx-edgevm-2> get firewall 16cea0ab-c977-4ceb-b00f-3772436ad972 ruleset rules
Wed Dec 16 2020 PST 17:43:53.047
DNAT rule count: 0
SNAT rule count: 0
Firewall rule count: 6
    Rule ID : 5137
    Rule    : inout protocol tcp from any to any port {22, 443} accept with log
    Rule ID : 3113
    Rule    : inout protocol icmp from any to any accept with log
    Rule ID : 3113
    Rule    : inout protocol ipv6-icmp from any to any accept with log
    Rule ID : 5136
    Rule    : inout protocol any from any to any accept with log
    Rule ID : 1002
    Rule    : inout protocol any from any to any accept
    Rule ID : 1002
    Rule    : inout protocol any stateless from any to any accept
dc02-nsx-edgevm-2>
Check Gateway Firewall Sync status
Gateway firewall syncs flow state between edge nodes for high availability. The sync configuration, including whether a sync is still pending and the peer VTEP IP, can be seen in the output below from both edge nodes.
dc02-nsx-edgevm-1> get firewall 16cea0ab-c977-4ceb-b00f-3772436ad972 sync config
Wed Dec 16 2020 PST 17:30:55.686
HA mode           : secondary-active
Firewall enabled  : true
Sync pending      : false
Bulk sync pending : true
Last status: ok
Failover mode     : non-preemptive
Local VTEP IP     : 172.16.213.125
Peer VTEP IP      : 172.16.213.123
Local context     : 16f04a64-ef71-4c03-bb5c-253a61752222
Peer context      : 16f04a64-ef71-4c03-bb5c-253a61752222
dc02-nsx-edgevm-1>

dc02-nsx-edgevm-2> get firewall 16cea0ab-c977-4ceb-b00f-3772436ad972 sync config
Wed Dec 16 2020 PST 17:47:43.683
HA mode           : primary-passive
Firewall enabled  : true
Sync pending      : false
Bulk sync pending : true
Last status: ok
Failover mode     : non-preemptive
Local VTEP IP     : 172.16.213.123
Peer VTEP IP      : 172.16.213.125
Local context     : 16f04a64-ef71-4c03-bb5c-253a61752222
Peer context      : 16f04a64-ef71-4c03-bb5c-253a61752222
dc02-nsx-edgevm-2>
Check Gateway Firewall Active Flows
Gateway firewall active flows can be seen using the command below. The flow states are synced between active and standby edge nodes for that gateway. The example below shows output from both edge-node-1 and edge-node-2.
dc02-nsx-edgevm-2> get firewall 16cea0ab-c977-4ceb-b00f-3772436ad972 connection
Wed Dec 16 2020 PST 17:45:55.889
Connection count: 2
0x0000000330000598: 10.166.130.107:57113 -> 10.114.217.26:22 dir in protocol tcp state ESTABLISHED:ESTABLISHED fn 5137:0
0x04000003300058f1: 10.166.130.107 -> 10.114.217.26 dir in protocol icmp fn 5136:0
dc02-nsx-edgevm-2>

dc02-nsx-edgevm-1> get firewall 16cea0ab-c977-4ceb-b00f-3772436ad972 connection
Wed Dec 16 2020 PST 17:47:09.980
Connection count: 2
0x0000000330000598: 10.166.130.107:57113 -> 10.114.217.26:22 dir in protocol tcp state ESTABLISHED:ESTABLISHED fn 5137:0
0x04000003300058f1: 10.166.130.107 -> 10.114.217.26 dir in protocol icmp fn 3113:0
dc02-nsx-edgevm-1>
Check Gateway Firewall Logs
Gateway firewall logs provide the gateway virtual routing and forwarding (VRF), and gateway interface information, along with flow details. Gateway firewall logs can be found in the file named firewallpkt.log in the /var/log directory.
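The procedure above is usually repeated across several gateways and edge nodes, so it is worth parsing the nsxcli output rather than reading it by eye. The following Python script is an added example, not NSX code and not part of this guide: it runs on constructed samples modelled on the ruleset, connection and sync config outputs shown above (the sample values are taken from those outputs), maps each active flow's "fn N:0" field back to its rule, flags flows that were admitted by a broad any/any accept rule rather than a specific one, and reports which sync flags are still pending. The field names and layout it expects are assumptions based on the outputs on this page.

```python
import re

# Constructed sample outputs, modelled on the nsxcli formats shown on this page.
RULESET_OUTPUT = """Firewall rule count: 4
Rule ID : 5137
Rule : inout protocol tcp from any to any port {22, 443} accept with log
Rule ID : 3113
Rule : inout protocol icmp from any to any accept with log
Rule ID : 5136
Rule : inout protocol any from any to any accept with log
Rule ID : 1002
Rule : inout protocol any from any to any accept
"""
CONNECTION_OUTPUT = """Connection count: 2
0x0000000330000598: 10.166.130.107:57113 -> 10.114.217.26:22 dir in protocol tcp state ESTABLISHED:ESTABLISHED fn 5137:0
0x04000003300058f1: 10.166.130.107 -> 10.114.217.26 dir in protocol icmp fn 5136:0
"""
SYNC_OUTPUT = """HA mode : secondary-active
Firewall enabled : true
Sync pending : false
Bulk sync pending : true
Last status: ok
"""

def parse_ruleset(text):
    """Map rule ID -> rule text from 'get firewall <uuid> ruleset rules' output."""
    pairs = re.findall(r"Rule ID\s*:\s*(\d+)\s+Rule\s*:\s*(.+)", text)
    return {int(rid): rule.strip() for rid, rule in pairs}

CONN_RE = re.compile(r"^(0x[0-9a-f]+):\s+(\S+)\s+->\s+(\S+)\s+dir\s+(\w+)"
                     r"\s+protocol\s+(\S+).*?fn\s+(\d+):\d+", re.M)

def parse_connections(text):
    """One dict per flow from 'get firewall <uuid> connection'; 'fn N:0' carries the matching rule ID."""
    return [dict(flow=f, src=s, dst=d, direction=di, proto=p, rule_id=int(r))
            for f, s, d, di, p, r in CONN_RE.findall(text)]

def flows_on_catch_all(rules, conns):
    """Flows admitted by a broad 'any from any to any accept' rule instead of a specific one."""
    broad = {rid for rid, r in rules.items() if "protocol any from any to any accept" in r}
    return [c["flow"] for c in conns if c["rule_id"] in broad]

def sync_check(text):
    """(firewall enabled, last status ok, sync flags still pending) from 'sync config' output."""
    kv = {k.strip(): v.strip() for k, v in re.findall(r"^([^:\n]+):\s*(.*)$", text, re.M)}
    pending = [k for k in ("Sync pending", "Bulk sync pending") if kv.get(k) == "true"]
    return kv.get("Firewall enabled") == "true", kv.get("Last status") == "ok", pending

if __name__ == "__main__":
    rules, conns = parse_ruleset(RULESET_OUTPUT), parse_connections(CONNECTION_OUTPUT)
    print("flows on catch-all rules:", flows_on_catch_all(rules, conns))
    print("sync check:", sync_check(SYNC_OUTPUT))
```

A flow reported by flows_on_catch_all is one that only the any/any rule admits; on a gateway that is meant to enforce a specific policy, that is the first place to look when a rule's stats stay at zero.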
Other Command Line Options for debugging Gateway Firewall
dc02-nsx-edgevm-2> get firewall 16cea0ab-c977-4ceb-b00f-3772436ad972
Possible alternatives:
get firewall <uuid> addrset name <string>
get firewall <uuid> addrset sets
get firewall <uuid> attrset name <string>
get firewall <uuid> attrset sets
get firewall <uuid> connection
get firewall <uuid> connection count
get firewall <uuid> connection raw
get firewall <uuid> connection state
get firewall <uuid> ike policy [<rule-id>]
get firewall <uuid> interface stats
get firewall <uuid> ruleset [type <rule-type>] rules [<ruleset-detail>]
get firewall <uuid> ruleset [type <rule-type>] stats
get firewall <uuid> sync config
get firewall <uuid> sync stats
get firewall <uuid> timeouts
get firewall [logical-switch <uuid>] interfaces
get firewall interfaces sync
dc02-nsx-edgevm-2>