After configuring the integration of vRealize Log Insight with NSX Identity Firewall(IDFW), add a predefined third-party identity provider such as GlobalProtect or ClearPass to the configuration. You can also add a custom identity provider.

Prerequisites

  • Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin user, or a user associated with a role that has the relevant permissions. See Create and Modify Roles for more information. The URL format of the web user interface is https://log-insight-host, where log-insight-host is the IP address or host name of the vRealize Log Insight virtual appliance.
  • Verify that you have an IDFW integration configuration in vRealize Log Insight.

Procedure

  1. Navigate to the Administration tab.
  2. Under Integration, click NSX Identity Firewall.
  3. Under Provider, click New Provider.
  4. Enter the following information:
    Option Description
    Name A unique name for your identity provider.
    Type

    The identity provider type. You can select a predefined provider such as GlobalProtect or ClearPass, or a custom provider.

    If you select a predefined provider, the regex patterns for Username, IP Address, Domain, and Event Type are populated based on the provider. You can modify these values.

    If you select a custom provider, you must enter the regex patterns for Username, IP Address, and Domain.

    Username The regex pattern to identify the user name in the logs from your provider.
    IP Address The regex pattern to identify the IP address in the logs from your provider.
    Domain The regex pattern to identify the domain in the logs from your provider.
    Event Type

    The regex pattern to identify the event type in the logs from your provider.

    The event type for custom providers is Login and is not mandatory. If you want another value, enter a regex pattern to identify the event type.

    Source

    One or more source IP addresses or FQDNs. You can separate multiple entries by using commas.

    vRealize Log Insight parses the logs only from the sources that you enter for your provider, for optimal performance and security.
    • To ensure optimal performace, vRealize Log Insight applies the regex patterns only to the logs from the selected sources.
    • To ensure security, vRealize Log Insight sends only valid data from known sources to NSX Manager.
    Note:
    • For custom providers that are sending logs through syslog, the regex patterns for the fields are applied to the message, and not the syslog headers.
    • regex patterns are case sensitive.
    • For regex field definitions, you must use Java-based regex.
    • Forwarding logs from a vRealize Log Insight instance can change the source, which is used for provider configuration. Instead, send logs directly from the identity provider to vRealize Log Insight.
    • Ensure that a provider source is unique within the scope of an NSX IDFW integration configuration.
    • Predefined providers are configured for certain versions of the identity providers, which are available in the vRealize Log Insight user interface. The pre-populated regex pattern might not be accurate for other versions.
  5. Click Save.

Results

vRealize Log Insight parses the auth logs from your identity provider, extracts user ID-to-IP mapping information, and sends the data to NSX Manager. Based on this data, IDFW defines identity based firewall rules and applies the rules to users for access control.

Example: regex Parsing for GlobalProtect and ClearPass Logs

  • Consider the following log sample from a GlobalProtect provider:

    Apr 8 14:35:19 PA-500-GW-1-EAT1 1,2021/04/08 14:35:19,009401010000,USERID,login,2049,2021/04/08 14:35:19,vsys1,10.20.30.40,vmware\john,UID-SJC31,0,1,10800,0,0,agent,,79021111,0x8000000000000000,0,0,0,0,,PA-500-GW-1-EAT1,1,,2021/04/08 14:35:28,1,0x80000000,vmware\john

    The following table shows the mapping between the regex patterns and the values in the log sample, which vRealize Log Insight sends to NSX Manager.

    Option regex Pattern Log Value
    Username \\(\w+)\, john
    IP Address \,(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\, 10.20.30.40
    Domain \,(\w+)\\ vmware
    Event Type USERID\,(\w+)\, login
  • Consider the following log sample from a ClearPass provider:

    2021-08-19 13:47:46,797 10.10.100.10 Insight Logs 10000111 1 0 Auth.Username=smith,Auth.Service=SOF6 vrealize SSID EAP-TLS Service,Auth.NAS-IP-Address=10.02.20.02,Auth.Host-MAC-Address=111aaaaab10b,Auth.Protocol=RADIUS,Auth.Login-Status=9002,Auth.Enforcement-Profiles=[Deny Access Profile]

    The following table shows the mapping between the regex patterns and the values in the log sample, which vRealize Log Insight sends to NSX Manager.

    Option regex Pattern Log Value
    Username Username=(\w+) smith
    IP Address Address=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) 10.02.20.02
    Domain SOF6\s+(\w+) vrealize
    Event Type Auth.(\w+)-Status= Login