After configuring the integration of vRealize Log Insight with NSX Identity Firewall (IDFW), add a predefined third-party identity provider such as GlobalProtect or ClearPass to the configuration. You can also add a custom identity provider.
Prerequisites
- Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin user, or a user associated with a role that has the relevant permissions. See Create and Modify Roles for more information. The URL format of the web user interface is https://log-insight-host, where log-insight-host is the IP address or host name of the vRealize Log Insight virtual appliance.
- Verify that you have an IDFW integration configuration in vRealize Log Insight.
Procedure
Results
vRealize Log Insight parses the auth logs from your identity provider, extracts user ID-to-IP mapping information, and sends the data to NSX Manager. Based on this data, IDFW defines identity-based firewall rules and applies the rules to users for access control.
Example: regex Parsing for GlobalProtect and ClearPass Logs
Consider the following log sample from a GlobalProtect provider:
Apr 8 14:35:19 PA-500-GW-1-EAT1 1,2021/04/08 14:35:19,009401010000,USERID,login,2049,2021/04/08 14:35:19,vsys1,10.20.30.40,vmware\john,UID-SJC31,0,1,10800,0,0,agent,,79021111,0x8000000000000000,0,0,0,0,,PA-500-GW-1-EAT1,1,,2021/04/08 14:35:28,1,0x80000000,vmware\john
The following table shows the mapping between the regex patterns and the values in the log sample, which vRealize Log Insight sends to NSX Manager.
Option       regex Pattern                                    Log Value
Username     \\(\w+)\,                                        john
IP Address   \,(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\,        10.20.30.40
Domain       \,(\w+)\\                                        vmware
Event Type   USERID\,(\w+)\,                                  login
Consider the following log sample from a ClearPass provider:
2021-08-19 13:47:46,797 10.10.100.10 Insight Logs 10000111 1 0 Auth.Username=smith,Auth.Service=SOF6 vrealize SSID EAP-TLS Service,Auth.NAS-IP-Address=10.02.20.02,Auth.Host-MAC-Address=111aaaaab10b,Auth.Protocol=RADIUS,Auth.Login-Status=9002,Auth.Enforcement-Profiles=[Deny Access Profile]
The following table shows the mapping between the regex patterns and the values in the log sample, which vRealize Log Insight sends to NSX Manager.
Option       regex Pattern                                    Log Value
Username     Username=(\w+)                                   smith
IP Address   Address=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})     10.02.20.02
Domain       SOF6\s+(\w+)                                     vrealize
Event Type   Auth.(\w+)-Status=                               Login