Per risolvere i problemi relativi al firewall con un host KVM, è possibile esaminare le regole del firewall applicabili all'host.

Ottenere l'elenco di VIF nell'host KVM

localhost.localdomain> get firewall vifs 
***sample output***
                            Firewall VIFs                             
----------------------------------------------------------------------VIF count: 3
 1   239140cf-6c6c-464f-96eb-dfb13203171e
 2   eb277d27-0d28-4fb0-82ce-f59d86ea5bee
 3   afb2aa98-85ee-4bb4-8318-d699fa84c7f0

Individuare le regole del firewall applicabili a un VIF specifico

Specificare il VIF in base a UUID (in questo esempio: 239140cf-6c6c-464f-96eb-dfb13203171e).
localhost.localdomain> get firewall 239140cf-6c6c-464f-96eb-dfb13203171e ruleset rules 
***sample output***
                            Firewall Rules                            
----------------------------------------------------------------------
VIF UUID : 239140cf-6c6c-464f-96eb-dfb13203171e
 Ruleset UUID : 7c5838e5-ab75-427d-b4dd-9452e5607805
 Rule count : 5345
 rule 3073 inout protocol any from any to any profile fbb4b84f-f6c1-40c5-a509-f7c6f81fe7d9 accept with log tag dns;
 rule 3072 inout protocol any from any to any profile 6bc09f62-a188-4e36-9708-291af7237039 accept with log tag youtube.com;
 rule 3072 inout protocol any from any to any profile 27b9a15b-8071-4d09-a7e8-71eecfca0779 accept with log tag youtube.com;
 rule 3075 inout protocol tcp from addrset 81d95211-ab77-4f2d-beaf-3e15b045fb5e to addrset 3d41a802-a899-4464-ba2b-da9240598552 port 5000 accept with log tag portlist1;
 rule 3075 inout protocol tcp from addrset 81d95211-ab77-4f2d-beaf-3e15b045fb5e to addrset 3d41a802-a899-4464-ba2b-da9240598552 port 4992/0xfff8 accept with log tag portlist1;
 rule 3075 inout protocol tcp from addrset 81d95211-ab77-4f2d-beaf-3e15b045fb5e to addrset 3d41a802-a899-4464-ba2b-da9240598552 port 4864/0xff80 accept with log tag portlist1;

Ottenere l'elenco dei set di indirizzi utilizzati in un VIF specifico

Specificare il VIF in base a UUID (in questo esempio: 239140cf-6c6c-464f-96eb-dfb13203171e).
localhost.localdomain> get firewall 239140cf-6c6c-464f-96eb-dfb13203171e addrsets 
***sample output***
                        Firewall Address Sets                         
----------------------------------------------------------------------
Address set count : 11
  UUID : 09f6da50-bcf2-4347-91a7-df00dca003a6
  Address count : 7
    mac 00:50:56:81:9b:2e
    mac 00:0c:29:03:4d:0d
    mac 00:0c:29:03:4d:03
    ip 10.172.177.231
    ip 10.172.177.111
    ip 192.168.1.11
    ip 192.168.2.11

Ottenere l'elenco di APPID e FQDN utilizzati in un VIF specifico

Per controllare i profili FQDN nell'hypervisor, eseguire il comando localhost.localdomain> get firewall <vif-id> profile.

Cercare l'URL configurato nell'interfaccia utente del criterio.

Specificare il VIF in base a UUID (in questo esempio: 239140cf-6c6c-464f-96eb-dfb13203171e).
localhost.localdomain> get firewall 239140cf-6c6c-464f-96eb-dfb13203171e profile 
***sample output***
                          Firewall Profiles                           
----------------------------------------------------------------------
Profiles count : 9
  UUID : 87de2b6b-bdf5-49b6-bae2-824f455a21a4
  Attribute count : 2
    FQDN : www\.youtube\.com
    FQDN : .*\.microsoft\.com

  UUID : 68dc8321-5cb5-4cd4-b1d1-14961d71c05e
  Attribute count : 1
    APP_ID : APP_SSL

Ottenere l'elenco di APPID e FQDN utilizzati in un VIF specifico

Specificare il VIF in base a UUID (in questo esempio: 239140cf-6c6c-464f-96eb-dfb13203171e).
localhost.localdomain> get firewall 239140cf-6c6c-464f-96eb-dfb13203171e profile 
***sample output***
                          Firewall Profiles                           
----------------------------------------------------------------------
Profiles count : 9
  UUID : 87de2b6b-bdf5-49b6-bae2-824f455a21a4
  Attribute count : 2
    FQDN : www\.youtube\.com
    FQDN : .*\.microsoft\.com

  UUID : 68dc8321-5cb5-4cd4-b1d1-14961d71c05e
  Attribute count : 1
    APP_ID : APP_SSL

Scoprire l'FQDN nel VIF specifico

localhost.localdomain> get firewall 239140cf-6c6c-464f-96eb-dfb13203171e fqdn 
                        Firewall Profile FQDN                         
----------------------------------------------------------------------
Profiles count  : 3
  Profile UUID  : 87de2b6b-bdf5-49b6-bae2-824f455a21a4
  FQDN count    : 2
    FQDN UUID   : 37efd4dd-961c-4756-afdd-ec04f44b6c10
    Value       : www\.youtube\.com
    IP set      : 172.217.6.46

Controllare le connessioni tramite il modulo Conntrack di Linux.

In questo esempio, vengono cercati flussi tra due indirizzi IP specifici.

ovs-appctl dpctl/dump-conntrack -m | grep 192.168.1.15 | grep 192.168.1.16
icmp,orig=(src=192.168.1.15,dst=192.168.1.16,id=7972,type=8,code=0),
reply=(src=192.168.1.16,dst=192.168.1.15,id=7972,type=0,code=0),
id=2901517888,zone=61437,status=SEEN_REPLY|CONFIRMED,mark=2083,labels=0x1f

Controllare i ruoli e i profili FQDN negli host KVM

Le regole del firewall possono essere create per filtrare domini specifici con FQDN/URL. Per controllare i profili FQDN nell'hypervisor, eseguire il comando localhost.localdomain> get firewall <vif-id> profile. Cercare l'URL configurato nell'interfaccia utente del criterio.

Output nsxcli di esempio per il profilo di contesto pubblicato con voci APP_ID e FQDN:
localhost.localdomain> get firewall 989bdcf6-c6fc-47cd-86a3-367e552dba32 profile 
 Firewall Profiles 
----------------------------------------------------------------------
Profiles count : 3
 UUID : b34b868e-f113-4463-84a6-14736e50168e
 Attribute count : 1
 APP_ID : APP_HTTP
UUID : c4689750-d5e1-41f5-ba2c-0bfc846ed494
 Attribute count : 1
 FQDN : www\.youtube\.com
UUID : 77a599db-b2d3-4510-bbff-fa2bb31aceae
 Attribute count : 1
 APP_ID : APP_DNS
localhost.localdomain> get firewall 989bdcf6-c6fc-47cd-86a3-367e552dba32 fqdn
Firewall Profile FQDN 
----------------------------------------------------------------------
Profiles count : 1
Profile UUID : c4689750-d5e1-41f5-ba2c-0bfc846ed494
FQDN count : 1
FQDN UUID : 1c9d612c-c398-409e-b6f0-f1ec49b778fe
Value : www\.youtube\.com
IP set : 172.217.6.46, 172.217.164.110, 172.217.5.110, 216.58.194.206, 172.217.6.78, 172.217.0.46, 216.58.195.78, 216.58.194.174