ESX ホストで、次の手順を実行して、NSX 分散ファイアウォール (DFW) のデータ パスの問題をトラブルシューティングします。

ESXi ホスト上の仮想マシンのリストと、関連付けられたフィルタ名の取得

この ESXi ホストにあるすべての仮想マシンを一覧表示します。「name」フィールドの値をメモし、以降のコマンドでこの名前を使用して、特定の仮想マシンに関連する出力を取得します。
[root@esxcomp-2a:~] summarize-dvfilter | grep -A 3 vmm
world 1371516 vmm0:PROD-MRS-DB-01 vcUuid:'50 20 92 e1 11 b7 10 d3-56 c5 e0 da 46 87 b5 d2'
 port 67108881 PROD-MRS-DB-01.eth0
  vNic slot 2
   name: nic-1371516-eth0-vmware-sfw.2
--
world 1622816 vmm0:DEV-MRS-DB-01 vcUuid:'50 2d f3 a3 96 a4 f4 94-6e 55 84 85 c1 bd 05 2c'
 port 67108883 DEV-MRS-DB-01.eth0
  vNic slot 2
   name: nic-1622816-eth0-vmware-sfw.2
--
world 7014985 vmm0:PROD-MRS-APP-01 vcUuid:'50 20 9b 5f cd b7 43 de-ab bb 8d 0e f5 bb ca 99'
 port 67108895 PROD-MRS-APP-01.eth0
  vNic slot 2
   name: nic-7014985-eth0-vmware-sfw.2
--
world 7022287 vmm0:PROD-MRS-APP-02 vcUuid:'50 20 4a 44 17 fb 21 cf-fb 62 1e a3 d0 3c 7d cf'
 port 67108896 PROD-MRS-APP-02.eth0
  vNic slot 2
   name: nic-7022287-eth0-vmware-sfw.2
[root@esxcomp-2a:~]

仮想マシンに適用されているファイアウォール ルールの取得

上記の出力から仮想マシンに関連付けられたフィルタ名を使用して、その仮想マシンの vNIC に適用されているすべてのファイアウォール ルールを取得します。
[root@esxcomp-2a:~] vsipioctl getrules -f nic-7014985-eth0-vmware-sfw.2
ruleset mainrs {
  # generation number: 0
  # realization time : 2020-12-16T23:41:30
  # PRE_FILTER rules
  rule 5134 at 1 inout protocol any from addrset d8e7adac-af3b-4f22-9785-0cc30f0e81b1 to addrset d8e7adac-af3b-4f22-9785-0cc30f0e81b1 accept with log tag 'ipv6-app-allow';
  rule 5133 at 2 inout protocol any from any to any accept with log tag 'ipv6-app-deny-default';
  rule 5132 at 3 inout inet protocol icmp from any to addrset 9b14a216-4318-4bb1-94b0-56dfedec6f24 accept with log tag 'icmp-test';
  rule 5132 at 4 inout inet protocol tcp strict from any to addrset 9b14a216-4318-4bb1-94b0-56dfedec6f24 port 22 accept with log tag 'icmp-test';
  rule 5132 at 5 inout inet protocol ipv6-icmp from any to addrset 9b14a216-4318-4bb1-94b0-56dfedec6f24 accept with log tag 'icmp-test';
  rule 5130 at 6 inout inet protocol icmp from any to addrset rdst5130 accept with log tag 'icmp-test-gb-default';
  rule 5130 at 7 inout inet protocol ipv6-icmp from any to addrset rdst5130 accept with log tag 'icmp-test-gb-default';
  # FILTER (APP Category) rules
  rule 5102 at 1 inout protocol any from addrset rsrc5102 to addrset d19f38e1-c13e-4fbb-9d6b-b6971f251e2d accept;
  rule 5126 at 2 in protocol any from addrset rsrc5127 to addrset d19f38e1-c13e-4fbb-9d6b-b6971f251e2d accept;
  rule 5127 at 3 out protocol any from addrset rsrc5127 to addrset d19f38e1-c13e-4fbb-9d6b-b6971f251e2d accept;
  rule 5128 at 4 out protocol any from addrset rsrc5128 to addrset rdst5128 accept;
  rule 5129 at 5 in protocol any from addrset rsrc5128 to addrset 98abd76f-351b-4a4a-857f-1d91416b0798 accept;
  rule 5103 at 6 in protocol any from addrset rsrc5128 to addrset b1ed4d3d-ab4c-4bab-999b-a50642cad495 accept;
  rule 5135 at 7 inout protocol any from any to any with attribute profile acf76e7d-400b-438b-966f-8d5c10bebbda accept;
  rule 5135 at 8 inout protocol any from any to any with attribute profile 88dc6bf0-808e-49f6-a692-dd0e5cee6ab3 accept;
  rule 5124 at 9 inout protocol any from any to any with attribute profile 8774c654-0f9e-43ad-a803-4aa720e590cf accept;
  rule 5123 at 10 inout protocol any from any to any with attribute profile 13e599b5-dd2d-420f-8473-9d45f0d324ac accept;
  rule 5125 at 11 inout protocol any from any to any with attribute profile e4be8d7e-e4ab-4466-8f2e-998445ead95d accept;
  rule 2 at 12 inout protocol any from any to any drop with log tag 'icmp-default-rule';
}

ruleset mainrs_L2 {
  # generation number: 0
  # realization time : 2020-12-16T23:41:30
  # FILTER rules
  rule 1 at 1 inout ethertype any stateless from any to any accept;
}

[root@esxcomp-2a:~]

仮想マシン vNIC ごとのファイアウォール ルール別の統計情報の取得

上記のコマンドに「-s」を付けて使用し、仮想マシンのファイアウォール ルールに関連付けられたファイアウォールの統計情報を取得します。
  [root@esxcomp-2a:~] vsipioctl getrules -f nic-7014985-eth0-vmware-sfw.2 -s
ruleset mainrs {
  # PRE_FILTER rules
rule  5134 at 1, 68 evals, 68 hits, 68 sessions, in 1120 out 1120 pkts, in 113952 out 114184 bytes
rule  5133 at 2, 24 evals, 24 hits, 24 sessions, in 16 out 8 pkts, in 896 out 768 bytes
rule  5132 at 3, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
rule  5132 at 4, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
rule  5132 at 5, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
rule  5130 at 6, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
rule  5130 at 7, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
  # FILTER (APP Category) rules
rule  5102 at 1, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
rule  5126 at 2, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
rule  5127 at 3, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
rule  5128 at 4, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
rule  5129 at 5, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
rule  5103 at 6, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
rule  5135 at 7, 92 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
rule  5135 at 8, 92 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
rule  5124 at 9, 92 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
rule  5123 at 10, 92 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
rule  5125 at 11, 92 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
rule     2 at 12, 92 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
}

ruleset mainrs_L2 {
  # FILTER rules
rule     1 at 1, 0 evals, 0 hits, 0 sessions, in 0 out 0 pkts, in 0 out 0 bytes
}

[root@esxcomp-2a:~]

仮想マシンのファイアウォール ルールで使用されている addrset/groups の取得

ファイアウォール ルールでは、送信元または宛先で groups/addrset が使用されています。この出力には、グループ構成に基づいて、ルールで使用されているすべての addrset が取得されます。

[root@esxcomp-2a:~] vsipioctl getaddrset -f nic-1371516-eth0-vmware-sfw.2
addrset is shared for this filter
global addrset
addrset 98abd76f-351b-4a4a-857f-1d91416b0798 {
ip 7.7.7.7,
ip 8.8.8.8,
}
addrset 9b14a216-4318-4bb1-94b0-56dfedec6f24 {
ip 10.1.0.0,
ip 10.2.0.2,
ip 10.114.217.26,
ip 172.16.202.2,
ip 172.16.202.22,
ip 192.168.202.2,
ip 2001::172:16:202:2,
ip 2001::172:16:202:22,
mac 00:50:56:a0:0e:25,
mac 00:50:56:a0:26:dc,
mac 00:50:56:a0:2d:c0,
mac 00:50:56:a0:8d:90,
}
addrset b1ed4d3d-ab4c-4bab-999b-a50642cad495 {
ip 7.7.7.7,
ip 8.8.8.8,
}
addrset d19f38e1-c13e-4fbb-9d6b-b6971f251e2d {
ip 3.3.3.3,
ip 4.4.4.4,
}
addrset d8e7adac-af3b-4f22-9785-0cc30f0e81b1 {
ip 172.16.202.2,
ip 172.16.202.22,
ip 2001::172:16:202:2,
ip 2001::172:16:202:22,
mac 00:50:56:a0:26:dc,
mac 00:50:56:a0:8d:90,
}
addrset rdst5128 {
ip 3.3.3.3,
ip 4.4.4.4,
ip 7.7.7.7,
ip 8.8.8.8,
}
addrset rdst5130 {
ip 1.1.1.1,
ip 1.1.1.2,
ip 100.100.100.100,
}
addrset rsrc5102 {
ip 1.1.1.1,
ip 1.1.1.2,
}
addrset rsrc5127 {
ip 1.1.1.1,
ip 1.1.1.2,
ip 3.3.3.3,
ip 4.4.4.4,
}
addrset rsrc5128 {
ip 1.1.1.1,
ip 1.1.1.2,
ip 3.3.3.3,
ip 4.4.4.4,
ip 7.7.7.7,
ip 8.8.8.8,
}
local addrset
No address sets.
[root@esxcomp-2a:~]

仮想マシンごとのアクティブなファイアウォール フローの取得

NSX DFW は vNIC ごとにアクティブなフローを保持します。この出力には、該当の vNIC のアクティブなフローすべてが取得されます。
[root@esxcomp-2a:~] vsipioctl getflows -f nic-7014985-eth0-vmware-sfw.2
Count retrieved from kernel active=6, inactive=0, drop=0
ecbd448200000001 Active ipv6-icmp 86dd IN 5134   0 0  2001::172:16:202:22 -> 2001::172:16:202:2 128 0 1039376 1039376 9994 9994 tmo 9
ecbd4482000000b9 Active tcp 0800 OUT 5134*   0 0 (est) 172.16.202.2:Unknown(39914) -> 172.16.202.22:ssh(22) 305 EST:EST  rtt 21020 retrans 0/0 4409 3725 23 25 tmo 43195
ecbd4482000000ba Active ipv6-icmp 86dd OUT 5134*   0 0  fe80::250:56ff:fea0:8d90 -> 2001::172:16:202:22 135 0 64 72 1 1
ecbd4482000000bb Active igmp 0800 IN 5133*   0 0 (D) 0.0.0.0 -> 224.0.0.1 36 0 1 0 tmo 51
ecbd4482000000bc Active ipv6-icmp 86dd IN 5133*   0 0 (D) fe80::ffff:ffff:ffff:ffff -> ff02::1 130 0 76 0 1 0 tmo 11
ecbd4482000000bd Active ipv6-icmp 86dd OUT 5133*   0 0 (D) fe80::250:56ff:fea0:8d90 -> ff02::16 143 0 0 96 0 1 tmo 11
[root@esxcomp-2a:~]

仮想マシンごとのアクティブで完全なファイアウォール構成の取得

この出力には、vNIC ごとの完全なファイアウォール構成(使用されているルール、アドレス セットとプロファイル)が取得されます。
[root@esxcomp-2a:~] vsipioctl getfwconfig -f nic-7014985-eth0-vmware-sfw.2
ruleset mainrs {
  # generation number: 0
  # realization time : 2020-12-16T23:41:30
  # PRE_FILTER rules
  rule 5134 at 1 inout protocol any from addrset d8e7adac-af3b-4f22-9785-0cc30f0e81b1 to addrset d8e7adac-af3b-4f22-9785-0cc30f0e81b1 accept with log tag 'ipv6-app-allow';
  rule 5133 at 2 inout protocol any from any to any accept with log tag 'ipv6-app-deny-default';
  rule 5132 at 3 inout inet protocol icmp from any to addrset 9b14a216-4318-4bb1-94b0-56dfedec6f24 accept with log tag 'icmp-test';
  rule 5132 at 4 inout inet protocol tcp strict from any to addrset 9b14a216-4318-4bb1-94b0-56dfedec6f24 port 22 accept with log tag 'icmp-test';
  rule 5132 at 5 inout inet protocol ipv6-icmp from any to addrset 9b14a216-4318-4bb1-94b0-56dfedec6f24 accept with log tag 'icmp-test';
  rule 5130 at 6 inout inet protocol icmp from any to addrset rdst5130 accept with log tag 'icmp-test-gb-default';
  rule 5130 at 7 inout inet protocol ipv6-icmp from any to addrset rdst5130 accept with log tag 'icmp-test-gb-default';
  # FILTER (APP Category) rules
  rule 5102 at 1 inout protocol any from addrset rsrc5102 to addrset d19f38e1-c13e-4fbb-9d6b-b6971f251e2d accept;
  rule 5126 at 2 in protocol any from addrset rsrc5127 to addrset d19f38e1-c13e-4fbb-9d6b-b6971f251e2d accept;
  rule 5127 at 3 out protocol any from addrset rsrc5127 to addrset d19f38e1-c13e-4fbb-9d6b-b6971f251e2d accept;
  rule 5128 at 4 out protocol any from addrset rsrc5128 to addrset rdst5128 accept;
  rule 5129 at 5 in protocol any from addrset rsrc5128 to addrset 98abd76f-351b-4a4a-857f-1d91416b0798 accept;
  rule 5103 at 6 in protocol any from addrset rsrc5128 to addrset b1ed4d3d-ab4c-4bab-999b-a50642cad495 accept;
  rule 5135 at 7 inout protocol any from any to any with attribute profile acf76e7d-400b-438b-966f-8d5c10bebbda accept;
  rule 5135 at 8 inout protocol any from any to any with attribute profile 88dc6bf0-808e-49f6-a692-dd0e5cee6ab3 accept;
  rule 5124 at 9 inout protocol any from any to any with attribute profile 8774c654-0f9e-43ad-a803-4aa720e590cf accept;
  rule 5123 at 10 inout protocol any from any to any with attribute profile 13e599b5-dd2d-420f-8473-9d45f0d324ac accept;
  rule 5125 at 11 inout protocol any from any to any with attribute profile e4be8d7e-e4ab-4466-8f2e-998445ead95d accept;
  rule 2 at 12 inout protocol any from any to any drop with log tag 'icmp-default-rule';
}

ruleset mainrs_L2 {
  # generation number: 0
  # realization time : 2020-12-16T23:41:30
  # FILTER rules
  rule 1 at 1 inout ethertype any stateless from any to any accept;
}

addrset is shared for this filter
global addrset
addrset 98abd76f-351b-4a4a-857f-1d91416b0798 {
ip 7.7.7.7,
ip 8.8.8.8,
}
addrset 9b14a216-4318-4bb1-94b0-56dfedec6f24 {
ip 10.1.0.0,
ip 10.2.0.2,
ip 10.114.217.26,
ip 172.16.202.2,
ip 172.16.202.22,
ip 192.168.202.2,
ip 2001::172:16:202:2,
ip 2001::172:16:202:22,
ip fe80::250:56ff:fea0:26dc,
ip fe80::250:56ff:fea0:8d90,
mac 00:50:56:a0:0e:25,
mac 00:50:56:a0:26:dc,
mac 00:50:56:a0:2d:c0,
mac 00:50:56:a0:8d:90,
}
addrset b1ed4d3d-ab4c-4bab-999b-a50642cad495 {
ip 7.7.7.7,
ip 8.8.8.8,
}
addrset d19f38e1-c13e-4fbb-9d6b-b6971f251e2d {
ip 3.3.3.3,
ip 4.4.4.4,
}
addrset d8e7adac-af3b-4f22-9785-0cc30f0e81b1 {
ip 172.16.202.2,
ip 172.16.202.22,
ip 2001::172:16:202:2,
ip 2001::172:16:202:22,
ip fe80::250:56ff:fea0:26dc,
ip fe80::250:56ff:fea0:8d90,
mac 00:50:56:a0:26:dc,
mac 00:50:56:a0:8d:90,
}
addrset rdst5128 {
ip 3.3.3.3,
ip 4.4.4.4,
ip 7.7.7.7,
ip 8.8.8.8,
}
addrset rdst5130 {
ip 1.1.1.1,
ip 1.1.1.2,
ip 100.100.100.100,
}
addrset rsrc5102 {
ip 1.1.1.1,
ip 1.1.1.2,
}
addrset rsrc5127 {
ip 1.1.1.1,
ip 1.1.1.2,
ip 3.3.3.3,
ip 4.4.4.4,
}
addrset rsrc5128 {
ip 1.1.1.1,
ip 1.1.1.2,
ip 3.3.3.3,
ip 4.4.4.4,
ip 7.7.7.7,
ip 8.8.8.8,
}
local addrset
No address sets.
containers are shared for this filter
global containers
container 13e599b5-dd2d-420f-8473-9d45f0d324ac {
# generation number: 21208
# realization time : 2020-12-16T23:41:30
FQDN : login\.microsoft\.com(3940c0d7-cbfc-abbb-35b4-786fc4199684),
}
container 8774c654-0f9e-43ad-a803-4aa720e590cf {
# generation number: 21208
# realization time : 2020-12-16T23:41:30
FQDN : outlook\.office365\.com(6e465c1d-7d81-9672-00e1-76ddfc280b8b),
}

container 88dc6bf0-808e-49f6-a692-dd0e5cee6ab3 {
# generation number: 21208
# realization time : 2020-12-16T23:41:30
APP_ID : APP_360ANTIV,
}

container acf76e7d-400b-438b-966f-8d5c10bebbda {
# generation number: 21208
# realization time : 2020-12-16T23:41:30
APP_ID : APP_ACTIVDIR,
}

container e4be8d7e-e4ab-4466-8f2e-998445ead95d {
# generation number: 21208
# realization time : 2020-12-16T23:41:30
FQDN : play\.google\.com(c44ef0fc-a922-eb1b-f155-4f0625271198),
}
local containers
No containers.
[root@esxcomp-2a:~]

ファイアウォールのトラブルシューティングに役立つその他の出力

上記のコマンド オプションに加えて、NSX は他のオプションを使用して ESX で NSX ファイアウォールのデータパスをデバッグできます。ヘルプ メニューは、次のように使用します。
[root@esxcomp-2a:~] vsipioctl -h
Usage: help <cmd> <options>
  below is a list of available cmd:
    getfilters      : get list of filters
    getfwconfig     : get rules, addrsets and containers of a filter
    getrules        : get rules of a filter
    getaddrsets     : get addrsets of a filter
    getcontainers   : get containers of a filter
    getspoofguard   : get spoofguard setting of a filter
    getflows        : get flows of a filter
    getconncount    : get active connection count
    getconnections  : get active connections
    getsisvmstats   : get service insertion service VM stats
    getsisvctable   : dump service insertion service table
    getsinshtable   : display service insertion nsh table
    getsiproxytable : display service insertion proxy table
    getsifailedspis : get service insertion failed spi table
    getsiflowprogtable : get service insertion flow programming table
    getsislotid     : get service insertion slot id
    getsilbenablestatus: get service insertion load balance enable status
    getmeminfo      : get meminfo data
    initvsiplogging : init vsip logger
    getfqdnentries  : get fqdn entries
    getdnsconfigprofile : get dns config profile for a filter
    getfilterstat   : get statistics of a filter
    gettimeout      : get connection timeout setting of a filter
    getfloodstat    : get flood protection status
    getsidcache     : get sid cache of a filter
    help            : this help message
  run `vsipioctl <cmd> -h' to find out available options of a cmd.
[root@esxcomp-2a:~]

ファイアウォールのトラブルシューティング用 NSX CLI

ESXi で、「nsxcli」と入力して、ESX cli の代替オプションとして nsxcli オプションを使用することができます。「get firewall」コマンド ツリーを使用して、上記のような出力を取得できます。
[root@esxcomp-2a:~] nsxcli
esxcomp-2a.dg.vsphere.local>
esxcomp-2a.dg.vsphere.local> get firewall
% Command not found: get firewall

  Possible alternatives:
    get firewall <vifuuid> addrsets
    get firewall <vifuuid> profile
    get firewall <vifuuid> ruleset rules
    get firewall exclusion
    get firewall ipfix-containers
    get firewall ipfix-filters
    get firewall ipfix-profiles
    get firewall ipfix-stats
    get firewall packetlog
    get firewall packetlog last <lines>
    get firewall rule-stats
    get firewall rule-stats total
    get firewall status
    get firewall thresholds
    get firewall vifs

esxcomp-2a.dg.vsphere.local> get firewall packetlog last 10
Wed Dec 16 2020 UTC 23:53:55.693
2020-12-16T23:53:23.878Z fd2e9266 INET6 match PASS 5134 OUT 72 ICMP fe80::250:56ff:fea0:8d90->fe80::250:56ff:fea0:26dc ipv6-app-allow
2020-12-16T23:53:23.878Z 5f46e9b1 INET6 match PASS 5134 IN 72 ICMP fe80::250:56ff:fea0:8d90->fe80::250:56ff:fea0:26dc ipv6-app-allow
2020-12-16T23:53:29.234Z fd2e9266 INET6 TERM 5134 OUT ICMP 135 0 fe80::250:56ff:fea0:8d90->2001::172:16:202:22 1/1 72/64 ipv6-app-allow
2020-12-16T23:53:29.234Z 5f46e9b1 INET6 TERM 5134 IN ICMP 135 0 fe80::250:56ff:fea0:8d90->2001::172:16:202:22 1/1 72/64 ipv6-app-allow
2020-12-16T23:53:30.234Z fd2e9266 INET6 TERM 5134 IN ICMP 135 0 fe80::250:56ff:fea0:26dc->fe80::250:56ff:fea0:8d90 1/1 72/64 ipv6-app-allow
2020-12-16T23:53:30.234Z 5f46e9b1 INET6 TERM 5134 OUT ICMP 135 0 fe80::250:56ff:fea0:26dc->fe80::250:56ff:fea0:8d90 1/1 72/64 ipv6-app-allow
2020-12-16T23:53:35.239Z fd2e9266 INET6 TERM 5134 OUT ICMP 135 0 fe80::250:56ff:fea0:8d90->fe80::250:56ff:fea0:26dc 1/1 72/64 ipv6-app-allow
2020-12-16T23:53:35.241Z 5f46e9b1 INET6 TERM 5134 IN ICMP 135 0 fe80::250:56ff:fea0:8d90->fe80::250:56ff:fea0:26dc 1/1 72/64 ipv6-app-allow
2020-12-16T23:53:51.876Z fd2e9266 INET6 match PASS 5134 OUT 72 ICMP fe80::250:56ff:fea0:8d90->2001::172:16:202:22 ipv6-app-allow
2020-12-16T23:53:51.876Z 5f46e9b1 INET6 match PASS 5134 IN 72 ICMP fe80::250:56ff:fea0:8d90->2001::172:16:202:22 ipv6-app-allow

esxcomp-2a.dg.vsphere.local> get firewall exclusion
Wed Dec 16 2020 UTC 23:53:57.731
                          Firewall Exclusion
----------------------------------------------------------------------

Exclusion count: 7
   00894e3c-8948-4b6b-a4cd-acd3a2c21205
   15f077e9-4492-4391-9f63-a99b6c978003
   2936443e-128c-4b6d-9fcf-3b2fad778b08
   3602f84a-8333-44f3-a3c2-e04fbf5e848f
   8149b7ec-553d-48e1-af04-1ee2f5ae266e
   d615679c-092e-4bfe-8c17-803fe8b3315d
   da619e9d-48a0-4c82-a831-bf580d3bec05

esxcomp-2a.dg.vsphere.local> get firewall thresholds
Wed Dec 16 2020 UTC 23:53:59.905
                                Firewall Threshold Monitors
-------------------------------------------------------------------------------------------

 #      Name      Raised  Threshold  CurrValue  CurrSize   MaxSize  PeakEver  EverTime(ago)
 1    dfw-cpu     False       60         0         --        --        0        --:--:--
 2   vsip-attr    False       60         3        4 MB     128 MB      3       4d 23:35:06
 3   vsip-flow    False       60         0        0 MB     312 MB      0        --:--:--
 4  vsip-fprules  False       60         0        0 MB     128 MB      0        --:--:--
 5   vsip-fqdn    False       60         0        0 MB     128 MB      0        --:--:--
 6  vsip-module   False       60         15      153 MB    1024 MB     15      4d 23:35:06
 7   vsip-rules   False       60         0        0 MB     512 MB      0        --:--:--
 8    vsip-si     False       60         0        0 MB     128 MB      0        --:--:--
 9   vsip-state   False       60         0        0 MB     384 MB      0        --:--:--

esxcomp-2a.dg.vsphere.local>

DFW L2 ルールに表示される不明な MAC アドレス

レイヤー 2 ファイアウォール ルールの送信元と宛先に別々の MAC セットを構成し、ホストで getrules コマンドを実行すると、宛先の MAC セットが 01:00:00:00:00:00/01:00:00:00:00:00 と表示されます。次はその例です。
[root@host1:~] vsipioctl getrules -f nic-1000052822-eth1-vmware-sfw.2
ruleset mainrs {
  # generation number: 0
  # realization time : 2018-07-26T12:42:28
  rule 1039 at 1 inout protocol tcp from any to any port 1521 accept as oracle;
  # internal # rule 1039 at 2 inout protocol tcp from any to any port 1521 accept;
  rule 1039 at 3 inout protocol icmp from any to any accept;
  rule 2 at 4 inout protocol any from any to any accept with log;
}

ruleset mainrs_L2 {
  # generation number: 0
  # realization time : 2018-07-26T12:42:28
  rule 1040 at 1 inout ethertype any stateless from addrset d83a1523-0d07-4b18-8a5b-77a634540b57 to addrset 9ad9c6ef-c7dd-4682-833d-57097b415e41 accept;
  # internal # rule 1040 at 2 in ethertype any stateless from addrset d83a1523-0d07-4b18-8a5b-77a634540b57 to addrset 9ad9c6ef-c7dd-4682-833d-57097b415e41 accept;
  # internal # rule 1040 at 3 out ethertype any stateless from addrset d83a1523-0d07-4b18-8a5b-77a634540b57 to mac 01:00:00:00:00:00/01:00:00:00:00:00 accept;
  rule 1 at 4 inout ethertype any stateless from any to any accept;
}

ブロードキャスト パケットの送信を処理するため、アドレス 01:00:00:00:00:00/01:00:00:00:00:00 の内部送信ルールが作成されます。これは仕様で、問題ではありません。ファイアウォール ルールは構成どおり機能します。