Troubleshoot the gateway firewall using the UI and API.
Use the NSX Manager UI and API to check the following:
- The gateway firewall is enabled on the specified gateway.
- Check the realization status of the specified gateway firewall policy. The UI displays the realization status at the upper right, next to the Firewall Policy header.
- Review the rule statistics to confirm whether any traffic has hit the firewall policy.
- Enable logging on the rule to troubleshoot the policy.
The gateway firewall is implemented on the NSX Edge transport node. As the next step, use nsxcli commands at the NSX Edge node command prompt to troubleshoot the datapath as described below.
Get the UUID of the gateway that has the firewall enabled
```
EDGE-VM-A01> get logical-router
Logical Router
UUID                                   VRF    LR-ID  Name                 Type                        Ports
736a80e3-23f6-5a2d-81d6-bbefb2786666   0      0                           TUNNEL                      4
8ccc0151-82bd-43d3-a2dd-6a31bf0cd29b   1      1      DR-DC-Tier-0-GW      DISTRIBUTED_ROUTER_TIER0    5
5a914d04-305f-402e-9d59-e443482c0e15   2      1025   SR-DC-Tier-0-GW      SERVICE_ROUTER_TIER0        7
495f69d7-c46e-4044-8b40-b053a86d157b   4      2050   SR-PROD-Tier-1       SERVICE_ROUTER_TIER1        5
```
Get all gateway interfaces using the UUID
The gateway firewall is implemented on the gateway's uplink interface. Identify the uplink interface and take the interface ID from the following output.
```
dc02-nsx-edgevm-1> get logical-router 16f04a64-ef71-4c03-bb5c-253a61752222 interfaces
Wed Dec 16 2020 PST 17:24:13.134
Logical Router
UUID                                   VRF    LR-ID  Name                 Type
16f04a64-ef71-4c03-bb5c-253a61752222   5      2059   SR-PROD-ZONE-GW      SERVICE_ROUTER_TIER1
Interfaces (IPv6 DAD Status A-DAD_Success, F-DAD_Duplicate, T-DAD_Tentative, U-DAD_Unavailable)
    Interface     : 748d1f17-34d0-555e-8984-3ef9f9367a6c
    Ifuid         : 274
    Mode          : cpu
    Port-type     : cpu

    Interface     : 1bd7ef7f-4f3e-517a-adf0-846d7dff4e24
    Ifuid         : 275
    Mode          : blackhole
    Port-type     : blackhole

    Interface     : 2403a3a4-1bc8-4c9f-bfb0-c16c0b37680f
    Ifuid         : 300
    Mode          : loopback
    Port-type     : loopback
    IP/Mask       : 127.0.0.1/8;::1/128(NA)

    Interface     : 16cea0ab-c977-4ceb-b00f-3772436ad972    <<<<<<<<<< INTERFACE ID
    Ifuid         : 289
    Name          : DC-02-Tier0-A-DC-02-PROD-Tier-1-t1_lrp
    Fwd-mode      : IPV4_ONLY
    Mode          : lif
    Port-type     : uplink                                  <<<<<<<<<< Port-type Uplink Interface
    IP/Mask       : 100.64.96.1/31;fe80::50:56ff:fe56:4455/64(NA);fc9f:aea3:1afb:d800::2/64(NA)
    MAC           : 02:50:56:56:44:55
    VNI           : 69633
    Access-VLAN   : untagged
    LS port       : be42fb2e-b10b-499e-a6a9-221da47a4bcc
    Urpf-mode     : NONE
    DAD-mode      : LOOSE
    RA-mode       : SLAAC_DNS_TRHOUGH_RA(M=0, O=0)
    Admin         : up
    Op_state      : up
    MTU           : 1500
    arp_proxy     :
```
Get the gateway firewall rules on the GW interface
Use the interface ID to get the firewall rules configured on the gateway interface.
```
dc02-nsx-edgevm-2> get firewall 16cea0ab-c977-4ceb-b00f-3772436ad972 ruleset rules
Wed Dec 16 2020 PST 17:43:53.047
DNAT rule count: 0
SNAT rule count: 0
Firewall rule count: 6
    Rule ID : 5137
    Rule    : inout protocol tcp from any to any port {22, 443} accept with log
    Rule ID : 3113
    Rule    : inout protocol icmp from any to any accept with log
    Rule ID : 3113
    Rule    : inout protocol ipv6-icmp from any to any accept with log
    Rule ID : 5136
    Rule    : inout protocol any from any to any accept with log
    Rule ID : 1002
    Rule    : inout protocol any from any to any accept
    Rule ID : 1002
    Rule    : inout protocol any stateless from any to any accept
dc02-nsx-edgevm-2>
```
Check the gateway firewall sync status
The gateway firewall synchronizes flow state between Edge nodes to provide high availability. The gateway firewall sync configuration is shown in the following output.
```
dc02-nsx-edgevm-1> get firewall 16cea0ab-c977-4ceb-b00f-3772436ad972 sync config
Wed Dec 16 2020 PST 17:30:55.686
HA mode             : secondary-active
Firewall enabled    : true
Sync pending        : false
Bulk sync pending   : true
Last status: ok
Failover mode       : non-preemptive
Local VTEP IP       : 172.16.213.125
Peer VTEP IP        : 172.16.213.123
Local context       : 16f04a64-ef71-4c03-bb5c-253a61752222
Peer context        : 16f04a64-ef71-4c03-bb5c-253a61752222
dc02-nsx-edgevm-1>

dc02-nsx-edgevm-2> get firewall 16cea0ab-c977-4ceb-b00f-3772436ad972 sync config
Wed Dec 16 2020 PST 17:47:43.683
HA mode             : primary-passive
Firewall enabled    : true
Sync pending        : false
Bulk sync pending   : true
Last status: ok
Failover mode       : non-preemptive
Local VTEP IP       : 172.16.213.123
Peer VTEP IP        : 172.16.213.125
Local context       : 16f04a64-ef71-4c03-bb5c-253a61752222
Peer context        : 16f04a64-ef71-4c03-bb5c-253a61752222
dc02-nsx-edgevm-2>
```
Check active flows on the gateway firewall
Active flows on the gateway firewall can be displayed with the following command. Flow state is synchronized between the active and standby Edge nodes of that gateway. The following example shows the output from Edge node 1 and Edge node 2.
```
dc02-nsx-edgevm-2> get firewall 16cea0ab-c977-4ceb-b00f-3772436ad972 connection
Wed Dec 16 2020 PST 17:45:55.889
Connection count: 2
0x0000000330000598: 10.166.130.107:57113 -> 10.114.217.26:22 dir in protocol tcp state ESTABLISHED:ESTABLISHED fn 5137:0
0x04000003300058f1: 10.166.130.107 -> 10.114.217.26 dir in protocol icmp fn 5136:0
dc02-nsx-edgevm-2>

dc02-nsx-edgevm-1> get firewall 16cea0ab-c977-4ceb-b00f-3772436ad972 connection
Wed Dec 16 2020 PST 17:47:09.980
Connection count: 2
0x0000000330000598: 10.166.130.107:57113 -> 10.114.217.26:22 dir in protocol tcp state ESTABLISHED:ESTABLISHED fn 5137:0
0x04000003300058f1: 10.166.130.107 -> 10.114.217.26 dir in protocol icmp fn 3113:0
dc02-nsx-edgevm-1>
```
Check the gateway firewall logs
The gateway firewall log provides the gateway VRF and GW interface information along with the flow details. Gateway firewall logs can be read on the Edge or sent to a syslog server. Each firewall log entry carries the logical router VRF, the firewall interface ID, the firewall rule ID, and the flow details.
```
dc02-nsx-edgevm-1> get log-file syslog | find datapathd.firewallpkt
<181>1 2020-08-04T21:18:25.633996+00:00 dc02-nsx-edgevm-1 NSX 26581 FIREWALL [nsx@6876 comp="nsx-edge" subcomp="datapathd.firewallpkt" level="INFO"] <8 16cea0abc9774ceb:b00f3772436ad972> INET reason-match PASS 3061 OUT 48 TCP 10.114.217.26/33646->10.114.208.136/22 S
<181>1 2020-08-04T21:18:41.182424+00:00 dc02-nsx-edgevm-1 NSX 26581 FIREWALL [nsx@6876 comp="nsx-edge" subcomp="datapathd.firewallpkt" level="INFO"] <2 460b362ce1254ebd:98498057bc3b18df> INET TERM PASS 3053 IN TCP 10.166.56.254/60291->10.114.217.26/22
dc02-nsx-edgevm-1>
```
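As an added example (not part of the NSX documentation), a small Python parser for the datapathd.firewallpkt lines above: it recovers the VRF, the dashed interface UUID that `get firewall <uuid> ...` accepts, the rule ID and the flow tuple, and counts hits per rule as a log-side version of the rule-statistics check. The field layout is inferred from the two sample lines and is an assumption, not a documented format.

```python
import re
from typing import Optional

# Constructed sample: the two datapathd.firewallpkt lines shown on this page.
SAMPLE_LOG = """\
<181>1 2020-08-04T21:18:25.633996+00:00 dc02-nsx-edgevm-1 NSX 26581 FIREWALL [nsx@6876 comp="nsx-edge" subcomp="datapathd.firewallpkt" level="INFO"] <8 16cea0abc9774ceb:b00f3772436ad972> INET reason-match PASS 3061 OUT 48 TCP 10.114.217.26/33646->10.114.208.136/22 S
<181>1 2020-08-04T21:18:41.182424+00:00 dc02-nsx-edgevm-1 NSX 26581 FIREWALL [nsx@6876 comp="nsx-edge" subcomp="datapathd.firewallpkt" level="INFO"] <2 460b362ce1254ebd:98498057bc3b18df> INET TERM PASS 3053 IN TCP 10.166.56.254/60291->10.114.217.26/22
"""

# Field layout is my reading of the sample lines (assumption, not a format spec):
# <VRF interface-id> family reason action rule-id direction [pkt-len] proto
# src[/port]->dst[/port] [tcp-flags]; length, ports and flags are optional.
LINE_RE = re.compile(
    r'^<\d+>1 (?P<ts>\S+) (?P<host>\S+) NSX \d+ FIREWALL '
    r'\[[^\]]*subcomp="datapathd\.firewallpkt"[^\]]*\] '
    r'<(?P<vrf>\d+) (?P<ifid>[0-9a-f]{16}:[0-9a-f]{16})> '
    r'(?P<af>\S+) (?P<reason>\S+) (?P<action>\S+) (?P<rule>\d+) (?P<direction>\S+)'
    r'(?: (?P<length>\d+))? (?P<proto>\S+) '
    r'(?P<src>[^\s/]+)(?:/(?P<sport>\d+))?->(?P<dst>[^\s/]+)(?:/(?P<dport>\d+))?'
    r'(?: (?P<flags>\S+))?$'
)

def interface_uuid(ifid: str) -> str:
    """Turn the log's colon-split hex form back into the dashed UUID that
    `get firewall <uuid> ...` takes (8-4-4-4-12 grouping)."""
    h = ifid.replace(":", "")
    return f"{h[:8]}-{h[8:12]}-{h[12:16]}-{h[16:20]}-{h[20:]}"

def parse_line(line: str) -> Optional[dict]:
    """Parse one firewallpkt syslog line; None for any other syslog line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("vrf", "rule", "length", "sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    rec["interface"] = interface_uuid(rec.pop("ifid"))
    return rec

def parse_log(text: str) -> list:
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]

def hits_by_rule(records: list) -> dict:
    """Log entries per rule ID: a log-side version of the rule-statistics
    check used to confirm that traffic actually reached a policy rule."""
    counts: dict = {}
    for r in records:
        counts[r["rule"]] = counts.get(r["rule"], 0) + 1
    return counts
```

Feed it the output of `get log-file syslog | find datapathd.firewallpkt` or the same lines from the syslog server; a rule that never appears in the counts has not matched any traffic on that interface.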
Other command-line options for debugging the gateway firewall
```
dc02-nsx-edgevm-2> get firewall 16cea0ab-c977-4ceb-b00f-3772436ad972
Possible alternatives:
get firewall <uuid> addrset name <string>
get firewall <uuid> addrset sets
get firewall <uuid> attrset name <string>
get firewall <uuid> attrset sets
get firewall <uuid> connection
get firewall <uuid> connection count
get firewall <uuid> connection raw
get firewall <uuid> connection state
get firewall <uuid> ike policy [<rule-id>]
get firewall <uuid> interface stats
get firewall <uuid> ruleset [type <rule-type>] rules [<ruleset-detail>]
get firewall <uuid> ruleset [type <rule-type>] stats
get firewall <uuid> sync config
get firewall <uuid> sync stats
get firewall <uuid> timeouts
get firewall [logical-switch <uuid>] interfaces
get firewall interfaces sync
dc02-nsx-edgevm-2>
```