Wednesday, July 30, 2014

NSX Distributed Firewall and Log Insight

Working with NSX Distributed Firewall, I needed a way to audit the impact of a proposed firewall rule on specific systems. In the physical firewall world I would normally create a rule for the traffic, allow it, and log the allow. As I dug into syslog for the Distributed Firewall I discovered that its log messages are sent to the same syslog collector as the other ESXi messages; firewall messages can't be directed to a security-specific syslog server.

I honestly hadn't spent much time with Log Insight, but I knew we had the lab servers pointed to a Log Insight box, so I began to dig around with it. I was honestly impressed with how intuitive and easy to use Log Insight is. The field extraction functionality of Interactive Analytics lets you quickly slice and dice massive amounts of log data exactly as you would like to see it, and I didn't have to learn another query language. Everything "just works", and I was able to isolate firewall logs down to specific systems and rule IDs quickly.

Since there doesn't appear to be an official NSX content pack for Log Insight yet, I wrote a quick community content pack for the Distributed Firewall. It can be downloaded from the VMTN Community Forums here.

The pack extracts the Rule ID, Pass / Drop, Source IP, Source Port, Destination IP, and Destination Port fields. It includes a dashboard with a few charts and some queries to get you started in Interactive Analytics slicing and dicing the syslog data.

Instructions on importing the content pack are here. Once it is imported, you can select the Distributed Firewall dashboard from the dashboard menu at the top left.

The built-in queries included on the dashboard are:

  • Count of drop events over time grouped by Rule ID
  • Count of drops grouped by Source IP
  • Count of drops grouped by Destination Port, Destination IP
  • Count of Allow-Log events over time grouped by Rule ID
  • Count of Allow-Log events grouped by Source IP
  • Count of Allow-Log events grouped by Destination IP, Destination Port

For my use case of analyzing the impact of a rule on the environment, I would start with the "Count of Allow-Log events grouped by Rule ID" query, then select the rule ID I'd like to analyze, and add a filter for a specific source IP if I needed to narrow it down further.
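To make the field extraction and the dashboard queries concrete, here is an added example (not part of the content pack or the original post) that does the same thing over a handful of constructed distributed-firewall syslog lines: a single regex pulls out the Pass / Drop action, Rule ID, source and destination IP and port, and small helpers reproduce the "count of drops grouped by ..." queries and the rule-impact workflow above. The line layout is an assumption modelled on the NSX 6.x `dfwpktlogs` packet log; the hostnames, rule IDs and addresses are made up.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the original post). The layout is an
# assumption modelled on the NSX 6.x dfwpktlogs format:
#   "... dfwpktlogs: <id> INET match <PASS|DROP> <path>/<ruleid> <dir> <len> <proto> <src>/<sport>-><dst>/<dport> ..."
SAMPLE_LOG = """\
2014-07-30T10:00:01Z esx01 dfwpktlogs: 41d2 INET match PASS domain-c7/1004 OUT 60 TCP 10.10.1.5/51234->10.10.2.20/443 S
2014-07-30T10:00:02Z esx01 dfwpktlogs: 41d3 INET match PASS domain-c7/1004 OUT 60 TCP 10.10.1.6/51235->10.10.2.20/443 S
2014-07-30T10:00:03Z esx02 dfwpktlogs: 41d4 INET match DROP domain-c7/1001 IN 60 TCP 192.0.2.9/40000->10.10.2.20/22 S
2014-07-30T10:00:04Z esx02 dfwpktlogs: 41d5 INET match PASS domain-c7/1007 IN 60 UDP 10.10.1.5/53000->10.10.2.53/53
2014-07-30T10:00:05Z esx02 dfwpktlogs: 41d6 INET match DROP domain-c7/1001 IN 60 TCP 192.0.2.9/40001->10.10.2.21/22 S
2014-07-30T10:00:06Z esx02 Hostd: [Originator@6876 sub=Vimsvc] unrelated ESXi message on the same collector
"""

# One regex plays the role of the Log Insight extracted fields.
DFW_RE = re.compile(
    r"dfwpktlogs: \S+ INET match (?P<action>PASS|DROP) \S+/(?P<rule_id>\d+) "
    r"(?P<direction>IN|OUT) \d+ (?P<proto>\w+) "
    r"(?P<src_ip>[\d.]+)/(?P<src_port>\d+)->(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

def parse_dfw_log(text):
    """Return one dict per dfwpktlogs line; other ESXi syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = DFW_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events

def count_by(events, action, *fields):
    """Count events with the given action grouped by one or more extracted fields,
    e.g. count_by(events, "DROP", "dst_port", "dst_ip") for the drops-by-port-and-IP chart."""
    return Counter(tuple(e[f] for f in fields) for e in events if e["action"] == action)

def rule_impact(events, rule_id, src_ip=None):
    """Allow-Log (PASS) events matched by one rule, optionally narrowed to a source IP:
    the rule-impact workflow described above."""
    return [e for e in events
            if e["action"] == "PASS" and e["rule_id"] == rule_id
            and (src_ip is None or e["src_ip"] == src_ip)]

if __name__ == "__main__":
    evs = parse_dfw_log(SAMPLE_LOG)
    print("drops by source IP:", count_by(evs, "DROP", "src_ip"))
    print("allow-log by rule ID:", count_by(evs, "PASS", "rule_id"))
    for e in rule_impact(evs, "1004", "10.10.1.5"):
        print("rule 1004 from 10.10.1.5:", e["src_ip"], "->", e["dst_ip"], e["dst_port"])
```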

Once I have my lab rebuilt I'll add a short video demo.

Saturday, July 26, 2014

Homelab Build : Dell dcs6005 / 6105 FreeNAS and ESXi Lab

As I prepare to change jobs, one of the things I will miss about my current employer is the LAB (capitalized because a lab this awesome deserves it). Nexus 7k, 6k, 5k, two UCS fabrics, UCS blades, and UCS C460s, all backed by a VNX plus whatever storage they are beta testing for EMC.

I'll probably never be able to replicate the level of lab I had access to outside of VCE or Cisco, but I need some type of home lab to continue my work with vCAC, Log Insight and NSX, and to continue preparing for my VCDX defense. Two 16GB Mac minis with a Synology would make a nice, quiet, cool, power-efficient homelab with high wife acceptance. Unfortunately I need more RAM than that, and the cost can get quite high.

I looked into Intel NUCs and white boxes, but the best value for me turned out to be older Dell "cloud systems" boxes that are wholesaled on eBay. These boxes are a 2U chassis designed to house four individual servers, allowing shared web-hosting companies to drive server density. They don't have the intelligence, IO flexibility, or blade-removal capability of a real blade chassis; they are simply designed to provide cheap density.

There are two main flavors of these boxes: the C6100, which is Intel powered, and the dcs6005 / C6105, which is powered by the AMD six-core Opteron 2419 EE. The Intel-powered option has gone up in price, but there is currently a flood of the AMD-powered boxes selling on eBay for good prices. For $479 I got a chassis with three dual-socket servers, each server having two six-core Opterons and 32GB of RAM. There are 12 3.5 in drive bays on the front, and each server is wired to four drive bays.

Dive into the detailed build out after the break.