How to provide NSX firewall logging to individual tenants
Setting up firewall logging for VMware NSX isn’t too complicated, especially when using vRealize Log Insight, since Log Insight has a management pack for NSX that you can download directly from the marketplace.
Most organisations use some form of firewall logging, and if not, they should have one soon, with all the laws and standards taking effect. In one way or another they all demand that you be able to provide insight into your data traffic.
But what if your NSX infrastructure is host to multiple tenants? If you are providing a managed environment, it might be enough to log all the data in one place, since you can provide insight to your tenant if needed. But if it is a self-service platform, the tenant probably wants to be able to view the logged data themselves.
In the latter case you need some way to separate the data between tenants, as I don’t think it would be acceptable for tenants to have access to each other’s logs. That is what this article describes: a method to offer NSX firewall logging to tenants without giving them access to logs they may not see.
The idea behind this method is that only the logging that applies to a specific tenant is forwarded to that tenant’s own Log Insight appliance. In this article I want the logging for TenantA to be forwarded to a second appliance. In this case the second log server is on the same subnet, but it could just as easily be a server located anywhere else.
To show this method I extended my lab environment with two vRealize Log Insight appliances, and with two virtual machines that act as my “web servers”, one for each tenant. If you want to know more about how to deploy vRealize Log Insight, or how to extend it with management packs / agents, please have a look at our other articles on Log Insight.
The Log Insight appliance called “vRLI01” is configured with access to vCenter and has the NSX management pack installed. This appliance is the primary log server. The second appliance (vRLI02) has no additional configuration.
For each web server I created an NSX security group that includes only that particular virtual machine.
Each security group is used in an NSX security policy, one for each tenant, and each policy holds one firewall rule with logging enabled.
Even though I described the virtual machines as web servers, the actual test was done with ICMP.
Distinction between tenants
Now that we have the basics set up, let us see what our firewall logging shows us. Performing an ICMP request to both virtual machines, we see these entries appear in the primary log server.
As you can see, both requests are visible. Apart from the IP address there is not really a way to match the event to a tenant, and in a multi-tenant infrastructure it is even possible to have overlapping private IP ranges. So how can we distinguish which tenant a log entry belongs to?
When creating the firewall rule we configured it to log, but what we did not configure was the tag. Simply fill in a tag, as in the screenshot below.
The event will then hold an extra field, as shown here, allowing us to distinguish between tenants.
Separating the events
Now that we can see which events belong to which tenant, we can take the next step: sending the events for TenantA to its own Log Insight appliance. With Log Insight we can accomplish this by configuring “Event Forwarding” on the administration page.
The screenshot above is an example of how you can configure an event forwarder. There are several configuration options available, but the most interesting fields are:
- Tags: adds an extra field to the event, allowing you to see where the event was forwarded from
- Filter (1): the tenant tag we added in the firewall rule isn’t a “selectable” field, so we have to filter on text. Entering the filter text as *TenantA* results in what you see in the screenshot. From what I found, leaving the * off does not work.
- Filter (2): not strictly needed, but I wanted to make sure that only NSX firewall logging would be forwarded. Adding an “appname” filter that matches “dfwpktlogs” accomplishes this.
The image below shows a forwarded event on the second Log Insight appliance. As you can see, both the tag and the tenant name are present in the event.
You can have several of these forwarders, so it is possible to create one for each tenant.
Hopefully this article has shown a helpful method that can be used in a multi-tenant situation.