VMware NSX-T

Details

  • Support: Level 5 / Automation

  • Version: 3.1+

  • NSX-T provides a virtualized data center network: it virtualizes one or more routers and switches to interconnect virtual and physical nodes and systems.

  • NSX-T enforces security on North-South traffic at each virtualized router (Tier-0 and Tier-1 gateways) using Gateway Firewall policies and rules.

  • NSX-T enforces security on East-West traffic using the Distributed Firewall (DFW), a set of policies and rules applied at each virtualized switch port rather than at a central choke point.

The latest device pack normalizes globally defined objects and policies. This includes the following:

  • Routing: Tier-0 Routers, Tier-0 Forwarding Tables, Tier-0 Locale Services, Tier-0 Interfaces, Tier-1 Routers, Tier-1 Forwarding Tables, Tier-1 Locale Services, Tier-1 Interfaces

  • Inventory: Segments, Segment Ports, Network Groups, Network Group Conditions, Group Scope, Service Groups

  • Context Profiles: Context Profiles, Context Profile App IDs, Context Profile URL Categories, Context Profile Domain Names

  • Policy: Distributed Firewall Policies (DFW), Gateway Firewall Policies (GFW), Security Policy Rules, NAT rules, Schedulers

FireMon strives to provide up-to-date product information; however, we are not always aware when vendors change their device UI. If any Configure the Device procedure differs from your device version (the UI location of fields, not the information needed), consult your device's user guide.

To add a VMware NSX-T device, complete the following steps.

Step 1: Configure the Device

VMware NSX-T ships with a built-in local user, audit, assigned the Auditor role. Auditor is the User Role Assignment to use for retrievals in SIP: it has read-only permissions, which is all a retrieval needs.

Either the built-in audit account or any other account assigned the Auditor role will allow successful retrievals. Use the least privilege that works: a retrieval credential never needs write access to NSX-T.

You cannot create additional local users, so if you want to use an account other than audit for retrievals, create it through LDAP and then assign the Auditor role to that user.

To use a Principal Identity User (PIU) as an authentication method, you need a client certificate in PEM format. NSX-T does not generate it for you: create the certificate (for example with openssl) before you add the identity, keep the private key with the client that will authenticate as the PIU, and give NSX-T only the certificate.

  1. Open the NSX-T GUI, navigate to System > Settings > Users and Roles and click Add > Principal Identity with Role.

  2. Fill out the form to create the identity.

  3. In the Certificate PEM box, paste the contents of the certificate, including the BEGIN CERTIFICATE and END CERTIFICATE lines. Keep a copy of this text; you enter the same PEM in SIP when you add the device.

  4. Click Save.

A Principal Identity User holds exactly one role. A single PIU therefore cannot serve both retrieval (read-only, Auditor) and automation (write access); create a separate identity for each purpose.

If you use automation, the automation identity needs a role with full Enterprise Admin rights, or a custom role that grants full access to the objects automation will change.
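The shell below is an added example, not FireMon's or VMware's own code. It covers the certificate side of this step and a pre-flight check of the retrieval credential before you move on to add the device: it generates a key pair and self-signed certificate for a Principal Identity, extracts exactly the text to paste into the Certificate PEM box, and then confirms that the auditor account can read the DFW policies but is refused a write. It assumes openssl and curl are installed, that the operator sets NSX_MGR, NSX_CA (the manager's CA bundle), NSX_USER and NSX_PASS, and that the NSX-T Manager API paths are the documented /api/v1 and /policy/api/v1 ones; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example, not FireMon's or VMware's code. Assumptions: openssl and
# curl are installed; NSX_MGR (manager FQDN), NSX_CA (path to the manager's
# CA bundle), NSX_USER and NSX_PASS are set by the operator; API paths are
# the documented NSX-T Manager paths (/api/v1, /policy/api/v1).
set -e

# 1. Key pair + self-signed certificate for a Principal Identity. Only the
#    certificate is pasted into NSX-T; the private key stays with whatever
#    will authenticate as that PI, so keep it out of the UI form.
gen_pi_cert() {            # usage: gen_pi_cert <pi-name> <validity-days>
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" 2>/dev/null
  chmod 600 "$1.key"
}

# 2. The exact text for the "Certificate PEM" box: one certificate block,
#    BEGIN and END lines included. Refuses files with zero or several
#    blocks (a chain, or key and cert concatenated, is a common paste error).
extract_pem_block() {      # usage: extract_pem_block <pem-file>
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1") || n=0
  if [ "$n" -ne 1 ]; then
    echo "expected exactly one certificate block in $1, found $n" >&2
    return 1
  fi
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"
}

# 3. HTTP status of an NSX-T API call made with the retrieval credential.
#    TLS is verified against NSX_CA; do not replace this with -k in production.
nsx_status() {             # usage: nsx_status <METHOD> <path>
  curl -s -o /dev/null -w '%{http_code}' --cacert "$NSX_CA" \
    -u "$NSX_USER:$NSX_PASS" -X "$1" "https://$NSX_MGR$2"
}

# 4. Pre-flight before adding the device: the auditor credential must be able
#    to read the DFW policies (200) and must be refused a write (403). The
#    DELETE targets an ID that does not exist, so it changes nothing even if
#    the account turns out to be over-privileged.
check_auditor() {
  r=$(nsx_status GET /policy/api/v1/infra/domains/default/security-policies)
  w=$(nsx_status DELETE "/policy/api/v1/infra/domains/default/groups/sip-probe-$$")
  echo "read=$r write=$w"
  [ "$r" = 200 ] || { echo "retrieval credential cannot read DFW policies" >&2; return 1; }
  [ "$w" = 403 ] || { echo "credential is not read-only; assign the Auditor role" >&2; return 1; }
}

# Usage:  sh nsx_preflight.sh pi     -> writes sip-automation.{key,crt}, prints the PEM
#         sh nsx_preflight.sh check  -> verifies the auditor account against NSX_MGR
case "${1:-}" in
  pi)    gen_pi_cert sip-automation 730 && extract_pem_block sip-automation.crt ;;
  check) check_auditor ;;
esac
```

Run the `check` mode with the account you intend to enter under Username/Password in the next step; if the write probe returns anything other than 403, the account has more than Auditor rights and should not be used for retrieval.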

Step 2: Add the Device in the Administration Module

  1. On the toolbar, click Device > Devices.
  2. Click Create, and then click VMware > NSX-T.
  3. General Properties section.

To prevent errors in device group-level device maps and incorrect reporting data, all devices added in Administration must have unique IP addresses. If devices with duplicate IP addresses must be added within a domain, it is strongly recommended that those devices be separated into discrete device groups, where no duplicate IP addresses are included in the same device group. Devices with duplicate IP addresses will cause errors in the All Devices device map, and may cause incorrect data in reports, even if they are in discrete device groups.

  1. In the Name box, type the name of the device as you want to see it in SIP.
  2. In the Description box, type an optional description of the device being added.
  3. In the Management IP Address box, type the IP address of the device.
  4. In the Data Collector Group box, select the IP address of the data collector group that will collect data from this device.
  5. In the Central Syslog Server box, select the syslog server from the list (optional).

Syslog fields are optional if the device uses the same IP address for syslog and management.
A central syslog server is required only if syslog messages come from a different IP address. A central syslog server must be created before it can be assigned to a device. To track usage via syslog, the device must support Level 3 or higher.

  6. In the Syslog Match Names box, type the syslog match name (optional). You can enter multiple comma-separated names.
  7. By default, the Automatically Retrieve Configuration check box is selected.
  8. In the External ID box, type a unique identifier to be used when the device identifier is different from what is displayed in SIP.
  4. Collection Configuration section. Select Default, which is the collection configuration shipped with the installed device pack, or a configuration you created on the management station by duplicating and then editing the default (Device Collection Configuration).
  5. Device Settings section.

Credentials

Select an Authentication Method type to use.

  • Username/Password
    • In the User Name box, type the name of the Auditor-role user that was set up during device configuration.
    • In the Password and Re-enter Password boxes, type that user's password.
  • Certificate
    • Paste the Certificate PEM of the Principal Identity that was created during device configuration, including the BEGIN CERTIFICATE and END CERTIFICATE lines.
  6. Monitoring section.

Log Monitoring

Select the Enable Log Monitoring check box to use for Rule Usage Analysis.

Select a Track Usage Via type.

  • Hit Counters
    • Count Retrieval Interval defaults to 10 (minutes); this value determines how often hit-count usage data is sent to the application server.
  • Syslog
    • Log Update Interval defaults to 10 (minutes); this value determines how often syslog-derived usage data is sent to the application server.

Change Monitoring

Select the Enable Check for Change check box to check for configuration changes after the specified interval and perform a retrieval if changes are detected.

  • Enter an optional Alternate Syslog Source IP.
  • Select the Perform Change Verification check box to allow the data collector to verify there are actual changes prior to posting a revision to Security Manager. This will enable more efficient use of disk space by not posting revisions that did not change from the last normalized revision.
  7. Retrieval section.

Scheduled Retrieval

Select the Enable Scheduled Retrieval check box to perform a retrieval at a set time regardless of change detection.

  • Set the Scheduled Retrieval Time to fit your requirements.
  • Select the Scheduled Retrieval Time Zone from the list.

Check for Change Retrieval

Select the Enable Check for Change check box to check for configuration changes after the specified interval and perform a retrieval if changes are detected.

  • The default Check for Change Interval time is 1440 minutes (every 24 hours). You can change the check interval time to best fit your requirements. The minimum required interval is 60 minutes (1 hour).
  8. Automation section.

Select the Allow Automation Overwrite check box to allow automation to overwrite objects owned by a Principal Identity User (PIU). In NSX-T, objects created by a PIU can only be modified by that PIU, so automation must authenticate as the owning identity.

  • Enter the credentials of the PIU (the Certificate PEM of the automation identity created in Step 1, not the Auditor-role retrieval credential).

  9. Advanced section.

  • Select the Use Batch Config Retrieval check box if you are manually sending configurations for this device via your data collector's batchconfig directory. While this option is enabled, online retrievals are disabled.
  • Select the Enable Retrieval of Group Conditional Members check box to retrieve the Group Member Virtual Machines and Segments that are defined by dynamic criteria statements for NSX-T Inventory Groups.
  • Select the Automatically Update SSH Keys check box if you want the data collector to automatically update the SSH key for a device when a conflict occurs.
  10. Enforcement section.

Select an Enforcement Option from the list:

  • Allow All: All automation is allowed (enforcement, change, manual).

  • Manual Only: When selected, all changes must be manually pushed for this device.

  • Prevent All: No automation is allowed.

  • Window Only: Automation can only take place in the assigned enforcement window.

If this device is assigned to an enforcement or change window, the window is listed here. If there is no assignment, changes must be manually pushed for this device.

  11. Supplemental Routes section.

Supplemental routes cannot be added until after a retrieval normalizes successfully. You can perform a manual retrieval before continuing.

  1. Click Add.

  2. Complete fields in the Add Supplemental Routes dialog box:

  • Select an Interface.

If you select an Interface, you do not need to select a Virtual Router and Next Virtual Router. If no Interface is selected, you must select both a Virtual Router and a Next Virtual Router.

  • Type the Destination IP address.
  • Type the Gateway IP address.
  • Select a Virtual Router.
  • Select a Next Virtual Router.
  • Turn on the Drop toggle if the route should drop matching traffic; when the toggle is off, the action is Accept.
  • Click Add.
  12. Click Save.

Step 3: Verify Communication

Because Automatically Retrieve Configuration is enabled by default, there is nothing further for you to do: Security Manager will automatically attempt to retrieve the device configuration.

To do a manual retrieval, select the device row, click the Menu icon and then click Retrieve Configuration.

It may take up to 15 minutes to see the status result of the retrieval.