After setting up URL Filtering in the NSX-T ICM class, I thought it would be fun to filter my IoT network and see what the devices are up to.
So, I started by enabling the URL Analysis service under North South Security in the Security tab of the NSX Manager.
Then I proceeded to set up the firewall rule, as we had done in class.
Under North South Security, in the Security tab, select Gateway Firewall. Then, select Gateway Specific Rules. Change the Gateway dropdown to the T1 gateway, per the requirements in the Layer 7 Context Profile doc.
With the T1-GW-01 gateway selected, create the new Policy and Rule. In my case I called these URL Inspection Policy and URL Inspection Rule.
With the Rule set to Any for the Sources and Destinations, set the Services to DNS and DNS-UDP, set the Context Profiles to DNS, and set Applied To to T1-GW-01. This will allow filtering of all DNS requests passing the T1 gateway.
However, I had missed the note that a medium-sized edge node (or higher) is required for Layer 7 rules, which is why I am sharing this post. During my search of public knowledge I found little regarding the error messages presented, so I wanted to share my observations.
Seeing the UI message, I started hunting in the logs to see what was generating the Internal Error when applying the Context Profile to the rule. As I found out while troubleshooting, without the Context Profile set to DNS the rule would publish successfully. Furthermore, I found it was any Context Profile that would generate this error, which pointed to an L7 issue rather than a problem specific to the DNS rule.
- Log Messages and Error Codes - https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/administration/GUID-406AF9C3-E8F7-447A-8E3D-92AFB9D5E973.html
Following the edge syslog shows the following: No Service Cores Configured
> get log-file syslog -follow
UI notes: Internal error(1401) occurred on transport node <UUID>.
Edge syslog notes: [ERROR] No Service Cores Configured.. Cannot configure L7 Rule
In researching the above edge log error message, No Service Cores Configured, I came to learn that Service Cores are only part of medium-sized (or higher) edge node deployments.
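As an added example (not code from the original post or from VMware), here is a small Python triage helper that correlates the three pieces of evidence above: the UI error text, the edge syslog line, and the edge node form factor. The sample log lines, UUID and transport-node inventory are constructed; the inventory shape (results, node_deployment_info, deployment_config, form_factor) is an assumption about what the NSX-T transport-nodes API returns and should be checked against your version.

```python
"""Triage the "Internal error(1401)" seen when publishing an L7 gateway rule.

Added example, not part of the original post. Runs offline over constructed
sample data: it scans edge syslog lines for the "No Service Cores Configured"
message and flags edge nodes whose form factor is below MEDIUM, which the
post identifies as the reason the edge refuses a Layer 7 rule.
"""
import re
from typing import Dict, Iterable, List, Optional

# Patterns built from the two messages quoted in the post.
UI_ERROR_RE = re.compile(
    r"Internal error\((?P<code>\d+)\) occurred on transport node (?P<node>[0-9a-fA-F-]+)"
)
SERVICE_CORE_RE = re.compile(r"No Service Cores Configured", re.IGNORECASE)

# Edge form factors that carry service cores; SMALL cannot host L7 rules.
L7_CAPABLE_FORM_FACTORS = {"MEDIUM", "LARGE", "XLARGE"}


def parse_ui_error(message: str) -> Optional[Dict[str, str]]:
    """Pull the error code and transport node UUID out of the NSX UI message."""
    m = UI_ERROR_RE.search(message)
    if not m:
        return None
    return {"code": m.group("code"), "node": m.group("node")}


def find_service_core_errors(syslog_lines: Iterable[str]) -> List[str]:
    """Return the edge syslog lines where the edge refused to configure an L7 rule."""
    return [line for line in syslog_lines if SERVICE_CORE_RE.search(line)]


def undersized_edges(transport_nodes: Dict) -> List[Dict[str, str]]:
    """Edge transport nodes whose form factor is below MEDIUM.

    The input shape (results -> node_deployment_info -> deployment_config ->
    form_factor) is an assumption about the transport-nodes API output.
    """
    found = []
    for node in transport_nodes.get("results", []):
        info = node.get("node_deployment_info", {})
        if info.get("resource_type") != "EdgeNode":
            continue  # host transport nodes have no edge form factor
        form = info.get("deployment_config", {}).get("form_factor", "UNKNOWN")
        if form not in L7_CAPABLE_FORM_FACTORS:
            found.append({"id": node.get("id", ""),
                          "name": node.get("display_name", ""),
                          "form_factor": form})
    return found


def diagnose(ui_message: str, syslog_lines: Iterable[str], transport_nodes: Dict) -> Dict:
    """Correlate the UI error, the edge syslog and the edge inventory."""
    ui = parse_ui_error(ui_message)
    core_errors = find_service_core_errors(syslog_lines)
    small = undersized_edges(transport_nodes)
    failing_node_is_small = bool(ui) and any(e["id"] == ui["node"] for e in small)
    if core_errors and failing_node_is_small:
        cause = "edge node too small for L7: redeploy the edge as MEDIUM or larger"
    elif core_errors:
        cause = "edge reports no service cores; check the edge form factor"
    else:
        cause = "no service-core error in syslog; look elsewhere"
    return {"ui_error": ui, "service_core_errors": core_errors,
            "undersized_edges": small, "likely_cause": cause}


# Constructed sample data (not captured from a real system).
SAMPLE_UI_MESSAGE = ("Internal error(1401) occurred on transport node "
                     "11111111-2222-3333-4444-555555555555.")
SAMPLE_SYSLOG = [
    '2021-06-01T10:00:00Z edge01 NSX 1234 - [nsx@6876 comp="nsx-edge" level="INFO"] Publishing rule',
    '2021-06-01T10:00:01Z edge01 NSX 1234 - [nsx@6876 comp="nsx-edge" level="ERROR"] '
    'No Service Cores Configured.. Cannot configure L7 Rule',
]
SAMPLE_TRANSPORT_NODES = {
    "results": [
        {"id": "11111111-2222-3333-4444-555555555555", "display_name": "edge01",
         "node_deployment_info": {"resource_type": "EdgeNode",
                                  "deployment_config": {"form_factor": "SMALL"}}},
        {"id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "display_name": "esx01",
         "node_deployment_info": {"resource_type": "HostNode"}},
    ]
}

if __name__ == "__main__":
    import json
    print(json.dumps(diagnose(SAMPLE_UI_MESSAGE, SAMPLE_SYSLOG, SAMPLE_TRANSPORT_NODES), indent=2))
```

Feed it the UI message, the output of `get log-file syslog` and a saved copy of the transport-node list; the UUID in the UI error is what lets you tie the failure to one specific edge rather than guessing which node refused the rule.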
Seeing the version note 0.0.0 on both of my edge nodes got me thinking. If the service is reaching out to the internet for its definitions, let me check DNS on the nodes. Yup, the configured DNS server the edges were leveraging was not responding. It's now been 0 days since it was DNS.
Since fixing the edges' DNS resolution, the service was able to retrieve the latest URL Data.
Now to start investigating what the filters find.