[ troubleshooting nsx-t ]

URL Filtering in NSX-T

After setting up URL Filtering in the NSX-T ICM class, I thought it would be fun to filter my IoT network and see what the devices are up too.

NSX-T URL Analysis

So, I started by enabling the URL Analysis service under North South Security in the Security tab of the NSX Manager.

NSX-T URL Analysis Settings

Then I proceed setting up the firewall rule, as we had done in class.

Under North South Security, in the Security tab, select Gateway Firewall. Then, select Gateway Specific Rules. Change the Gateway dropdown to the T1 gateway, per the requirements in the Layer 7 Context Profile doc.

With the T1-GW-01 gateway selected, create the new Policy and Rule. In my case I called these URL Inspection Policy and URL Inspection Rule. With the Rule set to Any for the Sources and Destinations, set the Services to DNS and DNS-UDP, set the Context Profiles to DNS and Applied To T1-GW-01. This will allow filtering of all dns requests passing the T1 gateway.

NSX-T URL Analysis T1 Gateway Firewall Rule

However, I had missed the note regarding a medium sized edge node or higher is required for Layer 7 rules. Which is why I am sharing this post. Since, during my investigation of public knowledge, I found little regarding the error messages presented. So, I wanted to share my observations.

Seeing the ui message I started hunting in the logs to see what is generating the Internal Error when applying the Context Profile to the rule. As I had found out over troubleshooting with out the context Profile set to DNS, the rule would publish successfully. Further more I found it was any Context Profile which would seem to generate this error. Which was pointing to a L7 issue rather then a specific DNS rule problem.

Following the edge syslog, show’s the following, No Service Cores Configured

> get log-file syslog -follow

UI notes: Internal error(1401) occurred on transport node <UUID>.

Edge syslog notes: [ERROR] No Service Cores Configured.. Cannot configure L7 Rule

In researching the above edge log error message, No Service Cores configured, I came to learn Service Cores are only part of medium-sized edge node (or higher) edge deployments

Seeing version note 0.0.0 on both of my edge nodes got me thinking. If the service is reaching out to the internet for its definitions let me check DNS on the nodes. Yup, my configured DNS server the edges were leveraging was not responding. Its now been 0 day’s since it was DNS.

image alt <>

Since fixing the edge’s DNS resolution, it was able to retrieve the latest URL Data

NSX-T URL Analysis Settings URL Data Version

Now to start investigating what the filters find.

DISCLAIMER This is a personal blog. Any views or opinions represented in this blog are personal and belong solely to the blog owner and do not represent those of people, institutions or organizations that the owner may or may not be associated with in professional or personal capacity, unless explicitly stated. Any views or opinions are not intended to malign any religion, ethnic group, club, organization, company, or individual.
All content provided on this blog is for informational purposes only. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information.
Unless stated, all photos are the work of the blog owner and are licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License. If used with watermark, no need to credit to the blog owner. For any edit to photos, including cropping, please contact me first.
Unless stated, all recipes are the work of the blog owner and are licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License. Please credit all recipes to the blog owner and link back to the original blog post.
Downloadable Files
Any downloadable file, including but not limited to pdfs, docs, jpegs, pngs, is provided at the user’s own risk. The owner will not be liable for any losses, injuries, or damages resulting from a corrupted or damaged file.
Comments are welcome. However, the blog owner reserves the right to edit or delete any comments submitted to this blog without notice due to
– Comments deemed to be spam or questionable spam
– Comments including profanity
– Comments containing language or concepts that could be deemed offensive
– Comments containing hate speech, credible threats, or direct attacks on an individual or group
The blog owner is not responsible for the content in comments.
This policy is subject to change at anytime. disclamer c/o http://kaloferov.com/