NSX-T 3.0 URL Analysis

URL Analysis Dashboard in NSX-T

VMware recently introduced URL Analysis capabilities on the NSX L7 Edge Firewall.

“The Layer 7 Edge Firewall is now further enhanced in NSX-T 3.0 with the implementation of URL Analysis for URL Classification and Reputation. The Edge Firewall detects access from outside the datacenter for granular detection and categorization of in-bound and outbound URLs.”

URL analysis allows administrators to gain insight into the type of websites accessed within the organization, and understand the reputation and risk of the accessed websites.

This blog will take you through the step-by-step procedure to enable URL Analysis in your NSX-T 3.0 environment – take note that this feature requires the NSX Data Center Enterprise Plus license. Unlike previous features, URL Analysis is license-enforced and will not work unless you have at least the Enterprise Plus license.

Let’s get started with enabling URL Analysis

This blog assumes you have already deployed the required Edge appliances and configured the segments, T1s and T0s needed to match the demo topology below.

NSX-T has 80+ pre-defined categories, and a domain can belong to multiple categories. Reputation scores range from 0 to 100 and are grouped into 5 risk levels. The distribution is shown as a percentage per risk level and as the total number of flows per risk level. NOTE: URL Analysis is available on the gateway firewall.

NSX-T Demo Topology taken from the NSX-T Dashboard

Step 1 – Ensure that DNS is configured on an edge node. See Create an NSX Edge Transport Node in the NSX-T Data Center Installation Guide. ***When deploying the Edge Appliance, you need to make sure you have followed the deployment guide correctly and enabled DNS***

It is important to know that the management interface(s) of the Edge node(s) hosting the Services Router (SR) of your NSX-T T1 gateway must have access to the Internet to download the database. DNS is required on the Edge nodes to resolve the domain name of the cloud server hosting the URL database. If the management interface(s) do not have Internet access or cannot resolve DNS, this functionality will not work.

Step 2 – Enable URL Analysis

NSX-T Security Overview Dashboard

On the NSX-T Manager dashboard click on Security at the top and you will see the dashboard above. At this point we have not enabled URL Analysis and therefore no data is available here yet. Click on Get started with URL Analysis, then hit GET STARTED on the pop-up shown below.

Pop-up Highlighting high-level steps to follow

Next we need to select the Edge Cluster on which to enable the N/S URL Analysis functionality – in my lab I will enable it on the cluster named edge-cluster-url-analysis.

URL Analysis Settings Dashboard

Toggle Enable on the right-hand side for the cluster you will be using in your setup and then click YES on the pop-up shown below.

URL Analysis is now enabled on my edge cluster

Now that it is enabled on the cluster(s), as shown below, there is an optional task: create a context profile with a URL Category attribute. For the sake of this blog we will go ahead and perform it.

Step 3 – (Optional) Create a context profile, with a URL Category attribute

Click on Set under Profiles for the cluster you enabled; this opens the screen shown below.

Creating a Context Profile

Click ADD CONTEXT PROFILE on the top left and provide a name for the Context Profile; you can optionally add a description.

Once you have configured the Name, click on Set and the window below opens. Go ahead and click on ADD ATTRIBUTE.

Now select URL Category

This takes you to the next dashboard showing a list of attributes, which are the URL categories; just click on the names to add them to your list.

I added all the available options to my profile; click ADD when done.

Next Hit Apply

Now hit Save, followed by APPLY on the bottom right.

Once you have applied the context profile, the system will contact the URL database server on the Internet and download the database. You should then see a URL Data Version and a Last Synced date and time.

Step 4 – In this last step we need to configure a Layer 7 gateway firewall rule for DNS traffic, so that URL Analysis can analyze domain information. ***NOTE*** This is a Gateway Firewall rule, not a Distributed Firewall rule. Navigate to Gateway Firewall in the left-hand side menu.

Now we will create an L7 DNS firewall rule under All Shared Rules: click on ADD POLICY and you will see a new policy section added.

Let's rename the default name to something useful; I renamed mine L7DNS-Policy. Click on the name “New Policy” and you will be able to edit it in place.

Now click on those three blue dots next to the Policy Name and select ADD RULE

Adding a new rule

Go ahead and name the newly added rule (I named mine L7DNSRule), and leave the source and destination as Any.

Now move the cursor over the Services field in this new rule and click on the pencil to edit the services; search for dns, add DNS and DNS-UDP, and click Apply. This configures L4 DNS inspection.

Next move the cursor over the Profiles field where it says “None” and click the pencil to edit this field.

Here we select DNS; this is where we enable the L7 DNS inspection capability. Click Apply.

Type DNS in the box at the top and then select DNS

The last step is to apply this L7 DNS policy to the T1 to which our end-system segments are connected – you can only apply this to a T1. Again hover the cursor over the Applied To field, click the pencil and select the T1 you will use – I am using T1-URL-Analysis here. Then click Apply.

Select the correct T1

Once you hit Apply you will see the policy defined; now we just need to publish it so that NSX Manager pushes the policy as needed – so go ahead and click Publish in the top right.

You can click the refresh button on the bottom left-hand side and watch until the policy status turns green and says

L7 DNS Policy successfully applied to the T1

Final Step – Now that all the configuration work is done, we can go back to URL Analysis and see if our URLs are being classified; you might see the “URL Analysis in Progress. Please check back.” screen. Generate some DNS requests in your environment and return to the dashboard – I have a virtual Windows desktop connected to one of the segments, and I simply opened a browser and visited various websites to create some traffic.

After a short while, open the Security Overview dashboard and you should see data populated under URL ANALYSIS SUMMARY – N-S TRAFFIC.

Security Overview Dashboard

For a detailed view, click on the URL Analysis tab on the right-hand side and you will see the output below. Note the reputation scores, categories and other details.
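To make concrete what the dashboard above is built from, here is an added illustration (not code from the blog or from VMware) of the two things URL Analysis derives from L7 DNS inspection: the queried domain, pulled from the DNS question, and the per-risk-level flow distribution. The URL_DB entries and the five score bands are constructed assumptions; in NSX-T the categories and scores come from the downloaded URL database.

```python
from collections import Counter

# Assumed reputation bands: the page says scores run 0-100 in 5 levels but not the cut-offs.
RISK_LEVELS = [(20, "High Risk"), (40, "Suspicious"), (60, "Moderate Risk"),
               (80, "Low Risk"), (100, "Trustworthy")]

# Constructed stand-in for the downloaded URL database: domain -> (categories, score).
URL_DB = {
    "news.example.com": (["News"], 88),
    "login.example.org": (["Phishing", "Malware Sites"], 12),  # multiple categories
    "shop.example.com": (["Shopping"], 55),
}

def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS A query: 12-byte header plus one question."""
    header = txid.to_bytes(2, "big") + b"\x01\x00\x00\x01" + b"\x00" * 6
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split("."))
    return header + qname + b"\x00" + b"\x00\x01\x00\x01"  # QTYPE=A, QCLASS=IN

def parse_qname(packet: bytes) -> str:
    """Extract the queried domain from the first question of a DNS query."""
    if len(packet) < 12 or packet[2] & 0x80 or packet[4:6] != b"\x00\x01":
        raise ValueError("not a DNS query with exactly one question")
    labels, pos = [], 12
    while pos < len(packet) and packet[pos] != 0:
        length = packet[pos]
        if length & 0xC0:  # compression pointers never appear in a plain QNAME
            raise ValueError("unexpected compression pointer in QNAME")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    if pos >= len(packet):
        raise ValueError("truncated QNAME")
    return ".".join(labels).lower()

def risk_level(score: int) -> str:
    """Map a 0-100 reputation score onto one of the five assumed risk levels."""
    if not 0 <= score <= 100:
        raise ValueError("score must be within 0-100")
    return next(name for upper, name in RISK_LEVELS if score <= upper)

def summarize(packets):
    """Return ({level: flow count}, {level: percent}) over the inspected DNS flows."""
    counts = Counter()
    for pkt in packets:
        domain = parse_qname(pkt)
        level = risk_level(URL_DB[domain][1]) if domain in URL_DB else "Uncategorized"
        counts[level] += 1
    total = sum(counts.values())
    percent = {lvl: round(100 * n / total, 1) for lvl, n in counts.items()}
    return dict(counts), percent
```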

Congratulations, you now have a working NSX-T 3.0 URL Analysis environment

Deploying the NSX-T Cloud Service Manager (CSM)

NSX Cloud enables you to manage and secure your public cloud inventory using NSX-T Data Center. The Cloud Service Manager (CSM) provides a single pane of glass management endpoint for your public cloud inventory.

NSX Cloud delivers consistent networking and security for your applications running natively in public clouds. No more infrastructure silos driving up complexity and operational expense; instead, you get intrinsic security policies globally and precise control across virtual networks, regions, and clouds. NSX Cloud currently supports Microsoft Azure and Amazon AWS, including Azure Government and AWS GovCloud (US) regions. For full details, see NSX Cloud.

This blog focuses on deploying the NSX-T CSM appliance and connecting it to my on-premises NSX-T Manager; following the base setup, we will connect the CSM to my AWS account.

There is no specific appliance binary for the NSX-T CSM; it uses the same NSX-T Manager software package. So we simply reuse the NSX-T Manager appliance OVA that you downloaded from the VMware download page when you deployed your NSX-T Managers.

You will need an additional IP address which will be the management IP for this new appliance. Since this appliance will need to access the Internet, the IP address either needs direct Internet access or we would need the proxy details for your environment.

You will need the admin credentials of your on-premises NSX-T Manager when registering the CSM with it.

Let’s Get Started

Step 1 – Log in to your vCenter and navigate to the cluster where we will deploy the NSX-T Manager OVA – I am using NSX-T 3.0.

Step 2 – Provide a Virtual Machine Name for this deployment, I am just using NSX-CSM

Step 3 – Select the vCenter Cluster or host where you are planning to deploy the NSX-CSM appliance – I will deploy mine in my management cluster

Step 4 – Review the details below and click Next

Step 5 – This is where we decide whether to deploy this as a traditional NSX-T Manager or as a CSM. By selecting ExtraSmall you will see the side note that this configuration is only supported for the NSX-T Cloud-Services-Manager, along with the resources required for this deployment. If you accidentally proceed with the default selection of Medium, you will need to restart from Step 1.

Step 6 – Next we select the storage to which the appliance will be deployed. In my case I have a vSAN datastore in my management cluster and I will deploy it there.

Step 7 – Select the correct port group to which the CSM will be attached – in my lab I will use Management_DXB; this is the same port group to which my on-premises NSX-T Manager is connected.

Step 8 – In this step we configure the management interface and password details.

Please follow the password complexity rule as below:
– minimum of 12 characters in length
– >=1 uppercase character
– >=1 lowercase character
– >=1 numeric character
– >=1 special character
– >=5 unique characters

You must configure the System Root User Password and the CLI “admin” User Password. The others are optional and I left them blank.

Take note: the NSX-T default password expiry is 90 days; this can be changed via the CLI.
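When scripting an OVA deployment, it helps to check candidate passwords against the complexity rules above before the deployment fails. This added helper (not part of the blog or of any VMware tooling) encodes those six rules; it assumes that any character which is neither a letter nor a digit counts as "special", since the page does not define the set.

```python
import re

# The six complexity rules from the deployment wizard, each paired with its check.
# Assumption: a "special character" is anything that is not a letter or digit.
NSX_PASSWORD_RULES = [
    ("minimum of 12 characters in length", lambda pw: len(pw) >= 12),
    (">=1 uppercase character", lambda pw: re.search(r"[A-Z]", pw) is not None),
    (">=1 lowercase character", lambda pw: re.search(r"[a-z]", pw) is not None),
    (">=1 numeric character", lambda pw: re.search(r"[0-9]", pw) is not None),
    (">=1 special character", lambda pw: re.search(r"[^A-Za-z0-9]", pw) is not None),
    (">=5 unique characters", lambda pw: len(set(pw)) >= 5),
]

def password_violations(pw: str) -> list:
    """Return the rules a candidate appliance password fails (an empty list means it passes)."""
    return [rule for rule, check in NSX_PASSWORD_RULES if not check(pw)]
```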

Now we need to configure the hostname and, importantly, select the role for this appliance – since we are deploying it as a CSM, I select nsx-cloud-service-manager from the drop-down menu.

Make sure to select nsx-cloud-service-manager
Populate the correct IP address details

Finally, before deploying the CSM, make sure to use the correct DNS and NTP servers for your environment.

Step 8 – After populating all the needed details we are ready to deploy the NSX-T CSM appliance. Once the deployment has completed, go ahead and power it up.

Final step reviewing all the details before we hit Finish

Quick Tip: How to get the NSX-T Manager’s Thumbprint

For various reasons you might face a requirement for the NSX-T Manager’s thumbprint, for example when you deploy a standalone NSX-T Edge or the NSX-T Cloud Services Manager (CSM). My use case is deploying the NSX-T CSM.


Step 1: Open an SSH session to the NSX-T Manager with the admin credentials.

Step 2: On the NSX-T Manager terminal run the following command: get certificate api thumbprint

Now you can copy the output to wherever you need it.

Upgrading NSX-T Federation environment to NSX-T 3.0.1

VMware recently announced the availability of NSX-T 3.0.1 on 23 June 2020. This post shows the steps I followed to upgrade my lab environment from my NSX-T 3.0 to NSX-T 3.0.1.

NSX-T Data Center 3.0.1 is a maintenance release which includes new features and bug fixes – I am upgrading my lab to stay on the latest release, as I use this setup for demos, but also to fix one or two bugs.

As with any upgrade always check the compatibility and system requirements information, see the NSX-T Data Center Installation Guide.

You are going to need to download the upgrade bundle from the download page. This requires an active support contract.

NSX 3.0.1 Upgrade Bundle

Let’s Get Started with the upgrade

My NSX Lab Layout

My lab is hosted in a nested ESXi environment with two simulated sites (DC-01 and DC-02). Each site has its own local vCenter and local NSX-T Manager, and all management components are hosted in a separate management cluster where my Global NSX-T Manager is also deployed. Both the DC-01 and DC-02 Local NSX-T Managers are registered with the Global Manager, as shown below.

System Overview from the NSX-T Global Manager

Since this is only a lab environment, I am using a single NSX-T Manager appliance for each of the NSX Managers (Local and Global). *At the time of the release of Federation in NSX-T 3.0, only one Global Manager virtual appliance is supported.

I am going to use the built-in NSX-T upgrade coordinator under the system tab for the upgrade process. The upgrade coordinator runs in the NSX Manager. It is a self-contained web application that orchestrates the upgrade process of hosts, NSX Edge cluster, NSX Controller cluster, and Management plane.

The upgrade coordinator is upgraded first, followed by the Global Manager management plane and then the Local Managers.

Let me start by upgrading the upgrade coordinator by clicking the blue UPGRADE notice on the Global Manager. Next I need to upload the upgrade bundle package file, so browse to where you saved the package image and hit Upload.

Once you hit Upload, the NSX-T Manager starts uploading the image and you will see the upload progress meter as shown below – depending on your setup and the bandwidth available between the NSX Manager and where the file is copied from, this could take a few minutes – it is an 8.6 GB image.

NSX-T Manager uploading image

Once the upload is completed, NSX-T Manager will start extracting the upgrade bundle and perform a compatibility matrix check – this can take some time too, 10–20 minutes.

So now that all the checks have been done, we are ready to start the upgrade process on the coordinator. Let’s hit the upgrade button.

Read and accept the EULA terms, hit continue

Confirm that you are sure you want to continue… hit Yes, Continue.

At this point it seems that nothing is happening but the upgrade coordinator is being upgraded and it should take a couple of minutes.

What is Virtualization?

Virtualization is the process of creating a software-based, or virtual, representation of something, such as virtual applications, servers, storage and networks. It is the single most effective way to reduce IT expenses while boosting efficiency and agility for all size businesses – Sourced from VMware

We will explore all forms of virtualization over time and hopefully post some useful content for you to use in your everyday tasks.