In this post, I’m going to walk you through step by step, how to create a Pinboard(aka Dashboard) in vRealize Network Insight(vRNI) to provide a summary of recent security related changes in your environment.
Customers initially invest in vRNI is to assist with micro-segmentation planning along with NSX. Check out this great blog over at VMGuru for a walkthrough of that use case
An additional use case I like to enable customers on is related to operationalizing NSX. In particular security related auditing, the pinboard we’ll walk through displays the following information;
- Firewall Rule changes
- Firewall Rule membership changes
- Security Group membership changes
- Security Tag changes
Having this information at your fingertips is very handy, here are two examples
Troubleshooting. Imagine you get a call, VM1 is no longer able to access VM2. It was working yesterday! You can quickly utilize this pinboard to identity any recent NSX firewall changes that may have caused this issue. e.g. Somebody removed a Security Tag from VM1.
Auditing. Your security team asks you for a report detailing NSX firewall changes over the last 30 days
Obtaining this information manually from several sources could be time consuming and possibly problematic.
My goal with this post, is to show you how to create the pinboard so you can utilize as is and/or add your own search criteria. Note Security changes in this blog post pertain to VMware NSX Data Center for vSphere v6.4.4, utilizing vRealize Network Insight v4.0.0.
To setup this pinboard, I’m assuming you already have vRNI deployed, and NSX Manager added as a datasource
Be aware that vRNI supports several other data sources that could also be used(Amazon Web Services,Checkpoint & Palo Alto to name a few), see complete list in the official product documentation
Sample of completed pinboard
- Login to vRNI UI
- In the Search your Datacenter section at the top, type “Firewall rule membership change in last 30 days” followed by Enter. Note, I’m using 30 days in this example. Can change this to match your particular requirements
- This will display all firewall rule membership changes over the last 30 days. Click Push pin over near the top right, then Create New Pinboard
- Enter a Pinboard Name, Description(optional) then click Create and Pin
- Now we have the pinboard created, let’s run some additional searches and add them
- In the Search your Datacenter section at the top, type “Firewall rule change in last 30 days” followed by Enter.
- Click Push pin over near the top right, however as we already created a pinboard(Security Changes in this example) we can now hover over it and click Pin
- Repeat steps 6-8 for the following searches
- security group membership change in last 30 days
- security tag change in last 30 days
Modifying the Pinboard
- Now that we have created the pinboard, and added some searches lets take a look!
- Click the pinboard icon in the UI, and select it
- If you want to change the layout, click the 3 vertical buttons near the top right of the pinboard and select Edit
- If you now hover over a particular widget, you can drag and drop to re-order or edit the description. Click Save or Cancel when done
Reviewing the Pinboard
- Now let’s review what is detailed in the dashboard.
- In my example under Firewall rule membership change in last 30 days, I can see 44 results, the last being 9 days ago. If you hover over the right hand side of the widget a scroll bar will appear to review them all
- Clicking the magnifying glass icon next to one of the entries, will reveal additional information. In this example a VM named fin-db-01a.corp.local was added to firewall rule IDFW-Allow
- Spend some time exploring the pinboard, to get familiar with the information being presented
- A new feature in vRNI 4.0.0, is the ability to set a pinboard as your homepage.
- Click the 3 vertical buttons near the top right of the pinboard and select Set as Homepage. The pinboard will now be the first thing you see upon login to vRNI
- You can also share the pinboard with other vRNI users.
- Click the 3 vertical buttons near the top right of the pinboard and select Share
- In the drop down under Invite new users select existing vRNI user, click the drop down to the right to specify permission then click Add, followed by Save. Here email@example.com will be granted view only access to the pinboard
As you have seen, the search functionality in vRNI is very intuitive. Searches begin to auto suggest and complete as you type. Think of it as ‘googling’ your data center! Get familiar with the various searches available to you and add ones of interest to your shiny new pinboard.
Hopefully you now have a good understanding of pinboards in vRNI and get use out of this in your own environment. If you have any comments contact me via Twitter @VM_Dave. Thanks for reading!
8 thoughts on “Creating a Security Audit Dashboard with vRealize Network Insight”
Hello Dave, Thank you for your sharing, I follow you guide and want to query what rule was change for 10 days but I got noting. I wrote query like this “Firewall rule change in last 30 days”. But I wrote query like “Firewall rule membership change in last 30 days” was work, is there any suggestion?
My vRNI is 5.1 , nsx is 2.5.1. ^_^
Hi Ethan, thanks for reading my blog! For NSX-T try this instead “NSX Firewall rule change in last 10 day”
Hello Dave, you suggestion is work , thank you so much…..
LikeLiked by 1 person
In our company, we use AutoNSX- that can do everything mentioned here with no scripts, programming, and so on. Also, AutoNSX has integration to vRNI so once we run discovery from vrni, AutoNSX enables rules directly to NSX based on vRNI grouping and firewall rules recommendation. So far we do micro-segmentation with 5 steps and the DevOps team is able to segment a single application within 5 minutes. Moreover, AutoNSX has it’s own flow and packet collector so if targeting an organization didn’t install vRNI AutoNSX still able to do rule creation. With this approach, we keep governance under control and not depending on scripts or expensive tools. Check it https://digitout.net/services/autonsx/
Thanks for reading my blog and leaving your comment Dmitri. I have not seen this tool before, will check it out!
I was doing some research for my project where the DevOps has to segment applications in fast delivery sprints but keeping governance, and this tool comes as a handy option that we utilize and today. They also have an interesting road map of new features coming in Q4 2020 and Q1 2021.