Creating a Security Audit Dashboard with vRealize Network Insight

Introduction

In this post, I’m going to walk you through step by step, how to create a Pinboard(aka Dashboard) in vRealize Network Insight(vRNI) to provide a summary of recent security related changes in your environment.

Customers initially invest in vRNI is to assist with micro-segmentation planning along with NSX.   Check out this great blog over at VMGuru for a walkthrough of that use case

An additional use case I like to enable customers on is related to operationalizing NSX.  In particular security related auditing, the pinboard we’ll walk through displays the following information;

  • Firewall Rule changes
  • Firewall Rule membership changes
  • Security Group membership changes
  • Security Tag changes

Having this information at your fingertips is very handy, here are two examples

Troubleshooting.  Imagine you get a call, VM1 is no longer able to access VM2.  It was working yesterday! You can quickly utilize this pinboard to identity any recent NSX firewall changes that may have caused this issue. e.g. Somebody removed a Security Tag from VM1.

Auditing. Your security team asks you for a report detailing NSX firewall changes over the last 30 days

Obtaining this information manually from several sources could be time consuming and possibly problematic.

My goal with this post, is to show you how to create the pinboard so you can utilize as is and/or add your own search criteria.  Note Security changes in this blog post  pertain to VMware NSX Data Center for vSphere v6.4.4, utilizing vRealize Network Insight v4.0.0.

To setup this pinboard, I’m assuming you already have vRNI deployed, and NSX Manager added as a datasource

Be aware that vRNI supports several other data sources that could also be used(Amazon Web Services,Checkpoint & Palo Alto to name a few), see complete list in the official product documentation

Sample of completed pinboard

vrni-1.png

Getting started

  1. Login to vRNI UI
  2. In the Search your Datacenter section at the top, type “Firewall rule membership change in last 30 days” followed by Enter.  Note, I’m using 30 days in this example.  Can change this to match your particular requirements

    vrni-2

  3. This will display all firewall rule membership changes over the last 30 days.  Click Push pin over near the top right, then Create New Pinboard

    vrni-3

  4. Enter a Pinboard Name, Description(optional) then click Create and Pin

    vrni-4

  5. Now we have the pinboard created, let’s run some additional searches and add them
  6. In the Search your Datacenter section at the top, type “Firewall rule change in last 30 days” followed by Enter.

    vrni-5

  7. Click Push pin over near the top right, however as we already created a pinboard(Security Changes in this example) we can now hover over it and click Pin

    vrni-6.png

  8. Repeat steps 6-8 for the following searches
    1. security group membership change in last 30 days
    2. security tag change in last 30 days

Modifying the Pinboard

  1. Now that we have created the pinboard, and added some searches lets take a look!
  2. Click the pinboard icon in the UI, and select it

    vrni-8

  3. If you want to change the layout, click the 3 vertical buttons near the top right of the pinboard and select Edit

    vrni-9.png

  4. If you now hover over a particular widget, you can drag and drop to re-order or edit the description.  Click Save or Cancel when done

Reviewing the Pinboard

  1. Now let’s review what is detailed in the dashboard.
  2. In my example under Firewall rule membership change in last 30 days, I can see 44 results, the last being 9 days ago.  If you hover over the right hand side of the widget a scroll bar will appear to review them all

    vrni-10.png

  3. Clicking the magnifying glass icon next to one of the entries, will reveal additional information. In this example a VM named fin-db-01a.corp.local was added to firewall rule IDFW-Allow

    vrni-11

  4. Spend some time exploring the pinboard, to get familiar with the information being presented

Sharing Options

  1. A new feature in vRNI 4.0.0, is the ability to set a pinboard as your homepage.
  2. Click the 3 vertical buttons near the top right of the pinboard and select Set as Homepage.  The pinboard will now be the first thing you see upon login to vRNI

    vrni-12
  3. You can also share the pinboard with other vRNI users.
  4. Click the 3 vertical buttons near the top right of the pinboard and select Share

    vrni-13

  5. In the drop down under Invite new users select existing vRNI user, click the drop down to the right to specify permission then click Add, followed by Save.  Here vm_dave@corp.local will be granted view only access to the pinboard

    vrni-14

As you have seen, the search functionality in vRNI is very intuitive. Searches begin to auto suggest and complete as you type.  Think of it as ‘googling’ your data center!  Get familiar with the various searches available to you and add ones of interest to your shiny new pinboard.

Hopefully you now have a good understanding of pinboards in vRNI and get use out of this in your own environment.  If you have any comments contact me via Twitter @VM_Dave. Thanks for reading!

 

 

 

 

 

 

 

 

 

 

 

 

8 thoughts on “Creating a Security Audit Dashboard with vRealize Network Insight

  1. Pingback: vToolbelt - April 2019 - Cybersylum

  2. Hello Dave, Thank you for your sharing, I follow you guide and want to query what rule was change for 10 days but I got noting. I wrote query like this “Firewall rule change in last 30 days”. But I wrote query like “Firewall rule membership change in last 30 days” was work, is there any suggestion?

    Like

    Reply

  4. In our company, we use AutoNSX- that can do everything mentioned here with no scripts, programming, and so on. Also, AutoNSX has integration to vRNI so once we run discovery from vrni, AutoNSX enables rules directly to NSX based on vRNI grouping and firewall rules recommendation. So far we do micro-segmentation with 5 steps and the DevOps team is able to segment a single application within 5 minutes. Moreover, AutoNSX has it’s own flow and packet collector so if targeting an organization didn’t install vRNI AutoNSX still able to do rule creation. With this approach, we keep governance under control and not depending on scripts or expensive tools. Check it https://digitout.net/services/autonsx/

    Like

    Reply

      1. I was doing some research for my project where the DevOps has to segment applications in fast delivery sprints but keeping governance, and this tool comes as a handy option that we utilize and today. They also have an interesting road map of new features coming in Q4 2020 and Q1 2021.

        Like

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s