NSX-T features some usability improvements when it comes to saving firewall configurations, or drafts.
In this post I’m going to walk through how you can leverage this feature. An example use case is a business with a change control policy mandating that administrators may only publish Distributed Firewall updates outside of core business hours. Another is where you need to facilitate peer review, i.e. having a team mate review the proposed changes and publish them.
Rather than wait until the change window opens to start making your updates, you can make your changes, save the configuration during normal working hours and then load the saved configuration and publish later during the maintenance window.
In my lab I’ve integrated NSX-T v2.5.1 with VMware Identity Manager (vIDM) v3.3.1 to facilitate role based access control with Active Directory users. For an overview of how to configure this, take a look at this blog post: Remote User Authentication and RBAC with NSX-T
TIP: Make sure to bookmark/note the URL that bypasses vIDM login. This can come in handy if there is a communication issue between NSX & vIDM preventing login; you can still log in with the local admin account: https://<nsx-fqdn>/login.jsp?local=true
In this example, I will log in to NSX as two different users, both from the corp.local AD domain and both granted the Security Engineer role.
Creating a Saved Configuration
- With vIDM integration configured, when I connect to the NSX UI I’m redirected to the vIDM login page. I make sure the correct domain is set, and log in as Cara Dune (cdune)
- I create a new policy, in this case a simple rule that will allow RDP access to an RDSH server
- Rather than clicking Publish, which immediately publishes the changes to the data plane, select Actions in the top right, and select Save within the Configurations section
- Give the Saved Configuration a name, a description and a comment if desired, and click Save. If you toggle the lock option, entering a comment is mandatory.
- Now that I’ve saved the configuration, I can revisit and publish the rules later
Publishing a Saved Configuration
OK, so my change/maintenance window is open and I’m ready to publish the changes.
I’m going to log in to NSX as a different user, Greef Karga (gkarga), who also has the Security Engineer role assigned, so they can review and publish the changes made by user Cara Dune earlier. They also happen to be working the evening shift this week and are assigned to implement changes.
- Greef Karga logs in to the NSX UI
- Reviewing the Distributed Firewall policy, I can see that the RDP Policy saved earlier is not present, as expected
- Now select Actions in the top right, and select View within the Configurations section
- The default period is Last 30 Days; this can be changed to Last 3 Months, 1 Week or 1 Day. In this example I can see 16 Auto saved configurations, 2 Saved by others and 0 Saved by me
- I click on 2 Saved by others to filter the view, then hover over the latest saved configuration to view its name and the date it was saved
- Clicking on the name, RDP Update Change#1138, I’m presented with details about the draft, such as its name and the name of the user who created it. Within the Draft Changes section I can expand the chevron to see details of the rules that will be applied
- If everything looks good, I can click Load. Review the message and click Load again
- Observe the message above the Distributed Firewall policy
- At this stage, if the peer reviewer has noticed any issues, the policy can be updated before publishing. Click Publish, and the changes will be published to the data plane. Change complete!
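The same review-then-publish flow can be driven from the NSX-T Policy API, which is handy if the evening-shift engineer wants to enforce the four-eyes rule rather than rely on remembering it. The script below is an added example and not code from the original post; the drafts endpoint, the `?action=publish` operation and the `_create_user`/`is_auto_draft` fields are from my recollection of the Policy API guide (assumptions, so verify them against the API reference for your NSX-T version), and the transport is injectable so the logic can be exercised offline against a constructed draft list.

```python
"""List NSX-T DFW drafts 'saved by others' and publish one with a four-eyes check."""
import base64
import json
import ssl
import urllib.parse
import urllib.request
from typing import Callable, Optional

# Assumption: drafts endpoint of the NSX-T Policy API (check your version's API guide).
DRAFTS_PATH = "/policy/api/v1/infra/drafts"

# A transport is any callable (method, path, query_params) -> parsed JSON dict.
Transport = Callable[[str, str, Optional[dict]], dict]


def urllib_transport(base_url: str, user: str, password: str, verify_tls: bool = True) -> Transport:
    """Build a transport that talks to a real NSX Manager with HTTP basic auth."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab use only; keep certificate verification on in production
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def call(method: str, path: str, params: Optional[dict] = None) -> dict:
        url = base_url + path + ("?" + urllib.parse.urlencode(params) if params else "")
        req = urllib.request.Request(url, method=method, headers={"Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            body = resp.read()
            return json.loads(body) if body else {}

    return call


def drafts_saved_by_others(transport: Transport, me: str) -> list:
    """Mirror the UI's 'Saved by others' filter: manual drafts whose author is not me."""
    page = transport("GET", DRAFTS_PATH, None)
    return [d for d in page.get("results", [])
            if not d.get("is_auto_draft", False) and d.get("_create_user") != me]


def publish_draft(transport: Transport, draft: dict, reviewer: str) -> dict:
    """Publish a draft only if the publisher is not the person who authored it."""
    if draft.get("_create_user") == reviewer:
        raise PermissionError(f"{reviewer} authored draft {draft['id']}; a second person must publish it")
    # Assumption: publish is exposed as POST /drafts/<id>?action=publish
    return transport("POST", f"{DRAFTS_PATH}/{draft['id']}", {"action": "publish"})
```

Use `urllib_transport("https://<nsx-fqdn>", "gkarga@corp.local", password)` as the transport against a real manager; the RBAC role still decides whether the publish call is permitted at all, the script only adds the separation-of-duties check on top.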