How to confirm that Panorama receives notifications from NSX-T manager
Objective
To manage centralized policy in the NSX-T environment, Panorama can attach the dynamic address group (DAG) as a source or destination address in security policy and push it to the firewalls. The firewalls can then dynamically get the virtual machines' IP addresses included in each security group to enforce traffic originating from or destined to the virtual machines in the specified group.
Updates in the NSX-T environment are first shared with Panorama via the plugin and then pushed to the firewalls. The updates are structured as IP-to-tag mappings and can be leveraged using DAGs.
Panorama uses two ways to update DAGs:
- Pulling the information from the NSX-T manager, either:
  - after a manual sync of the dynamic address groups:
> request plugins vmware_nsx nsx_t sync nsxt-mgr <name of the service manager>
  - or after the auto-sync-interval expires. By default, it is disabled and can be set using:
> request plugins vmware_nsx nsx_t auto-sync-interval dag <1-72h 0 disable>
- Via notifications from the NSX-T manager.
Environment
- Panorama with VMware NSX-T
- PAN-OS 9.0 and above.
Procedure
The NSX-T environment is dynamic; objects are continually changing. To ensure that Panorama keeps track of all changes promptly, the NSX-T manager notifies Panorama via API calls each time there is a change in the security groups. By default, Panorama processes those notifications every 30s. You can change this value from the CLI:
> request plugins vmware_nsx nsx_t dau-interval interval <value> <1-65535>
There are three ways to confirm that Panorama receives notifications from the NSX-T manager:
- Via the CLI command:
> show plugins vmware_nsx nsx_t nsxt-notifications all time-window 50

admin@Panorama> show plugins vmware_nsx nsx_t nsxt-notifications all time-window 50
ALL notifications received in the last 50 day(s)
Time Received          Notification Type            Notification
-----------------------------------------------------------------------------------------------------------------
11:03AM Oct 05 2020    group.change_notification    [{'operation': 'UPDATE', 'uri': '/policy/api/v1/infra/domains/default/groups/Tenant-1-App-Group'}]
-----------------------------------------------------------------------------------------------------------------
Total number of notifications: 1
-----------------------------------------------------------------------------------------------------------------
- From the plugin logs:
> less mp-log plugin_vmware_nsx_nsxt-dau.log

2020-10-05 11:03:57.408 +0200 INFO: [DAEMON-NSXT-DAU] Processing NSXT updates. Update type:update.
2020-10-05 11:03:57.437 +0200 DEBUG: [DAEMON-NSXT-DAU] [NSXT-MGR: NSXB-T-NGFW-MGR] No NSX-V service definitions present
2020-10-05 11:03:57.438 +0200 DEBUG: [DAEMON-NSXT-DAU] [NSXT-MGR: NSXB-T-NGFW-MGR] No notify groups present in configuration.
2020-10-05 11:03:57.440 +0200 DEBUG: [DAEMON-NSXT-DAU] Processed updates from request queue.
2020-10-05 11:03:57.469 +0200 DEBUG: [DAEMON-NSXT-DAU] [NSXT-MGR: NSXB-T-NGFW-MGR] No NSX-V service definitions present
2020-10-05 11:03:57.470 +0200 DEBUG: [DAEMON-NSXT-DAU] [NSXT-MGR: NSXB-T-NGFW-MGR] No notify groups present in configuration.
2020-10-05 11:03:57.475 +0200 INFO: [DAEMON-NSXT-DAU] DG info list:[{'sdef-id': u'166', 'nsxt-mgr-id': u'168', 'name': 'NSX-T-Tenant-1-DG-EW', 'id': '67'}]
2020-10-05 11:03:57.476 +0200 DEBUG: [DAEMON-NSXT-DAU] Updating DAU cache with tag info for dg:NSX-T-Tenant-1-DG-EW
2020-10-05 11:03:57.478 +0200 DEBUG: [DAEMON-NSXT-DAU] DAU cache:{'NSX-T-Tenant-1-DG-EW': {u'FW-Zone-1_Tenant-1-App-Group': [u'10.4.3.102', u'10.1.2.11'], u'FW-Zone-1_Tenant-1-Web-Group': [u'10.4.2.102', u'10.1.1.12', u'10.1.1.11'], u'FW-Zone-1_Tenant-1-DB-Group': [u'10.1.3.10', u'10.4.4.102']}}
2020-10-05 11:03:57.478 +0200 DEBUG: [DAEMON-NSXT-DAU] Updated dau cache.
2020-10-05 11:03:57.479 +0200 DEBUG: [DAEMON-NSXT-DAU] DG:NSX-T-Tenant-1-DG-EW Total-tags:3 Tags:[u'FW-Zone-1_Tenant-1-App-Group', u'FW-Zone-1_Tenant-1-Web-Group', u'FW-Zone-1_Tenant-1-DB-Group']
2020-10-05 11:03:57.479 +0200 DEBUG: [DAEMON-NSXT-DAU] DG:NSX-T-Tenant-1-DG-EW Tag:FW-Zone-1_Tenant-1-App-Group No-of-ips:2 IPs:[u'10.4.3.102', u'10.1.2.11']
2020-10-05 11:03:57.479 +0200 DEBUG: [DAEMON-NSXT-DAU] DG:NSX-T-Tenant-1-DG-EW Tag:FW-Zone-1_Tenant-1-Web-Group No-of-ips:3 IPs:[u'10.4.2.102', u'10.1.1.12', u'10.1.1.11']
2020-10-05 11:03:57.479 +0200 DEBUG: [DAEMON-NSXT-DAU] DG:NSX-T-Tenant-1-DG-EW Tag:FW-Zone-1_Tenant-1-DB-Group No-of-ips:2 IPs:[u'10.1.3.10', u'10.4.4.102']
2020-10-05 11:03:57.480 +0200 DEBUG: [DAEMON-NSXT-DAU] Created DAU message list.
2020-10-05 11:03:57.480 +0200 DEBUG: [DAEMON-NSXT-DAU] Sending DAU message to configd.
- From the management-plane pcaps. Confirm that, at the time of the notification, the NSX-T manager opens a TCP connection to Panorama on port 443:
> tcpdump filter "host <IP of the NSXT-manager> and port 443"
> view-pcap no-dns-lookup yes no-port-lookup yes mgmt-pcap mgmt.pcap

11:03:53.677207 IP <IP of the NSX-T manager>.50250 > <IP of the Panorama>.443: Flags [S], seq 4191806842, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
11:03:53.677253 IP <IP of the Panorama>.443 > <IP of the NSX-T manager>.50250: Flags [S.], seq 910360160, ack 4191806843, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
11:03:53.677481 IP <IP of the NSX-T manager>.50250 > <IP of the Panorama>.443: Flags [.], ack 1, win 229, length 0
11:03:53.680734 IP <IP of the NSX-T manager>.50250 > <IP of the Panorama>.443: Flags [P.], seq 1:205, ack 1, win 229, length 204
11:03:53.680761 IP <IP of the Panorama>.443 > <IP of the NSX-T manager>.50250: Flags [.], ack 205, win 123, length 0
11:03:53.684786 IP <IP of the Panorama>.443 > <IP of the NSX-T manager>.50250: Flags [.], seq 1:1461, ack 205, win 123, length 1460
11:03:53.684809 IP <IP of the Panorama>.443 > <IP of the NSX-T manager>.50250: Flags [P.], seq 1461:1598, ack 205, win 123, length 137
11:03:53.685026 IP <IP of the NSX-T manager>.50250 > <IP of the Panorama>.443: Flags [.], ack 1461, win 251, length 0
11:03:53.685039 IP <IP of the NSX-T manager>.50250 > <IP of the Panorama>.443: Flags [.], ack 1598, win 274, length 0
11:03:53.694665 IP <IP of the NSX-T manager>.50250 > <IP of the Panorama>.443: Flags [P.], seq 205:280, ack 1598, win 274, length 75
11:03:53.705269 IP <IP of the NSX-T manager>.50250 > <IP of the Panorama>.443: Flags [P.], seq 280:286, ack 1598, win 274, length 6
11:03:53.705340 IP <IP of the Panorama>.443 > <IP of the NSX-T manager>.50250: Flags [.], ack 286, win 123, length 0
11:03:53.706125 IP <IP of the NSX-T manager>.50250 > <IP of the Panorama>.443: Flags [P.], seq 286:355, ack 1598, win 274, length 69
11:03:53.706302 IP <IP of the Panorama>.443 > <IP of the NSX-T manager>.50250: Flags [P.], seq 1598:1673, ack 355, win 123, length 75
11:03:53.708366 IP <IP of the NSX-T manager>.50250 > <IP of the Panorama>.443: Flags [P.], seq 355:1240, ack 1673, win 274, length 885
11:03:53.749836 IP <IP of the Panorama>.443 > <IP of the NSX-T manager>.50250: Flags [.], ack 1240, win 137, length 0
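The three checks above are usually done by eye; when many notifications arrive it helps to correlate them automatically. The following Python script is an added example, not part of the knowledge base article or of the PAN-OS plugin: it parses the nsxt-notifications table, the per-tag DAU lines from plugin_vmware_nsx_nsxt-dau.log, and the tcpdump text, then reports whether each notification is backed by a TCP SYN from the NSX-T manager to Panorama port 443 within a short window, and whether every No-of-ips count matches the IP list on the same line. The sample text is constructed from the article's own output; the documentation addresses 192.0.2.10 (NSX-T manager) and 192.0.2.20 (Panorama) stand in for the article's placeholders, and all function names are this example's own. It assumes the pcap lines are from the same day as the notification, since tcpdump prints no date.

```python
"""Added example (not from the PAN-OS KB article or the vmware_nsx plugin):
correlate the nsxt-notifications CLI output, the DAU plugin log and a
management-plane capture to confirm an NSX-T notification was delivered."""
import re
from datetime import datetime, timedelta

# Constructed sample: 'show plugins vmware_nsx nsx_t nsxt-notifications all' output
NOTIFICATIONS_OUTPUT = """\
ALL notifications received in the last 50 day(s)
Time Received          Notification Type            Notification
-----------------------------------------------------------------
11:03AM Oct 05 2020    group.change_notification    [{'operation': 'UPDATE', 'uri': '/policy/api/v1/infra/domains/default/groups/Tenant-1-App-Group'}]
-----------------------------------------------------------------
Total number of notifications: 1
"""

# Constructed sample: per-tag DEBUG lines from plugin_vmware_nsx_nsxt-dau.log
DAU_LOG = """\
2020-10-05 11:03:57.479 +0200 DEBUG: [DAEMON-NSXT-DAU] DG:NSX-T-Tenant-1-DG-EW Total-tags:3 Tags:[u'FW-Zone-1_Tenant-1-App-Group', u'FW-Zone-1_Tenant-1-Web-Group', u'FW-Zone-1_Tenant-1-DB-Group']
2020-10-05 11:03:57.479 +0200 DEBUG: [DAEMON-NSXT-DAU] DG:NSX-T-Tenant-1-DG-EW Tag:FW-Zone-1_Tenant-1-App-Group No-of-ips:2 IPs:[u'10.4.3.102', u'10.1.2.11']
2020-10-05 11:03:57.479 +0200 DEBUG: [DAEMON-NSXT-DAU] DG:NSX-T-Tenant-1-DG-EW Tag:FW-Zone-1_Tenant-1-Web-Group No-of-ips:3 IPs:[u'10.4.2.102', u'10.1.1.12', u'10.1.1.11']
2020-10-05 11:03:57.479 +0200 DEBUG: [DAEMON-NSXT-DAU] DG:NSX-T-Tenant-1-DG-EW Tag:FW-Zone-1_Tenant-1-DB-Group No-of-ips:2 IPs:[u'10.1.3.10', u'10.4.4.102']
"""

# Constructed sample capture (documentation IPs): 192.0.2.10 = NSX-T manager,
# 192.0.2.20 = Panorama. Only the SYN from the manager proves it opened the session.
PCAP_TEXT = """\
11:03:53.677207 IP 192.0.2.10.50250 > 192.0.2.20.443: Flags [S], seq 4191806842, win 29200, length 0
11:03:53.677253 IP 192.0.2.20.443 > 192.0.2.10.50250: Flags [S.], seq 910360160, ack 4191806843, win 14600, length 0
11:03:53.680734 IP 192.0.2.10.50250 > 192.0.2.20.443: Flags [P.], seq 1:205, ack 1, win 229, length 204
"""

NOTIF_RE = re.compile(r"^(\d{1,2}:\d{2}[AP]M \w{3} \d{2} \d{4})\s+(\S+)\s+(\[.*\])\s*$")
TAG_RE = re.compile(r"DG:(\S+) Tag:(\S+) No-of-ips:(\d+) IPs:\[(.*)\]")
SYN_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\.\d+ IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[S\],")


def parse_notifications(text):
    """Return (received_at, notification_type, payload) for each table row."""
    rows = []
    for line in text.splitlines():
        m = NOTIF_RE.match(line)
        if m:
            rows.append((datetime.strptime(m.group(1), "%I:%M%p %b %d %Y"), m.group(2), m.group(3)))
    return rows


def parse_dau_cache(log_text):
    """Build {dg: {tag: [ips]}} from the per-tag lines; collect tags whose
    No-of-ips count disagrees with the IP list printed on the same line."""
    cache, mismatches = {}, []
    for line in log_text.splitlines():
        m = TAG_RE.search(line)
        if not m:
            continue
        dg, tag, count, ip_blob = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        ips = re.findall(r"'([\d.]+)'", ip_blob)
        cache.setdefault(dg, {})[tag] = ips
        if len(ips) != count:
            mismatches.append(tag)
    return cache, mismatches


def syn_to_panorama(pcap_text, manager_ip, panorama_ip, port=443):
    """Times (HH:MM:SS) of TCP SYNs sent by the manager to Panorama on `port`."""
    return [m.group(1) for m in map(SYN_RE.match, pcap_text.splitlines())
            if m and m.group(2) == manager_ip and m.group(4) == panorama_ip and m.group(5) == str(port)]


def corroborate(notifications, syn_times, window=timedelta(seconds=60)):
    """Mark a notification corroborated when a manager SYN falls within `window`
    of the minute-resolution time the CLI reports (assumes same day as pcap)."""
    results = []
    for when, ntype, payload in notifications:
        hits = [t for t in syn_times
                if abs(datetime.combine(when.date(), datetime.strptime(t, "%H:%M:%S").time()) - when) <= window]
        results.append({"time": when, "type": ntype, "payload": payload,
                        "syn_times": hits, "corroborated": bool(hits)})
    return results


def check_all(notif_text=NOTIFICATIONS_OUTPUT, log_text=DAU_LOG, pcap_text=PCAP_TEXT,
              manager_ip="192.0.2.10", panorama_ip="192.0.2.20"):
    cache, mismatches = parse_dau_cache(log_text)
    syns = syn_to_panorama(pcap_text, manager_ip, panorama_ip)
    return {"notifications": corroborate(parse_notifications(notif_text), syns),
            "dau_cache": cache, "count_mismatches": mismatches}


if __name__ == "__main__":
    report = check_all()
    for n in report["notifications"]:
        print(f"{n['time']:%Y-%m-%d %H:%M} {n['type']} corroborated by SYN: {n['corroborated']}")
    for dg, tags in report["dau_cache"].items():
        for tag, ips in tags.items():
            print(f"{dg} {tag}: {len(ips)} IP(s)")
    print("count mismatches:", report["count_mismatches"])
```

On a real Panorama, paste the output of the three commands into the three strings (or read them from files) and set the two addresses; a notification with no matching SYN points at a network or certificate problem between the manager and Panorama, while a count mismatch points at a truncated or garbled log line rather than at the DAG content.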