After attending VMware EMPOWER earlier this year, I won a voucher for a free exam (thanks EMPOWER team!). I chose the NSX-T 3.1 Data Center Security exam because of personal interest and exciting security features NSX offers. While preparing for the exam I gathered a list of study materials I wanted to share with you all.

The voucher expired on the 31st of August, but got it in mid-July during my PTO. So, work to do πŸ˜„. With the voucher at hand, I booked the NSX-T 3.1 Data Center Security exam (5V0-41.21) and passed it! Passing the exam unlocks its skill badge.

Looking at the image below, it sums up the wide range of security features quite well and gives a good overview what the exam covers. Let’s check out the details.

Timeline</p>
<p>Description automatically generated with medium confidence

Exam details

As far as I know, this is the first release of a NSX exam dedicated to security. Passing the exam, unfortunately does not count towards the VCP-SEC professional level certification, although both the VCP-SEC and NSX Security exams share similarities.

The actual exam consists of 70 questions which need to be answered in 130 min. and has a passing score of 300 out of 500 points. Non-native English speakers are not given extra time. From my experience the given time was adequate to answer the questions and thoroughly review the marked ones.

Exam preparations

Before taking the exam, VMware recommends to attend the NSX-T 3.0 ICM or NSX-T 3.1 Intrinsic Security course. I did not attend one of the and cannot comment on that. About the experience part, I think you can go for this exam if you have a good (vSphere and NSX-T) networking knowledge and functional knowledge of security related products. When being new to NSX-T, I would recommend to take the 5-day NSX 3.0 ICM training.

The exam guide itself states that the minimally qualified candidate (MQC) should have 1 years experience working in IT and should have hands-on experience with NSX-T and basic knowledge of KVM and vSphere.

Exam sections

A VMware exam guide is standardized to seven sections nowadays. According to the guide, this exam test on 4 of them. The MQC should have sufficient knowledge contained in the exam sections below. The exam guide does a good job providing a list of objectives to be tested against.

  • Section 1 – Architecture and Technologies
  • Section 2 – Products and Solutions
  • Section 3 – Planning and Designing
    • Not tested on this objective
  • Section 4 – Installing, Configuring, and Setup 
  • Section 5 – Performance-tuning, Optimization, and Upgrades
    • Not tested on this objective
  • Section 6 – Troubleshooting and Repairing 
  • Section 7 – Administrative and Operational Tasks
    • Not tested on this objective

In the upcoming sections you can expect an overview of the materials I used for every on of the objectives in the exam guide. During my study I took notes in OneNote for every of the objectives. The info below is based on that.

Generic readings

NSX-T Security Reference Guide

This one helped me the most. It’s a very well written guide, that covers a lot of objectives in the exam guide.

VMware Glossary

I found this useful and detailed list of terms just recently and is a good source of information for objectives in this exam.

Section 1 – Architecture and Technologies

Objective 1.1: Describe information management security

What Is Information Security Management and Operations?

Objective 1.2: Describe firewalls and their function

Firewall (Wikipedia)

What is a Perimeter Firewall?

Objective 1.3: Describe IDS/IPS

VMware NSX Distributed IDS/IPS

Objective 1.4 – Describe Zero-Trust Security

What is Zero Trust Security?

Objective 1.5 – Describe AAA and CIA

AAA explained

Confidentiality, Integrity, and Availability (CIA) triad

What is CIA Triad of information Security?

Section 2 – VMware Products and Solutions

Objective 2.1 – Describe VMware Security portfolio

VMware Security portfolio overview

Carbon Black

NSX Service-defined Firewall (overview)

NSX Service-defined Firewall (Datasheet PDF)

Objective 2.3 – Describe NSX Distributed Firewall

NSX Data Center (overview)

NSX Data Center (Datasheet PDF)

NSX Security Reference Guide – 4.3 Distributed Firewall

Objective 2.3 – Describe NSX Distributed IDS/IPS

NSX Distributed IDS/IPS (overview)

NSX Distributed IDS/IPS (Solution Overview PDF)

NSX Security Reference Guide – 8 Intrusion Detection and Prevention

Objective 2.4 – Describe NSX Intelligence

NSX Intelligence (overview)

NSX Intelligence (Solution Brief PDF)

NSX Data Center (Datasheet PDF)

Easily Operationalize Micro-segmentation with NSX Intelligence (White Paper PDF)

NSX Security Reference Guide – 10.2 NSX Intelligence

NSX Intelligence versus vRealize Network Insight (vRNI)

Objective 2.5 – Describe NSX Edge Security (Gateway Firewall and URL Analysis)

NSX Security Reference Guide – 4.2 Gateway Firewall

NSX Data Center Documentation – URL Analysis Workflow

NSX Ninja – Configure NSX-T URL Analysis

Objective 2.6 – Describe NSX Segmentation

What is network segmentation?

Objective 2.7 – Describe North-South insertion

North-South Service Insertion

Objective 2.8 – Describe East-West insertion

East West Service Insertion and Service Chaining

Section 4 – Installing, Configuring, and Setup

Objective 4.1 – Manage users and roles (LDAP, RBAC, Active Directory, etc.)

Access NSX Manager through an Active Directory can be via LDAP and / or vIDM

NSX Data Center Documentation – Integration with LDAP

NSX Data Center Documentation – Role-Based Access Control (RBAC)

NSX Data Center Documentation – Integration with VMware Identity Manager/Workspace ONE Access

NSX Data Center Documentation – Configuring Both vIDM and LDAP or Transitioning from vIDM to LDAP

Objective 4.2 – Configure and manage distributed firewall policies and rules

HOL-2126-01-NET: NSX-T Getting Started

Module 5: DFW and Tools (15 min)

HOL-2126-02-NET -NSX-T – Advanced Security

Module 3: DFW and Tools (15 min)

Objective 4.3 – Configure manage time based firewalls rules

NSX Data Center Documentation – Time-Based Firewall Policy

HOL-2126-02-NET -NSX-T – Advanced Security

Module 3: DFW and Tools (15 min)

Objective 4.4 – Configure identity firewalls rules

NSX Data Center Documentation – Identity Firewall

HOL-2126-02-NET -NSX-T – Advanced Security

Module 6: Identity Based firewall (30 min)

Objective 4.5 – Configure gateway firewalls rules

NSX Data Center Documentation – Gateway Firewall

Objective 4.6 – Configure and manage distributed IDS/IPS (signatures, profiles, rules)

NSX Data Center Documentation – Distributed IDS/IPS Rules

HOL-2126-02-NET -NSX-T – Advanced Security

Module 5: Distributed IDS (45 min)

Objective 4.7 – Configure and manage URL analysis

NSX Data Center Documentation – Context Profiles

HOL-2126-02-NET -NSX-T – Advanced Security

Module 4: NSX-T Context Aware firewall and URL Analysis (30 min)

Objective 4.8 – Install and configure Guest Introspection agent components in VMTools

NSX Security Reference Guide – 7.3 NSX Endpoint Protection – Guest Introspection

Objective 4.9 – Deploy NSX Intelligence appliance

NSX Intelligence Documentation – NSX Intelligence System Requirements

How to deploy NSX Intelligence appliances

NSX Manager System > Configuration > Appliances

  • Deploy appliance
  • Appliance size
    • NSX Intelligence Small VM appliance size is suitable for lab and proof-of-concept deployments, or small-scale production environments
    • NSX Intelligence Large VM appliance size is suitable for a production environment

Objective 4.10 – Visualize traffic flows and create security recommendations using NSX Intelligence

VMware YouTube Demo: Distributed Analytics with VMware NSX Intelligence

Tech Field Day YouTube Demo: VMware NSX Intelligence: Policy Creation & Microsegmentation Made Easy

Objective 4.11 – Create and manage security groups

HOL-2126-02-NET -NSX-T – Advanced Security

Module 2: Security Grouping and Policy Concepts (45 min)

Objective 4.12 – Enable logging on hosts and Edge transport nodes

NSX Data Center Documentation – Configure Remote Logging

Section 6 – Troubleshooting and Repairing

Objective 6.1 – Validate guest introspection is operational

NSX Data Center Documentation – Verify Health Status of Service Instance

  • The following parameters must be realized in NSX-T Data Center for the health status to change to Up
    • Guest virtual machines must be available on the host
    • Guest virtual machines must be powered on
    • Endpoint protection rules must be applied to the guest virtual machines
    • Guest virtual machines must be configured with the supported version of VMtools and file introspection drivers

NSX Data Center Documentation – View Service Deployment Status

View service deployment details on the Monitoring Dashboard.

View the system-wide status of EPP policy.

  • Home > Monitoring – Dashboards
    • Monitoring – System
    • To view the deployment status across clusters in the system, navigate to the Endpoint Protection widget

Objective 6.2 – Validate North-South and East-West network introspection is operational

Check the status of the Partner Service in the Service Deployment section

  • System > Configuration > Service Deployments

Objective 6.3 – Verify the operation of Distributed Firewall

NSX Data Center Documentation – Check Rule Realization Status

NSX Data Center Documentation – Monitor and Troubleshoot Firewall on NSX Manager

NSX Data Center Documentation – Troubleshooting Distributed Firewall on ESX Hosts

NSX Data Center Documentation – Troubleshooting Distributed Firewall on KVM Hosts

NSX Data Center Documentation – Distributed Firewall Packet Logs

Objective 6.4 – Verify the operation of Gateway Firewall rules

NSX Data Center Documentation – Troubleshooting Gateway Firewall

  • Gateway Firewall is enabled for the given Gateway.
  • Check the realization state for a given gateway firewall policy. The UI shows the realization status next to the top right side of the FW Policy header.
    • Success
    • Error
    • In Progress
    • Unknown
  • Check rule stats to see any traffic is hitting the FW policy.
  • Enable logging for the rule for troubleshooting the policy.
  • On the edge nodes
    1. Get logical router …
    2. Get firewall <logical router id> ruleset rules
    3. Get firewall <logical router id> sync config
    4. get log-file syslog | find datapathd.firewallpkt

Objective 6.5 – Verify the operation of IDS/IPS

NSX Data Center Documentation – Verify Distributed IDS Status on Host

Objective 6.6 – Verify the operation of URL analysis

NSX Data Center Documentation – URL Analysis Workflow

Objective 6.7 – Identify and review log files and events related to firewalls, IDS/IPS, URL Analysi

NSX Data Center Documentation – Log Messages and Error Codes

NSX Data Center Documentation – Firewall Audit Log Messages

  • On NSX-T appliances syslog messages are in /var/log/syslog
  • On KVM hosts, syslog messages are in /var/log/vmware/nsx-syslog
  • Esx-cli
    • get log-file <auth.log | controller | controller-error | http.log | kern.log | manager.log | node-mgmt.log | policy.log | syslog> [follow]

Objective 6.8 – Verify logging is enabled on hosts and Edge transport nodes

NSX Data Center Documentation – Configure Remote Logging

Examples of successful logging in /var/log/syslog

  • get logging-servers
  • clear logging-servers
  • esxcli system syslog config get
  • KVM
    • /etc/rsyslog.d/00-vmware-remote-logging.conf

Troubleshooting syslog

  • Verify the remote log server’s IP address.
  • Verify that the levelparameter is configured correctly.
  • Verify that the facilityparameter is configured correctly.
  • If the protocol is TLS, set the protocol to UDP to see if there is a certificate mismatch.
  • If the protocol is TLS, verify that port 6514 is open on both ends.
  • Remove the message ID filter and see if logs are received by the server.
  • Restart the rsyslogservice with the command
    • restart service rsyslogd

To conclude

Hopefully my extensive list of study links and notes in this exam guide helps you preparing for the exam. All the best with your exam.

Cheers, DaniΓ«l


0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *