Identity Based Firewalling and perquisites needed for NSX 6.2.3 and prior to NSX 6.2.3

Last week I needed to implement Identity based Firewalling for one of my customers. There are plenty of good blogs on how to do this like here, here, here and I even created a video about it myself here.

For some reason I could not get it to work...

This is the reason why.

Prior to NSX 6.2.3. when you add an Active Directory Domain as an identity source there was a specific option where you needed to specify an account with the proper privileges to read the "Security Event Log". This was a mandatory option, and for some reason VMware changed this in NSX 6.2.3 to optional.

NSX 6.2.0
Security Event Log Access - v6.2.0.png

NSX 6.2.3
Security Event Log Access - v6.2.3v1.png

Prior to 6.2.3 you are usually using the account with domain administrator rights anyway but in a production environment this is usually different because of security reasons.

In my case I chose to turn this option off because it was hard to get an account with these specific rights with access to the Security Event Logs. I was under the impression that this was only needed to get Identity Based Firewalling working on VM's without VM Tools Installed or on Physical Machines. Well this is partly true... After asking around and opening a case at VMware GSS they provided me this link.

I obviously did a lot of searching on Google but somehow I did not found this.

You either need to have: 1) VMTools + Guest Introspection enabled / installed AND / OR 2) Have the "Security Event Log Access" option enabled with a correct account that has the correct rights

Prior to NSX 6.2.3 the "Security Event Log Access" option was enabled by default so option 1 was not needed anyway. And now by making this feature optional this kind of threw me off my game. But the good thing is that I got to learn something new.