DFW rules with "Applied To" set to a "Security Group" are not published to hosts

Article ID: 301220

Products

VMware vDefend Firewall

Issue/Introduction

Symptoms:
DFW rules with the "Applied To" field set to Security Group are not pushed to ESXi hosts in some vSphere clusters.

Environment

VMware NSX for vSphere 6.2.x

Cause

The NSX Manager must determine which vSphere clusters the DFW rules are applied to. It performs this calculation based on the inventory updates from vCenter and the entity specified in the "Applied To" field.
When the "Applied To" field is a Security Group, the span is globalroot-0 which includes all the clusters. For performance optimization, the NSX Manager caches this information.
 
Due to a change introduced in NSX for vSphere 6.2.3, if a new cluster is added to the environment, the NSX Manager's cache is not updated to include the new cluster.
 
Because of this, rules that have an "Applied To" field of Security Group are not pushed to all vSphere clusters in the following scenarios:
  • DFW rule modification
  • New DFW rule creation
  • DFW section modification

Resolution

The cache issue is resolved in VMware NSX for vSphere 6.2.5 and later releases.

Upgrading to NSX 6.2.5 or a later release only fixes the cache issue for DFW sections/rules that are created or modified after the upgrade. The workaround below must still be applied to fix DFW sections/rules that were impacted under the previous release. To identify the impacted DFW sections/rules, contact VMware support.

To fix the rules / sections affected by this issue, the following steps are required:
  • Clear the cluster cache by restarting the NSX Manager service.
  • Update every DFW section (click Edit, make no change, click Save, then Publish). This forces the cluster list to be recalculated for all rules in that section that have an "Applied To" field of Security Group, using the refreshed cache, which now includes all vSphere clusters in the environment.
Note: vSphere clusters added after this workaround will hit the same issue until the workaround is applied again or the environment is upgraded to VMware NSX for vSphere 6.2.5 or a later release.
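The second step above (re-save every DFW section unchanged) is tedious to do by hand in a large environment. The script below is an added example, not VMware's code or part of this article: it scopes the work by listing the sections that contain rules whose "Applied To" names a Security Group, then re-publishes those sections unchanged over the NSX for vSphere REST API. It assumes the NSX-v 6.2 API shape (GET /api/4.0/firewall/globalroot-0/config for the full DFW configuration; a section is re-saved with a PUT to .../config/layer3sections/<id> or .../config/layer2sections/<id> carrying the section's ETag in an If-Match header). The sample configuration document is constructed, and the base URL nsxmgr.example is a placeholder. Note that a section containing Security Group rules is a candidate for the re-save; the article refers confirmation of which sections are actually missing on hosts to VMware support.

```python
"""Scope and re-publish DFW sections whose rules use "Applied To" = Security Group.

Added example for this KB, not VMware's code. Assumes the NSX for vSphere 6.2
REST API: GET /api/4.0/firewall/globalroot-0/config returns the whole DFW
configuration, and a section is re-saved unchanged with
PUT /api/4.0/firewall/globalroot-0/config/<layer3sections|layer2sections>/<id>
carrying the ETag from the preceding GET in an If-Match header.
"""
import xml.etree.ElementTree as ET

# Constructed sample shaped like the NSX-v API output (not captured from a
# real NSX Manager). Section 1010 holds a Security Group rule; the two default
# sections apply to DISTRIBUTED_FIREWALL and are not affected.
SAMPLE_CONFIG = """<firewallConfiguration timestamp="1470000000000">
  <contextId>globalroot-0</contextId>
  <layer3Sections>
    <section id="1010" name="App Tier" type="LAYER3" generationNumber="1470000000001">
      <rule id="1020" disabled="false" logged="true">
        <name>web-to-app</name>
        <action>allow</action>
        <appliedToList>
          <appliedTo>
            <name>sg-app</name>
            <value>securitygroup-12</value>
            <type>SecurityGroup</type>
          </appliedTo>
        </appliedToList>
      </rule>
    </section>
    <section id="1001" name="Default Section Layer3" type="LAYER3" generationNumber="1470000000002">
      <rule id="1001" disabled="false" logged="false">
        <name>Default Rule</name>
        <action>allow</action>
        <appliedToList>
          <appliedTo>
            <name>DISTRIBUTED_FIREWALL</name>
            <value>DISTRIBUTED_FIREWALL</value>
            <type>DISTRIBUTED_FIREWALL</type>
          </appliedTo>
        </appliedToList>
      </rule>
    </section>
  </layer3Sections>
  <layer2Sections>
    <section id="1002" name="Default Section Layer2" type="LAYER2" generationNumber="1470000000003">
      <rule id="1002" disabled="false" logged="false">
        <name>Default Rule</name>
        <action>allow</action>
        <appliedToList>
          <appliedTo>
            <name>DISTRIBUTED_FIREWALL</name>
            <value>DISTRIBUTED_FIREWALL</value>
            <type>DISTRIBUTED_FIREWALL</type>
          </appliedTo>
        </appliedToList>
      </rule>
    </section>
  </layer2Sections>
</firewallConfiguration>
"""

SECTION_PATHS = {"LAYER3": "layer3sections", "LAYER2": "layer2sections"}


def find_affected_sections(config_xml):
    """Return [(section_id, section_type, [rule_ids])] for every section holding
    at least one rule whose Applied To list names a Security Group. These are
    the sections the KB's edit/save/publish step must touch."""
    root = ET.fromstring(config_xml)
    affected = []
    for section in root.iter("section"):
        rule_ids = [
            rule.get("id")
            for rule in section.findall("rule")
            if any(a.findtext("type") == "SecurityGroup"
                   for a in rule.findall("appliedToList/appliedTo"))
        ]
        if rule_ids:
            affected.append((section.get("id"), section.get("type"), rule_ids))
    return affected


def republish_sections(session, base_url, sections):
    """Re-save each section unchanged so NSX Manager recalculates its cluster
    span. `session` is any object with requests.Session-style get()/put()
    whose responses expose .status_code, .headers and .text. Returns the ids
    that were re-published, in order."""
    done = []
    for section_id, section_type, _ in sections:
        url = "%s/api/4.0/firewall/globalroot-0/config/%s/%s" % (
            base_url, SECTION_PATHS[section_type], section_id)
        current = session.get(url)
        if current.status_code != 200:
            raise RuntimeError("GET %s returned %s" % (url, current.status_code))
        # The PUT must carry the ETag from the GET; NSX rejects a stale write.
        headers = {"If-Match": current.headers["ETag"],
                   "Content-Type": "application/xml"}
        resp = session.put(url, data=current.text, headers=headers)
        if resp.status_code != 200:
            raise RuntimeError("PUT %s returned %s" % (url, resp.status_code))
        done.append(section_id)
    return done


if __name__ == "__main__":
    # Offline scoping run over the constructed sample. Against a real NSX
    # Manager, fetch the config with an authenticated requests.Session and pass
    # that same session plus the placeholder base URL to republish_sections().
    for sid, stype, rules in find_affected_sections(SAMPLE_CONFIG):
        print("section %s (%s): rules %s" % (sid, stype, ", ".join(rules)))
```

Run the scoping part first and review the list before re-publishing; the re-save is the same no-op edit the article describes, but it still bumps each section's generation number, so it is worth doing only after the NSX Manager service has been restarted so the refreshed cache is what the recalculation uses.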