Behavior of Layer7 Reject and Drop rules in DFW
Article ID: 306203

Products

VMware NSX VMware vDefend Firewall

Issue/Introduction

This article provides information on the behavior of Layer7 Reject and Drop rules in Distributed Firewall in NSX-T.

Environment

VMware NSX-T Data Center
VMware NSX-T Data Center 2.x

Resolution

For a Layer7 rule, both the DROP and REJECT actions generate response packets (an RST for TCP).
This differs from Layer4 DROP rules, which generate no response packets.

For Layer7 inspection, the DFW leaks a few initial packets of a connection until protocol detection completes. Therefore, response packets are generated in both the DROP and REJECT cases to clean up the connection state already created on the client and the server.
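The packet-level difference described above, as an added example that is not VMware's code: a small classifier over a per-flow packet trace (the `Pkt` records and the sample traces are constructed for illustration) that tells a silent Layer4 DROP from a Layer7 DROP/REJECT, where the handshake and a few packets get through before the RST arrives.

```python
from dataclasses import dataclass


@dataclass
class Pkt:
    direction: str    # "c2s" (client to server) or "s2c" (server to client)
    flags: str        # TCP flags as letters, e.g. "S", "SA", "A", "PA", "R"
    payload: int = 0  # bytes of TCP payload


def classify_flow(pkts):
    """Return (verdict, leaked_packets) for one flow, seen from the client vNIC."""
    syn_ack_seen = False
    handshake_done = False
    leaked = 0  # packets exchanged after the handshake and before any RST
    for p in pkts:
        if "R" in p.flags:
            # A Layer7 rule lets the handshake and a few packets through until
            # protocol detection, then resets both ends to clean up state.
            if handshake_done:
                return "layer7_drop_or_reject", leaked
            # An RST before the handshake completes cannot be a Layer7 rule.
            return "rst_before_handshake", 0
        if p.direction == "s2c" and "S" in p.flags and "A" in p.flags:
            syn_ack_seen = True
        elif syn_ack_seen and not handshake_done and p.direction == "c2s" and "A" in p.flags:
            handshake_done = True
        elif handshake_done:
            leaked += 1
    if not syn_ack_seen:
        # Nothing ever came back: consistent with a Layer4 DROP, which sends
        # no response packets, so the client just retransmits its SYN.
        return "layer4_drop", 0
    if handshake_done:
        return "allowed", leaked
    return "incomplete", 0


# Constructed sample traces (hypothetical, for illustration only).
L4_DROP_TRACE = [Pkt("c2s", "S"), Pkt("c2s", "S"), Pkt("c2s", "S")]
L7_RULE_TRACE = [Pkt("c2s", "S"), Pkt("s2c", "SA"), Pkt("c2s", "A"),
                 Pkt("c2s", "PA", payload=120), Pkt("s2c", "A"), Pkt("s2c", "R")]
ALLOWED_TRACE = [Pkt("c2s", "S"), Pkt("s2c", "SA"), Pkt("c2s", "A"),
                 Pkt("c2s", "PA", payload=120), Pkt("s2c", "PA", payload=300),
                 Pkt("c2s", "FA"), Pkt("s2c", "FA")]

if __name__ == "__main__":
    for name, trace in [("L4 drop", L4_DROP_TRACE), ("L7 rule", L7_RULE_TRACE),
                        ("allowed", ALLOWED_TRACE)]:
        print(name, classify_flow(trace))
```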