Note: Security group membership changes constantly. For example, a virtual machine tagged with the AntiVirus.virusFound tag is moved into the Quarantine security group. When the virus is cleaned and this tag is removed from the virtual machine, it again moves out of the Quarantine security group.
For more information, see the VMware NSX Data Center for vSphere Administration Guide.
FirewallConfigurationSyncService in stack traces with entries similar to:
INFO | jvm 2 | 2015/05/27 07:43:41 | "http-nio-127.0.0.1-7441-exec-1" daemon prio=10 tid=0x000000000190a800 nid=0x17a4 runnable [0x00007f7e11ec8000]
INFO | jvm 2 | 2015/05/27 07:43:41 | at org.hibernate.event.def.DefaultAutoFlushEventListener.onAutoFlush(DefaultAutoFlushEventListener.java:58)
INFO | jvm 2 | 2015/05/27 07:43:41 | at org.hibernate.impl.SessionImpl.autoFlushIfRequired(SessionImpl.java:1175)
INFO | jvm 2 | 2015/05/27 07:43:41 | at com.vmware.vshield.vsm.policy.service.impl.PolicyQueryServiceImpl$AjcClosure33.run(PolicyQueryServiceImpl.java:1)
INFO | jvm 2 | 2015/05/27 07:43:41 | at com.vmware.vshield.blueprint.firewall.provider.FirewallActionTranslationService.getLayer3FirewallRuleDtos(FirewallActionTranslationService.java:94)
com.vmware.vshield.blueprint.firewall.provider.FirewallConfigurationSyncService.forceSync(FirewallConfigurationSyncService.java:787)
INFO | jvm 2 | 2015/05/27 07:43:41 | - locked <0x00000006938fcab8> (a com.vmware.vshield.blueprint.firewall.provider.FirewallConfigurationSyncService)
FirewallConfigurationSyncService.forceSync() indicates that the Service Composer's force sync operation is in progress.
FirewallActionTranslationService.getLayer3FirewallRuleDtos() indicates that the translation of Policy to Firewall rules is in progress.
DefaultAutoFlushEventListener.onAutoFlush() indicates that a Hibernate auto flush is currently in progress. This is known to take a long time on setups with large numbers of Policies.
FirewallConfigurationSyncService in stack traces similar to:
INFO | jvm 1 | 2015/05/25 17:39:18 | java.lang.Thread.State: BLOCKED (on object monitor)
INFO | jvm 1 | 2015/05/25 17:39:18 | at com.vmware.vshield.blueprint.firewall.provider.FirewallConfigurationSyncService.forceSync(FirewallConfigurationSyncService.java:787)
INFO | jvm 1 | 2015/05/25 17:39:18 | - waiting to lock <0x0000000693877b68> (a com.vmware.vshield.blueprint.firewall.provider.FirewallConfigurationSyncService)
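A triage sketch for the two trace patterns above, added here as an example (not VMware code): it scans a thread dump in this log format for the thread that holds the FirewallConfigurationSyncService monitor, names the innermost stage that thread is in, and lists threads waiting on the same monitor. The sample dump is constructed, and the function name and stage labels are assumptions.

```python
import re

# Constructed sample in the log format shown above (not real NSX Manager output).
SAMPLE = """\
INFO | jvm 2 | 2015/05/27 07:43:41 | "http-nio-127.0.0.1-7441-exec-1" daemon prio=10 tid=0x01 nid=0x17a4 runnable [0x01]
INFO | jvm 2 | 2015/05/27 07:43:41 | at org.hibernate.event.def.DefaultAutoFlushEventListener.onAutoFlush(DefaultAutoFlushEventListener.java:58)
INFO | jvm 2 | 2015/05/27 07:43:41 | at com.vmware.vshield.blueprint.firewall.provider.FirewallActionTranslationService.getLayer3FirewallRuleDtos(FirewallActionTranslationService.java:94)
INFO | jvm 2 | 2015/05/27 07:43:41 | at com.vmware.vshield.blueprint.firewall.provider.FirewallConfigurationSyncService.forceSync(FirewallConfigurationSyncService.java:787)
INFO | jvm 2 | 2015/05/27 07:43:41 | - locked <0x00000006938fcab8> (a com.vmware.vshield.blueprint.firewall.provider.FirewallConfigurationSyncService)
INFO | jvm 2 | 2015/05/27 07:43:41 | "http-nio-127.0.0.1-7441-exec-2" daemon prio=10 tid=0x02 nid=0x17a5 waiting for monitor entry [0x02]
INFO | jvm 2 | 2015/05/27 07:43:41 | java.lang.Thread.State: BLOCKED (on object monitor)
INFO | jvm 2 | 2015/05/27 07:43:41 | at com.vmware.vshield.blueprint.firewall.provider.FirewallConfigurationSyncService.forceSync(FirewallConfigurationSyncService.java:787)
INFO | jvm 2 | 2015/05/27 07:43:41 | - waiting to lock <0x00000006938fcab8> (a com.vmware.vshield.blueprint.firewall.provider.FirewallConfigurationSyncService)
"""

# Frames named in the article; a Java trace lists the innermost frame first.
STAGES = [
    ("DefaultAutoFlushEventListener.onAutoFlush", "hibernate auto flush"),
    ("FirewallActionTranslationService.getLayer3FirewallRuleDtos", "policy-to-firewall rule translation"),
    ("FirewallConfigurationSyncService.forceSync", "force sync"),
]
THREAD = re.compile(r'\|\s*"([^"]+)"')  # thread header line: | "name" ...
LOCK = re.compile(r'-\s+(locked|waiting to lock)\s+<(0x[0-9a-f]+)>'
                  r'\s+\(a\s+[\w.]*FirewallConfigurationSyncService\)')

def triage(text):
    """Return (holders, waiters): {monitor: (thread, stage)} and [(thread, monitor)]."""
    holders, waiters = {}, []
    thread, stage = "?", None  # "?" covers excerpts that lack a thread header
    for line in text.splitlines():
        m = THREAD.search(line)
        if m:  # a new thread starts: reset the per-thread state
            thread, stage = m.group(1), None
            continue
        if stage is None:  # keep only the first (innermost) known frame
            stage = next((label for frame, label in STAGES if frame + "(" in line), None)
        m = LOCK.search(line)
        if m and m.group(1) == "locked":
            holders[m.group(2)] = (thread, stage)
        elif m:
            waiters.append((thread, m.group(2)))
    return holders, waiters

if __name__ == "__main__":
    holders, waiters = triage(SAMPLE)
    for mon, (name, stage) in holders.items():
        print(name, "holds", mon, "during", stage, "| blocked:", [w for w, m in waiters if m == mon])
```

A waiter whose monitor address has no holder in the same dump means the holding thread was not captured in that excerpt.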
FirewallConfigurationSyncService
.FirewallConfigurationSyncService
and this operation will have to wait until the previous operation finishes.
GET https://NSX_Manager_IP/api/4.0/firewall/globalroot-0/config
GET https://NSX_Manager_IP/api/4.0/firewall/globalroot-0/config/layer3sections/1003
PUT https://NSX_Manager_IP/api/4.0/firewall/config/layer3sections/1003
<sources> tag during re-posting of the configuration.
<source>
<name>gavjdw00286</name>
<value>vm-##</value>
<type>VirtualMachine</type>
<isValid>true</isValid>
If a vNic is invalid in the AppliedTo column, remove <appliedTo> for the invalid vNic during re-posting of the configuration:
<appliedTo>
<name>gavypa002891 - Network adapter 1</name>
<value>5039218c-####-####-####7b52173c3f3e.000</value>
<type>Vnic</type>
<isValid>true</isValid>
</appliedTo>