DFW populates the custom Protocol Number in the Destination Port field.
Article ID: 307727

Products

VMware vDefend Firewall

Issue/Introduction

Symptoms:

After configuring a firewall rule on an NSX Edge or a DFW rule that uses a custom Layer 3 protocol number, the protocol number is shown as the Destination Port number of the rule.

Example:

[SIP: X, DIP: Y, SPort: Any, DPort: Any, Protocol: L3_Other(89)]

Output of the "show ipset" command:

  • AutoGeneratedRule : [SIP: X, DIP: Y, SPort: Any, DPort: Any, Protocol: L3_Other(89)]
  • ManuallyConfigured: [SIP: X, DIP: Y, SPort: Any, DPort: 89, Protocol: L3_Other(89)]. Here DPort carries the same value as the protocol number.


Environment

VMware NSX for vSphere 6.4.x
VMware NSX for vSphere 6.3.x

Resolution

To work around this issue:

  1. Create a new DFW rule.
    For example:
    a. Source: Any
    b. Destination: Any
    c. Service: Any
    d. Action: Accept
    e. Applied to: Edge-X/All-Edges
     
  2. Use a GET REST API call to retrieve the rule definition:

    Method: GET
    URL: https://NSX-IP/api/4.0/firewall/globalroot-0/config/layer3sections/1004/rules/1130 (assuming the rule ID is 1130)
    Output:

    <rule id="1130" disabled="false" logged="true">
    <name>Allow OSPF on transit</name>
    <action>allow</action>
    <sources excluded="false">
    <source>
    <name>Edge Transit Net Global</name>
    <value>ipset-20</value>
    <type>IPSet</type>
    <isValid>true</isValid>
    </source>
    </sources>
    <destinations excluded="false">
    <destination>
    <name>Edge Transit Net Global</name>
    <value>ipset-20</value>
    <type>IPSet</type>
    <isValid>true</isValid>
    </destination>
    </destinations>
    <services>
    <service>
    <protocol>89</protocol>
    <isValid>true</isValid>
    </service>
    </services>
    <direction>inout</direction>
    <packetType>any</packetType>
    </rule>
  3. To force rule 1130 back to DPort Any, change the method from GET to PUT.
  4. Copy the value of the ETag header from the GET response headers.
  5. Add a new header named "If-Match" to the PUT API call and paste the copied ETag value as its value.
  6. Run the PUT call with the rule body but without any <destinationPort> element; this resets the destination port to the default "any".

    For example:

    Method: PUT
    URL: https://nsx-ip/api/4.0/firewall/globalroot-0/config/layer3sections/1004/rules/1130
    Body:
    <rule id="1130" disabled="false" logged="true">
    <name>Allow OSPF on transit</name>
    <action>allow</action>
    <appliedToList>
    <appliedTo>
    <name>leo-mt-infra-stage-lb-01</name>
    <value>edge-9</value>
    <type>Edge</type>
    <isValid>true</isValid>
    </appliedTo>
    <appliedTo>
    <name>leo-mt-infra-prod-lb-01</name>
    <value>edge-5</value>
    <type>Edge</type>
    <isValid>true</isValid>
    </appliedTo>
    </appliedToList>
    <sources excluded="false">
    <source>
    <name>Edge Transit Net Global</name>
    <value>ipset-20</value>
    <type>IPSet</type>
    <isValid>true</isValid>
    </source>
    </sources>
    <destinations excluded="false">
    <destination>
    <name>Edge Transit Net Global</name>
    <value>ipset-20</value>
    <type>IPSet</type>
    <isValid>true</isValid>
    </destination>
    </destinations>
    <services>
    <service>
    <!-- No destinationPort element: this forces DPort to Any even if the protocol is changed -->
    <protocol>89</protocol>
    <isValid>true</isValid>
    </service>
    </services>
    <direction>inout</direction>
    <packetType>any</packetType>
    </rule>
     
  7. Ensure that rule xxxx appears as a "Pre-Rule" above the "internal" rules.
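As an added example that is not part of this article, the following Python script performs steps 2 through 6 programmatically: it fetches the rule, removes any <destinationPort> element under <service>, and PUTs the result back with the If-Match header set to the ETag from the GET. The NSX base URL, the Authorization header value and the section/rule IDs are placeholders, and the sample rule XML is constructed so the stripping logic can be checked offline.

```python
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample GET body for the affected rule: the custom L3 protocol
# (89 = OSPF) has been copied into a destinationPort element.
SAMPLE_RULE_XML = b"""<rule id="1130" disabled="false" logged="true">
  <name>Allow OSPF on transit</name>
  <action>allow</action>
  <services>
    <service>
      <protocol>89</protocol>
      <destinationPort>89</destinationPort>
      <isValid>true</isValid>
    </service>
  </services>
  <direction>inout</direction>
  <packetType>any</packetType>
</rule>"""


def strip_destination_port(rule_xml):
    """Drop every <destinationPort> under <service>, keep <protocol>; returns (xml, count)."""
    root = ET.fromstring(rule_xml)
    removed = 0
    for service in root.iter("service"):
        for dport in service.findall("destinationPort"):  # findall returns a list, safe to remove
            service.remove(dport)
            removed += 1
    return ET.tostring(root), removed


def put_headers(etag):
    """Headers for the PUT; If-Match must carry the ETag returned by the GET."""
    if not etag:
        raise ValueError("GET response carried no ETag; not sending PUT")
    return {"Content-Type": "application/xml", "If-Match": etag}


def reset_rule_dport(base_url, section_id, rule_id, auth):
    """GET the rule, strip destinationPort, PUT it back (network access required; values are placeholders)."""
    url = (f"{base_url}/api/4.0/firewall/globalroot-0/config/"
           f"layer3sections/{section_id}/rules/{rule_id}")
    req = urllib.request.Request(url, headers={"Authorization": auth})
    with urllib.request.urlopen(req) as resp:
        etag, body = resp.headers.get("ETag"), resp.read()
    new_body, removed = strip_destination_port(body)
    put = urllib.request.Request(url, data=new_body, method="PUT",
                                 headers={"Authorization": auth, **put_headers(etag)})
    with urllib.request.urlopen(put) as resp:
        return resp.status, removed
```

Call reset_rule_dport("https://nsx-ip", "1004", "1130", "Basic <base64 credentials>") against the manager; a non-zero second return value confirms that a destinationPort element was actually present and removed.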