[VMC on AWS] Unable to change Custom T1 default firewall policy
Article ID: 317512

Products

VMware NSX VMware Cloud on AWS

Issue/Introduction

This article explains why the default Gateway Firewall Policy of additional (customer-created) Tier-1 Gateways in VMware Cloud on AWS cannot be changed, and how to achieve the same effect on SDDC versions that are affected.

Symptoms:
The Action of the default Gateway Firewall Policy of an additional Tier-1 Gateway cannot be changed.
When attempting to change it from "Allow" to "Drop" or "Reject", an error similar to the following is shown:
User is not authorized to perform this operation on the application. Please contact the system administrator to get access.

Environment

VMware NSX-T Data Center
VMware NSX-T Data Center 3.x

Cause

The cloudadmin account and its role do not have the privileges required to update the Action of the default policy on an additional Tier-1 Gateway, so the NSX Manager rejects the change with an authorization error.

Resolution

This issue is resolved in SDDC version 1.19 and newer.

Workaround:
If the SDDC version is earlier than 1.19, create a new Gateway Firewall Policy on the affected Tier-1 Gateway containing a rule with either Drop or Reject as the Action. Because the default policy itself cannot be edited, this added policy is what determines the fate of traffic that no other rule matches.
A separate policy must be created for each additional Tier-1 Gateway when more than one exists.

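The following is an added example, not code from this knowledge base article or from VMware, showing how the workaround above can be scripted against the NSX Policy API rather than clicked through the console. It builds one Gateway Firewall Policy per additional Tier-1 Gateway, each holding a single any/any rule scoped to that T1 with Action DROP or REJECT, and refuses any other action so the script cannot silently reproduce the default Allow. The policy and rule ids, display names, the LocalGatewayRules category, the sequence_number, the domain passed to apply_policy, and the base URL and authentication headers are all assumptions for illustration; the offline check only exercises the body-building functions.

```python
"""Build (and optionally PATCH) a Drop/Reject catch-all Gateway Firewall Policy
for each additional Tier-1 Gateway via the NSX Policy API.

Added example for the workaround above; ids, names, category, sequence number,
domain and connection details are assumptions, not values from the KB article.
"""
import json
import urllib.request
from typing import Dict, List

# The workaround calls for Drop or Reject; Allow is what the default already does.
ALLOWED_ACTIONS = ("DROP", "REJECT")


def build_gateway_policy(t1_id: str, action: str = "DROP") -> Dict:
    """Return the GatewayPolicy body for one Tier-1 Gateway.

    The policy holds a single any/any rule scoped to the T1. Traffic that no
    earlier rule matches is then dropped or rejected instead of falling through
    to the non-editable default Allow policy.
    """
    action = action.upper()
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"action must be one of {ALLOWED_ACTIONS}, got {action!r}")
    if not t1_id or "/" in t1_id:
        raise ValueError("t1_id must be the Tier-1 Gateway id, not its policy path")
    policy_id = f"{t1_id}-catch-all-{action.lower()}"  # assumed naming convention
    return {
        "resource_type": "GatewayPolicy",
        "id": policy_id,
        "display_name": f"{t1_id} catch-all {action}",
        "category": "LocalGatewayRules",  # assumed category for the custom policy
        "rules": [
            {
                "resource_type": "Rule",
                "id": f"{policy_id}-rule",
                "display_name": f"Catch-all {action}",
                "action": action,
                "direction": "IN_OUT",
                "source_groups": ["ANY"],
                "destination_groups": ["ANY"],
                "services": ["ANY"],
                "scope": [f"/infra/tier-1s/{t1_id}"],
                # High sequence number so explicit allow rules evaluate first (assumption).
                "sequence_number": 1000,
            }
        ],
    }


def build_policies(t1_ids: List[str], action: str = "DROP") -> Dict[str, Dict]:
    """One policy per additional Tier-1 Gateway, keyed by T1 id."""
    return {t1: build_gateway_policy(t1, action) for t1 in t1_ids}


def apply_policy(base_url: str, domain: str, policy: Dict, headers: Dict[str, str]) -> int:
    """PATCH the policy to the NSX Policy API and return the HTTP status.

    base_url, domain and headers (for example a csp-auth-token or Basic auth
    header) depend on how the SDDC's NSX Manager is reached; they are inputs
    here, not values from the article. Not called by the offline check.
    """
    url = (f"{base_url}/policy/api/v1/infra/domains/{domain}"
           f"/gateway-policies/{policy['id']}")
    req = urllib.request.Request(
        url,
        data=json.dumps(policy).encode(),
        method="PATCH",
        headers={"Content-Type": "application/json", **headers},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed T1 ids for demonstration; print the bodies that would be PATCHed.
    for t1, body in build_policies(["custom-t1-a", "custom-t1-b"], "REJECT").items():
        print(f"--- {t1}")
        print(json.dumps(body, indent=2))
```

Run it as-is to inspect the generated bodies; to apply them, call apply_policy once per T1 with the base URL, domain and authentication headers appropriate to the SDDC. Creating the policy via PATCH keeps the change idempotent, so re-running the script does not duplicate rules.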

Additional Information

Impact/Risks:
The Action of the default policy in the Gateway Firewall of a customer-created Tier-1 Gateway cannot be changed; without the workaround, unmatched traffic continues to be allowed by that default.