[VMC on AWS] Unable to change Custom T1 default firewall policy
Article ID: 317512
Products
VMware NSX, VMware Cloud on AWS
Issue/Introduction
This article explains why the Gateway Firewall Policy for additional (customer-created) Tier-1 Gateways in VMware Cloud on AWS cannot be changed by the cloudadmin user.
Symptoms: The Action of the default Gateway Firewall Policy for an additional Tier-1 Gateway cannot be changed. When attempting to change it from "Allow" to "Drop" or "Reject", an error similar to the following is seen: "User is not authorized to perform this operation on the application. Please contact the system administrator to get access."
Environment
VMware NSX-T Data Center 3.x
Cause
The cloudadmin account and its role do not have the privilege required to update the Action of the default Gateway Firewall Policy on additional Tier-1 Gateways.
Resolution
This issue is resolved in SDDC versions 1.19 and newer.
Workaround:
If the SDDC version is earlier than 1.19, create a new Gateway Firewall Policy for the Tier-1 Gateway containing a catch-all rule (source Any, destination Any, service Any) with the Action set to Drop or Reject. Custom gateway policies are evaluated before the Default category, so the catch-all rule in the new policy takes effect even though the default policy still shows Allow; place it last in the new policy so that the more specific permit rules above it are matched first.
If there are multiple additional Tier-1 Gateways, a separate policy must be created for each one, scoped to that Tier-1 Gateway.
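The following is an added example (not code from the KB article or from VMware) that builds the per-Tier-1 catch-all policy described in the workaround using the NSX Policy API and, optionally, applies it with a PATCH. It assumes a base URL that reaches the NSX Policy API, a bearer token for authentication, that custom Tier-1 gateway policies live under the domain id "cgw" (the VMC Compute Gateway domain), and that a rule is scoped to a Tier-1 Gateway through its policy path "/infra/tier-1s/<t1-id>"; the gateway ids and the 99999 sequence number are placeholders. It generalizes the workaround to any number of Tier-1 Gateways and rejects any action other than DROP or REJECT.

```python
"""Build (and optionally apply) a catch-all Gateway Firewall policy per
additional Tier-1 Gateway via the NSX Policy API. Added example, not the
article's or VMware's own code. Assumptions: NSX Policy API base URL and
bearer token supplied by the caller; domain id "cgw"; rule scope is the
Tier-1 path "/infra/tier-1s/<t1-id>". Gateway ids here are constructed."""
import json
import urllib.request

VALID_ACTIONS = ("DROP", "REJECT")  # the only actions the workaround allows


def catch_all_policy(t1_id, action, domain_id="cgw", sequence_number=99999):
    """Return (api_path, body) for a GatewayPolicy with one catch-all rule.

    The high sequence_number keeps the rule after any specific allow rules
    you later add to the same policy; the policy as a whole still sits in
    the LocalGatewayRules category, ahead of the Default category.
    """
    if action not in VALID_ACTIONS:
        raise ValueError(f"action must be one of {VALID_ACTIONS}, got {action!r}")
    policy_id = f"catch-all-{action.lower()}-{t1_id}"
    path = f"/policy/api/v1/infra/domains/{domain_id}/gateway-policies/{policy_id}"
    body = {
        "resource_type": "GatewayPolicy",
        "id": policy_id,
        "display_name": f"Catch-all {action} for {t1_id}",
        "category": "LocalGatewayRules",
        "rules": [
            {
                "resource_type": "Rule",
                "id": f"catch-all-{action.lower()}",
                "display_name": f"Catch-all {action}",
                "sequence_number": sequence_number,
                "source_groups": ["ANY"],
                "destination_groups": ["ANY"],
                "services": ["ANY"],
                "scope": [f"/infra/tier-1s/{t1_id}"],  # limit to this T1 only
                "action": action,
                "logged": True,  # log hits so the new default is visible in GFW logs
            }
        ],
    }
    return path, body


def policies_for(t1_ids, action, domain_id="cgw"):
    """One policy per additional Tier-1 Gateway (the KB's 'one per T1')."""
    return dict(catch_all_policy(t1, action, domain_id) for t1 in t1_ids)


def is_effective_catch_all(body, t1_id, action):
    """Check a policy body (e.g. from a GET after applying) actually carries
    a catch-all rule scoped to t1_id with the requested action."""
    for rule in body.get("rules", []):
        if (
            rule.get("action") == action
            and rule.get("scope") == [f"/infra/tier-1s/{t1_id}"]
            and rule.get("source_groups") == ["ANY"]
            and rule.get("destination_groups") == ["ANY"]
            and rule.get("services") == ["ANY"]
        ):
            return True
    return False


def apply_policy(nsx_url, token, path, body):
    """PATCH the policy (create-or-update) and return the HTTP status.
    Not exercised offline; nsx_url/token are caller-supplied assumptions."""
    req = urllib.request.Request(
        nsx_url.rstrip("/") + path,
        data=json.dumps(body).encode("utf-8"),
        method="PATCH",
        headers={
            "Content-Type": "application/json",
            "Authorization": f"Bearer {token}",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed gateway ids; replace with your additional T1 ids.
    for path, body in policies_for(["t1-app-a", "t1-app-b"], "DROP").items():
        print(path)
        print(json.dumps(body, indent=2))
```

After applying, GET the same path and run the returned body through `is_effective_catch_all` to confirm the rule landed with the intended action and scope; also verify from a test VM behind the Tier-1 that traffic not matched by an explicit allow rule is now dropped.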
Additional Information
Impact/Risks: The Action of the default policy in a customer Tier-1 Gateway Firewall cannot be changed, so traffic not matched by an explicit rule remains allowed unless a catch-all Drop or Reject rule is added in a separate policy.