Search APIs were not case sensitive before NSX-T 3.2, causing incorrect information or errors to be displayed in the UI for objects with the same name with different casing


Article ID: 319142


Products

VMware vDefend Firewall

Issue/Introduction

  • You recently added a new Gateway firewall policy.
  • In the NSX-T manager web interface, under Security > North South Security > Gateway Firewall > Gateway Specific Rules, when you try to select the impacted gateway(s) from the drop down list, an alert pops up: General error has occurred.
  • This occurs on 2 gateways: if you try to select either of those 2 gateways from the drop-down list, the alert is generated, the blue working circle spins on screen, and no data is displayed.
  • In the NSX-T manager log 'syslog.log' you see log entries similar to the following:
2021-02-03T13:07:59.551Z nsxmgr01 NSX 1254 - [nsx@6876 audit="true" comp="nsx-manager" level="INFO" reqId="78cd8f71-####-####-####-db165f19f460" subcomp="policy" update="true" username="user"] UserName="User", ModuleName="FirewallFilter", Operation="GetSectionsByFilter", Operation status="failure", New value=[{"resource_type":"SecurityPolicy","sort_by":"internal_sequence_number,unique_id","sort_ascending":true,"cursor":"0","page_size":100} {"primary":{"resource_type":"GatewayPolicy","filters":[{"field_names":"path","value":"\\/infra\\/domains\\/default\\/gateway\\-policies\\/Policy_Default_Infra OR \\/infra\\/domains\\/default\\/gateway\\-policies\\/Block_All OR \\/infra\\/domains\\/default\\/gateway\\-policies\\/Temp"}]},"related":[{"join_condition":"path:parent_path","size":1,"alias":"domains","resource_type":"Domain"}],"filters":[{"filter_column":"SCOPE","filter_value":["\\/infra\\/tier\\-0s\\/T0\\-vrf\\-dc"]}]}]
2021-02-03T13:07:59.551Z nsxmgr01 NSX 1254 SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP100" level="ERROR" subcomp="policy"]
2021-02-03T13:07:59.553Z nsxmgr01 NSX 1254 SYSTEM [nsx@6876 audit="true" comp="nsx-manager" level="INFO" subcomp="policy"] UserName:'<username>' ModuleName:'common-services' Operation:'POST@/api/v1/ui/firewall/sections' Operation status: 'failure' Error: General error has occurred.



Environment

VMware NSX-T Data Center 2.x
VMware NSX-T Data Center 3.x

Cause

Search APIs were not case sensitive before NSX-T 3.2, causing incorrect information or errors to be displayed in the UI for objects with the same name with different casing.

For example, this happens when you add a Gateway Firewall policy whose name is the same as that of another Gateway Firewall policy apart from letter case, because these names are not treated as case sensitive.

To check and validate this you can run the following REST API calls, which will return all the Gateway Firewall policies:


GET https://<nsx-manager-ip>/api/v1/firewall/sections - MP API
GET https://<nsx-manager-ip>/policy/api/v1/infra/domains/default/gateway-policies - Policy API

In the example below, you can see that the names are the same, although the case is different.

LR-01 rules:
      {
        "_create_time": 1624283819508, - Monday, June 21, 2021 1:56:59.508 PM
        "_create_user": "nsx_policy",
...
          {
            "scope": "policyPath",
            "tag": "/infra/domains/default/gateway-policies/block_all" -> same policy name as LR-02
          }
        ],
        "tcp_strict": true
      },

LR-02 rules:
      {
        "_create_time": 1623248861241, - Wednesday, June 9, 2021 2:27:41.241 PM
        "_create_user": "nsx_policy",
...
          {
            "scope": "policyPath",
            "tag": "/infra/domains/default/gateway-policies/Block_All" -> same policy name as LR-01
          }
        ],
        "tcp_strict": true
      },
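
The check described above can be automated. The following Python is an added example, not part of the original article: it reads a saved response from the gateway-policies GET (or from a Groups listing) and reports values that differ only by letter case. The function name, the sample data and the assumption that the response carries a "results" array with "id", "display_name" and "path" fields are illustrative.

```python
import json
from collections import defaultdict

# Constructed sample shaped like a Policy API list response ("results" array
# of objects with "id", "display_name" and "path"); not output from a real system.
SAMPLE_RESPONSE = json.dumps({
    "results": [
        {"id": "Policy_Default_Infra", "display_name": "Policy_Default_Infra",
         "path": "/infra/domains/default/gateway-policies/Policy_Default_Infra"},
        {"id": "Block_All", "display_name": "Block_All",
         "path": "/infra/domains/default/gateway-policies/Block_All"},
        {"id": "block_all", "display_name": "block_all",
         "path": "/infra/domains/default/gateway-policies/block_all"},
        {"id": "Temp", "display_name": "Temp",
         "path": "/infra/domains/default/gateway-policies/Temp"},
    ],
    "result_count": 4,
})


def find_case_collisions(response_text, fields=("path", "display_name")):
    """Return {field: [[values differing only by case], ...]} for a list response."""
    results = json.loads(response_text).get("results", [])
    collisions = {}
    for field in fields:
        buckets = defaultdict(set)
        for obj in results:
            value = obj.get(field)
            if isinstance(value, str):
                # casefold() yields the key a case-insensitive search would use
                buckets[value.casefold()].add(value)
        # Keep only keys that map to more than one distinct spelling
        groups = [sorted(vals) for vals in buckets.values() if len(vals) > 1]
        if groups:
            collisions[field] = sorted(groups)
    return collisions


if __name__ == "__main__":
    for field, groups in find_case_collisions(SAMPLE_RESPONSE).items():
        for group in groups:
            print(f"{field}: case-only collision between {', '.join(group)}")
```

Running the same function against a saved Groups listing flags pairs such as examplegroup01 and EXAMPLEGROUP01.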

Resolution

This issue is resolved in VMware NSX-T Data Center 3.2 and later releases.

Workaround:
Use the REST API to delete one of the security policies and create a new one with a different name.

Get all rules under the policy you intend to delete:

GET https://<NSX-Manager-IP>/policy/api/v1/infra/domains/default/gateway-policies/block_all/rules


To remove the policy, you first need to remove these rules. Use the following REST API call to delete each rule identified by the above API call, adding each rule ID below:

DELETE https://<NSX-Manager-IP>/policy/api/v1/infra/domains/default/gateway-policies/block_all/rules/<rule id>


Once all the rules are removed, you can remove the policy:

DELETE https://<NSX-Manager-IP>/policy/api/v1/infra/domains/default/gateway-policies/block_all


Check that the policy has been removed:

GET https://<NSX-Manager-IP>/policy/api/v1/infra/domains/default/gateway-policies/block_all


Now the GUI should work properly, and you can create the policy using a different name.

Additional Information

This issue also affects other objects, such as Groups, where the search API will incorrectly return the same results for both lowercase and uppercase objects:
Example:
/infra/domains/default/groups/examplegroup01
/infra/domains/default/groups/EXAMPLEGROUP01