NSX-T DFW Jump to Application rule logged when logging is disabled
Article ID: 322463

Products

VMware NSX Networking

Issue/Introduction

Symptoms:
  • You are using VMware NSX 4.0.
  • Jump to Application rules are configured.
  • Logging for the Jump to rule is disabled in the UI.
  • This can be confirmed with the following API call:
GET /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/rules/<rule-id>
"action": "JUMP_TO_APPLICATION",
"resource_type": "Rule",
"id": "Test_Rule",
"rule_id": 23465

...
"logged": false,
...

 
  • Confirm the rule has been pushed to the dataplane (ESXi) using the following commands.
Use the summarize-dvfilter command to list the DFW slot 2 VM filter:
[root@esx-03:~] summarize-dvfilter | grep Test_VM -A2
world 1087494 vmm0:TEST_VM vcUuid:'50 1d 7f 04 d3 39 6d 46-09 c3 bb de 4d 80 a5 bd'
port 67108877 NSX-T Manager 01.eth0
vNic slot 2
name: nic-1087494-eth0-vmware-sfw.2
 
Using the slot 2 filter name from above, run vsipioctl getrules -f <filter name> to view the rules:
[root@esx-03:~] vsipioctl getrules -f nic-1087494-eth0-vmware-sfw.2
rule 23465 at 1 inout protocol any from addrset rsrc123456 to addrset rdst654321 goto_filter tag 'Test_Rule'
 
Note: if the rule were set to log, the end of the line would read "with log tag" followed by the log tag, as in the following example:
[root@esx-03:~] vsipioctl getrules -f nic-1087494-eth0-vmware-sfw.2
rule 23465 at 1 inout protocol any from addrset rsrc123456 to addrset rdst654321 goto_filter tag 'Test_Rule' with log tag 'Test_Logging';
 
  • After you have confirmed logging is disabled on both the VMware NSX Manager and ESXi, the rule is still being logged in /var/run/log/dfwpktlogs.log on the ESXi host:
[root@esx-03:~] less dfwpktlogs.log
2023-03-29T12:00:07.908Z 403d7eed INET match GOTO_FILTER 23465 IN 52 TCP 10.10.10.185/12345-10.10.10.139/54321 Test_GOTO_Rule
2023-03-29T12:00:07.908Z 403d7eed INET match PASS 2 IN 52 TCP 10.10.10.185/12345-10.10.10.139/54321 Test_FILTER_Rule
2023-03-29T12:00:07.908Z 2a0e1fd3 INET match GOTO_FILTER 23465 IN 52 TCP 10.10.10.185/12345-10.10.10.140/554321 Test_GOTO_Rule
2023-03-29T12:00:07.908Z 2a0e1fd3 INET match PASS 2 IN 52 TCP 10.10.10.185/12345-10.10.10.140/554321 Test_FILTER_Rule
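To spot this condition across a whole dfwpktlogs.log, the GOTO_FILTER entries can be cross-checked against the "logged" flag each rule reports through the policy API. The following is an added example (not VMware's code); it parses the line layout shown above and assumes the caller has already collected the rule_id to "logged" mapping from the API, here constructed inline.

```python
import re
from typing import Dict, List, Optional

# Layout of one dfwpktlogs.log line, as quoted in the article:
#   <ts> <filter-hash> INET match <ACTION> <rule-id> <IN|OUT> <len> <PROTO> <src>/<sport>-<dst>/<dport> <tag>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<filter>[0-9a-f]+)\s+INET\s+match\s+(?P<action>[A-Z_]+)\s+"
    r"(?P<rule_id>\d+)\s+(?P<direction>IN|OUT)\s+(?P<length>\d+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+?)/(?P<sport>\d+)-(?P<dst>\S+?)/(?P<dport>\d+)\s+(?P<tag>\S+)\s*$"
)

def parse_dfwpktlog_line(line: str) -> Optional[dict]:
    """Split one packet-log line into named fields; return None if it does not match."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule_id"] = int(rec["rule_id"])
    return rec

def find_unexpected_goto_logs(lines: List[str], rule_logging: Dict[int, bool]) -> List[dict]:
    """Return GOTO_FILTER entries whose rule reports "logged": false in the policy API.
    rule_logging maps the numeric rule_id from the API to that rule's "logged" flag."""
    hits = []
    for line in lines:
        rec = parse_dfwpktlog_line(line)
        if rec is None or rec["action"] != "GOTO_FILTER":
            continue
        if rule_logging.get(rec["rule_id"]) is False:  # rules missing from the map are not flagged
            hits.append(rec)
    return hits

# Constructed sample input: the four lines quoted above.
SAMPLE_LOG = [
    "2023-03-29T12:00:07.908Z 403d7eed INET match GOTO_FILTER 23465 IN 52 TCP 10.10.10.185/12345-10.10.10.139/54321 Test_GOTO_Rule",
    "2023-03-29T12:00:07.908Z 403d7eed INET match PASS 2 IN 52 TCP 10.10.10.185/12345-10.10.10.139/54321 Test_FILTER_Rule",
    "2023-03-29T12:00:07.908Z 2a0e1fd3 INET match GOTO_FILTER 23465 IN 52 TCP 10.10.10.185/12345-10.10.10.140/554321 Test_GOTO_Rule",
    "2023-03-29T12:00:07.908Z 2a0e1fd3 INET match PASS 2 IN 52 TCP 10.10.10.185/12345-10.10.10.140/554321 Test_FILTER_Rule",
]
# Constructed mapping: the Jump to rule 23465 has "logged": false as in the API output above;
# rule 2 (the application rule it jumps to) is assumed to have logging enabled.
RULE_LOGGING = {23465: False, 2: True}

if __name__ == "__main__":
    for rec in find_unexpected_goto_logs(SAMPLE_LOG, RULE_LOGGING):
        print(f"{rec['ts']} rule {rec['rule_id']} ({rec['tag']}) logged GOTO_FILTER although logging is disabled")
```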


Environment

VMware NSX-T Data Center

Cause

When the application rule has logging enabled, the Jump to Application rule is also logged, regardless of whether logging is enabled or disabled on the Jump to rule itself.


Resolution

This is resolved in NSX version 4.1.1, available from VMware Downloads.

Workaround:
To stop the Jump to rule from being logged, disable logging on the application-level rule.