Symptoms:
- You are using VMware NSX 4.0.
- Jump to Application rules are configured.
- Logging for the Jump to rule is disabled in the UI.
- This can be confirmed with the following API call:
GET /policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>/rules/<rule-id>
"action": "JUMP_TO_APPLICATION",
"resource_type": "Rule",
"id": "Test_Rule",
"rule_id": 23465
...
"logged": false,
...
- Confirm the rule has been pushed to the dataplane (ESXi) using the following commands:
Use the summarize-dvfilter command to list the DFW slot 2 VM filter:
[root@esx-03:~] summarize-dvfilter | grep Test_VM -A2
world 1087494 vmm0:TEST_VM vcUuid:'50 1d 7f 04 d3 39 6d 46-09 c3 bb de 4d 80 a5 bd'
port 67108877 NSX-T Manager 01.eth0
vNic slot 2
name: nic-1087494-eth0-vmware-sfw.2
Using the slot 2 filter name from above, run vsipioctl getrules -f <filter name> to view the rules:
[root@esx-03:~] vsipioctl getrules -f nic-1087494-eth0-vmware-sfw.2
rule 23465 at 1 inout protocol any from addrset rsrc123456 to addrset rdst654321 goto_filter tag 'Test_Rule'
Note: if the rule were set to log, the end of the line would state "with log tag" followed by the log tag, as in the example below:
[root@esx-03:~] vsipioctl getrules -f nic-1087494-eth0-vmware-sfw.2
rule 23465 at 1 inout protocol any from addrset rsrc123456 to addrset rdst654321 goto_filter tag 'Test_Rule' with log tag 'Test_Logging';
- After you have confirmed logging is disabled on both the VMware NSX manager and ESXi, the rule is still being logged in /var/run/log/dfwpktlogs.log on the ESXi host:
[root@esx-03:~] less dfwpktlogs.log
2023-03-29T12:00:07.908Z 403d7eed INET match GOTO_FILTER 23465 IN 52 TCP 10.10.10.185/12345-10.10.10.139/54321 Test_GOTO_Rule
2023-03-29T12:00:07.908Z 403d7eed INET match PASS 2 IN 52 TCP 10.10.10.185/12345-10.10.10.139/54321 Test_FILTER_Rule
2023-03-29T12:00:07.908Z 2a0e1fd3 INET match GOTO_FILTER 23465 IN 52 TCP 10.10.10.185/12345-10.10.10.140/554321 Test_GOTO_Rule
2023-03-29T12:00:07.908Z 2a0e1fd3 INET match PASS 2 IN 52 TCP 10.10.10.185/12345-10.10.10.140/554321 Test_FILTER_Rule
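The comparison the steps above walk through by hand (rule configured without a log tag on the host, yet entries for that rule id appearing in dfwpktlogs.log) can be scripted so that every Jump to Application rule on a host is checked the same way. The following POSIX sh script is an added example and is not part of the KB article or a VMware tool; the rule and log samples embedded in it are constructed to mirror the output shown above, and on a real host they would be replaced by the output of vsipioctl getrules -f <filter name> and the contents of /var/run/log/dfwpktlogs.log. It assumes the field layout visible in the log lines above (action in field 5, rule id in field 6) and that a logging rule ends with "with log tag".

```shell
#!/bin/sh
# Added example (not from the KB article): cross-check a DFW rule's configured
# logging state on the ESXi host against what actually lands in dfwpktlogs.log.
# Both samples below are constructed to match the article's output format.

# Constructed sample of `vsipioctl getrules -f <filter name>` output: rule 23465
# (the Jump to rule) has no log tag, rule 2 (the target filter rule) does.
RULES_SAMPLE="rule 23465 at 1 inout protocol any from addrset rsrc123456 to addrset rdst654321 goto_filter tag 'Test_Rule';
rule 2 at 2 inout protocol any from any to any accept tag 'Test_FILTER_Rule' with log tag 'Filter_Logging';"

# Constructed sample of /var/run/log/dfwpktlogs.log lines.
LOG_SAMPLE="2023-03-29T12:00:07.908Z 403d7eed INET match GOTO_FILTER 23465 IN 52 TCP 10.10.10.185/12345-10.10.10.139/54321 Test_GOTO_Rule
2023-03-29T12:00:07.908Z 403d7eed INET match PASS 2 IN 52 TCP 10.10.10.185/12345-10.10.10.139/54321 Test_FILTER_Rule"

# rule_log_configured RULES_TEXT RULE_ID
# Prints "yes" if the host-side rule line carries a log tag, "no" if it does
# not, and "absent" if no rule with that id is present in the filter at all.
rule_log_configured() {
    printf '%s\n' "$1" | awk -v id="$2" '
        $1 == "rule" && $2 == id {
            r = ($0 ~ /with log tag/) ? "yes" : "no"
            print r
            found = 1
        }
        END { if (!found) print "absent" }'
}

# count_rule_log_hits LOG_TEXT RULE_ID
# Counts dfwpktlogs.log entries whose rule-id field (field 6) equals RULE_ID.
count_rule_log_hits() {
    printf '%s\n' "$1" | awk -v id="$2" '$6 == id { n++ } END { print n + 0 }'
}

# list_jump_rule_ids RULES_TEXT
# Prints the ids of all goto_filter (Jump to Application) rules in the filter.
list_jump_rule_ids() {
    printf '%s\n' "$1" | awk '$1 == "rule" && / goto_filter / { print $2 }'
}

# audit_rule RULES_TEXT LOG_TEXT RULE_ID
# MISMATCH   : logging disabled on the host, but packet log entries exist
# NOT_ON_HOST: rule id not found in the filter (policy not pushed to dataplane)
# OK         : logging state and log entries agree
audit_rule() {
    cfg=$(rule_log_configured "$1" "$3")
    hits=$(count_rule_log_hits "$2" "$3")
    if [ "$cfg" = "absent" ]; then
        echo "NOT_ON_HOST"
    elif [ "$cfg" = "no" ] && [ "$hits" -gt 0 ]; then
        echo "MISMATCH"
    else
        echo "OK"
    fi
}

# Walk every Jump to rule in the filter and report its state.
# On a live host, replace the two samples with:
#   RULES=$(vsipioctl getrules -f nic-1087494-eth0-vmware-sfw.2)
#   LOG=$(cat /var/run/log/dfwpktlogs.log)
for id in $(list_jump_rule_ids "$RULES_SAMPLE"); do
    printf 'rule %s: configured_log=%s log_entries=%s -> %s\n' \
        "$id" \
        "$(rule_log_configured "$RULES_SAMPLE" "$id")" \
        "$(count_rule_log_hits "$LOG_SAMPLE" "$id")" \
        "$(audit_rule "$RULES_SAMPLE" "$LOG_SAMPLE" "$id")"
done
```

With the sample data the loop reports rule 23465 as MISMATCH, which is exactly the symptom described above: the host-side rule shows no log tag, yet GOTO_FILTER entries for that id are present in the packet log. Running the same check across the slot 2 filter of each VM (one summarize-dvfilter lookup per VM, as in the steps above) gives a host-wide view of which Jump to rules are affected.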