NSX-T Firewall rules are not applied to physical device login/logout events using LogInsight events
Article ID: 322469
Products
VMware vDefend Firewall
Issue/Introduction
- The AD user login/logout events are not seen in the NSX-T Active IDFW Sessions tab of the NSX-T UI.
- Firewall rules are not applied correctly to these sessions.
- The login/logout events are correctly seen in Aria Operations for Logs.
- On the NSX-T Manager, the syslog and nsxapi logs show the events received from Aria Operations for Logs:
2022-05-12T08:53:01.509Z INFO http-nio-127.0.0.1-7440-exec-48 PolicyIdentityFacadeImpl 13474 FIREWALL [nsx@6876 comp="nsx-manager" level="INFO" reqId="4d66c423-####-####-####-6e441441ffff" subcomp="manager" username="admin"] Received response for /api/v1/idfw/user-session-data as IdfwUserSessionDataAndMappingsDto{activeUserSessions='..........
IdfwUserSessionDataDto{id='ffccddvv-####-####-####-aa1227babe58', domainName='CORP', userName='username', userId='88779900-####-####-####-8cad2f9ef3ec', vmExtId='', userSessionId='-########', loginTime='1652345418586', logoutTime='1652345421706', sessionSource='ELS'}........
Environment
- You are using NSX-T IDFW (Identity Firewall).
- You are running VMware NSX-T Data Center 3.2.x and using Aria Operations for Logs to register the login/logout events from physical devices.
- The AD (Active Directory) username may start with an uppercase letter, with the remainder in lowercase.
Cause
AD usernames are case insensitive, but the IDFW logic is NOT case insensitive.
Resolution
This issue is resolved in VMware NSX-T Data Center 3.2.2.0.
This issue is resolved in VMware NSX 4.0.0.1.
Workaround:
Ensure AD users log in using the same letter case as their username has in AD, if you are using Aria Operations for Logs to scrape these events.
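One way to see which logins the workaround applies to, as an added example that is not part of the original article or VMware's code: the script parses IdfwUserSessionDataDto entries in the format shown in the log excerpt above and reports sessions whose userName differs from the AD spelling only by letter case. The AD account list (`SAMPLE_AD`), the function names and the sample log values are constructed assumptions.

```python
import re

DTO_RE = re.compile(r"IdfwUserSessionDataDto\{([^}]*)\}")
FIELD_RE = re.compile(r"(\w+)='([^']*)'")

def parse_sessions(log_text):
    """Yield one dict per IdfwUserSessionDataDto{...} entry found in the text."""
    for m in DTO_RE.finditer(log_text):
        yield dict(FIELD_RE.findall(m.group(1)))

def find_case_mismatches(log_text, ad_accounts):
    """Return sessions whose userName differs from the AD spelling only by case.

    ad_accounts: {domain: [names exactly as stored in AD]} (assumed export).
    """
    # Case-insensitive index of AD accounts -> spelling stored in AD.
    canonical = {
        (domain.lower(), name.lower()): name
        for domain, names in ad_accounts.items()
        for name in names
    }
    hits = []
    for s in parse_sessions(log_text):
        logged = s.get("userName", "")
        key = (s.get("domainName", "").lower(), logged.lower())
        stored = canonical.get(key)
        # Accounts missing from the export are skipped; exact matches are fine.
        if stored is not None and stored != logged:
            hits.append({"domain": s.get("domainName"), "logged": logged,
                         "in_ad": stored, "session_id": s.get("id"),
                         "source": s.get("sessionSource")})
    return hits

# Constructed sample input modeled on the nsxapi excerpt (IDs are placeholders).
_T = ("IdfwUserSessionDataDto{{id='{0}', domainName='CORP', userName='{1}', "
      "userId='', vmExtId='', loginTime='1652345418586', sessionSource='ELS'}}")
SAMPLE_LOG = ", ".join(_T.format(i, n) for i, n in
                       [("sess-1", "Jsmith"), ("sess-2", "adavis"), ("sess-3", "guest")])
# Constructed AD export: account names exactly as stored in the directory.
SAMPLE_AD = {"CORP": ["jsmith", "adavis"]}

if __name__ == "__main__":
    for hit in find_case_mismatches(SAMPLE_LOG, SAMPLE_AD):
        print(hit)
```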