NSX-T Firewall rules are not applied to physical device login/logout events using LogInsight events

Article ID: 322469

Products

VMware vDefend Firewall

Issue/Introduction

  • The AD user login/logout events are not seen in the NSX-T Active IDFW Sessions tab of the NSX-T UI.
  • Firewall rules are not applied correctly to these sessions.
  • The login/logout events are correctly seen in Aria Operations for Logs.
  • In the NSX-T Manager logs, syslog and nsxapi show the events received from Aria Operations for Logs:
2022-05-12T08:53:01.509Z  INFO http-nio-127.0.0.1-7440-exec-48 PolicyIdentityFacadeImpl 13474 FIREWALL [nsx@6876 comp="nsx-manager" level="INFO" reqId="4d66c423-####-####-####-6e441441ffff" subcomp="manager" username="admin"] Received response for /api/v1/idfw/user-session-data as IdfwUserSessionDataAndMappingsDto{activeUserSessions='..........
IdfwUserSessionDataDto{id='ffccddvv-####-####-####-aa1227babe58', domainName='CORP', userName='username', userId='88779900-####-####-####-8cad2f9ef3ec', vmExtId='', userSessionId='-########', loginTime='1652345418586', logoutTime='1652345421706', sessionSource='ELS'}........

Environment

  • You are using NSX-T IDFW (Identity Firewall).
  • You are running VMware NSX-T Data Center 3.2.x and using Aria Operations for Logs to register the login/logout events from physical devices.
  • The AD (Active Directory) username may start with an upper-case letter while the remaining letters are lower-case.

Cause

AD usernames are case insensitive, but the IDFW matching logic is NOT: a login event whose username differs from the stored AD form only in letter case is not matched to the AD user, so the session is not shown and the rules are not applied.
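As an added illustration of this cause (not part of this KB and not NSX code), the following Python parses the IdfwUserSessionDataDto entries out of an nsxapi line like the one shown above and lists the sessions that a case-insensitive AD lookup would accept but an exact-case comparison rejects. The log line and the AD_CANONICAL username set are constructed for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample modelled on the nsxapi excerpt in this KB; IDs and names are made up.
SAMPLE_LOG = (
    "2022-05-12T08:53:01.509Z INFO http-nio-127.0.0.1-7440-exec-48 PolicyIdentityFacadeImpl "
    "13474 FIREWALL Received response for /api/v1/idfw/user-session-data as "
    "IdfwUserSessionDataAndMappingsDto{activeUserSessions=["
    "IdfwUserSessionDataDto{id='11111111-0000-0000-0000-000000000001', domainName='CORP', "
    "userName='Jsmith', userId='22222222-0000-0000-0000-000000000001', vmExtId='', "
    "userSessionId='-1', loginTime='1652345418586', logoutTime='', sessionSource='ELS'}, "
    "IdfwUserSessionDataDto{id='11111111-0000-0000-0000-000000000002', domainName='CORP', "
    "userName='alee', userId='22222222-0000-0000-0000-000000000002', vmExtId='', "
    "userSessionId='-2', loginTime='1652345418600', logoutTime='', sessionSource='ELS'}]}"
)

# Hypothetical: usernames exactly as stored in AD, per domain (constructed for the example).
AD_CANONICAL: Dict[str, Set[str]] = {"CORP": {"jsmith", "alee"}}

DTO_RE = re.compile(r"IdfwUserSessionDataDto\{([^}]*)\}")
FIELD_RE = re.compile(r"(\w+)='([^']*)'")


def parse_sessions(log_text: str) -> List[Dict[str, str]]:
    """Extract each IdfwUserSessionDataDto{...} as a dict of its key='value' fields."""
    return [dict(FIELD_RE.findall(m.group(1))) for m in DTO_RE.finditer(log_text)]


def case_sensitive_match(session: Dict[str, str], ad_users: Dict[str, Set[str]]) -> bool:
    """Exact comparison: the behaviour this KB attributes to the affected IDFW versions."""
    return session.get("userName", "") in ad_users.get(session.get("domainName", ""), set())


def case_insensitive_match(session: Dict[str, str], ad_users: Dict[str, Set[str]]) -> bool:
    """Comparison the way AD itself treats usernames (case-insensitive)."""
    known = {u.casefold() for u in ad_users.get(session.get("domainName", ""), set())}
    return session.get("userName", "").casefold() in known


def find_case_mismatches(log_text: str, ad_users: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """Sessions AD would accept but an exact-case comparison silently drops."""
    return [s for s in parse_sessions(log_text)
            if case_insensitive_match(s, ad_users) and not case_sensitive_match(s, ad_users)]


if __name__ == "__main__":
    for s in find_case_mismatches(SAMPLE_LOG, AD_CANONICAL):
        print("case mismatch: " + s["domainName"] + "\\" + s["userName"] + " (session " + s["id"] + ")")
```

Run against a real nsxapi extract, any session it reports is one whose username case differs from AD and which an unpatched 3.2.x manager would not show in the Active IDFW Sessions tab.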

Resolution

This issue is resolved in VMware NSX-T Data Center 3.2.2.0.
This issue is resolved in VMware NSX 4.0.0.1.

Workaround:
If Aria Operations for Logs is used to scrape these events, ensure AD users log in with their username in exactly the same letter case as it is stored in AD.