NSX-T TLS & L7 access profile(configured on Gateway Firewall) having APP ID as HTTP2 not being rejecting traffic
search cancel

NSX-T TLS & L7 access profile(configured on Gateway Firewall) having APP ID as HTTP2 not being rejecting traffic

book

Article ID: 322532

calendar_today

Updated On:

Products

VMware vDefend Firewall

Issue/Introduction

  • While running command get firewall <uuid> ruleset [type <rule-type>] stats as admin user on the NSX-T Edge Node CLI we can see the L7 profile reject gets hit.
Firewall rule count: 2
Rule ID : 1039
Input bytes : 2772
Output bytes : 1251
Input packets : 10
Output packets : 12
Evaluations : 3
Hits : 1
Active connections : 0
L7 profile allow : 0
L7 profile reject : 2 <<<<<<-------- It gets a HIT
L7 profile reject page : 0
  • While running the command  get tls-inspection traffic-stats lr-uuid <uuid> as admin user on the NSX-T Edge Node CLI you can see the TLS rules are being hit.
rule hits : 1 <<<<<<-------- It gets a HIT
cached certs : 1
cached cert hits : 0
cached cert misses : 1
open connections : 0
total connections : 1
decrypted connections : 1
bypassed due to rules : 0
bypassed due to failures : 0
failed connections : 0
client-to-server bytes : 114
server-to-client bytes : 367
  • You observe the traffic is being forwarded although it is supposed to be rejected based on TLS and L7 profile.
# curl -vk --tlsv1.2 --resolve www.example.com:443:10.1.1.10 https://www.example.com --http1.1
* Added www.example.com:443:1.1.1.10 to DNS cache
* Rebuilt URL to: https://www.example.com/
* Hostname www.example.com was found in DNS cache
* Trying 10.1.1.10...
* TCP_NODELAY set
* Connected to www.example.com (10.1.1.10) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=IN; ST=MH; L=Pune; O=trustsign; OU=servercert; CN=www.example.com; [email protected]
* start date: Sep 16 16:56:00 2021 GMT
* expire date: Sep 16 16:56:00 2029 GMT
* issuer: C=IN; ST=MH; L=Pune; O=trustsign; OU=certissuer; CN=Enterprise Trusted Root CA; emailAddress=enterprise_trusted_root_ca@trustsign
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.



Environment

VMware NSX-T Data Center 3.x
VMware NSX 4.x

You have configured TLS and layer 7 access on your Gateway firewall.

You have configured an ANY ANY rule to reject traffic

Resolution

This issue is resolved in VMware NSX 4.1.1



Workaround:
Instead of configuring APPID as HTTP2 in L7 profile, you can configure HTTP2 APPID in GW Firewall Rule directly and make the action as REJECT.
This needs to be configured carefully as per requirements. See NSX-T Documentation

 



Powered by Wolken Software