NSX-T TLS & L7 access profile (configured on Gateway Firewall) having APP ID as HTTP2 not rejecting traffic
Article ID: 322532

Products

VMware NSX Networking

Issue/Introduction

Symptoms:
  • You have configured TLS and layer 7 access on your Gateway Firewall.
  • You have configured an ANY ANY rule to reject traffic.
  • While running the command get firewall <uuid> ruleset [type <rule-type>] stats as the admin user on the NSX-T Edge Node CLI, you can see that the L7 profile reject counter is being hit:
   Firewall rule count: 2
    Rule ID : 1039
    Input bytes : 2772
    Output bytes : 1251
    Input packets : 10
    Output packets : 12
    Evaluations : 3
    Hits : 1
    Active connections : 0
    L7 profile allow : 0
    L7 profile reject : 2 <<<<<<-------- It gets a HIT
    L7 profile reject page : 0
  • While running the command get tls-inspection traffic-stats lr-uuid <uuid> as the admin user on the NSX-T Edge Node CLI, you can see that the TLS rules are being hit:
    rule hits : 1 <<<<<<-------- It gets a HIT
    cached certs : 1
    cached cert hits : 0
    cached cert misses : 1
    open connections : 0
    total connections : 1
    decrypted connections : 1
    bypassed due to rules : 0
    bypassed due to failures : 0
    failed connections : 0
    client-to-server bytes : 114
    server-to-client bytes : 367
  • You observe that the traffic is still being forwarded, although it should be rejected based on the TLS and L7 profile. For example, a curl test from a client to the protected server completes the TLS handshake:
root@10:~# curl -vk --tlsv1.2 --resolve www.example.com:443:1.1.1.10 https://www.example.com --http1.1
* Added www.example.com:443:1.1.1.10 to DNS cache
* Rebuilt URL to: https://www.example.com/
* Hostname www.example.com was found in DNS cache
* Trying 1.1.1.10...
* TCP_NODELAY set
* Connected to www.example.com (1.1.1.10) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=IN; ST=MH; L=Pune; O=trustsign; OU=servercert; CN=www.example.com; [email protected]
* start date: Sep 16 16:56:00 2021 GMT
* expire date: Sep 16 16:56:00 2029 GMT
* issuer: C=IN; ST=MH; L=Pune; O=trustsign; OU=certissuer; CN=Enterprise Trusted Root CA; emailAddress=enterprise_trusted_root_ca@trustsign
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
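The three symptoms above amount to one check: the Edge CLI counters say the L7 profile rejected the flow and TLS inspection decrypted it, yet the client still completed the connection. The following is an added example (not part of this article and not NSX-T code) that parses the two counter outputs quoted above and flags exactly that inconsistency. The sample text is constructed from the article's output; the second rule (ID 1040) and the connection_succeeded flag (which you would set from your own curl observation) are assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed sample: the 'get firewall <uuid> ruleset stats' output quoted in
# this article, plus an assumed second rule (ID 1040) with no hits.
RULESET_STATS = """\
Firewall rule count: 2
 Rule ID : 1039
 Input bytes : 2772
 Output bytes : 1251
 Input packets : 10
 Output packets : 12
 Evaluations : 3
 Hits : 1
 Active connections : 0
 L7 profile allow : 0
 L7 profile reject : 2 <<<<<<-------- It gets a HIT
 L7 profile reject page : 0
 Rule ID : 1040
 Input bytes : 0
 Output bytes : 0
 Input packets : 0
 Output packets : 0
 Evaluations : 0
 Hits : 0
 Active connections : 0
 L7 profile allow : 0
 L7 profile reject : 0
 L7 profile reject page : 0
"""

# Constructed sample: the 'get tls-inspection traffic-stats' output quoted above.
TLS_STATS = """\
rule hits : 1 <<<<<<-------- It gets a HIT
cached certs : 1
cached cert hits : 0
cached cert misses : 1
open connections : 0
total connections : 1
decrypted connections : 1
bypassed due to rules : 0
bypassed due to failures : 0
failed connections : 0
client-to-server bytes : 114
server-to-client bytes : 367
"""

# Matches 'Counter name : 123'; anything after the number (the <<<--- annotations) is ignored.
COUNTER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 -]*?)\s*:\s*(\d+)")


def parse_counters(text: str) -> Dict[str, int]:
    """Flat 'name : value' output (TLS inspection stats) into a dict keyed by lower-cased name."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1).strip().lower()] = int(m.group(2))
    return counters


def parse_ruleset_stats(text: str) -> List[Dict[str, int]]:
    """Per-rule output: each 'Rule ID' line starts a new counter dict; the header line is skipped."""
    rules: List[Dict[str, int]] = []
    current: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if not m:
            continue
        name, value = m.group(1).strip().lower(), int(m.group(2))
        if name == "rule id":
            current = {"rule id": value}
            rules.append(current)
        elif current:
            current[name] = value
    return rules


def rules_with_l7_reject_hits(rules: List[Dict[str, int]]) -> List[int]:
    """Rule IDs whose L7 profile reject counter has incremented."""
    return [r["rule id"] for r in rules if r.get("l7 profile reject", 0) > 0]


def reject_not_enforced(rule: Dict[str, int], tls: Dict[str, int], connection_succeeded: bool) -> bool:
    """True when the Edge counted an L7 reject on a decrypted flow but the client still got through.

    connection_succeeded is an assumption you supply from your own client test
    (e.g. the curl handshake in this article completing against the server).
    """
    return (
        rule.get("l7 profile reject", 0) > 0
        and tls.get("decrypted connections", 0) > 0
        and connection_succeeded
    )


if __name__ == "__main__":
    rules = parse_ruleset_stats(RULESET_STATS)
    tls = parse_counters(TLS_STATS)
    for rule in rules:
        if reject_not_enforced(rule, tls, connection_succeeded=True):
            print(f"rule {rule['rule id']}: L7 reject counted but traffic still forwarded")
```

In practice you would paste the live CLI output into the two string constants (or read them from files) and set connection_succeeded from the result of your own curl test; a rule reported by reject_not_enforced is one where the L7 profile counter and the observed behaviour disagree, which is the condition this article describes.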


Environment

VMware NSX-T Data Center

Resolution

Workaround:
Instead of setting the APP ID to HTTP2 in the L7 access profile, configure the HTTP2 APP ID directly in the Gateway Firewall rule and set the rule action to REJECT.
This needs to be configured carefully according to your requirements. See the NSX-T Documentation.