Symptoms:
- The position of a policy is being revised on the Gateway Firewall using the following POST API with an empty body:
<NSXManager>/policy/api/v1/infra/domains/<domain-id>/gateway-policies/<gateway-policy-id>?action=revise&operation=insert_bottom
- The expected behavior, is that policy referenced by 'gateway-policy-id' will be placed at the bottom. However, the result is that the policy is placed on the top.
- NSX-T prior to 3.2.0.
- The following error is returned when the API is called:
"Once a category has been assigned to a Security Policy, it cannot be modified"
- In the /var/log/policy.log the following message will be reported:
2021-08-24T10:50:44.140Z INFO http-nio-127.0.0.1-6440-exec-20 PolicyEdgeFirewallFacadeImpl - POLICY [nsx@6876 comp="nsx-manager" level="INFO" reqId="c58a0ee2-####-####-####-########9fb" subcomp="policy" use
rname="admin"] Revising gateway policy for domain default with operation insert_bottom and anchor null
2021-08-24T10:50:44.144Z ERROR http-nio-127.0.0.1-6440-exec-20 AbstractCommunicationMapServiceImpl - POLICY [nsx@6876 comp="nsx-manager" errorCode="MP500097" level="ERROR" reqId="c58a0ee2-####-####-####-########a66
c8049fb" subcomp="policy" username="admin"] Category of CommunicationMap cannot be updated from LOCAL_GATEWAY_RULES to APPLICATION
2021-08-24T10:50:44.145Z INFO http-nio-127.0.0.1-6440-exec-20 NsxBaseRestController - - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="policy"] Error in API /policy/api/v1/infra/domains/default/gateway-p
olicies/Insert-Test2?action=revise&operation=insert_bottom caused by exception com.vmware.nsx.management.policy.policyframework.exceptions.InvalidParameterException: {"moduleName":"Policy","errorCode":500097
,"errorMessage":"Once a category has been assigned to a Security Policy, it cannot be modified"}
- The equivalent POST API call on the DFW can be made against the DFW (not Gateway) policies with an empty body and works as expected:
<NSXManager>/policy/api/v1/infra/domains/<domain-id>/security-policies/<security-policy-id>?action=revise&operation=insert_bottom