This is a known issue impacting NSX-T Data Center.
Workaround:
Perform an update on the "/infra/settings/firewall/security" entity to trigger a sync from the Management Plane (MP) to the Central Control Plane (CCP). This can be done in two ways; both toggle one attribute of the settings entity, the "Auto Save Drafts" field ("disable_auto_drafts" in the API), and then toggle it back. Do not modify any other security configuration while this operation is performed.
- Via Manager UI:
Step 1: Navigate to Security -> Distributed Firewall -> Actions -> General Settings -> General Firewall -> Auto Save Drafts -> Toggle (set it OFF if it is ON, or ON if it is OFF) -> Save
Step 2: Repeat Step 1 to revert the "Auto Save Drafts" setting to its previous state.
- Via Policy APIs:
Step 1: Retrieve the current settings object; its body is the payload for the following steps:
GET
https://<Manager IP>/policy/api/v1/infra/settings/firewall/security
Note: "disable_auto_drafts" is the attribute that will be toggled (its value can be 'true' or 'false').
{
"idfw_enabled": false,
"idfw_event_log_scraper_enabled": false,
"idfw_loginsight_enabled": false,
"resource_type": "DfwFirewallConfiguration",
"id": "security",
"display_name": "security",
"path": "/infra/settings/firewall/security",
"relative_path": "security",
"parent_path": "/infra",
"remote_path": "",
"unique_id": "9cd8b89a-f7e3-473d-xxxx-xxxxxxxxxx",
"realization_id": "9cd8b89a-f7e3-473d-xxxx-xxxxxxxxxx",
"owner_id": "0ea7293f-a909-4a7c-xxxx-xxxxxxxxxx",
"origin_site_id": "0ea7293f-a909-4a7c-xxxx-xxxxxxxxxx",
"marked_for_delete": false,
"overridden": false,
"enable_firewall": true,
"disable_auto_drafts": false,
"global_addrset_mode_enabled": true,
"_create_time": 1662999213629,
"_create_user": "system",
"_last_modified_time": 1663098757027,
"_last_modified_user": "admin",
"_system_owned": false,
"_protection": "NOT_PROTECTED",
"_revision": 4
}
Step 2: Use the API response from Step 1 as the payload, toggle the "disable_auto_drafts" value, and invoke the API below to update the settings:
PUT
https://<Manager IP>/policy/api/v1/infra/settings/firewall/security
Note: "disable_auto_drafts" has been toggled to 'true'; every other field, including "_revision", is unchanged from the Step 1 response.
{
"idfw_enabled": false,
"idfw_event_log_scraper_enabled": false,
"idfw_loginsight_enabled": false,
"resource_type": "DfwFirewallConfiguration",
"id": "security",
"display_name": "security",
"path": "/infra/settings/firewall/security",
"relative_path": "security",
"parent_path": "/infra",
"remote_path": "",
"unique_id": "9cd8b89a-f7e3-473d-xxxx-xxxxxxxxxx",
"realization_id": "9cd8b89a-f7e3-473d-xxxx-xxxxxxxxxx",
"owner_id": "0ea7293f-a909-4a7c-xxxx-xxxxxxxxxx",
"origin_site_id": "0ea7293f-a909-4a7c-xxxx-xxxxxxxxxx",
"marked_for_delete": false,
"overridden": false,
"enable_firewall": true,
"disable_auto_drafts": true,
"global_addrset_mode_enabled": true,
"_create_time": 1662999213629,
"_create_user": "system",
"_last_modified_time": 1663098757027,
"_last_modified_user": "admin",
"_system_owned": false,
"_protection": "NOT_PROTECTED",
"_revision": 4
}
Step 3: Use the API response from Step 2 as the payload and invoke the same API again to revert the attribute to its original value (note that "_revision" in the Step 2 response has been incremented, and the PUT payload must carry that value):
PUT
https://<Manager IP>/policy/api/v1/infra/settings/firewall/security
Note: "disable_auto_drafts" has been toggled back to 'false' (the original value); "_revision" is taken from the Step 2 response.
{
"idfw_enabled": false,
"idfw_event_log_scraper_enabled": false,
"idfw_loginsight_enabled": false,
"resource_type": "DfwFirewallConfiguration",
"id": "security",
"display_name": "security",
"path": "/infra/settings/firewall/security",
"relative_path": "security",
"parent_path": "/infra",
"remote_path": "",
"unique_id": "9cd8b89a-f7e3-473d-xxxx-xxxxxxxxxx",
"realization_id": "9cd8b89a-f7e3-473d-xxxx-xxxxxxxxxx",
"owner_id": "0ea7293f-a909-4a7c-xxxx-xxxxxxxxxx",
"origin_site_id": "0ea7293f-a909-4a7c-xxxx-xxxxxxxxxx",
"marked_for_delete": false,
"overridden": false,
"enable_firewall": true,
"disable_auto_drafts": false,
"global_addrset_mode_enabled": true,
"_create_time": 1662999213629,
"_create_user": "system",
"_last_modified_time": 1663098757027,
"_last_modified_user": "admin",
"_system_owned": false,
"_protection": "NOT_PROTECTED",
"_revision": 5
}
Once complete, confirm that the DFW exclusion list is now functioning as expected.
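The three Policy API steps above can be scripted so that the toggle and the revert are always done as a pair and the "_revision" hand-off between Step 2 and Step 3 is not done by hand. The following is an added example, not code from the KB article or from VMware: it uses only the Python standard library, the Manager hostname and credentials are hypothetical placeholders, and the offline run uses a constructed in-memory stand-in for NSX Manager (with a sample settings object copied from the GET response above, placeholders included) that bumps "_revision" on every PUT and rejects a stale one, which is the behaviour the Step 2 -> Step 3 hand-off depends on.

```python
"""Automate the disable_auto_drafts toggle/revert workaround (added example)."""
import base64
import copy
import json
import ssl
import urllib.request

SETTINGS_PATH = "/policy/api/v1/infra/settings/firewall/security"
TOGGLE_FIELD = "disable_auto_drafts"

# Constructed sample: a trimmed copy of the Step 1 GET response from the KB.
SAMPLE_CONFIG = {
    "idfw_enabled": False,
    "resource_type": "DfwFirewallConfiguration",
    "id": "security",
    "path": "/infra/settings/firewall/security",
    "enable_firewall": True,
    "disable_auto_drafts": False,
    "global_addrset_mode_enabled": True,
    "_last_modified_user": "admin",
    "_revision": 4,
}


def toggled_payload(config):
    """Return a copy of a settings object with only disable_auto_drafts flipped.

    _revision is deliberately left untouched: the Policy API refuses a PUT whose
    _revision is stale, which is why each step reuses the previous response.
    """
    if TOGGLE_FIELD not in config:
        raise KeyError(f"{TOGGLE_FIELD} missing from settings object")
    payload = copy.deepcopy(config)
    payload[TOGGLE_FIELD] = not bool(config[TOGGLE_FIELD])
    return payload


def run_toggle_workaround(get_fn, put_fn):
    """Steps 1-3 of the KB. get_fn(path) and put_fn(path, body) return parsed JSON.

    Returns (original value, _revision after Step 2, _revision after Step 3).
    """
    original = get_fn(SETTINGS_PATH)                              # Step 1
    original_value = bool(original[TOGGLE_FIELD])
    flipped = put_fn(SETTINGS_PATH, toggled_payload(original))    # Step 2
    if bool(flipped[TOGGLE_FIELD]) == original_value:
        raise RuntimeError("Step 2 did not change the attribute")
    restored = put_fn(SETTINGS_PATH, toggled_payload(flipped))    # Step 3
    if bool(restored[TOGGLE_FIELD]) != original_value:
        raise RuntimeError("Step 3 did not restore the original value")
    return original_value, flipped["_revision"], restored["_revision"]


class FakeManager:
    """Constructed in-memory stand-in for NSX Manager (offline runs only)."""

    def __init__(self, initial):
        self.obj = copy.deepcopy(initial)

    def get(self, path):
        return copy.deepcopy(self.obj)

    def put(self, path, body):
        # Mirrors the Policy API's optimistic-locking rule on _revision.
        if body.get("_revision") != self.obj["_revision"]:
            raise RuntimeError("stale _revision: re-GET the object and retry")
        self.obj = copy.deepcopy(body)
        self.obj["_revision"] += 1
        return copy.deepcopy(self.obj)


class PolicyClient:
    """Minimal urllib client for a real Manager (hostname/credentials hypothetical).

    verify_tls=False is only for lab Managers with self-signed certificates.
    """

    def __init__(self, manager, user, password, verify_tls=True):
        self.base = f"https://{manager}"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Content-Type": "application/json"}
        self.ctx = ssl.create_default_context()
        if not verify_tls:
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def _call(self, method, path, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(self.base + path, data=data,
                                     headers=self.headers, method=method)
        with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
            return json.load(resp)

    def get(self, path):
        return self._call("GET", path)

    def put(self, path, body):
        return self._call("PUT", path, body)


if __name__ == "__main__":
    fake = FakeManager(SAMPLE_CONFIG)                 # offline demonstration
    print(run_toggle_workaround(fake.get, fake.put))  # (False, 5, 6)
    # Live use (hypothetical values):
    # client = PolicyClient("nsx-manager.example.com", "admin", "PASSWORD")
    # print(run_toggle_workaround(client.get, client.put))
```

The revision numbers in the offline run match the KB's sequence: the GET returns "_revision" 4, the Step 2 PUT is accepted because its payload still carries 4 and returns 5, and the Step 3 PUT carries 5 and returns 6. Sending the Step 1 body a second time in Step 3 would fail the stale-revision check, which is exactly why the KB says to copy the Step 2 response rather than the original one.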