NSX-T Data Center Edge Gateway Firewall Default rule gets modified by system
Article ID: 322659
Products
VMware NSX Networking
Issue/Introduction
Symptoms:
On the NSX-T Data Center, Security, Gateway Firewall, for a particular Logical Router (LR), in the Policy UI the Default rule is set to Reject or Drop.
In the Manager UI the same rule is set to Reject or Drop accordingly.
When enabling the Default Rule Logging option under Actions, General Firewall Settings in the Policy UI for that Logical Router, the Default rule Action changes from Reject or Drop to Allow.
The same behavior occurs when using the Gateway Firewall APIs instead of the UI, by patching the Tier-0 or Tier-1 object:
/infra/tier-0s/<tier-0-id>
/infra/tier-1s/<tier-1-id>
and setting default_rule_logging to true.
Environment
VMware NSX-T Data Center 2.5.x
VMware NSX-T Data Center 3.x
VMware NSX-T Data Center
Cause
The Gateway Firewall, General Settings, Default Rule Logging option is backed by the Logical Router property default_rule_logging, which has been marked as deprecated. The Reject/Drop default rule is backed by the Logical Router property force_whitelisting. The issue is a result of the LR API behavior, which resets force_whitelisting to false whenever the user toggles the default_rule_logging flag; with force_whitelisting cleared, the Default rule falls back to Allow. This behavior is present from the UI as well as from the API, because the UI uses the same property.
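The following is an added example, not code from this KB article or from VMware: a small Python helper that toggles default_rule_logging on a Tier-0/Tier-1, re-reads the object, and restores force_whitelisting if the toggle reset it, so the Default rule does not silently become Allow. The article does not say whether sending both properties in one PATCH survives the reset, so the example verifies after the toggle and re-applies force_whitelisting in a separate PATCH that does not touch default_rule_logging. The Policy API base path /policy/api/v1, basic authentication, and the SimulatedBuggyRouterApi stand-in (which reproduces the reset described above for offline testing) are assumptions of this example.

```python
"""Toggle Gateway Firewall default-rule logging on an NSX-T Tier-0/Tier-1 without
silently losing a Reject/Drop default rule (force_whitelisting)."""
import base64
import json
import ssl
import urllib.request


def force_whitelisting_was_reset(before: dict, after: dict) -> bool:
    """True when the default rule was Drop/Reject (force_whitelisting) before the
    change and is no longer afterwards, i.e. the reset this KB describes happened."""
    return bool(before.get("force_whitelisting")) and not bool(after.get("force_whitelisting"))


def set_default_rule_logging(api, enable: bool):
    """Toggle default_rule_logging through ``api`` (any object with get() and
    patch(body) returning the router as a dict), re-read the router, and restore
    force_whitelisting if the toggle reset it.
    Returns (final_state, reset_was_detected)."""
    before = api.get()
    api.patch({"default_rule_logging": enable})
    after = api.get()
    reset = force_whitelisting_was_reset(before, after)
    if reset:
        # Re-apply the original value in a separate PATCH that does not touch
        # default_rule_logging, so the toggle-triggered reset is not fired again.
        api.patch({"force_whitelisting": before["force_whitelisting"]})
        after = api.get()
    return after, reset


class PolicyRouterClient:
    """Minimal Policy API client for one Tier-0/Tier-1. Assumed URL layout:
    https://<manager>/policy/api/v1/infra/tier-1s/<id> with basic auth."""

    def __init__(self, manager, path, user, password, verify_tls=True):
        self.url = f"https://{manager}/policy/api/v1{path}"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Content-Type": "application/json"}
        self.ctx = ssl.create_default_context()
        if not verify_tls:  # lab use only; keep verification on for production managers
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def _call(self, method, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.url, data=data, method=method, headers=self.headers)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}

    def get(self):
        return self._call("GET")

    def patch(self, body):
        self._call("PATCH", body)  # PATCH returns an empty body; read back explicitly
        return self.get()


class SimulatedBuggyRouterApi:
    """Constructed offline stand-in reproducing the behaviour the KB describes:
    any change to default_rule_logging resets force_whitelisting to False."""

    def __init__(self, state):
        self.state = dict(state)

    def get(self):
        return dict(self.state)

    def patch(self, body):
        toggled = ("default_rule_logging" in body
                   and body["default_rule_logging"] != self.state.get("default_rule_logging"))
        self.state.update(body)
        if toggled:
            self.state["force_whitelisting"] = False
        return dict(self.state)


if __name__ == "__main__":
    # Offline run against the constructed stand-in; swap in PolicyRouterClient(
    # "nsx-mgr.example", "/infra/tier-1s/<tier-1-id>", "admin", "...") for a real manager.
    sim = SimulatedBuggyRouterApi({"default_rule_logging": False, "force_whitelisting": True})
    final, reset = set_default_rule_logging(sim, True)
    print("reset detected:", reset, "final state:", final)
```

Run the read-back check after every change to these properties, from the UI as well as from the API, since both paths go through the same deprecated LR property.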