NSX-T Data Center Edge Gateway Firewall Default rule gets modified by system

Article ID: 322659

Products

VMware NSX Networking

Issue/Introduction

Symptoms:
  • In NSX-T Data Center, under Security, Gateway Firewall, the Default rule for a particular Logical Router (LR) is set to Reject or Drop in the Policy UI.
  • In the Manager UI the same rule shows Reject or Drop accordingly.
  • When the Default Rule Logging option is enabled under Actions, General Firewall Settings in the Policy UI for that Logical Router, the Default rule Action changes to Allow.
  • The same behavior occurs when the Gateway Firewall APIs are used instead of the UI, by updating
    • /infra/tier-0s/<tier-0-id>
    • /infra/tier-1s/<tier-1-id>
    • and setting default_rule_logging to true.


Environment

VMware NSX-T Data Center 2.5.x
VMware NSX-T Data Center
VMware NSX-T Data Center 3.x

Cause

The Gateway Firewall General Settings option Default Rule Logging uses the Logical Router (LR) property default_rule_logging, which has been marked as deprecated.
The issue is caused by the LR API behavior that resets force_whitelisting to false whenever default_rule_logging is toggled. With force_whitelisting set to false the gateway's Default rule is Allow, which is why the Default rule Action shown in the UI changes.
This behavior occurs whether the flag is changed from the UI or directly through the API.

Resolution

The issue is resolved in NSX-T Data Center 3.1.2. On earlier affected versions, after changing the Default Rule Logging option, verify the Default rule Action for the Logical Router (or the force_whitelisting property on the Tier-0/Tier-1 object) and set it back to Drop or Reject if it has reverted to Allow.
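For deployments still on an affected version, the following added Python example (not VMware's code and not part of this article) shows how to toggle default_rule_logging through a Policy API client and re-assert force_whitelisting if the toggle reset it, plus an audit that lists gateways whose default rule is currently open. The FakePolicyApi class, the SAMPLE objects and the gateway ids t0-edge and t1-app are constructed for the example and reproduce the behavior described in the Cause section; a real client would implement the same get/patch methods against https://<nsx-manager>/policy/api/v1 with the paths shown in Symptoms. Reading force_whitelisting false as "Default rule is Allow" follows the symptom above and is an assumption.

```python
"""Guard for the default_rule_logging / force_whitelisting interaction.

Added example: toggles default_rule_logging on a Tier-0 or Tier-1 through an
abstract Policy API client (get(path) -> dict, patch(path, body) -> dict),
checks that force_whitelisting survived the change, and re-asserts it when the
affected-version behaviour reset it to False.
"""
import copy

# Assumption, based on the KB symptom: force_whitelisting False means the
# gateway's Default rule is Allow; True means it is Drop or Reject.
DEFAULT_RULE_ACTION = {False: "ALLOW", True: "DROP/REJECT"}

# Constructed sample objects (not real NSX data), keyed by Policy API path.
SAMPLE = {
    "/infra/tier-0s/t0-edge": {
        "resource_type": "Tier0", "id": "t0-edge",
        "force_whitelisting": True, "default_rule_logging": False,
    },
    "/infra/tier-1s/t1-app": {
        "resource_type": "Tier1", "id": "t1-app",
        "force_whitelisting": True, "default_rule_logging": False,
    },
}


class FakePolicyApi:
    """Stand-in for the NSX-T Policy API (hypothetical, not the real manager).

    With affected=True it reproduces the KB behaviour: any PATCH that changes
    default_rule_logging also resets force_whitelisting to False.
    """

    def __init__(self, affected, objects):
        self.affected = affected
        self.store = copy.deepcopy(objects)

    def get(self, path):
        return copy.deepcopy(self.store[path])

    def patch(self, path, body):
        obj = self.store[path]
        toggled = ("default_rule_logging" in body
                   and body["default_rule_logging"] != obj.get("default_rule_logging", False))
        obj.update(body)
        if self.affected and toggled:
            obj["force_whitelisting"] = False  # the bug described in the KB
        return copy.deepcopy(obj)


def set_default_rule_logging(api, path, enabled):
    """Toggle default_rule_logging and keep the default rule as it was.

    Records force_whitelisting before the change, re-reads the object after
    the PATCH and, if the flag was reset, PATCHes it back. Assumption: a PATCH
    that does not touch default_rule_logging leaves the flag alone.
    """
    before = api.get(path)
    wanted = bool(before.get("force_whitelisting", False))
    api.patch(path, {"default_rule_logging": enabled})
    after = api.get(path)
    repaired = False
    if bool(after.get("force_whitelisting", False)) != wanted:
        api.patch(path, {"force_whitelisting": wanted})
        after = api.get(path)
        repaired = True
    return {
        "default_rule_logging": bool(after.get("default_rule_logging", False)),
        "force_whitelisting": bool(after.get("force_whitelisting", False)),
        "default_rule_action": DEFAULT_RULE_ACTION[bool(after.get("force_whitelisting", False))],
        "repaired": repaired,
    }


def audit_whitelisting(api, paths):
    """Return the gateway paths whose default rule is currently open (Allow)."""
    return [p for p in paths if not api.get(p).get("force_whitelisting", False)]


if __name__ == "__main__":
    for affected in (True, False):
        api = FakePolicyApi(affected, SAMPLE)
        result = set_default_rule_logging(api, "/infra/tier-0s/t0-edge", True)
        print("affected version:", affected, "->", result)
        print("gateways with an Allow default rule:", audit_whitelisting(api, list(SAMPLE)))
```

The guard deliberately issues force_whitelisting in a separate PATCH rather than in the same body as default_rule_logging, because the article only states that toggling the logging flag resets force_whitelisting; whether a combined body survives on an affected version is not documented here. Run audit_whitelisting over every Tier-0 and Tier-1 path after any bulk change to logging settings, since the reset happens silently.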