IDFW not functioning as expected when using Tools for login detection
Article ID: 324222
Products
VMware NSX
Issue/Introduction
Symptoms:
NSX-T Data Center
IDFW is configured
VMware Tools Guest Introspection is used for login detection
AD user logins are detected correctly, and in the UI the AD group shows the VM as a member
IDFW rules that use this AD group are not matched as expected; a default Allow or Drop rule may be hit instead
The guest VM has third-party security software installed
Environment
VMware NSX-T Data Center 3.x
Cause
When third-party network security software runs on a virtual machine as a system service, network connections made by the logged-in user can be proxied or re-originated by that service, so they appear to originate from the system context rather than the user's context. IDFW identifies the user behind a connection from that context, so it cannot apply user-specific rules to those connections and traffic falls through to the default rule.
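To confirm this condition in a Windows guest, it helps to see which account owns each established TCP connection. The following PowerShell snippet is an added diagnostic, not part of this KB article or of NSX-T itself; it assumes a Windows guest with PowerShell 3.0 or later and an elevated session (Get-Process -IncludeUserName requires administrator rights). Connections flagged as running in a service-account context are the ones IDFW cannot attribute to the logged-in user.

```powershell
# Added diagnostic (not from the KB): map established TCP connections in a Windows guest
# to the owning process and the account it runs as. Requires an elevated session.

# Accounts that indicate a connection runs in system/service context rather than user context.
$serviceAccounts = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\LOCAL SERVICE',
    'NT AUTHORITY\NETWORK SERVICE'
)

# Build a PID -> process lookup once; Get-Process Id is Int32, so keys are Int32.
$byId = @{}
foreach ($p in (Get-Process -IncludeUserName)) {
    $byId[$p.Id] = $p
}

Get-NetTCPConnection -State Established |
    ForEach-Object {
        # OwningProcess is UInt32; cast so the hashtable lookup matches the Int32 keys.
        $owner = $byId[[int]$_.OwningProcess]
        [PSCustomObject]@{
            LocalAddress   = $_.LocalAddress
            LocalPort      = $_.LocalPort
            RemoteAddress  = $_.RemoteAddress
            RemotePort     = $_.RemotePort
            PID            = $_.OwningProcess
            Process        = $owner.ProcessName
            RunsAs         = $owner.UserName
            # True when the connection is owned by a service account: IDFW per-user rules will not match it.
            ServiceContext = ($owner.UserName -in $serviceAccounts)
        }
    } |
    Sort-Object ServiceContext -Descending |
    Format-Table -AutoSize
```

If the rows for the user's applications (a browser, an RDP or file-share client) show a third-party security product's process name under Process and a service account under RunsAs while the user is logged in, the connections are being re-originated in system context, which is the behaviour described in the Cause section.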
Resolution
This issue is not present on NSX-T Data Center 3.2.0 and later in combination with VMware Tools 11.2.5 and later.
Workaround: To work around the issue, uninstall the third-party software from the guest VM.
Alternatively, from NSX-T 3.2 onwards, use the Event Server log scraper for login detection instead of introspection via VMware Tools.