IP address or as a Container IP in Firewall data plane in NSX
Article ID: 325085


Updated On:


VMware NSX Networking



  • When either of the affected IP addresses is configured in an IPSet and that IPSet is applied to a Security Group used by a firewall rule, the address set is empty on the data plane, so the traffic falls through to the default deny rule.
  • When either of the affected IP addresses is used in a firewall rule's Source or Destination together with any other IP address, the rule action is not applied to the affected address; it applies only to the other IP(s).

Non-working condition:

Container set (Security Group containing an IPSet whose member is the affected address), as seen on the host's data plane:

vsipioctl getaddrsets -f nic-69152-eth0-vmware-sfw.2
addrset ip-ipset-4 {
} -----------> empty here

The DFW drops the packets because they hit the default deny rule: the intended rule cannot match, since its address set is empty.

Or, when the affected address is configured in a rule along with another IP address, only the other IP address shows up in the rule's address set; the affected address is missing from it:

vsipioctl getaddrsets -f nic-69152-eth0-vmware-sfw.2 | grep -A 3 23869
addrset rsrc23869 {

addrset src21978 {

[root@sc2-rdops-vm09-dhcp-61-132:/var/log] vsipioctl getrules -f nic-69152-eth0-vmware-sfw.2 | grep 23869
  rule 23869 at 4 inout protocol any from addrset rsrc23869 to any accept with log;


VMware NSX for vSphere 6.3.x


This issue is resolved in VMware NSX for vSphere 6.3.7, available at VMware Downloads.

In VMware NSX for vSphere 6.4.1, a 'Critical' event is generated for an IPSet that contains either of the affected addresses, so the misconfiguration is flagged instead of silently producing an empty address set.



If you do not want to upgrade, work around the issue by using the affected IP address alone as the firewall rule's Source or Destination IP (directly in the rule, not through an IPSet or Security Group, and not combined with other addresses) with the required action. The data plane then renders the address inline in the rule instead of through an address set, which you can confirm with vsipioctl getrules:

For example:


vsipioctl getrules -f nic-69152-eth0-vmware-sfw.2 | grep "ip 0."
rule 23869 at 4 inout protocol any from ip to any accept;
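The checks in this article are done by reading vsipioctl output by eye. The script below is an added example, not part of the VMware KB and not an NSX tool: it parses the text of vsipioctl getaddrsets and vsipioctl getrules to list address sets that are empty, the rules that reference them (the symptom above), and what a given rule's source compiled to on the data plane, so that the workaround (the address rendered inline as "ip <addr>" rather than via an address set) can be confirmed as well. All sample output, address set names, rule numbers and IP addresses embedded in it are constructed for illustration and are assumptions, not taken from a real host; on an ESXi host you would feed the functions the real `vsipioctl getaddrsets -f <filter>` and `vsipioctl getrules -f <filter>` output instead.

```shell
#!/bin/sh
# Added example, not from the VMware KB: triage helpers for the empty-address-set
# symptom. Feed them the text of `vsipioctl getaddrsets -f <filter>` and
# `vsipioctl getrules -f <filter>` from an ESXi host. All sample data below is
# constructed; the set names, rule numbers and IPs are assumptions for illustration.

# Constructed sample of getaddrsets output: ip-ipset-4 is empty (the symptom),
# the other two sets have members.
SAMPLE_ADDRSETS='addrset ip-ipset-4 {
}
addrset rsrc23869 {
ip 192.0.2.10,
ip 192.0.2.11,
}
addrset src21978 {
ip 198.51.100.5,
}'

# Constructed sample of getrules output. Rule 23870 references the empty set;
# rule 23871 has the workaround shape (address written inline as "ip <addr>").
SAMPLE_RULES='rule 23869 at 4 inout protocol any from addrset rsrc23869 to any accept with log;
rule 23870 at 5 inout protocol any from addrset ip-ipset-4 to any accept;
rule 23871 at 6 inout protocol any from ip 203.0.113.7 to any accept;
rule 1001 at 7 inout protocol any from any to any drop;'

# empty_addrsets: read getaddrsets text on stdin and print the name of every
# address set that has no member lines between its "{" and "}".
empty_addrsets() {
  awk '
    /^addrset / { name = $2; count = 0; next }
    /^}/        { if (name != "" && count == 0) print name; name = ""; next }
    name != ""  { if ($0 !~ /^[[:space:]]*$/) count++ }
  '
}

# rules_with_empty_addrsets ADDRSETS_TEXT RULES_TEXT: print one line per rule
# whose source or destination is an empty address set. Such a rule can never
# match, so traffic it was meant to permit falls through to the default rule.
rules_with_empty_addrsets() {
  empties=$(printf '%s\n' "$1" | empty_addrsets)
  [ -n "$empties" ] || return 0
  printf '%s\n' "$2" | awk -v list="$empties" '
    BEGIN { n = split(list, e, "\n"); for (i = 1; i <= n; i++) if (e[i] != "") empty[e[i]] = 1 }
    $1 == "rule" {
      for (i = 1; i < NF; i++)
        if ($i == "addrset" && ($(i+1) in empty))
          print "rule " $2 " references empty addrset " $(i+1)
    }
  '
}

# rule_source RULES_TEXT RULE_ID: print what the rule's source compiled to on the
# data plane: "addrset <name>", "ip <addr>", or "any". After the workaround the
# affected rule should show "ip <addr>", not an addrset.
rule_source() {
  printf '%s\n' "$1" | awk -v id="$2" '
    $1 == "rule" && $2 == id {
      for (i = 1; i < NF; i++) if ($i == "from") {
        if ($(i+1) == "any") print "any"; else print $(i+1) " " $(i+2)
        exit
      }
    }
  '
}

# Run against the constructed samples (replace with real vsipioctl output on a host).
rules_with_empty_addrsets "$SAMPLE_ADDRSETS" "$SAMPLE_RULES"
rule_source "$SAMPLE_RULES" 23871
```

On a host you would capture the two outputs into files (for example `vsipioctl getaddrsets -f "$FILTER" > sets.txt`) and call `rules_with_empty_addrsets "$(cat sets.txt)" "$(cat rules.txt)"`; any rule it lists is one whose intended match can never occur, which is exactly the condition that sends traffic to the default deny rule in the symptom above.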