Impact of Identity Firewall (IDFW) Enable/Disable on existing connections in NSX-T
Article ID: 325103

Products

VMware NSX Networking

Issue/Introduction

This article explains the impact of enabling or disabling the Identity Firewall (IDFW) on existing and new connections.

Environment

VMware NSX-T Data Center 2.x
VMware NSX-T Data Center

Resolution

While IDFW is disabled, user identity information is not available and IDFW rules are not enforced. Connections established during this period skip IDFW rule evaluation and are matched against the other, non-IDFW rules in the rule set. When IDFW is later enabled, those existing connections continue to skip IDFW evaluation; only new connections are evaluated against the IDFW rules.

While IDFW is enabled, user identity information is available and IDFW rules are enforced. Connections established during this period are evaluated against the IDFW rules for a match. When IDFW is later disabled, those existing connections continue to be evaluated against the IDFW rules; only new connections skip the IDFW rules.

In conclusion, enabling or disabling IDFW does not change the behavior of existing connections. Only new connections are affected by the change.
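As an added illustration (not VMware's code and not the NSX implementation), the following Python model shows the mechanism behind this behavior: a stateful firewall evaluates rules on a connection's first packet and caches the matched rule in its flow table, so toggling IDFW only changes the outcome for connections created after the toggle. The rule names, addresses and user in it are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    src: str = None   # source IP the rule matches; None = any
    user: str = None  # set => IDFW (identity-based) rule; None => non-IDFW rule

@dataclass
class Firewall:
    rules: list
    idfw_enabled: bool
    identity_map: dict = field(default_factory=dict)  # src IP -> logged-in user (from IDFW)
    flows: dict = field(default_factory=dict)         # flow key -> matched rule (flow cache)

    def _evaluate(self, flow):
        """Rule lookup, done once on the first packet of a connection."""
        src_ip = flow[0]
        # With IDFW disabled no identity is available, so IDFW rules never match.
        user = self.identity_map.get(src_ip) if self.idfw_enabled else None
        for rule in self.rules:
            if rule.src not in (None, src_ip) or rule.user not in (None, user):
                continue
            return rule.name
        return "default-drop"

    def packet(self, flow):
        """Return the rule applied to this packet; an existing flow hits the cache."""
        if flow not in self.flows:          # new connection: evaluate rules now
            self.flows[flow] = self._evaluate(flow)
        return self.flows[flow]             # existing connection: no re-evaluation

# Constructed rule set: an IDFW rule for one user, then a non-IDFW rule for the same host.
RULES = [Rule("idfw-allow-alice", user="corp\\alice"), Rule("lan-allow", src="10.0.0.5")]

def scenario():
    """Constructed timeline: toggle IDFW and compare existing vs. new connections."""
    fw = Firewall(RULES, idfw_enabled=False, identity_map={"10.0.0.5": "corp\\alice"})
    a, b, c = [("10.0.0.5", "10.0.1.10", 3306, port) for port in (40001, 40002, 40003)]
    out = {"a_while_disabled": fw.packet(a)}   # IDFW off: a matches the non-IDFW rule
    fw.idfw_enabled = True
    out["a_after_enable"] = fw.packet(a)       # existing flow keeps skipping IDFW rules
    out["b_while_enabled"] = fw.packet(b)      # new flow is matched against the IDFW rule
    fw.idfw_enabled = False
    out["b_after_disable"] = fw.packet(b)      # existing flow keeps its IDFW match
    out["c_while_disabled"] = fw.packet(c)     # new flow skips IDFW rules again
    return out
```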