Default NAT behavior changes in NSX-T Data Center 3.0.0
search cancel

Default NAT behavior changes in NSX-T Data Center 3.0.0

book

Article ID: 325118

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

Symptoms:
NAT traffic flow is not subjected to firewall processing for specific NAT rules, after upgrade to NSX-T Data Center 3.0.0:
  • NAT rules were created through the User Interface, with the Firewall option as "None".
  • NAT rules were created through the API without specifying the "Firewall_Match" parameter.


Environment

VMware NSX-T Data Center
VMware NSX-T Data Center 3.x

Cause

This issue occurs as Firewall Parameter "None" was deprecated in NSX-T Data Center 3.0.0, any NAT rules configured with the Firewall parameter as "None" in the UI and any NAT rules configured through the API without "Firewall_Match" parameter are not subjected to firewall processing post-upgrade, even though the necessary firewall rules are configured at the Gateway firewall.

How to identify

Identify NAT rules with Firewall Parameter as "None" in the UI:

These rules are either configured through the API without specifying the "Firewall_Match" parameter or configured through the UI by manually selecting "None".

Resolution

VMware recommends to either configure or "Match_internal" or "Match_external" in NAT page as per need to have NAT to do firewall rules processing as Firewall Parameter "None" was deprecated in NSX-T Data Center 3.0.0. Use the "Bypass" for Firewall Option if you want to skip Firewall processing with NAT.

Workaround:
To work around this issue, Set the firewall parameter to "Match_internal" or "Match_external" in the NAT page through the UI or API and configure corresponding firewall rules at that specific gateway firewall as per the need, before upgrading to NSX-T Data Center 3.0.0.  

Use the "Bypass" for Firewall Option if you to skip Firewall processing with NAT. 

THE Following are the API to set the Firewall_Match parameter as “MATCH_INTERNAL_ADDRESS” or “MATCH_EXTERNAL_ADDRESS”.

PATCH https://IPADDRESS/policy/api/v1/infra/tier-0s/NAT_test_t0/nat/USER/nat-rules/test5 
{
  "sequence_number": 0,
  "action": "SNAT",
  "source_network": "192.168.1.1",
  "service": "",
  "translated_network": "10.1.1.1",
  "scope": [],
  "enabled": true,
  "logging": false,
  "firewall_match": "MATCH_INTERNAL_ADDRESS",
  "resource_type": "PolicyNatRule",
  "id": "test5",
  "display_name": "test5",
  "description": "test5",
  "path": "/infra/tier-0s/NAT_test_t0/nat/USER/nat-rules/test5",
  "relative_path": "test5",
  "parent_path": "/infra/tier-0s/NAT_test_t0/nat/USER",
  "unique_id": "841e4efe-####-####-####-########8144",
  "marked_for_delete": false,
  "overridden": false,
  "_create_user": "admin",
  "_create_time": 1463081577291,
  "_last_modified_user": "admin",
  "_last_modified_time": 1463081577292,
  "_system_owned": false,
  "_protection": "NOT_PROTECTED",
  "_revision": 0
}


Update gateway rule:

This patch API will update the rule if it is already present or create a new one, if the rule-I is not present.

PATCH /policy/api/v1/infra/domains/<domain-id>/gateway-policies/<gateway-policy-id>/rules/<rule-id>

Example:

PATCH https://1PADDRESS/policy/api/v1/infra/domains/default/gateway-policies/fc522750-####-####-####-########0158/rules/rule5

{

       "source_groups": [
        "192.168.1.1",
      ],
      "destination_groups": [
        "ANY"
      ],
      "services": [
        "ANY"
      ],
      "profiles": [
        "ANY"
      ],
      "action": "ALLOW",
      "logged": false,
      "scope": [
        "/infra/tier-0s/NAT_test_t0/locale-services/5fb11430-####-####-####-########8d52/interfaces/ext1"
      ]
}


Additional Information

Impact/Risks:
NAT traffic flow is not subjected to firewall processing post-upgrade to NSX-T Data Center 3.0.0  from earlier NSX-T Data Center 2.x releases.