Article ID: 325118
Issue/Introduction
Symptoms:
After upgrading to NSX-T Data Center 3.0.0, NAT traffic matching certain NAT rules is not subjected to gateway firewall processing. The affected rules are:
- NAT rules created through the User Interface with the Firewall option set to "None".
- NAT rules created through the API without specifying the "Firewall_Match" parameter.
Environment
VMware NSX-T Data Center
VMware NSX-T Data Center 3.x
Cause
This issue occurs because the Firewall parameter value "None" was deprecated in NSX-T Data Center 3.0.0. After the upgrade, any NAT rule configured with the Firewall parameter "None" in the UI, and any NAT rule configured through the API without the "Firewall_Match" parameter, is no longer subjected to firewall processing, even though the necessary firewall rules are configured on the Gateway firewall.
How to identify
In the UI, identify NAT rules whose Firewall parameter shows "None":
These rules were either created through the API without specifying the "Firewall_Match" parameter or created through the UI by manually selecting "None".
Resolution
Because the Firewall parameter value "None" was deprecated in NSX-T Data Center 3.0.0, VMware recommends setting the Firewall option to either "Match_internal" or "Match_external" on the NAT page, as needed, so that NAT traffic is processed by the firewall rules. Use the "Bypass" Firewall option if you want NAT traffic to skip firewall processing.
Workaround:
To work around this issue, before upgrading to NSX-T Data Center 3.0.0, set the Firewall parameter to "Match_internal" or "Match_external" on the NAT page through the UI or API, and configure the corresponding firewall rules on that specific gateway firewall as needed.
Use the "Bypass" Firewall option if you want NAT traffic to skip firewall processing.
The following API call sets the Firewall_Match parameter to "MATCH_INTERNAL_ADDRESS" or "MATCH_EXTERNAL_ADDRESS".
PATCH https://IPADDRESS/policy/api/v1/infra/tier-0s/NAT_test_t0/nat/USER/nat-rules/test5
{
    "sequence_number": 0,
    "action": "SNAT",
    "source_network": "121.122.123.124",
    "service": "",
    "translated_network": "2.62.63.64",
    "scope": [],
    "enabled": true,
    "logging": false,
    "firewall_match": "MATCH_INTERNAL_ADDRESS",
    "resource_type": "PolicyNatRule",
    "id": "test5",
    "display_name": "test5",
    "description": "test5",
    "path": "/infra/tier-0s/NAT_test_t0/nat/USER/nat-rules/test5",
    "relative_path": "test5",
    "parent_path": "/infra/tier-0s/NAT_test_t0/nat/USER",
    "unique_id": "841e4efe-63fe-4af1-80a5-5e335a178144",
    "marked_for_delete": false,
    "overridden": false,
    "_create_user": "admin",
    "_create_time": 1463081577291,
    "_last_modified_user": "admin",
    "_last_modified_time": 1463081577292,
    "_system_owned": false,
    "_protection": "NOT_PROTECTED",
    "_revision": 0
}
Update the gateway firewall rule:
This PATCH API updates the rule if it already exists, or creates a new one if the rule-id is not present.
PATCH /policy/api/v1/infra/domains/<domain-id>/gateway-policies/<gateway-policy-id>/rules/<rule-id>
Example:
PATCH https://IPADDRESS/policy/api/v1/infra/domains/default/gateway-policies/fc522750-946d-11ea-a9d3-f386ccd20158/rules/rule5
{
    "source_groups": [
        "121.122.123.124"
    ],
    "destination_groups": [
        "ANY"
    ],
    "services": [
        "ANY"
    ],
    "profiles": [
        "ANY"
    ],
    "action": "ALLOW",
    "logged": false,
    "scope": [
        "/infra/tier-0s/NAT_test_t0/locale-services/5fb11430-9470-11ea-9ff8-8ba8ef778d52/interfaces/ext1"
    ]
}
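The "How to identify" step and the NAT rule PATCH above can be scripted against the NSX-T Policy API so that every USER NAT rule on a tier-0 is checked before the upgrade rather than inspected one by one in the UI. The following Python script is an added example, not code from the VMware KB or from NSX-T itself. It assumes that a rule created without Firewall_Match is returned by GET either without the "firewall_match" field or with a value outside the 3.x set (MATCH_INTERNAL_ADDRESS, MATCH_EXTERNAL_ADDRESS, BYPASS); the manager hostname, credentials and the SAMPLE_RULES data are constructed placeholders.

```python
"""Added example (not from the VMware KB): audit the USER NAT rules of a tier-0
gateway for a missing or no-longer-valid firewall_match and build the PATCH
body that sets it, using the NSX-T Policy API paths shown in the article."""
import base64
import json
import ssl
import urllib.request

# firewall_match values accepted by NSX-T Data Center 3.x (NSX-T Policy API).
VALID_MATCH = {"MATCH_INTERNAL_ADDRESS", "MATCH_EXTERNAL_ADDRESS", "BYPASS"}

# List/collection path for USER NAT rules on a tier-0, as used by the KB example.
NAT_RULES_PATH = "/policy/api/v1/infra/tier-0s/{t0}/nat/USER/nat-rules"


def needs_remediation(rule):
    """True when the rule carries no firewall_match value from the 3.x set.
    Assumption: a rule created without Firewall_Match (or with the deprecated
    "None") comes back from GET without the field or with a value not in
    VALID_MATCH; traffic for such a rule skips the gateway firewall post-upgrade."""
    return rule.get("firewall_match") not in VALID_MATCH


def find_unmatched_rules(rules):
    """Return the ids of NAT rules that need a firewall_match set."""
    return [rule["id"] for rule in rules if needs_remediation(rule)]


def build_patch_body(rule, match="MATCH_INTERNAL_ADDRESS"):
    """Copy the rule as returned by GET and set firewall_match, mirroring the
    KB's PATCH example (the full object, _revision included, is sent back)."""
    if match not in VALID_MATCH:
        raise ValueError("unsupported firewall_match value: %s" % match)
    body = dict(rule)          # leave the caller's copy untouched
    body["firewall_match"] = match
    return body


def nsx_request(manager, method, path, user, password, body=None, ctx=None):
    """Send one request to the NSX Manager Policy API with HTTP basic auth.
    ctx is an ssl.SSLContext; pass one that trusts the manager's certificate."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request("https://%s%s" % (manager, path), data=data, method=method)
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, context=ctx) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def remediate_tier0(manager, t0_id, user, password, match="MATCH_INTERNAL_ADDRESS",
                    dry_run=True, ctx=None):
    """List the USER NAT rules of one tier-0, report those lacking a valid
    firewall_match and, unless dry_run, PATCH each of them with the chosen value."""
    collection = NAT_RULES_PATH.format(t0=t0_id)
    listing = nsx_request(manager, "GET", collection, user, password, ctx=ctx)
    rules = listing.get("results", [])      # policy list responses wrap items in "results"
    flagged = find_unmatched_rules(rules)
    if not dry_run:
        for rule in rules:
            if rule["id"] in flagged:
                nsx_request(manager, "PATCH", collection + "/" + rule["id"],
                            user, password, build_patch_body(rule, match), ctx)
    return flagged


# Constructed sample of a GET .../nat-rules response, trimmed to the relevant fields.
SAMPLE_RULES = [
    {"id": "test5", "action": "SNAT", "source_network": "121.122.123.124",
     "translated_network": "2.62.63.64", "firewall_match": "MATCH_INTERNAL_ADDRESS",
     "_revision": 0},
    # created before 3.0 through the API without Firewall_Match: no field at all
    {"id": "legacy-dnat", "action": "DNAT", "destination_network": "2.62.63.65",
     "translated_network": "10.0.0.5", "_revision": 2},
    # deliberately bypasses the firewall; valid in 3.x, so not flagged
    {"id": "no-fw", "action": "SNAT", "source_network": "10.0.1.0/24",
     "translated_network": "2.62.63.66", "firewall_match": "BYPASS", "_revision": 1},
]

if __name__ == "__main__":
    print("NAT rules needing firewall_match:", find_unmatched_rules(SAMPLE_RULES))
    # Live run against a manager (placeholder host and password):
    # ctx = ssl.create_default_context()
    # print(remediate_tier0("nsx-manager.example", "NAT_test_t0", "admin", "PASSWORD",
    #                       dry_run=False, ctx=ctx))
```

Run it first with dry_run=True (the default) to get the list of rule ids that would be changed, then rerun with dry_run=False once the matching gateway firewall rules from the "Update the gateway firewall rule" step exist; setting firewall_match before those rules are in place would otherwise start dropping NAT traffic at the gateway firewall. The audit only covers tier-0 USER NAT rules; tier-1 gateways use the same path shape under /infra/tier-1s/.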
Additional Information
Impact/Risks:
NAT traffic flow is not subjected to firewall processing post-upgrade to NSX-T Data Center 3.0.0 from earlier NSX-T Data Center 2.x releases.