Default NAT behavior changes in NSX-T Data Center 3.0.0

Products

VMware NSX

Issue/Introduction

Symptoms:
NAT traffic flow is not subjected to firewall processing for specific NAT rules, after upgrade to NSX-T Data Center 3.0.0:

NAT rules were created through the User Interface, with the Firewall option as "None".
NAT rules were created through the API without specifying the "Firewall_Match" parameter.

Environment

VMware NSX-T Data Center
VMware NSX-T Data Center 3.x

Cause

This issue occurs as Firewall Parameter "None" was deprecated in NSX-T Data Center 3.0.0, any NAT rules configured with the Firewall parameter as "None" in the UI and any NAT rules configured through the API without "Firewall_Match" parameter are not subjected to firewall processing post-upgrade, even though the necessary firewall rules are configured at the Gateway firewall.

How to identify

Identify NAT rules with Firewall Parameter as "None" in the UI:

These rules are either configured through the API without specifying the "Firewall_Match" parameter or configured through the UI by manually selecting "None".

Resolution

VMware recommends to either configure or "Match_internal" or "Match_external" in NAT page as per need to have NAT to do firewall rules processing as Firewall Parameter "None" was deprecated in NSX-T Data Center 3.0.0. Use the "Bypass" for Firewall Option if you want to skip Firewall processing with NAT.

Workaround:
To work around this issue, Set the firewall parameter to "Match_internal" or "Match_external" in the NAT page through the UI or API and configure corresponding firewall rules at that specific gateway firewall as per the need, before upgrading to NSX-T Data Center 3.0.0.

Use the "Bypass" for Firewall Option if you to skip Firewall processing with NAT.

THE Following are the API to set the Firewall_Match parameter as “MATCH_INTERNAL_ADDRESS” or “MATCH_EXTERNAL_ADDRESS”.

PATCH https://IPADDRESS/policy/api/v1/infra/tier-0s/NAT_test_t0/nat/USER/nat-rules/test5
{
"sequence_number": 0,
"action": "SNAT",
"source_network": "192.168.1.1",
"service": "",
"translated_network": "10.1.1.1",
"scope": [],
"enabled": true,
"logging": false,
"firewall_match": "MATCH_INTERNAL_ADDRESS",
"resource_type": "PolicyNatRule",
"id": "test5",
"display_name": "test5",
"description": "test5",
"path": "/infra/tier-0s/NAT_test_t0/nat/USER/nat-rules/test5",
"relative_path": "test5",
"parent_path": "/infra/tier-0s/NAT_test_t0/nat/USER",
"unique_id": "841e4efe-####-####-####-########8144",
"marked_for_delete": false,
"overridden": false,
"_create_user": "admin",
"_create_time": 1463081577291,
"_last_modified_user": "admin",
"_last_modified_time": 1463081577292,
"_system_owned": false,
"_protection": "NOT_PROTECTED",
"_revision": 0
}

Update gateway rule:

This patch API will update the rule if it is already present or create a new one, if the rule-I is not present.

PATCH /policy/api/v1/infra/domains/<domain-id>/gateway-policies/<gateway-policy-id>/rules/<rule-id>

Example:

PATCH https://1PADDRESS/policy/api/v1/infra/domains/default/gateway-policies/fc522750-####-####-####-########0158/rules/rule5

{

"source_groups": [
"192.168.1.1",
],
"destination_groups": [
"ANY"
],
"services": [
"ANY"
],
"profiles": [
"ANY"
],
"action": "ALLOW",
"logged": false,
"scope": [
"/infra/tier-0s/NAT_test_t0/locale-services/5fb11430-####-####-####-########8d52/interfaces/ext1"
]
}

Additional Information

Impact/Risks:
NAT traffic flow is not subjected to firewall processing post-upgrade to NSX-T Data Center 3.0.0 from earlier NSX-T Data Center 2.x releases.