Distributed firewall rules fail to apply on VM's without VMware tools
Article ID: 325456


Products

VMware NSX Networking

Issue/Introduction

Symptoms:

When VM names (VM objects) are used as the source or destination in NSX distributed firewall rules:

  • The firewall rules, which are enforced on the IP addresses resolved from those VM names, are not applied to the virtual machines.
  • VMware Tools is not installed in the affected virtual machines.


Environment

VMware NSX for vSphere 6.4.x
VMware NSX for vSphere 6.2.x
VMware NSX for vSphere 6.3.x

Resolution

To resolve this issue, use one of these options:

  • Install VMware tools on the virtual machine.
  • Change IP Detection Type on cluster level to DHCP snooping, ARP snooping or both.
  • Use IP Addresses instead of VM names.

For more information, see IP Discovery for Virtual Machines and Change IP Detection Type.

Note: If you enable ARP snooping and some VMs have two IP addresses on the same NIC, SpoofGuard must also be enabled.
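The following PowerCLI script is an added example, not part of this KB article or VMware's tooling. It audits a cluster for powered-on VMs whose IP addresses cannot be learned through VMware Tools (so VM-name based DFW rules would not resolve without DHCP or ARP snooping) and for NICs carrying more than one IPv4 address, where the SpoofGuard note above applies. It assumes an existing Connect-VIServer session; the cluster name is a placeholder.

```powershell
# Added example (not from the KB): find VMs affected by the IP discovery issue.
# Assumes an active PowerCLI session (Connect-VIServer) with read access.
param(
    [string]$ClusterName = 'CLUSTER-NAME-PLACEHOLDER'   # replace with your cluster
)

$vms = Get-VM -Location (Get-Cluster -Name $ClusterName) |
       Where-Object { $_.PowerState -eq 'PoweredOn' }

$results = foreach ($vm in $vms) {
    $guest = $vm.ExtensionData.Guest
    $toolsRunning = ($guest.ToolsRunningStatus -eq 'guestToolsRunning')

    # NICs reporting more than one IPv4 address. This is only visible when
    # Tools is running; it marks VMs that need SpoofGuard once ARP snooping is on.
    $multiIpNics = @($guest.Net | Where-Object {
        @($_.IpAddress | Where-Object { $_ -notmatch ':' }).Count -gt 1
    })

    [pscustomobject]@{
        VM            = $vm.Name
        ToolsRunning  = $toolsRunning
        DiscoveredIPs = (@($guest.Net.IpAddress) -join ',')
        MultiIpNics   = $multiIpNics.Count
        Finding       = if (-not $toolsRunning) {
                            'No VMware Tools: VM-name DFW rules will not apply unless DHCP/ARP snooping is enabled'
                        } elseif ($multiIpNics.Count -gt 0) {
                            'Multiple IPs on one NIC: enable SpoofGuard if ARP snooping is used'
                        } else {
                            'OK'
                        }
    }
}

# VMs without Tools are listed first so the affected set is easy to act on.
$results | Sort-Object ToolsRunning, VM | Format-Table -AutoSize
```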