NetX failure policy - how to change the third party failure policy
Article ID: 327285
Products
VMware vDefend Firewall
Issue/Introduction
This article explains how the NetX failure policy works and the procedure for changing it after installation.
Symptoms:
A failure policy defines what happens to traffic when the third-party NetX service is unavailable (for example, when the service VM is powered off).
There are two states:
failOpen: traffic to and from the VMs on the associated host continues to pass when the third-party service is unavailable. The VMs stay reachable but are unprotected for that period.
failClose: traffic to and from the VMs on the associated host is blocked when the third-party service is unavailable. The VMs stay protected but lose connectivity until the service is available again.
The failure policy is a day-1 installation setting and should not need to be changed regularly.
Environment
VMware NSX Data Center for vSphere 6.x
Resolution
If you decide to change the failure policy after deployment, it is located under Service Definitions: select the third-party Service Insertion, then the Service Profile.
Be aware that this procedure removes protection from already protected VMs for the duration of the procedure, because the service profile must be unbound from the protected objects before the policy can be changed.
Therefore it is recommended to isolate the protected VMs beforehand and carry out the change in a maintenance window. There is one location where the failure policy is changed, and two locations where you can unbind the Security Groups from the Security Policy that uses the failure policy.
The first option is in Service Definitions:
1. Go to Service Definitions, select the third-party Service Insertion, click the Service Instance, click the profile associated with the filters, go to the Applied Objects tab and click Edit.
2. Unbind the "Security Group/Dvpg/Logical Switch" from the service profile and click OK.
3. On each ESXi host with a protected VM, confirm that the slot 4 filters have been removed by running the following command in the ESXi shell: summarize-dvfilter
4. Change the failure policy on the Service Profile (failOpen true or false) as required.
5. Go to Service Definitions, select the third-party Service Insertion, click the Service Instance, click the profile associated with the filters, go to the Applied Objects tab and click Edit.
6. Rebind the "Security Group/Dvpg/Logical Switch" to the service profile and click OK.
7. Verify the failure policy by running summarize-dvfilter on the ESXi host again. The slot 4 filters should now show failOpen or failClose, depending on the selection made.
The second option is in Service Composer:
1. Unbind the "Security Group/Dvpg/Logical Switch" from the Service Profile if you configure rules in the "Firewall" tab, or unbind the Security Policy from the Security Group if you use the "Service Composer" tab.
2. Change the failure policy on the Service Profile (failOpen true or false) as required.
3. Rebind the "Security Group/Dvpg/Logical Switch" to the Service Profile if you configure rules in the "Firewall" tab, or bind the Security Policy to the Security Group if you use the "Service Composer" tab.
4. Verify the failure policy by running summarize-dvfilter on the ESXi host.
Within a slot the failure policy must be uniform: every filter in a given slot must be either failClose or failOpen, never a mix. Different slots may use different policies, for example slot 2 can be failOpen while slot 4 is failClose, but all slot 2 filters must share one policy and all slot 4 filters must share one policy.
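The verification steps above rely on reading summarize-dvfilter output by eye on every host, which is error prone once there are more than a handful of VMs. The following Python script is an added example written for this article, not VMware's code: it parses saved summarize-dvfilter output, confirms that no slot 4 filters remain after the unbind step, and confirms after the rebind that every filter in a slot shares a single failure policy, flagging any slot with mixed policies. The sample output embedded in the script is constructed (not captured from a real host) and approximates the real format; the line labels (`vNic slot`, `agentName`, `failurePolicy`) are the ones the command prints, but spacing and the exact policy spelling (`failClosed` versus `failClose`) can vary, so the parser normalises both. All function names are the example's own.

```python
"""Check NetX failure policy consistency from `summarize-dvfilter` output.

Added example for this article, not VMware code. Run on a host as
    summarize-dvfilter > /tmp/dvf.txt && python3 check_netx_policy.py /tmp/dvf.txt
"""
import re
import sys
from collections import defaultdict

# Constructed sample approximating summarize-dvfilter output: two VMs with a
# slot 2 (DFW) and a slot 4 (NetX) filter each. Slot 4 policies deliberately
# disagree to show what a misconfiguration looks like.
MIXED_SAMPLE = """\
world 2101234 vmm0:web-01 vcUuid:'50 1a 2b 3c'
 port 50331650 web-01.eth0
  vNic slot 2
   name: nic-2101234-eth0-vmware-sfw.2
   agentName: vmware-sfw
   state: IOChain Attached
   failurePolicy: failClosed
  vNic slot 4
   name: nic-2101234-eth0-serviceinstance-1.4
   agentName: serviceinstance-1
   state: IOChain Attached
   failurePolicy: failOpen
world 2105678 vmm0:db-01 vcUuid:'50 4d 5e 6f'
 port 50331651 db-01.eth0
  vNic slot 2
   name: nic-2105678-eth0-vmware-sfw.2
   agentName: vmware-sfw
   state: IOChain Attached
   failurePolicy: failClosed
  vNic slot 4
   name: nic-2105678-eth0-serviceinstance-1.4
   agentName: serviceinstance-1
   state: IOChain Attached
   failurePolicy: failClosed
"""

# Constructed sample of the same host after the service profile was unbound:
# only the slot 2 DFW filter remains, no slot 4 filter.
UNBOUND_SAMPLE = """\
world 2101234 vmm0:web-01 vcUuid:'50 1a 2b 3c'
 port 50331650 web-01.eth0
  vNic slot 2
   name: nic-2101234-eth0-vmware-sfw.2
   agentName: vmware-sfw
   state: IOChain Attached
   failurePolicy: failClosed
"""

WORLD_RE = re.compile(r"^world\s+\d+\s+vmm0:(\S+)")
SLOT_RE = re.compile(r"^\s*vNic slot\s+(\d+)")
FIELD_RE = re.compile(r"^\s*(\w+):\s*(.*)$")


def normalize_policy(value):
    """Map failOpen/failClose/failClosed (any case) to the article's two names."""
    v = value.strip().lower()
    if v.startswith("failopen"):
        return "failOpen"
    if v.startswith("failclose"):
        return "failClose"
    return value.strip()


def parse_dvfilter(text):
    """Return one dict per vNic filter: vm, slot, agent, policy."""
    filters, vm, current = [], None, None
    for line in text.splitlines():
        m = WORLD_RE.match(line)
        if m:
            vm = m.group(1)
            continue
        m = SLOT_RE.match(line)
        if m:
            current = {"vm": vm, "slot": int(m.group(1)), "agent": None, "policy": None}
            filters.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key, value = m.groups()
            if key == "failurePolicy":
                current["policy"] = normalize_policy(value)
            elif key == "agentName":
                current["agent"] = value.strip()
    return filters


def policies_by_slot(filters):
    by_slot = defaultdict(set)
    for f in filters:
        if f["policy"] is not None:
            by_slot[f["slot"]].add(f["policy"])
    return dict(by_slot)


def mixed_slots(filters):
    """Slots that violate the one-policy-per-slot rule."""
    return sorted(s for s, pols in policies_by_slot(filters).items() if len(pols) > 1)


def slot_filters(filters, slot):
    """Filters present in a slot; empty after a successful unbind of slot 4."""
    return [f for f in filters if f["slot"] == slot]


def slot_policy(filters, slot):
    """The single policy for a slot, or None if the slot is absent or mixed."""
    pols = policies_by_slot(filters).get(slot, set())
    return next(iter(pols)) if len(pols) == 1 else None


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else MIXED_SAMPLE
    parsed = parse_dvfilter(text)
    for slot in sorted({f["slot"] for f in parsed}):
        print(f"slot {slot}: {len(slot_filters(parsed, slot))} filters, policy={slot_policy(parsed, slot)}")
    for slot in mixed_slots(parsed):
        bad = ", ".join(f"{f['vm']}={f['policy']}" for f in slot_filters(parsed, slot))
        print(f"WARNING slot {slot} has mixed failure policies: {bad}")
```

Run it once after step 2 (unbind) and expect no slot 4 filters, then again after step 6 (rebind) and expect a single slot 4 policy and no WARNING line; any VM still reporting the old policy has not picked up the rebinding and should be checked before the maintenance window closes.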
Additional Information
Impact/Risks: If incorrectly configured, VMs may be left unprotected (failOpen) or lose connectivity (failClose) when the third-party service is unavailable, for example when the service VM is powered off.