NCP 2.5.0 may not apply Security Policy updates to NSX-T DFW
search cancel

NCP 2.5.0 may not apply Security Policy updates to NSX-T DFW


Article ID: 327298


Updated On:


VMware NSX Networking


The following conditions are met:
  • Container environments running NSX Container Plugin (NCP) 2.5.0
  • When a Security Policy is created, updated and then updated again to restore the original configuration, the final configuration change is not reflected on the NSX-T DFW
Example scenario
  - Create a Security Policy
    e.g. Allow traffic on port 443
    The Distributed Firewall Section and Rule is confirmed to be present in NSX-T
  - Edit the Security Policy
    e.g. Change the allowed traffic from port 443 to port 80
    The Distributed Firewall Rule is updated in NSX-T
  - Edit the Security Policy to change it back to the original configuration
    In this example the Security Policy is changed to allow traffic on port 443
    The DFW Rule is not updated in NSX-T and continues to show the last edit, allow port 80


VMware NSX-T Data Center 2.5.x
VMware NSX-T Data Center


This problem behaviour is observed only in the specific scenario of reverting a Security Policy to its original configuration.
In the 2.5.0 NSX Container Plugin when a configuration change is made there is an issue that results in the rule hash of the Firewall section not being updated.
Because of this incorrect firewall rule hash, when the configuration change to revert to the original configuration is seen by NCP it believes NSX-T already has this same configuration and does not update NSX-T of the configuration change.


This issue is resolved in NSX Container Plugin 2.5.1, available at VMware Downloads.

Until NCP can be upgraded the Security Policy can be deleted and recreated.