Symptoms: Some sites, such as Youtube.com, do not load completely when they are added as an explicit allow in a DFW configuration that ends with a deny-all rule.
Environment
VMware NSX-T Data Center 3.x, VMware NSX-T Data Center, VMware NSX-T
Cause
Websites that depend on multiple domains for the page to load fully have issues when used as an explicit allow in a URI DFW rule. For example:
Youtube.com: dependency on multiple domains (*youtube.com || *.googleapis.com || *.googlevideo.com || *ytimg.com etc)
DFW config allowing ONLY youtube.com:
0: any any allow DNS
1: any any allow www.youtube.com
2: any any block
Resolution
Create an explicit allow DFW FQDN-based rule for each website that has multiple dependencies.
Workaround: Use the Network option in the browser's developer tools to gather the domains the site depends on, and allow them in the DFW policy.
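The workaround above can be scripted once the Network tab capture is saved as a HAR file. The following is an added example, not part of the original article or of NSX: it lists the hosts a page contacted that no allow-rule pattern covers. The HAR excerpt is constructed, the function names are hypothetical, and the glob-style matching is an assumption for illustration, not NSX's own FQDN matching.

```python
import json
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed HAR excerpt, same shape as a browser "Save all as HAR" export.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://www.youtube.com/"}},
    {"request": {"url": "https://i.ytimg.com/vi/abc/hq.jpg"}},
    {"request": {"url": "https://www.youtube.com/s/player/base.js"}},
    {"request": {"url": "https://rr1.googlevideo.com/videoplayback?id=1"}},
    {"request": {"url": "https://youtubei.googleapis.com/v1/player"}},
    {"request": {"url": "data:image/png;base64,AAAA"}},  # not a network host
]}})

def hosts_in_har(har_text):
    """Return {hostname: request_count} for every http(s) request in the HAR."""
    counts = {}
    for entry in json.loads(har_text)["log"]["entries"]:
        parts = urlsplit(entry["request"]["url"])
        if parts.scheme in ("http", "https") and parts.hostname:
            host = parts.hostname.lower().rstrip(".")
            counts[host] = counts.get(host, 0) + 1
    return counts

def uncovered_hosts(har_text, allowed_patterns):
    """Hosts the page contacted that no allow pattern matches, sorted.

    Assumption: patterns are compared as simple globs ('*' matches any run
    of characters); verify the result against the actual DFW behaviour.
    """
    pats = [p.lower() for p in allowed_patterns]
    return sorted(h for h in hosts_in_har(har_text)
                  if not any(fnmatchcase(h, p) for p in pats))

if __name__ == "__main__":
    # Rule set from the article that allows ONLY www.youtube.com.
    print("blocked with single rule:", uncovered_hosts(SAMPLE_HAR, ["www.youtube.com"]))
    # Patterns listed in the article's Cause section.
    full = ["*youtube.com", "*.googleapis.com", "*.googlevideo.com", "*ytimg.com"]
    print("blocked with full list:  ", uncovered_hosts(SAMPLE_HAR, full))
```

Each reported host is a candidate for an allow rule placed before the final block rule. Review them individually before allowing, since a wildcard such as *.googleapis.com covers far more than the one site.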
Additional Information
NSX is working as expected: it allows youtube.com and blocks the rest of the domains. To load the website fully, all the dependent domains must also be allowed in the DFW configuration before the "deny all" rule.
Impact/Risks: Specific websites don’t load completely