Edge Pre-rules configured from centralized Distributed FW section are not applied
Article ID: 338614
Updated On:
Products
VMware NSX
Issue/Introduction
Symptoms:
- When DFW rule applied to the edge, it is reflected directly to the edge FW tab UI but the rule is not present in the edge appliance.
- Traffic does not matching the rule although it is present in UI
- Go to Networking & security > Firewall > Add Rule > Applied To edge > Publish and rule ID will be created.
- Rule ID is also present from NSX Edges menu Networking & security > NSX Edges > Select Edge > Firewall section > Rule ID xxxx is present in the pre-rules section
- Accessing through console/ssh to the edge VM if you execute show firewall rule-id xxxx the rule does not exist
Environment
VMware NSX Data Center for vSphere 6.4.x
Cause
Due to the global publish feature introduced in 6.4.2, all rules are pushed at the same time for all the clusters and edges. There has been a regression where if there are no rules applied to clusters in a section edge rules does not get published.
Resolution
This particular issue has been resolved in NSX 6.4.4.
Workaround:
Workaround:
- Apply the rules directly from the NSX Edge FW section
- Disable Globalpublish feature and publish the rule again
- POST https:// NSX-manager-IP /api/internal/firewall/globalpublish?enable=false
Feedback
Yes
No
Powered by
