When configuring an IPset as part of a Security Group in the NSX DFW, if the firewall rule is applied to the Security Group it is not published to designated hosts/virtual machines

Article ID: 339175

Products

VMware NSX

Issue/Introduction

This article documents a frequently reported symptom and explains why it happens.

Symptoms:
You have created an "IP Set" inside the NSX Manager. This "IP Set" is applied to a "Security Group" using the NSX Service Composer. In the DFW, this "Security Group" has been selected in the "Applied To" field. After publishing, you see these symptoms:
  • The firewall rule does not take effect: traffic that should be caught and processed by the DFW is not.
  • Listing the rules applied to the expected virtual machine with the vsipioctl getrules -f <nic_filter> command on the host shows that the intended rule is missing from the virtual machine's filter.


Environment

VMware NSX for vSphere 6.4.x
VMware NSX for vSphere 6.3.x

Cause

IP Sets are not supported in the "Applied to" field of the DFW.

The "Applied to" field of the DFW supports only the following selected objects:
  1. Cluster
  2. Datacenter
  3. Distributed Virtual Port Group
  4. NSX Edge
  5. Network
  6. Virtual Machine
  7. vNIC
  8. Logical Switch
  9. Security Group
  10. Host System
For more information, see the NSX-v 6.3 Administration Guide.

While only the items above are supported in the "Applied to" field, it is possible to configure unsupported objects indirectly through the DFW interface. For instance, an IP Set or MAC Set can be added as a member of a Security Group, and a DFW rule then applied to that Security Group. This results in an unsupported configuration, and NSX Manager does not push the firewall rule to the VMs/hosts.

Resolution

To resolve this issue while keeping the firewall rules scoped to the IPs in the IP Set, and to ensure the rules are pushed to the hosts/VMs, keep the IP Set in the rule's Source/Destination fields and set the rule's "Applied To" to the Distributed Firewall as a whole or to one of the supported objects listed above.
  1. Identify the rule in the DFW list of the Web Client.
  2. Click the pencil icon in the "Applied To" field.
  3. Select the checkbox beside "Apply this rule on all clusters on which the Distributed Firewall is installed."
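After republishing, the symptom in the second bullet above is the quickest way to confirm the fix: the rule ID from the DFW rule table should now appear in vsipioctl getrules output for the VM's filter. The following Python script is an added example, not part of this article or of any VMware tool, that parses that output and reports expected rule IDs that are absent. The sample output embedded in it is constructed for the example; its layout, the filter name and the rule IDs are assumptions, so adjust the regular expression if the real output on your host differs.

```python
import re

# Constructed sample of what `vsipioctl getrules -f <nic_filter>` prints on an ESXi host.
# The layout is an approximation used for this example; the ruleset name, addrset
# name and rule IDs are made up. Rule 1007 (the rule whose "Applied To" pointed at a
# Security Group containing an IP Set) is deliberately absent.
SAMPLE_GETRULES = """\
ruleset domain-c7 {
  # Filter rules
  rule 1005 at 1 inout protocol tcp from addrset ip-securitygroup-12 to any port 443 accept;
  rule 1003 at 2 inout protocol any from any to any accept;
  rule 1001 at 3 inout protocol any from any to any drop;
}
"""

# One DFW rule line: "rule <id> at <position> <body>;"
RULE_RE = re.compile(r"^\s*rule\s+(\d+)\s+at\s+(\d+)\s+(.*);\s*$")


def parse_getrules(text):
    """Return {rule_id: rule_body} for every rule line in getrules output.

    Comment lines (starting with '#') and the ruleset braces do not match
    RULE_RE and are skipped.
    """
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules[int(m.group(1))] = m.group(3)
    return rules


def missing_rules(text, expected_ids):
    """Rule IDs (as shown in the DFW rule table) that the host's filter does not carry.

    An expected ID that is missing here is the symptom described in this article:
    NSX Manager did not push the rule, typically because its "Applied To" scope
    resolved to an unsupported object such as an IP Set.
    """
    present = parse_getrules(text)
    return sorted(rid for rid in expected_ids if rid not in present)


if __name__ == "__main__":
    # In practice, read the text from the command output captured on the host,
    # e.g. with: vsipioctl getrules -f <nic_filter> > rules.txt
    expected = [1001, 1003, 1005, 1007]
    gone = missing_rules(SAMPLE_GETRULES, expected)
    if gone:
        print("rules missing from filter:", ", ".join(str(r) for r in gone))
    else:
        print("all expected rules present")
```

Run it against the captured output of each VM filter you expect the rule on; an empty "missing" list after the "Applied To" change confirms NSX Manager published the rule to that host.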