Malicious IPs Group Feature in Distributed Firewall dropping traffic
search cancel

Malicious IPs Group Feature in Distributed Firewall dropping traffic

book

Article ID: 345417

calendar_today

Updated On:

Products

VMware NSX VMware vDefend Firewall VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

Customers may encounter DFW packet drops when the Malicious IPs Group Feature is activated. This feature permits the blocking of traffic to and from malicious IPs.

You will observe the following symptoms:

  • Traffic from VM's to certain destinations is not working.
  • You have rules configured that should allow this traffic.
  • There are no drops seen in the dfwpktlogs for the traffic from the VM, despite logging being enabled on all user-configured drop rules.
  • Placing the VM in the DFW exclusion list resolves the issue.

Note: This feature is not entitled under the NSX Enterprise Plus license. Adding the VMware vDefend Firewall or VMware vDefend Firewall w/ATP license to an environment originally licensed with the NSX Enterprise Plus license will enable the feature automatically and start blocking traffic to any IP's flagged as malicious. 

Environment

VMware NSX-T Data Center versions 4.x 

Cause

When the Malicious IPs feature is activated it enables 2 firewall rules in DFW and will drop traffic matched to the Malicious IP security group.  

Resolution

  1. Utilize Traceflow to identify which rule is blocking the traffic. Refer to the following documentation:  
    Traceflow

  2. If packets are being dropped under "Default Malicious IP Block Rules" within the infrastructure category, it indicates that the Malicious IP group feature is enabled on the Distributed Firewall (DFW). Confirm this using the following link                    
    Malicious IP Feeds

  3. Check the details of the blocked IP addresses on the Malicious IPs Filtering and Analysis Dashboard
    Malicious IPs Filtering and Analysis Dashboard

  4. Verify if the IP address/URL is categorized as a threat using content and reputation analysis. You can use the following tool (going to this website will migrate you away from Broadcom Support Page) > https://www.brightcloud.com/tools/url-ip-lookup.php

Workarounds and Fix

  • Temporary workaround: Add the problematic IP to the exception list under
    Inventory -> Group -> DefaultMaliciousIpGroup -> View -> Edit -> Add IP in "Exception IP Address Category."
  • Temporary workaround: Disable the firewall rules in the Infrastructure Category under Security (usually rule id 5 and 6)
  • Permanent fix: Whitelist the problematic IP/URL from the third-party website group to ensure its acceptance across the globe. Use the following URL to submit a request for whitelisting, (going to this website will migrate you away from Broadcom Support Page) > https://www.brightcloud.com/tools/url-ip-lookup.php
Powered by Wolken Software