Customers may encounter DFW packet drops when the Malicious IPs Group feature is activated. This feature blocks traffic to and from IP addresses listed in the Malicious IPs group.
VMware NSX-T Data Center versions 4.x
When the Malicious IPs Group feature is activated, it creates two firewall rules in the DFW (one for traffic from and one for traffic to the listed addresses). These rules drop any traffic that matches the Malicious IP security group, so legitimate flows involving an address on the list are dropped as well.
1. Use Traceflow to identify which rule is dropping the traffic. Refer to the following documentation:
https://docs.vmware.com/en/VMware-NSX/4.1/administration/GUID-A85621BC-1CFD-4703-846A-2B3D36E7ABAC.html
2. If the packets are being dropped by a rule under "Default Malicious IP Block Rules" in the Infrastructure category, the Malicious IP group feature is enabled on the Distributed Firewall (DFW). Confirm this using the following documentation:
https://docs.vmware.com/en/VMware-NSX/4.1/administration/GUID-471BA79D-C594-405D-912E-833206D1702C.html
3. Check the details of the blocked IP addresses on the Malicious IPs Filtering and Analysis Dashboard:
https://docs.vmware.com/en/VMware-NSX/4.1/administration/GUID-211A00DE-5B49-40BC-9426-D30A28E81905.html
4. Verify whether the IP address/URL is categorized as a threat by content and reputation analysis. You can use the following tool (opening this website takes you away from the Broadcom Support page): https://www.brightcloud.com/tools/url-ip-lookup.php
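As an added example (not part of this article and not NSX code), the following Python script automates the checks in steps 2 and 3 offline: it walks a security-policy listing, picks out the DROP rules in the Infrastructure category that reference the malicious IP group, and reports which of them, if any, is the first DFW rule matched by a given source/destination pair. It does not replace Traceflow in step 1, which is the only authoritative answer for a live flow. The policy JSON, rule and group identifiers, and group member lists are constructed for illustration; in a real environment they would be assembled from the Policy API (assumed endpoints: the security-policies listing under /policy/api/v1/infra/domains/default/, each policy's rules listing, and the group's members/ip-addresses listing).

```python
import ipaddress

# Order in which the NSX DFW evaluates its rule categories; the first matching
# rule wins, so an Infrastructure drop shadows any later Application allow.
CATEGORY_ORDER = ["Ethernet", "Emergency", "Infrastructure", "Environment", "Application"]

# Hypothetical policy path of the malicious IP group (illustrative, not a real NSX id).
MALICIOUS_IP_GROUP = "/infra/domains/default/groups/default-malicious-ip-group"

# Constructed sample modelled on a Policy API security-policy listing with each
# policy's rules attached; only the fields used below are kept.
SECURITY_POLICIES = [
    {
        "id": "default-malicious-ip-block-rules",
        "display_name": "Default Malicious IP Block Rules",
        "category": "Infrastructure",
        "rules": [
            {"id": "malicious-ip-block-in", "display_name": "Default Malicious IP Block Rule In",
             "source_groups": [MALICIOUS_IP_GROUP], "destination_groups": ["ANY"], "action": "DROP"},
            {"id": "malicious-ip-block-out", "display_name": "Default Malicious IP Block Rule Out",
             "source_groups": ["ANY"], "destination_groups": [MALICIOUS_IP_GROUP], "action": "DROP"},
        ],
    },
    {
        "id": "web-tier",
        "display_name": "Web tier",
        "category": "Application",
        "rules": [
            {"id": "allow-web", "display_name": "Allow to web servers",
             "source_groups": ["ANY"],
             "destination_groups": ["/infra/domains/default/groups/web"], "action": "ALLOW"},
        ],
    },
]

# Constructed effective IP members per group (what a members/ip-addresses
# listing would return); the malicious group mixes single hosts and CIDRs.
GROUP_MEMBERS = {
    MALICIOUS_IP_GROUP: ["203.0.113.7", "198.51.100.0/24"],
    "/infra/domains/default/groups/web": ["10.0.0.0/24"],
}


def ip_in_members(ip, members):
    """True if ip falls inside any host or CIDR entry of a group's member list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(m, strict=False) for m in members)


def group_matches(group_paths, ip, group_members):
    """A rule's source/destination field matches when it is ANY or when ip is a
    member of any referenced group."""
    return any(path == "ANY" or ip_in_members(ip, group_members.get(path, []))
               for path in group_paths)


def find_malicious_ip_block_rules(policies, group_path=MALICIOUS_IP_GROUP):
    """DROP rules in the Infrastructure category that reference the malicious IP
    group as source or destination, i.e. the rules the feature creates."""
    found = []
    for policy in policies:
        if policy.get("category") != "Infrastructure":
            continue
        for rule in policy.get("rules", []):
            refs = rule.get("source_groups", []) + rule.get("destination_groups", [])
            if rule.get("action") == "DROP" and group_path in refs:
                found.append(rule)
    return found


def first_matching_rule(src_ip, dst_ip, policies, group_members=GROUP_MEMBERS):
    """Walk policies in DFW category order and return the first rule whose
    source and destination both match the flow (None if nothing matches)."""
    def rank(policy):
        cat = policy.get("category")
        return CATEGORY_ORDER.index(cat) if cat in CATEGORY_ORDER else len(CATEGORY_ORDER)

    for policy in sorted(policies, key=rank):
        for rule in policy.get("rules", []):
            if (group_matches(rule.get("source_groups", ["ANY"]), src_ip, group_members)
                    and group_matches(rule.get("destination_groups", ["ANY"]), dst_ip, group_members)):
                return rule
    return None


def explain_drop(src_ip, dst_ip, policies=SECURITY_POLICIES, group_members=GROUP_MEMBERS,
                 group_path=MALICIOUS_IP_GROUP):
    """Return the id of the malicious IP block rule that drops this flow, or None
    when the first matching rule is not one of them (the flow may still be
    dropped elsewhere; that is what Traceflow is for)."""
    rule = first_matching_rule(src_ip, dst_ip, policies, group_members)
    if rule is None:
        return None
    block_ids = {r["id"] for r in find_malicious_ip_block_rules(policies, group_path)}
    return rule["id"] if rule["id"] in block_ids else None


if __name__ == "__main__":
    for src, dst in [("198.51.100.20", "10.0.0.5"), ("10.0.0.5", "203.0.113.7"), ("10.0.0.5", "10.0.0.6")]:
        print(f"{src} -> {dst}: {explain_drop(src, dst)}")
```

The category ordering matters: because the block rules live in the Infrastructure category, they are evaluated before Environment and Application rules, so an explicit allow in an application policy never rescues a flow to or from a listed address. A flow that is reported as dropped by one of the block rules should then be cross-checked against the dashboard (step 3) and the reputation lookup (step 4) before deciding whether the listing is a false positive.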
Workarounds and Fix