Malicious IPs Group Feature in Distributed Firewall dropping traffic
Article ID: 345417

Products

VMware NSX

Issue/Introduction

Customers may encounter DFW packet drops when the Malicious IPs Group Feature is activated. This feature permits the blocking of traffic to and from malicious IPs.

Environment

VMware NSX-T Data Center versions 4.x 

Cause

When Malware protection is activated, it enables 2 firewall rules in the DFW that drop any traffic matching the Malicious IP security group.

Resolution

1. Utilize Traceflow to identify which rule is blocking the traffic. Refer to the following documentation:  
https://docs.vmware.com/en/VMware-NSX/4.1/administration/GUID-A85621BC-1CFD-4703-846A-2B3D36E7ABAC.html

2. If packets are being dropped by the "Default Malicious IP Block Rules" in the Infrastructure category, the Malicious IP group feature is enabled on the Distributed Firewall (DFW). Confirm this using the following link:
https://docs.vmware.com/en/VMware-NSX/4.1/administration/GUID-471BA79D-C594-405D-912E-833206D1702C.html

3. Check the details of the blocked IP addresses on the Malicious IPs Filtering and Analysis Dashboard
https://docs.vmware.com/en/VMware-NSX/4.1/administration/GUID-211A00DE-5B49-40BC-9426-D30A28E81905.html

4. Verify whether the IP address/URL is categorized as a threat by content and reputation analysis. You can use the following tool (going to this website will migrate you away from the Broadcom Support Page) > https://www.brightcloud.com/tools/url-ip-lookup.php

Workarounds and Fix

  • Temporary workaround: Add the problematic IP to the exception list under
    Inventory -> Group -> DefaultMaliciousIpGroup -> View -> Edit -> Add IP in "Exception IP Address Category."
  • Temporary workaround: Disable the firewall rules in the Infrastructure category under Security (usually rule IDs 5 and 6).
  • Permanent fix: Request that the third-party reputation provider whitelist the problematic IP/URL, so that the change is applied globally rather than only in your environment. Use the following URL to submit a whitelisting request (going to this website will migrate you away from the Broadcom Support Page) > https://www.brightcloud.com/tools/url-ip-lookup.php
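To confirm step 2 and to check the state of the rules named in the workaround without clicking through the UI, the following added example (not part of this article or of the NSX product) scans a saved security-policy listing for rules that reference DefaultMaliciousIpGroup and reports whether each is still enabled. It assumes the JSON follows the layout of the NSX Policy API's security-policy objects (policies with a "category" and a "rules" list carrying "display_name", "rule_id", "disabled", "source_groups" and "destination_groups"); the sample data is constructed, and the rule display names are placeholders.

```python
"""Report DFW rules that match on the Malicious IP group (added example)."""
import json

# Policy path of the group named in the workaround above (assumed path format).
MALICIOUS_GROUP = "/infra/domains/default/groups/DefaultMaliciousIpGroup"

# Constructed sample in the shape of a security-policies API response.
# Rule IDs 5 and 6 are the ones the article says are usually involved.
SAMPLE_POLICIES = json.dumps({
    "results": [
        {
            "display_name": "Default Malicious IP Block Rules",
            "category": "Infrastructure",
            "rules": [
                {"display_name": "constructed outbound rule", "rule_id": 5, "disabled": False,
                 "source_groups": ["ANY"], "destination_groups": [MALICIOUS_GROUP]},
                {"display_name": "constructed inbound rule", "rule_id": 6, "disabled": False,
                 "source_groups": [MALICIOUS_GROUP], "destination_groups": ["ANY"]},
            ],
        },
        {
            "display_name": "Default Layer3 Section",
            "category": "Application",
            "rules": [
                {"display_name": "Default Layer3 Rule", "rule_id": 2, "disabled": False,
                 "source_groups": ["ANY"], "destination_groups": ["ANY"]},
            ],
        },
    ]
})


def malicious_ip_rules(policies_json: str, group_path: str = MALICIOUS_GROUP) -> list:
    """Return one record per rule whose source or destination references group_path."""
    found = []
    for policy in json.loads(policies_json).get("results", []):
        for rule in policy.get("rules", []):
            refs = rule.get("source_groups", []) + rule.get("destination_groups", [])
            if group_path in refs:
                found.append({
                    "policy": policy.get("display_name"),
                    "category": policy.get("category"),
                    "rule_id": rule.get("rule_id"),
                    "rule": rule.get("display_name"),
                    "enabled": not rule.get("disabled", False),
                })
    return found


if __name__ == "__main__":
    for rec in malicious_ip_rules(SAMPLE_POLICIES):
        state = "ENABLED" if rec["enabled"] else "disabled"
        print(f"[{rec['category']}] {rec['policy']} / rule {rec['rule_id']} is {state}")
```

Any rule the script reports as ENABLED in the Infrastructure category is a candidate for the Traceflow check in step 1; an empty result means the feature is not what is dropping the traffic.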