IDFW rules not matched in NSX-T when projects are created
Article ID: 369394

Products

VMware vDefend Firewall; VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

Symptoms: 

  • You are running NSX-T version 4.1.x.
  • You have recently created a new Project in the NSX-T UI.
  • You may observe that IDFW rules are not realized on the ESXi host.
  • You observe that existing IDFW rules are no longer being matched.
  • You observe logging similar to the following on the NSX Manager in /var/log/syslog:

2024-04-02T05:27:05.201Z vdpi[2406522]: NSX 2406522 - [nsx@6876 comp="nsx-esx" subcomp="nsx-vdpi" tid="2406556" level="INFO"] received delta update of object SECURITY_FEATURE_TOGGLE
2024-04-02T05:27:05.202Z cfgAgent[2406299]: NSX 2406299 - [nsx@6876 comp="nsx-controller" subcomp="cfgAgent" tid="13ECFC80" level="info"] Decoder: Received SECURITY_FEATURE_TOGGLE msg (Operation SET): self {   op: SET }  : id {   left: 3019851511744253762   right: 12202973688529688464 } applied_to { } feature_msg {   feature_type: FEATURE_IDPS   enabled: true } feature_msg {   feature_type: FEATURE_IDFW   enabled: false } tenant_context {   org: ""   proj: ""   vpc: "" }
2024-04-02T05:27:05.202Z cfgAgent[2406299]: NSX 2406299 - [nsx@6876 comp="nsx-controller" subcomp="cfgAgent" tid="13ECFC80" level="info"] Decoder: Received SECURITY_FEATURE_TOGGLE msg UPDATE
2024-04-02T05:27:05.202Z vdpi[2406522]: NSX 2406522 - [nsx@6876 comp="nsx-esx" subcomp="nsx-vdpi" tid="2406556" level="INFO"] Received Security Feature msg ID: id {   left: 3019851511744253762   right: 12202973688529688464 } applied_to { } feature_msg {   feature_type: FEATURE_IDPS   enabled: true } feature_msg {   feature_type: FEATURE_IDFW   enabled: false } tenant_context {   org: ""   proj: ""   vpc: "" } , type: 195 - SECURITY_FEATURE_TOGGLE, op: 7
2024-04-02T05:27:05.202Z vdpi[2406522]: NSX 2406522 - [nsx@6876 comp="nsx-esx" subcomp="nsx-vdpi" tid="2406555" level="INFO"] IDS mode remains unchanged with newly parsed SecFeatureToggleMsg
2024-04-02T05:27:05.202Z cfgAgent[2406299]: NSX 2406299 - [nsx@6876 comp="nsx-controller" subcomp="cfgAgent" tid="14E7F700" level="info" org="" proj="" vpc=""] ids: IDSMsgCache: Update SecurityFeatureToggleMsg, ids status: true, ID: 29e8aaf3-37f1-4f42-a959-abea64401790

  • You observe logging similar to the following on the ESXi host in /var/run/log/nsx-syslog (note IDFW being toggled to enabled and then back to disabled within the same second):

2024-05-04T06:00:01.470Z In(182) nsx-opsagent[61396648]: NSX 61396648 - [nsx@6876 comp="nsx-esx" subcomp="opsagent" s2comp="ctxteng" tid="61397157" level="INFO"] Idfw: Idfw enable update detected, new config = enabled, UUID: b0fcc11a-46b8-4520-b9d2-a4e00ebcd62e
2024-05-04T06:00:01.688Z In(182) nsx-opsagent[61396648]: NSX 61396648 - [nsx@6876 comp="nsx-esx" subcomp="opsagent" s2comp="ctxteng" tid="61397155" level="INFO"] Idfw: Idfw enable update detected, new config = disabled, UUID: b0fcc11a-46b8-4520-b9d2-a4e00ebcd62e

2024-05-04T06:05:00.899Z In(182) nsx-opsagent[61396648]: NSX 61396648 - [nsx@6876 comp="nsx-esx" subcomp="opsagent" s2comp="ctxteng" tid="61397155" level="INFO"] Idfw: Idfw enable update detected, new config = enabled, UUID: b0fcc11a-46b8-4520-b9d2-a4e00ebcd62e
2024-05-04T06:05:00.992Z In(182) nsx-opsagent[61396648]: NSX 61396648 - [nsx@6876 comp="nsx-esx" subcomp="opsagent" s2comp="ctxteng" tid="61397154" level="INFO"] Idfw: Idfw enable update detected, new config = disabled, UUID: b0fcc11a-46b8-4520-b9d2-a4e00ebcd62e
  • You may observe that the SidCache on the ESXi host is empty for the VM that does not match IDFW rules (find the VM's filter name with summarize-dvfilter, then query the cache for that filter):

[root@localhost~] summarize-dvfilter | grep -A 9 <VM-Name>
 port 67108898 <VM-Name>
 vNic slot 2

   name: nic-34829825-eth0-vmware-sfw.2  <<< VM-Filter-Name
   agentName: vmware-sfw
   state: IOChain Attached
   vmState: Attached
   failurePolicy: failClosed
   serviceVMID: 4
   filter source: Dynamic Filter Creation
   moduleName: nsxt-vsip-2073718

[root@localhost:~] vsipioctl getsidcache  -f <VM-Filter-Name>
uid2sid map size : 0
uid2sid map num entries : 0

Environment

VMware NSX-T Data Center 4.x

Cause

Identity Firewall (IDFW) is not supported under projects, and creating a new project toggles the IDFW feature to the off state in the default project.

Resolution

The issue will be fixed in the future release VMware NSX-T 4.2. From version 4.2 onward, creating a new project will no longer disable the IDFW feature in the default project.
Workaround:

Even though IDFW is not supported in projects, the workaround is to enable IDFW in every project using the API calls below.

1. Get the current firewall security settings of the project with a GET to "https://<NSX-manager-IP>/policy/api/v1/orgs/default/projects/<project-id>/infra/settings/firewall/security". The response looks like this:
{
    "idfw_enabled": false,
    "idfw_event_log_scraper_enabled": false,
    "idfw_loginsight_enabled": false,
    "resource_type": "DfwFirewallConfiguration",
    "id": "security",
    "display_name": "security",
    "path": "/orgs/default/projects/<project-id>/infra/settings/firewall/security",
    "relative_path": "security",
    "parent_path": "/orgs/default/projects/<project-id>/infra",
    "remote_path": "",
    "unique_id": "e598d65d-dd3f-4ad4-917b-737a791e2519",
    "realization_id": "e598d65d-dd3f-4ad4-917b-737a791e2519",
    "owner_id": "801c66c7-854d-4562-871e-0030df465669",
    "marked_for_delete": false,
    "overridden": false,
    "enable_firewall": true,
    "disable_auto_drafts": false,
    "global_addrset_mode_enabled": true,
    "_create_time": 1712035624429,
    "_create_user": "system",
    "_last_modified_time": 1712035624429,
    "_last_modified_user": "system",
    "_system_owned": false,
    "_protection": "NOT_PROTECTED",
    "_revision": 0
}
2. Change "idfw_enabled": false to "idfw_enabled": true and PATCH the result to the same API, "https://<NSX-manager-IP>/policy/api/v1/orgs/default/projects/<project-id>/infra/settings/firewall/security". Modify only the idfw_enabled parameter and keep the remaining fields as they were returned:

{
    "idfw_enabled": true,
    "idfw_event_log_scraper_enabled": false,
    "idfw_loginsight_enabled": false,
    "resource_type": "DfwFirewallConfiguration",
    "enable_firewall": true,
    "disable_auto_drafts": false,
    "global_addrset_mode_enabled": true,
    "global_macset_optimization_mode_enabled": false
}
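As an added example (not code from this KB or from VMware), the two steps above automated against the Policy API: it reads each project's security settings, builds the PATCH body as step 2 describes, and writes it back only where IDFW is off. The two endpoints are the ones the KB gives; the project list endpoint, its "results" key and the use of basic-auth credentials are assumptions.

```python
import base64
import json
import ssl
import urllib.request

# Settings the KB's PATCH body carries besides idfw_enabled. Read-only fields from the
# GET response (_revision, path, unique_id, ...) are deliberately not sent back.
PATCH_KEYS = (
    "idfw_event_log_scraper_enabled", "idfw_loginsight_enabled", "resource_type",
    "enable_firewall", "disable_auto_drafts", "global_addrset_mode_enabled",
    "global_macset_optimization_mode_enabled",
)

def security_path(project_id):
    """Policy API path of a project's DFW security settings (org 'default', as in the KB)."""
    return f"/policy/api/v1/orgs/default/projects/{project_id}/infra/settings/firewall/security"

def build_idfw_patch(current):
    """Return the PATCH body that flips idfw_enabled to true and keeps the other settings
    exactly as the manager returned them, or None when IDFW is already on (nothing to write)."""
    if current.get("idfw_enabled") is True:
        return None
    body = {"idfw_enabled": True}
    body.update({k: current[k] for k in PATCH_KEYS if k in current})
    return body

def nsx_request(manager, auth, method, path, body=None, cafile=None):
    """Minimal HTTPS call with basic auth (assumed credential type); TLS is verified."""
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"https://{manager}{path}", data=data, method=method,
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ssl.create_default_context(cafile=cafile)) as r:
        return json.loads(r.read() or b"{}")

def enable_idfw_in_all_projects(manager, auth, cafile=None):
    """Walk every project (the list endpoint and its 'results' key are assumptions) and
    enable IDFW where it is off. Returns the ids of the projects that were patched."""
    listing = nsx_request(manager, auth, "GET", "/policy/api/v1/orgs/default/projects", cafile=cafile)
    patched = []
    for proj in listing.get("results", []):
        current = nsx_request(manager, auth, "GET", security_path(proj["id"]), cafile=cafile)
        body = build_idfw_patch(current)
        if body is not None:
            nsx_request(manager, auth, "PATCH", security_path(proj["id"]), body, cafile=cafile)
            patched.append(proj["id"])
    return patched
```

Run it as enable_idfw_in_all_projects("<NSX-manager-IP>", ("admin", "<password>"), cafile="<manager-ca.pem>") after each project is created, or from a scheduled job, until the environment is on 4.2.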
Additional Information

Impact/Risk: Existing IDFW-based rules stop working once a new non-default project is created in NSX.