Firewall Drops Traffic Despite User-Created DFW Allow Rules

Article ID: 372897

Products

VMware NSX-T Data Center VMware NSX Firewall

Issue/Introduction

- Traffic from VMs to certain destinations is not working.
- The customer has rules configured that should allow this traffic.
- No drops are seen in the dfwpktlogs for the traffic from the VM, despite logging being enabled on all user-configured drop rules.
- Placing the VM in the DFW exclusion list resolves the issue.

Environment

NSX 4.x

Cause

- The destination IP address that the customer is trying to reach is in the Malicious IP database.

Resolution

- In the NSX Manager UI under Security -> Filtering and Analysis -> Malicious IPs, identify the IP address corresponding to the blocked destination and add it to the Exception List.

- Alternatively, add a policy and rule referencing an nsgroup containing the IP addresses that you want to allow, placed above the Default Malicious IP Block Rules, to proactively allow the known good destinations. These rules can be found in the NSX Manager UI under Security -> Distributed Firewall -> Infrastructure.
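The second resolution, done through the NSX Policy API instead of the UI, as an added example that is not part of this article: it builds an IP-set group for the known good destinations and an Infrastructure-category policy with one logged ALLOW rule pointing at that group. The API paths, field names, object IDs and the sequence number are assumptions about the Policy API (verify them against your NSX version), and the IP addresses are constructed sample values.

```python
import base64
import ipaddress
import json
import urllib.request

# Assumed Policy API layout: URL prefix plus the default domain path used in
# object references. Neither value comes from the KB article.
API_PREFIX = "/policy/api/v1"
DOMAIN = "/infra/domains/default"


def build_group(group_id, ip_addresses):
    """Return a Group payload whose members are validated IPs/CIDRs."""
    cleaned = []
    for entry in ip_addresses:
        ipaddress.ip_network(entry, strict=False)  # ValueError on junk
        cleaned.append(entry)
    if not cleaned:
        raise ValueError("allow-list group must contain at least one address")
    return {"resource_type": "Group", "display_name": group_id,
            "expression": [{"resource_type": "IPAddressExpression",
                            "ip_addresses": cleaned}]}


def build_allow_policy(policy_id, group_id, sequence_number):
    """Infrastructure policy with a single logged ALLOW rule to the group.
    sequence_number must sort before the Default Malicious IP Block policy
    so this rule is evaluated first; the right value is read from the UI."""
    return {"resource_type": "SecurityPolicy", "display_name": policy_id,
            "category": "Infrastructure", "sequence_number": sequence_number,
            "rules": [{"resource_type": "Rule", "sequence_number": 1,
                       "display_name": "allow-known-good-destinations",
                       "source_groups": ["ANY"],
                       "destination_groups": [f"{DOMAIN}/groups/{group_id}"],
                       "services": ["ANY"], "scope": ["ANY"],
                       "action": "ALLOW", "logged": True}]}


def patch_object(manager_url, user, password, path, body):
    """PATCH one object (HTTP basic auth, verified TLS); returns status code."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        manager_url + API_PREFIX + path, method="PATCH",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": "Basic " + token})
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

Apply the group first, then the policy, e.g. `patch_object(mgr, user, pw, f"{DOMAIN}/groups/known-good", build_group("known-good", ["203.0.113.10"]))`, then confirm in the UI that the new policy sits above the Default Malicious IP Block Rules.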