NSX Manager UI shows Error 403 - Access denied when trying to access Security

Products

VMware NSX

Issue/Introduction

After successful login, the customer is getting 403 Access Denied error when they are trying to access Security tab.

All the admin logins are marked as success in the syslog:

2024-06-26T17:05:31.992Z <nsx-manager.fqdn> NSX 74138 SYSTEM [nsx@6876 audit="true" comp="nsx-manager" level="INFO" subcomp="http"] UserName="admin@<nsx-manager>", ModuleName="ACCESS_CONTROL", Operation="LOGIN", Operation status="success"
2024-06-26T17:05:33.698Z <nsx-manager.fqdn> NSX 70816 - [nsx@6876 audit="true" comp="nsx-manager" level="INFO" reqId="<req-uuid>" subcomp="manager" username="admin"] UserName="admin", ModuleName="AAA", Operation="GetCurrentUserInfo", Operation status="success", New value=[{}]

NAPP was not deployed successfully

On collection and inspection of HAR file, napp/api/v1/platform/features/ndr/status and napp/api/v1/platform/ui-plugin-permissions?APP_NAME=INTELLIGENCE show 403 response error code.

Environment

NSX-T 3.x

NSX 4.x

Cause

When the customer is trying to access the Security tab, NSX redirects the request to NAPP. As NAPP has not been deployed properly, the customer sees the 403 forbidden error.

Resolution

Force undeploy NAPP from customer's environment manually using this API command:

PATCH https://<nsx-manager-ip>/policy/api/v1/infra/sites/<site-id>/napp/deployment/platform

{

"deployment_action": {
"action": "FORCE_UNDEPLOY"
}

}

The customer should be able to access Security tab now however, some sections of UI such as Plan & Troubleshoot will not load. Since the NAPP is being force undeployed manually, the UI plugin is not cleaned up. There are two UI plugins which should be removed as well:

1. Platform UI - which is displayed under System => NSX Application Platform.
2. Intelligence UI - which is under Plan & Troubleshoot.

Please follow below step to remove/reset these plugins manually.

Delete Platform UI Plugin

DELETE https://<nsx-manager-ip>/policy/api/v1/ui-controller/remote-ui-plugins/platform-ui

Reset Intelligence UI Plugin:

Note: This will reset the Intelligence to the teaser pages.

PUT https://<nsx-manager-ip>/policy/api/v1/ui-controller/remote-ui-plugins/pace-ui

PAYLOAD:

{
"id": "pace-ui",
"url": "/nsx/intelligence-ui/",
"navItems": [
{
"navId": "nsx-intelligence-ui-placeholder-home",
"title": "plugin.placeholder.title",
"parentModule": "tools",
"siblingNavItem": "troubleShootingTools",
"insertBeforeSibling": true,
"children": [
{
"navId":"nsx-intelligence-placeholder-home-security-posture",
"title": "plugin.placeholder.discoverandtakeaction",
"iconUrl": "assets/img/discover.svg",
"insertBeforeSibling": false,
"routerLink": "securityposture",
"childRoute": "/#/placeholder/visualization",
"rbacFeature": [
"policy_napp"
],
"isCollapsible": false,
"childrenExpanded": false
},
{
"navId":"nsx-intelligence-placeholder-home-recommendations",
"title": "plugin.placeholder.recommendations",
"iconUrl": "assets/img/recommendations.svg",
"insertBeforeSibling": false,
"routerLink": "recommendations",
"childRoute": "/#/placeholder/recommendations",
"rbacFeature": [
"policy_napp"
],
"isCollapsible": false,
"childrenExpanded": false
}
],
"isCollapsible": false,
"childrenExpanded": false
},
{
"navId": "nsx-intelligence-anomaly-detection",
"title": "plugin.nav.title.threat.detections",
"iconUrl": "assets/img/anomaly.svg",
"parentModule": "security",
"siblingNavItem": "urlAnalysisUrls",
"insertBeforeSibling": true,
"routerLink": "anomalydetection",
"childRoute": "/#/placeholder/anomaly/home",
"rbacFeature": [
"policy_napp"
],
"isCollapsible": false,
"childrenExpanded": false
}
],
"plugin_items": [
{
"col_span": 12,
"child_route": "#/placeholder/anomaly/dashboard",
"min_height": "265px",
"item_id": "nsxi-ui-anomaly-security-dashboard-widget",
"item_type": "RemoteDashboardContainer",
"parent_item": "dashboard_security_insights",
"rbac_feature": [
"policy_napp"
]
}
],
"featurePermissionUrl": "../../policy/api/v1/aaa/user-info/permissions",
"translations": {
"en-US": {
"plugin.placeholder.title": "Discover & Plan",
"plugin.placeholder.discoverandtakeaction": "Discover & Take Action",
"plugin.placeholder.recommendations": "Recommendations",
"plugin.nav.title.network.traffic.analysis": "Network Traffic Analysis",
"plugin.nav.title.threat.detections": "Suspicious Traffic"
},
"de-DE": {
"plugin.placeholder.title": "Erkennen und planen",
"plugin.placeholder.discoverandtakeaction": "Erkennen und aktiv werden",
"plugin.placeholder.recommendations": "Empfehlungen",
"plugin.nav.title.network.traffic.analysis": "Analyse des Netzverkehrs",
"plugin.nav.title.threat.detections": "Bedrohungserkennungen"
},
"es-ES": {
"plugin.placeholder.title": "Detectar y planificar",
"plugin.placeholder.discoverandtakeaction": "Detectar y actuar",
"plugin.placeholder.recommendations": "Recomendaciones",
"plugin.nav.title.network.traffic.analysis": "Análisis de tráfico de red",
"plugin.nav.title.threat.detections": "Detecciones de amenazas"
},
"fr-FR": {
"plugin.placeholder.title": "Découvrir et planifier",
"plugin.placeholder.discoverandtakeaction": "Découvrir et résoudre",
"plugin.placeholder.recommendations": "Recommandations",
"plugin.nav.title.network.traffic.analysis": "Analyse du trafic réseau",
"plugin.nav.title.threat.detections": "Détections des menaces"
},
"it-IT": {
"plugin.placeholder.title": "Scopri e pianifica",
"plugin.placeholder.discoverandtakeaction": "Scopri e intervieni",
"plugin.placeholder.recommendations": "Consigli",
"plugin.nav.title.network.traffic.analysis": "Rilevamento delle minacce e risposta",
"plugin.nav.title.threat.detections": "Traffico sospetto"
},
"ja-JP": {
"plugin.placeholder.title": "検出とプラン",
"plugin.placeholder.discoverandtakeaction": "検出とアクションの実行",
"plugin.placeholder.recommendations": "推奨事項",
"plugin.nav.title.network.traffic.analysis": "ネットワークトラフィックの分析",
"plugin.nav.title.threat.detections": "脅威の検出"
},
"ko-KR": {
"plugin.placeholder.title": "검색 및 계획",
"plugin.placeholder.discoverandtakeaction": "검색 및 작업",
"plugin.placeholder.recommendations": "권장 사항",
"plugin.nav.title.network.traffic.analysis": "네트워크 트래픽 분석",
"plugin.nav.title.threat.detections": "위협 감지"
},
"zh-CN": {
"plugin.placeholder.title": "检测和规划",
"plugin.placeholder.discoverandtakeaction": "检测和采取措施",
"plugin.placeholder.recommendations": "建议",
"plugin.nav.title.network.traffic.analysis": "网络流量分析",
"plugin.nav.title.threat.detections": "威胁检测"
},
"zh-TW": {
"plugin.placeholder.title": "探索和計劃",
"plugin.placeholder.discoverandtakeaction": "探索和採取動作",
"plugin.placeholder.recommendations": "建議",
"plugin.nav.title.network.traffic.analysis": "網路流量分析",
"plugin.nav.title.threat.detections": "威脅偵測"
}
},
"cachingEnabled": false
}