NSX-T MP sections and rules are enforced on top of policy sections.
Article ID: 373552
Products

VMware vDefend Firewall

Issue/Introduction

NSX-T MP sections and rules are enforced on top of policy sections.

Symptoms:

+ Rules are configured in mixed mode (rules exist in both MP and policy sections).

+ Customers may observe that MP section rules are enforced before policy section rules on the datapath ("vsipioctl getrules -f <filter name>").

Example:

[root@ESXI:~] vsipioctl getrules  -f nic-XXXX-eth0-vmware-sfw.2
  rule 537300088 at 72 inout protocol udp from addrset <addrset> to addrset <addrset>  port <port> accept;
  rule 537300089 at 73 inout protocol tcp from addrset <addrset>  to addrset <addrset>  port <port> accept;
  rule 134027 at 82 inout protocol tcp strict from addrset<addrset> to addrset <addrset> port <port> accept;
  rule 134029 at 83 inout protocol udp from addrset <addrset>  to addrset<addrset> port <port> accept;

Environment

NSX-T 3.x

NSX-T 4.x

Cause

This occurs because, in mixed mode, the MP section priority range overlaps the policy section priority range.


Resolution

Workaround:

When creating MP sections, use the MP API with the 'insert_after' or 'insert_before' operation, anchored to the default section, instead of 'insert_top'.

Examples below:

POST /api/v1/firewall/sections?action=create_with_rules&operation=insert_after&id=ffffffff-8a04-4924-a5b4-54d30e81befe

POST /api/v1/firewall/sections?action=create_with_rules&operation=insert_before&id=ffffffff-8a04-4924-a5b4-54d30e81befe

Note: Because the MP API for creating firewall sections and rules is deprecated, we discourage customers from using MP sections.

Use the revise API below to reposition the offending MP sections relative to the default section:


POST /api/v1/firewall/sections/<section-id>?action=revise&operation=insert_before&id=ffffffff-8a04-4924-a5b4-54d30e81befe
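The following is an added example, not part of this KB article or of VMware's tooling. It ties the symptom check to the workaround: it parses the `vsipioctl getrules` output shown above, flags any MP section whose rules sit at a lower (earlier) position than the first policy rule, and builds the revise API call from this article for each such section. It assumes that the operator has already collected a mapping of MP rule IDs to their section IDs (for example by listing rules under `/api/v1/firewall/sections/<section-id>`); that mapping and the section ID it contains are constructed placeholders, and the sample datapath output is the one quoted in the Symptoms section. Any rule ID not present in that mapping is treated as a policy rule.

```python
"""Detect MP rules enforced ahead of policy rules and build the revise call.

Added example for the NSX-T mixed-mode ordering issue; not VMware code.
"""
import re
from urllib.parse import urlencode

# Datapath output quoted in the KB's Symptoms section (used here as sample input).
SAMPLE_GETRULES = """\
[root@ESXI:~] vsipioctl getrules  -f nic-XXXX-eth0-vmware-sfw.2
  rule 537300088 at 72 inout protocol udp from addrset <addrset> to addrset <addrset>  port <port> accept;
  rule 537300089 at 73 inout protocol tcp from addrset <addrset>  to addrset <addrset>  port <port> accept;
  rule 134027 at 82 inout protocol tcp strict from addrset<addrset> to addrset <addrset> port <port> accept;
  rule 134029 at 83 inout protocol udp from addrset <addrset>  to addrset<addrset> port <port> accept;
"""

# Constructed mapping: MP rule id -> MP section id. In practice this comes from
# listing the rules of each MP section via the MP API. The section id is a placeholder.
MP_RULES = {
    537300088: "mp-section-PLACEHOLDER-1",
    537300089: "mp-section-PLACEHOLDER-1",
}

# Default section id used as the anchor in the KB's API examples.
DEFAULT_SECTION_ID = "ffffffff-8a04-4924-a5b4-54d30e81befe"

# Matches "  rule <id> at <position> ..." lines from vsipioctl getrules.
RULE_RE = re.compile(r"^\s*rule\s+(\d+)\s+at\s+(\d+)\s")


def parse_getrules(text):
    """Return [(rule_id, position)] sorted by position (lower = evaluated first)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), int(m.group(2))))
    return sorted(rules, key=lambda r: r[1])


def find_mp_sections_above_policy(rules, mp_rules):
    """Return the MP section ids that have at least one rule positioned before
    the first policy rule. Rule ids absent from mp_rules are assumed to be policy rules."""
    policy_positions = [pos for rid, pos in rules if rid not in mp_rules]
    if not policy_positions:
        return set()
    first_policy = min(policy_positions)
    return {mp_rules[rid] for rid, pos in rules if rid in mp_rules and pos < first_policy}


def revise_request(section_id, anchor_id=DEFAULT_SECTION_ID, operation="insert_before"):
    """Build (method, path) for the revise call from the KB.

    'insert_top' is what places an MP section above policy sections, so only the
    anchored operations are accepted."""
    if operation not in ("insert_before", "insert_after"):
        raise ValueError("use insert_before or insert_after anchored to a section, not insert_top")
    query = urlencode({"action": "revise", "operation": operation, "id": anchor_id})
    return "POST", f"/api/v1/firewall/sections/{section_id}?{query}"


def remediation_plan(text=SAMPLE_GETRULES, mp_rules=MP_RULES):
    """Parse the datapath dump and return one revise call per offending MP section."""
    rules = parse_getrules(text)
    offending = find_mp_sections_above_policy(rules, mp_rules)
    return [revise_request(sid) for sid in sorted(offending)]


if __name__ == "__main__":
    for method, path in remediation_plan():
        print(method, path)
```

Run it against a real `vsipioctl getrules -f <filter name>` capture and the rule listing of your MP sections; each emitted request is a revise call that moves one MP section to just before the default section, which is the ordering the workaround above prescribes.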

Resolution:

This issue is resolved in NSX-T 4.2.0.