Distributed firewall rule missing after update of policy/section in NSX 4.1.2.X (NSX upgrade or policy modification).

Article ID: 375877

Products

VMware vDefend Firewall

Issue/Introduction

You have upgraded NSX-T from 3.X to NSX 4.1.2.X, or you are running NSX 4.1.2.X and have modified the layer3 default section.

After the NSX upgrade or the policy modification, user-created DFW rules located in the default section are missing.

These rules were created via a Manager (MP) API call that set 'X-Allow-Overwrite=true' in the HTTP headers.

Prior to the upgrade/modification, the rules were realised on the ESXi filter (visible with vsipioctl getrules -f <filter>) and were visible in the MP UI or via an MP API call.

During the Manager upgrade to 4.1.2.X the rule is removed in the data migration stage; when the default section is modified, the rule is removed when the modified section is published.

Environment

NSX-T 3.X and NSX 4.X.

Cause

This is caused when a Policy-owned section is overwritten and modified via MP APIs using 'X-Allow-Overwrite=true' in the HTTP headers. This is a non-native way to edit a Policy-owned section and is not recommended for firewall CRUD operations; it is intended for troubleshooting purposes only.

The Policy layer3 default section is contaminated by the MP layer; this is corrected during a policy update (upgrade or modification) of the section/policy, at which point the MP-created rules are removed.
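The practical check that follows from the cause above is a pre-upgrade audit: list the rules the Manager (MP) side holds for the default layer3 section, list the rules the Policy side owns for the same section, and flag every MP rule with no Policy owner, since those are the rules that will not survive a republish. The script below is an added example, not VMware's code or part of this article. It works offline on two JSON exports; the sample data is constructed, the endpoint paths named in the comments are the ones to capture from, and it assumes the Policy rule's `rule_id` field carries the realized MP rule id (verify that mapping against your NSX version before relying on the result).

```python
"""Pre-upgrade audit: find DFW rules present in the default layer3 section
on the Manager (MP) side that have no owning rule on the Policy side.

Rules pushed with the X-Allow-Overwrite header through the MP API show up
exactly like this, and they are the ones dropped when the section is
republished (upgrade or edit). Input is two JSON exports captured before
the change; the samples below are constructed for illustration only.
"""
import json

# Constructed sample of what GET /api/v1/firewall/sections/<section-id>/rules
# (MP API) might return for the default layer3 section. Values are invented.
MP_RULES_JSON = """
{"results": [
  {"id": "1001", "display_name": "default-layer3-rule", "action": "ALLOW"},
  {"id": "2001", "display_name": "allow-backup-tmp", "action": "ALLOW",
   "_create_user": "admin"},
  {"id": "2002", "display_name": "drop-legacy-app", "action": "DROP",
   "_create_user": "admin"}
]}
"""

# Constructed sample of what the Policy API returns for the same section
# (GET /policy/api/v1/infra/domains/default/security-policies/<policy-id>/rules).
# ASSUMPTION: the numeric rule_id on a Policy rule equals the realized MP rule id.
POLICY_RULES_JSON = """
{"results": [
  {"id": "default-layer3-rule", "rule_id": 1001,
   "display_name": "default-layer3-rule", "action": "ALLOW"}
]}
"""


def load_rules(raw):
    """Extract the rule list from an NSX list response."""
    return json.loads(raw)["results"]


def mp_only_rules(mp_rules, policy_rules):
    """Return MP rules whose id matches no Policy rule_id.

    A rule in this set exists only in the MP layer; the Policy layer has no
    record of it and will not recreate it when the section is republished.
    """
    policy_ids = {str(r["rule_id"]) for r in policy_rules if "rule_id" in r}
    return [r for r in mp_rules if str(r["id"]) not in policy_ids]


def audit_report(mp_raw, policy_raw):
    """Compare the two exports and return (id, name, action) per orphaned rule."""
    orphans = mp_only_rules(load_rules(mp_raw), load_rules(policy_raw))
    return [(r["id"], r["display_name"], r.get("action")) for r in orphans]


if __name__ == "__main__":
    findings = audit_report(MP_RULES_JSON, POLICY_RULES_JSON)
    if not findings:
        print("No MP-only rules in the default section; nothing at risk.")
    for rule_id, name, action in findings:
        print(f"MP-only rule {rule_id} ({name}, {action}): not owned by Policy "
              "and will not survive a republish of the section")
```

Run it against real exports by replacing the two constructed strings with the saved responses. Any rule it reports that is still needed should be recreated through the Policy API (the native path for firewall CRUD) before the upgrade or section edit, after which the MP-side copy can be left to be cleaned up by the republish.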

Resolution

This is expected behaviour of NSX.