Incorrect Firewall rules and groups are displayed when searching based on source and/or destination IPs in the NSX-T UI
Article ID: 376519

Products

VMware vDefend Firewall

Issue/Introduction

  • When searching for a source and/or destination IP you observe that both correct and incorrect rules are displayed.
    • In the example below, searching for source IP 10.17.77.7 also returns the rule whose group contains the unrelated IP 10.17.7.77.
    • Searching for another IP, for example 10.17.77.5, returns only the correct rule with the correct groups and IPs.
    • This behavior is seen in both DFW and Gateway Firewall.
  • You will observe logging similar to the following on the NSX Manager in /var/log/proton/nsxapi.log

2024-08-25T04:47:57.577Z  INFO http-nio-127.0.0.1-7440-exec-4 RuleQueryBuilder 85700 - [nsx@6876 comp="nsx-manager" level="INFO" reqId="13938e30-b859-45aa-a07e-7b0bfbe3e4fb" subcomp="manager" username="admin"] updateRuleQueryForGroupingObjects groupingObjFilter FirewallFilterDto{filterColumn='SOURCE', filterValue='[10.17.77.7]', filterObjectType='IP', caseSensitive='false'} and firewallType Optional[SecurityPolicy]

2024-08-25T04:47:57.578Z  INFO RuleQueryBuilder-25-1 RuleQueryBuilder 85700 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Request for IP Address Groups : IPAddressGroupAssociationRequestParamsDto{ipAddress='10.17.77.7', enforcementPointPath='null', super{PolicyListRequestParametersDto{includeMarkForDeleteObjects='false', super{ListRequestParameters{sortBy='null', sortAscending='null', cursor='null', pageSize='1000', super{IncludedFieldsParameters{includedFields='null'}}}}}}}

2024-08-25T04:47:57.609Z  INFO http-nio-127.0.0.1-7440-exec-4 SearchQueryBuilder 85700 - [nsx@6876 comp="nsx-manager" level="INFO" reqId="13938e30-b859-45aa-a07e-7b0bfbe3e4fb" subcomp="manager" username="admin"] FirewallFilter: RULE query => resource_type:Rule AND   ( source_groups:"ANY" OR source_groups:"/infra/domains/default/groups/4c57ac3c-422b-4c99-b364-b373389215bf" OR _meta.source_groups_ip_range:10.17.77.7 OR source_groups:"/infra/domains/default/groups/920b9785-2e91-4b08-9abe-1eb9c35aa4fa" )   AND   ( destination_groups:"ANY" OR destination_groups:"/infra/domains/default/groups/4c57ac3c-422b-4c99-b364-b373389215bf" OR _meta.destination_groups_ip_range:10.17.77.7 OR destination_groups:"/infra/domains/default/groups/920b9785-2e91-4b08-9abe-1eb9c35aa4fa" )

  • Querying the ip-address-group-associations API for the same IP, as in the example below, also returns both the correct and the incorrect group.
    • The IP you query depends on your use case and environment and will differ from the one used in the command below.

GET https://<ManagerIP>/policy/api/v1/infra/ip-address-group-associations?ip_address=10.17.77.7&enforcement_point_path=/infra/sites/default/enforcement-points/default

{
    "results": [
        {
            "origin_site_id": "b0545bde-4144-42f2-bd76-d0b6bfea3e6e",
            "remote_path": "",
            "target_id": "/infra/domains/default/groups/920b9785-2e91-4b08-9abe-1eb9c35aa4fa", << incorrect group
            "target_display_name": "10.17.7.77-group",
            "target_type": "DOMAIN_GROUP",
            "is_valid": true,
            "path": "/infra/domains/default/groups/920b9785-2e91-4b08-9abe-1eb9c35aa4fa",
            "owner_id": "b0545bde-4144-42f2-bd76-d0b6bfea3e6e"
        },
        {
            "origin_site_id": "b0545bde-4144-42f2-bd76-d0b6bfea3e6e",
            "remote_path": "",
            "target_id": "/infra/domains/default/groups/4c57ac3c-422b-4c99-b364-b373389215bf", << correct group
            "target_display_name": "10.17.77.7 - group",
            "target_type": "DOMAIN_GROUP",
            "is_valid": true,
            "path": "/infra/domains/default/groups/4c57ac3c-422b-4c99-b364-b373389215bf",
            "owner_id": "b0545bde-4144-42f2-bd76-d0b6bfea3e6e"
        }
    ],
    "result_count": 2,
    "sort_by": "target_display_name",
    "sort_ascending": true
}

NOTE: The preceding log and API excerpts are only examples. Dates, times, object IDs and other environment-specific values will vary depending on your environment.
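The following Python script is an added example and is not part of this article or of NSX. It cross-checks the two artifacts shown above offline: it parses the group paths out of the RULE query line from nsxapi.log and the ip-address-group-associations response, then tests whether the searched IP actually falls inside each group's IP set. The group definitions it uses are constructed (the contents are assumed from the display names in the article, in the shape of NSX Policy API Group objects with an IPAddressExpression); in a real check you would fetch each group with GET /policy/api/v1/infra/domains/default/groups/<id> and feed its "expression" list in instead.

```python
"""Offline cross-check of NSX firewall rule-filter results.

Added example, not VMware/Broadcom code. It takes the data the article shows
(the ip-address-group-associations response and the nsxapi.log RULE query
line), plus CONSTRUCTED group definitions in the shape of NSX Policy API
Group objects with an IPAddressExpression, and reports which groups the
search back end used even though the searched IP is not in them.
"""
import ipaddress
import re

GROUP_BAD = "/infra/domains/default/groups/920b9785-2e91-4b08-9abe-1eb9c35aa4fa"
GROUP_GOOD = "/infra/domains/default/groups/4c57ac3c-422b-4c99-b364-b373389215bf"

# CONSTRUCTED: group contents are assumed from the display names in the
# article; a real check would GET /policy/api/v1/infra/domains/default/groups/<id>.
SAMPLE_GROUPS = {
    GROUP_BAD: {
        "display_name": "10.17.7.77-group",
        "expression": [{"resource_type": "IPAddressExpression",
                        "ip_addresses": ["10.17.7.77"]}],
    },
    GROUP_GOOD: {
        "display_name": "10.17.77.7 - group",
        "expression": [{"resource_type": "IPAddressExpression",
                        "ip_addresses": ["10.17.77.7"]}],
    },
}

# From the article's API response (fields not used here omitted).
SAMPLE_ASSOCIATIONS = [
    {"target_id": GROUP_BAD, "target_display_name": "10.17.7.77-group"},
    {"target_id": GROUP_GOOD, "target_display_name": "10.17.77.7 - group"},
]

# The RULE query line from the article's nsxapi.log excerpt.
SAMPLE_RULE_QUERY_LOG = (
    '2024-08-25T04:47:57.609Z  INFO http-nio-127.0.0.1-7440-exec-4 SearchQueryBuilder 85700 - '
    '[nsx@6876 comp="nsx-manager" level="INFO" reqId="13938e30-b859-45aa-a07e-7b0bfbe3e4fb" '
    'subcomp="manager" username="admin"] FirewallFilter: RULE query => resource_type:Rule AND '
    '( source_groups:"ANY" OR source_groups:"' + GROUP_GOOD + '" OR '
    '_meta.source_groups_ip_range:10.17.77.7 OR source_groups:"' + GROUP_BAD + '" ) AND '
    '( destination_groups:"ANY" OR destination_groups:"' + GROUP_GOOD + '" OR '
    '_meta.destination_groups_ip_range:10.17.77.7 OR destination_groups:"' + GROUP_BAD + '" )'
)

GROUP_PATH_RE = re.compile(r'(?:source|destination)_groups:"(/infra/domains/[^"]+)"')


def ip_in_entry(ip: str, entry: str) -> bool:
    """True if ip matches one IPAddressExpression entry: a single address,
    a CIDR, or a 'start-end' range (the three forms NSX accepts)."""
    addr = ipaddress.ip_address(ip)
    if "-" in entry:
        start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return start.version == addr.version and start <= addr <= end
    if "/" in entry:
        net = ipaddress.ip_network(entry, strict=False)
        return net.version == addr.version and addr in net
    return addr == ipaddress.ip_address(entry)


def group_contains_ip(ip: str, group: dict) -> bool:
    """True if any IPAddressExpression in the group covers ip. Other
    expression types (VM membership criteria, paths) need inventory data
    and are deliberately not evaluated here."""
    for expr in group.get("expression", []):
        if expr.get("resource_type") != "IPAddressExpression":
            continue
        if any(ip_in_entry(ip, e) for e in expr.get("ip_addresses", [])):
            return True
    return False


def false_positive_associations(ip, associations, groups):
    """Association entries whose group does not actually contain ip; the
    symptom in this article is that this list is non-empty."""
    return [a for a in associations
            if not group_contains_ip(ip, groups[a["target_id"]])]


def groups_in_rule_query(log_line: str) -> list:
    """Group paths the search back end substituted into the RULE query
    for the searched IP (the 'ANY' token is not a group and is skipped)."""
    return sorted(set(GROUP_PATH_RE.findall(log_line)))


def suspect_groups_in_query(ip, log_line, groups):
    """Group paths present in the RULE query that do not contain ip; rules
    referencing these are the 'incorrect rules' shown in the UI."""
    return [p for p in groups_in_rule_query(log_line)
            if p in groups and not group_contains_ip(ip, groups[p])]


if __name__ == "__main__":
    ip = "10.17.77.7"
    for a in false_positive_associations(ip, SAMPLE_ASSOCIATIONS, SAMPLE_GROUPS):
        print("association does not contain", ip, "->", a["target_display_name"])
    for p in suspect_groups_in_query(ip, SAMPLE_RULE_QUERY_LOG, SAMPLE_GROUPS):
        print("rule query used group without", ip, "->", p)
```

Run against the article's data, the script flags the 10.17.7.77-group on both paths: it is returned by the associations API and it is one of the source_groups/destination_groups terms in the RULE query, while 10.17.77.7 is not in its IP set. Only IPAddressExpression entries are evaluated; groups built from VM membership criteria or paths need inventory data that this offline check does not have.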

Environment

VMware NSX-T Data Center 4.1.2.4 and onward.

Cause

The UI rule filter for source and/or destination IP builds its search query from the groups returned by the ip-address-group-associations API. Due to an issue in that API, it returns groups that do not actually contain the searched IP (in the example above, the 10.17.7.77 group for a search on 10.17.77.7), so the rules referencing those groups are displayed as well.

Resolution

This issue is resolved by a code fix in subsequent feature releases of NSX.

There is no workaround for this issue; it requires the code fix.

Additional Information

The rule filtering issue is cosmetic: it affects only the rule search results in the UI and the ip-address-group-associations API, and has no impact on the data plane, where rules are enforced correctly. Until the fix is applied, the IP-based rule search should not be relied on to audit which rules apply to a given IP; verify the group membership directly instead.