Duplicate Sequence Numbers in NSX Firewall Policies Preventing UI Reordering

Article ID: 378483


Products

VMware vDefend Firewall

Issue/Introduction

In NSX-T, firewall policies may not reorder as expected through the NSX Manager UI. Although the UI indicates that changes have been successfully published, the ordering remains unchanged.

Environment

VMware NSX

Cause

The issue arises due to duplicate sequence numbers in the firewall policy list. This occurs when multiple API calls to NSX Manager create new policies without specifying a unique sequence number, resulting in the same number being assigned to multiple policies. In environments where tools like vRealize Automation (VRA) are used to manage policies, this issue is common.

While NSX allows duplicate sequence numbers, the order of rule evaluation depends on the order in which policies are added and any placement configurations. When duplicate sequence numbers are present, the NSX Manager UI may fail to reorder policies correctly, even though it displays the sequence as updated.

Resolution

The issue can be resolved by updating the sequence numbers through the NSX Manager API:

  1. Retrieve Current Policy List:

    GET https://<NSX-Manager>/policy/api/v1/infra/domains/default/security-policies
     
    If this output shows no duplicate sequence numbers and you want to reorder a firewall policy, use the following API to update that policy's sequence number; with unique sequence numbers this reorders the policy successfully.

  2. Update Sequence Number for Specific Policy:

    PATCH https://<NSX-Manager>/policy/api/v1/infra/domains/default/security-policies/<policy-id>

    JSON Body:

    { "resource_type": "SecurityPolicy", "sequence_number": 5 }

    If the GET output does show duplicate sequence numbers, use the following POST API to revise and update the sequence numbers instead.

  3. Revise and Update Sequence Numbers: The following API call revises and updates the sequence numbers of all policies (TEST_POLICY is the ID of the policy being placed at the top):

    POST https://<NSX-Manager>/policy/api/v1/infra/domains/default/security-policies/TEST_POLICY?action=revise&operation=insert_top

    JSON Body:

    {}

    This call renumbers the policies, which removes the duplicates and resolves the issue.
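The check a practitioner would run before choosing between step 2 and step 3, as an added Python example (this code is not from the article or from VMware): it groups the policies returned by the GET in step 1 by sequence number, reports every number shared by more than one policy, and builds the PATCH or revise request the article prescribes for each case. The response shape (a "results" list whose entries carry "id", "display_name" and "sequence_number") is assumed from the NSX Policy API; the sample policy list and the hostname are constructed.

```python
"""Find duplicate sequence numbers in NSX security policies and pick the fix path.

Standard library only. fetch_policies() talks to a real NSX Manager; the demo at
the bottom runs offline against a constructed sample.
"""
import base64
import json
import ssl
import urllib.request
from collections import defaultdict

DOMAIN = "default"  # policy domain used in the article's API paths


def fetch_policies(manager, username, password):
    """GET the security-policy list from an NSX Manager and return its 'results'.

    'manager' is the NSX Manager hostname (placeholder, e.g. nsx-manager.example).
    Basic auth is used here for brevity; the response shape is assumed from the
    NSX Policy API. Not called by the offline demo below.
    """
    url = f"https://{manager}/policy/api/v1/infra/domains/{DOMAIN}/security-policies"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp)["results"]


def find_duplicate_sequence_numbers(policies):
    """Return {sequence_number: [policy ids]} for numbers shared by >1 policy."""
    by_seq = defaultdict(list)
    for policy in policies:
        by_seq[policy["sequence_number"]].append(policy["id"])
    return {seq: ids for seq, ids in by_seq.items() if len(ids) > 1}


def plan_reorder(policies, policy_id, new_sequence_number):
    """Choose the article's fix path for moving 'policy_id'.

    No duplicates -> PATCH the policy with a new sequence_number (step 2).
    Duplicates    -> POST ?action=revise&operation=insert_top (step 3), which
                     renumbers all policies; its body is an empty JSON object.
    Returns (method, path, body) so the request can be reviewed before sending.
    """
    base = f"/policy/api/v1/infra/domains/{DOMAIN}/security-policies/{policy_id}"
    if find_duplicate_sequence_numbers(policies):
        return ("POST", base + "?action=revise&operation=insert_top", {})
    body = {"resource_type": "SecurityPolicy", "sequence_number": new_sequence_number}
    return ("PATCH", base, body)


# Constructed sample of a GET response's "results": two policies created by
# automation without an explicit sequence_number both received 10.
SAMPLE_POLICIES = [
    {"id": "infra-policy", "display_name": "Infrastructure", "sequence_number": 0},
    {"id": "app-a-policy", "display_name": "App A", "sequence_number": 10},
    {"id": "app-b-policy", "display_name": "App B", "sequence_number": 10},
    {"id": "catch-all-policy", "display_name": "Catch-all", "sequence_number": 1000000},
]

if __name__ == "__main__":
    for seq, ids in sorted(find_duplicate_sequence_numbers(SAMPLE_POLICIES).items()):
        print(f"sequence_number {seq} is shared by: {', '.join(ids)}")
    method, path, body = plan_reorder(SAMPLE_POLICIES, "app-b-policy", 5)
    print(method, path, json.dumps(body))
```

Run the duplicate check against the live GET output first; if it returns an empty dict, the UI reordering problem described here is not the cause and the PATCH in step 2 is sufficient.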

Note: This is due to a bug in the code, and a fix is scheduled for the next NSX release (NSX 9.0).