Traffic passing through a vDefend Gateway Firewall whose rules use address sets containing overlapping subnets may hit an incorrect firewall rule. Depending on which rule is hit, traffic may be passed or dropped unexpectedly.
The following features are impacted by this issue:
In the Edge CLI example below, taken from a firewall interface, traffic from source IP 10.0.0.3 to any destination IP outside {10.0.0.0/21, 10.0.2.0/23} is expected to hit firewall rule ID 17420, but instead hits rule ID 17412. Note that 10.0.2.0/23 (10.0.2.0 to 10.0.3.255) lies entirely within 10.0.0.0/21 (10.0.0.0 to 10.0.7.255), so the address set on rule 17412 contains overlapping subnets.
nsx-edge> get firewall 16cea0ab-c977-dead-beaf-3772436ad972 ruleset rules
Wed Dec 16 2020 PST 17:43:53.047
Firewall rule count: 3
Rule ID : 17412
Rule : inout protocol any stateless from addrset {10.0.0.0/21, 10.0.2.0/23} to addrset {10.0.0.0/21, 10.0.2.0/23} reject with log
Rule ID : 17420
Rule : inout protocol any from ip 10.0.0.0/8 to any accept with log
Rule ID : 1004
Rule : inout protocol any from any to any accept
To confirm that traffic is hitting the incorrect rule, enable rule logging on the rules involved and check /var/log/firewallpkt.log on the NSX Edge while the issue is occurring; the logged rule ID shows which rule the traffic actually matched.
NOTE: The preceding log excerpts are only examples. Date, time and environmental variables may vary depending on your environment.
Impacted versions: NSX 4.2.1 and NSX 4.2.1.1
When overlapping subnets are configured in the address sets of a Gateway Firewall rule, the internal rule-matching function may, depending on the octet values of the traffic IP address, match an incorrect rule.
This issue is resolved in NSX 4.2.1.2 and later releases.
Workaround:
Do not use subnets in the address sets of Gateway Firewall rules on the impacted versions.
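As an added example (not code from this KB article or from VMware/Broadcom), the following Python script parses the "get firewall ... ruleset rules" output shown above, computes which rule a given flow should hit under first-match semantics, compares that against the rule ID observed in the packet log, and flags any rule whose address set contains overlapping prefixes, which is the trigger condition described in the cause. It assumes the CLI lists rules in evaluation order (top to bottom, first match wins) and that rule lines follow the format of the excerpt; the ruleset text is constructed from the excerpt above and the flow endpoints are assumed values.

```python
import ipaddress
import re

# Constructed sample: the rule lines from the CLI excerpt above (format assumed
# to be "Rule ID : <n>" followed by "Rule : <spec>", in evaluation order).
SAMPLE_RULESET = """\
Rule ID : 17412
Rule : inout protocol any stateless from addrset {10.0.0.0/21, 10.0.2.0/23} to addrset {10.0.0.0/21, 10.0.2.0/23} reject with log
Rule ID : 17420
Rule : inout protocol any from ip 10.0.0.0/8 to any accept with log
Rule ID : 1004
Rule : inout protocol any from any to any accept
"""

# Matches the "from X to Y <action>" part of a rule line.
RULE_RE = re.compile(
    r"from (?P<src>any|ip \S+|addrset \{[^}]*\}) "
    r"to (?P<dst>any|ip \S+|addrset \{[^}]*\}) "
    r"(?P<action>accept|reject|drop)"
)


def parse_match_field(field):
    """Turn 'any' / 'ip X' / 'addrset {A, B}' into a list of networks (None means any)."""
    if field == "any":
        return None
    if field.startswith("ip "):
        return [ipaddress.ip_network(field[3:], strict=False)]
    inner = field[len("addrset {"):-1]
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in inner.split(",") if p.strip()]


def parse_ruleset(text):
    """Parse CLI ruleset output into an ordered list of rule dicts."""
    rules, rule_id = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Rule ID :"):
            rule_id = int(line.split(":", 1)[1])
        elif line.startswith("Rule :") and rule_id is not None:
            m = RULE_RE.search(line)
            if not m:
                raise ValueError("unrecognised rule line: %s" % line)
            rules.append({"id": rule_id,
                          "src": parse_match_field(m["src"]),
                          "dst": parse_match_field(m["dst"]),
                          "action": m["action"]})
            rule_id = None
    return rules


def field_matches(nets, ip):
    return nets is None or any(ip in n for n in nets)


def expected_rule(rules, src_ip, dst_ip):
    """Rule the flow should hit under first-match semantics: (rule_id, action)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if field_matches(r["src"], src) and field_matches(r["dst"], dst):
            return r["id"], r["action"]
    return None


def verify_observed(rules, src_ip, dst_ip, observed_rule_id):
    """Compare the expected rule with the rule ID seen in firewallpkt.log."""
    exp_id = expected_rule(rules, src_ip, dst_ip)[0]
    return exp_id, observed_rule_id, exp_id == observed_rule_id


def overlapping_entries(nets):
    """Pairs of prefixes within one address set that overlap each other."""
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


def rules_at_risk(rules):
    """Rule IDs whose src or dst address set contains overlapping prefixes."""
    risky = {}
    for r in rules:
        for side in ("src", "dst"):
            nets = r[side]
            if nets and len(nets) > 1:
                ov = overlapping_entries(nets)
                if ov:
                    risky.setdefault(r["id"], []).append((side, ov))
    return risky


if __name__ == "__main__":
    rules = parse_ruleset(SAMPLE_RULESET)
    # Assumed flow: source from the KB example, destination outside both prefixes.
    print("expected:", expected_rule(rules, "10.0.0.3", "10.1.0.5"))
    # Observed rule ID 17412 is the symptom described in the article.
    print("check:", verify_observed(rules, "10.0.0.3", "10.1.0.5", 17412))
    print("rules with overlapping address-set entries:", rules_at_risk(rules))
```

Run the audit part against every gateway firewall ruleset on an impacted Edge before upgrading; any rule reported by rules_at_risk is a candidate for the mismatch and should have its address set split into non-overlapping entries or replaced per the workaround.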