NSX UI reporting rules are deactivated and DFW is turned off
search cancel

NSX UI reporting rules are deactivated and DFW is turned off

book

Article ID: 385481

calendar_today

Updated On:

Products

VMware vDefend Firewall VMware NSX

Issue/Introduction

  • NSX reports "Distributed Firewall is turned off. All rules, including those containing groups with identity entities, will not be enforced.":

  • DFW Rules status shows as "Deactivated"  or "Unknown":

  • Distributed Firewall Service toggle is "Off" under the settings tab for Distributed Firewall 
  • The following error seen under Distributed Firewall settings : Could not resolve subtype of [simple type, class DfwFirewallConfiguration]: missing type id property 'resource_type'(Error code: 220):

  • Running the follow API call: GET  https://NSX-Manager-IP/api/v1/infra/settings/firewall/security , the field 'enable_firewall' is set to true:

enable_firewall = true

Environment

 VMWare NSX 4.2.0.1

Cause

The cause is that search indexes are not completed. Because of this the NSX UI mistakenly reports the Disturbed Firewall as off and the rules are "Unknown" or "Deactivated".

Resolution

Run the following command on each NSX Manager one at a time in admin mode:

start search resync all

Note: This command does not impact the data plane or the NSX infrastructure. 

 

Workaround

Toggle Auto Draft in Distributed Firewall settings off and back on.

Note: This will only temporarily fix the issue, please run the above command to fix it permanently.  

Additional Information

This issue does not impact the DFW on the management plane. Hosts will process rules (Deny, Drop or Allow) as normal. There is no data plane impact on the environment, this is purely an NSX UI issue.

In the API Call:  GET https://NSX-Manager-IP/api/v1/infra/settings/firewall/security , the field 'enable_firewall' ensures the firewall is enabled. 

Powered by Wolken Software