When IDS/IPS rules are applied through the Distributed Firewall (DFW) in an NSX Application Platform (NAPP) deployment, traffic between the NAPP Kubernetes pods stops flowing. NAPP then enters a degraded state, and the NAPP UI reports error code 403.
Affected version: NAPP 4.2
The issue arises because the VXLAN/Geneve-encapsulated overlay traffic of the Tanzu workloads that host NAPP is mishandled when it is redirected through the Intrusion Detection and Prevention System (IDPS). The root cause is that the checksum (CSUM) and TCP Segmentation Offload (TSO) attributes of the encapsulated frames are not preserved across the IDPS service hop, so the inner traffic fails once it has passed through inspection.
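To make the root cause concrete, the following is an added example (not from the VMware KB and not NSX code) that parses a Geneve-encapsulated frame down to the inner TCP segment and verifies its checksum the way a receiving stack does. It assumes the general checksum-offload convention of host stacks such as Linux, which the KB does not spell out: with offload enabled, the sender leaves only the pseudo-header partial sum in the TCP checksum field and expects the NIC to finish it, so a frame whose offload attribute was lost at a service hop carries that unfinished value on the wire and fails verification at the receiver. The pod and TEP addresses, VNI and payload are constructed for the example; nothing here is captured from a NAPP environment.

```python
import struct

# Added example: verify inner TCP checksums inside Geneve frames. All packets below are constructed.
GENEVE_UDP_PORT = 6081
ETHERTYPE_IPV4 = 0x0800
GENEVE_PROTO_ETHERNET = 0x6558  # Transparent Ethernet Bridging
IPPROTO_TCP, IPPROTO_UDP = 6, 17

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit one's-complement sum, folded but not inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_pseudo_header(src_ip: bytes, dst_ip: bytes, tcp_len: int) -> bytes:
    return src_ip + dst_ip + struct.pack("!BBH", 0, IPPROTO_TCP, tcp_len)

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Finished checksum; `segment` must carry 0 in its checksum field."""
    return (~ones_complement_sum(tcp_pseudo_header(src_ip, dst_ip, len(segment)) + segment)) & 0xFFFF

def tcp_offload_seed(src_ip: bytes, dst_ip: bytes, tcp_len: int) -> int:
    """Assumed offload convention: the stack leaves only the pseudo-header sum for the NIC to finish."""
    return ones_complement_sum(tcp_pseudo_header(src_ip, dst_ip, tcp_len))

def build_tcp_segment(sport: int, dport: int, payload: bytes, checksum: int) -> bytes:
    # seq, ack, data offset 5 words, flags PSH|ACK, window, checksum, urgent pointer
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 65535, checksum, 0) + payload

def build_ipv4(src_ip: bytes, dst_ip: bytes, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0, src_ip, dst_ip)
    return hdr[:10] + struct.pack("!H", (~ones_complement_sum(hdr)) & 0xFFFF) + hdr[12:] + payload

def build_geneve_packet(outer_src: bytes, outer_dst: bytes, vni: int, inner_frame: bytes) -> bytes:
    # Geneve base header: ver=0/optlen=0, flags=0, protocol type, VNI in the top 24 bits
    geneve = struct.pack("!BBHI", 0, 0, GENEVE_PROTO_ETHERNET, vni << 8) + inner_frame
    udp = struct.pack("!HHHH", 49152, GENEVE_UDP_PORT, 8 + len(geneve), 0) + geneve  # outer UDP csum omitted
    return build_ipv4(outer_src, outer_dst, IPPROTO_UDP, udp)

def verify_geneve_inner_tcp(packet: bytes) -> dict:
    """Parse outer IPv4/UDP/Geneve and inner Ethernet/IPv4/TCP, then verify the inner TCP checksum."""
    if packet[0] >> 4 != 4 or packet[9] != IPPROTO_UDP:
        raise ValueError("outer packet is not IPv4/UDP")
    udp = packet[(packet[0] & 0x0F) * 4:]
    if struct.unpack("!H", udp[2:4])[0] != GENEVE_UDP_PORT:
        raise ValueError("not Geneve (UDP/6081)")
    ver_optlen, _flags, proto, vni_field = struct.unpack("!BBHI", udp[8:16])
    if ver_optlen >> 6 != 0 or proto != GENEVE_PROTO_ETHERNET:
        raise ValueError("unsupported Geneve version or protocol type")
    eth = udp[16 + (ver_optlen & 0x3F) * 4:]  # skip variable-length Geneve options
    if struct.unpack("!H", eth[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("inner frame is not IPv4")
    ip = eth[14:]
    if ip[9] != IPPROTO_TCP:
        raise ValueError("inner packet is not TCP")
    total_len = struct.unpack("!H", ip[2:4])[0]
    src_ip, dst_ip = ip[12:16], ip[16:20]
    segment = ip[(ip[0] & 0x0F) * 4:total_len]
    field = struct.unpack("!H", segment[16:18])[0]
    # Receiver check: summing pseudo-header plus the whole segment (checksum included) gives 0xFFFF when valid
    ok = ones_complement_sum(tcp_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF
    return {
        "vni": vni_field >> 8,
        "inner_src": "%d.%d.%d.%d" % tuple(src_ip),
        "inner_dst": "%d.%d.%d.%d" % tuple(dst_ip),
        "inner_dst_port": struct.unpack("!H", segment[2:4])[0],
        "checksum_ok": ok,
        # An unfinished offload leaves exactly the pseudo-header partial sum in the field
        "offload_pending": not ok and field == tcp_offload_seed(src_ip, dst_ip, len(segment)),
    }

# Constructed sample data (invented pod IPs, TEP IPs, VNI and payload; not from any real capture)
INNER_SRC, INNER_DST = bytes([10, 244, 1, 10]), bytes([10, 244, 2, 20])
OUTER_SRC, OUTER_DST = bytes([192, 168, 50, 11]), bytes([192, 168, 50, 12])
PAYLOAD = b"GET /healthz HTTP/1.1\r\nHost: napp\r\n\r\n"

def make_sample(checksum_finished: bool) -> bytes:
    """Geneve frame whose inner TCP checksum is either complete or left for a NIC that never saw it."""
    blank = build_tcp_segment(40000, 443, PAYLOAD, 0)
    csum = (tcp_checksum(INNER_SRC, INNER_DST, blank) if checksum_finished
            else tcp_offload_seed(INNER_SRC, INNER_DST, len(blank)))
    inner_ip = build_ipv4(INNER_SRC, INNER_DST, IPPROTO_TCP, build_tcp_segment(40000, 443, PAYLOAD, csum))
    inner_eth = bytes.fromhex("02aabbccdd02") + bytes.fromhex("02aabbccdd01") + struct.pack("!H", ETHERTYPE_IPV4) + inner_ip
    return build_geneve_packet(OUTER_SRC, OUTER_DST, 0xA1B2, inner_eth)

if __name__ == "__main__":
    for label, finished in (("offload finished", True), ("offload attribute lost", False)):
        print(label, verify_geneve_inner_tcp(make_sample(finished)))
```

Run against Geneve frames (UDP/6081) captured on the TEP uplink after the IDPS hop: inner segments that fail with `offload_pending` set are the signature of a lost CSUM attribute. A lost TSO attribute shows up differently, as inner segments larger than the MTU carrying the same unfinished checksum, which this example does not model.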
Workaround: add the NAPP workload and management virtual machines to the Distributed Firewall (DFW) exclusion list so that their traffic bypasses DFW processing, and with it the IDPS redirect. Once they are excluded, the NAPP dashboard loads and the application functions correctly again. Alternatively, narrow the IDS rules so that these flows are not matched, which keeps the IDPS service from being applied to them while leaving the rest of the DFW policy in effect. Note that excluding a VM from the DFW removes all distributed firewall enforcement for it, not only IDS/IPS, so limit the exclusion to the NAPP cluster VMs.