DNAT and SNAT rules logging when those rules are set to logging disabled

Article ID: 393947

Products

VMware NSX VMware vDefend Firewall

Issue/Introduction

  • NSX UI > Networking > NAT > DNAT rule: logging for the rule is set to No.
  • Entries for that DNAT traffic still appear in /var/log/firewallpkt.log even though logging for the DNAT rule above is set to No.
  • Example:
    • 20##-##-##T20:48:32.258Z nsx-edge-421-03 NSX 2626563 FIREWALL [nsx@6876 comp="nsx-edge" subcomp="datapathd" s2comp="firewallpkt" level="INFO"] <3 a1861d0f17914a07:a679527a56353660> INET reason-match PASS 11252 IN 60 TCP ##.##.##.#/37894->##.##.##.#/22 S
  • A corresponding entry is also observed in /var/log/syslog:
    • 2025-04-01T20:50:35.314Z nsx-edge-421-03 NSX 2626563 SYSTEM [nsx@6876 comp="nsx-edge" subcomp="datapathd" s2comp="unified-logs" tname="dp-fw-purge9" level="INFO"] {"event_type": "fw-flow-terminate-log", "event_trigger": ["fw-rule-log"], "origin": {"fw_type": "gateway", "fw_uuid": "UUID###-f82b-4db3-7681-###########", "node_uuid": "UUID####-ef11-699d-5000-#########"}, "flow": {"start": "20##-##-##T20:48:32.000Z", "end": "20##-##-##T20:50:35.000Z", "ip_ver": "ipv4", "flow_id": "0x260f002cbd790002", "src_ip": "##.##.##.#", "src_port": 37894, "dest_ip": "##.##.##.#", "dest_port": 22, "proto": "TCP", "tcp_flags": "FRW", "bytes_toserver": 3496, "bytes_toclient": 7848, "pkts_toserver": 23, "pkts_toclient": 29, "reason": "FIN-close", "final_action": "PASS"}, "fw": {"action": "PASS", "rule_id": 11252, "direction": "", "rule_tag": ""}, "http": {"http_method": "", "hostname": "", "url": "", "scheme": "", "http_user_agent": "", "status": "", "site_category": "", "site_reputation": "UNKNOWN"}, "app_id": {"app": ""}}

Environment

NSX 3.2.x
NSX 4.2.x

Cause

  • This is caused by a corresponding Gateway Firewall rule that has logging enabled, matches the same flow, and is applied to the same interface as the DNAT/SNAT rule; the log entries come from that firewall rule rather than from the NAT rule.
  • Confirm this correspondence by logging in to the Edge and running the command 'get firewall <UUID> connection'.
  • The example below shows a live flow; the firewall rule id is paired with the corresponding DNAT rule id in the 'fn' field [Gateway Firewall Rule ID = 11252] & [DNAT Rule ID = 536870915]:
    • 0x020079bd2c000f26: ##.##.##.#:37894 -> ##.##.##.#:22 (##.##.##.#:22) dir in protocol tcp state ESTABLISHED:ESTABLISHED fn 11252:536870915
  • The rule settings show that rule 11252 is set to logging.

Resolution

Use the command 'get firewall <UUID> connection' to obtain a live connection flow and match its rule id to the corresponding DNAT/SNAT rule.
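The correlation described in the Cause and Resolution sections, as an added example that is not part of this article or of NSX: it parses a firewallpkt.log entry and a 'get firewall <UUID> connection' flow line in the formats quoted above, then reports which rule id emitted the log entry. The sample lines use placeholder addresses and are constructed; whether firewallpkt shows the pre- or post-translation destination is assumed unknown, so both are accepted.

```python
import re
# Constructed sample lines (placeholder addresses, not from a real Edge): one
# firewallpkt.log entry and one 'get firewall <UUID> connection' flow line.
FIREWALLPKT_LINE = (
    '2025-04-01T20:48:32.258Z nsx-edge-421-03 NSX 2626563 FIREWALL '
    '[nsx@6876 comp="nsx-edge" subcomp="datapathd" s2comp="firewallpkt" level="INFO"] '
    '<3 a1861d0f17914a07:a679527a56353660> INET reason-match PASS 11252 IN 60 TCP '
    '10.0.0.5/37894->10.0.0.9/22 S'
)
CONNECTION_LINE = (
    '0x020079bd2c000f26: 10.0.0.5:37894 -> 10.0.0.9:22 (10.0.0.9:22) dir in '
    'protocol tcp state ESTABLISHED:ESTABLISHED fn 11252:536870915'
)
# "<action> <rule_id> <dir> <len> <proto> src/sport->dst/dport" part of a firewallpkt line
PKT_RE = re.compile(
    r's2comp="firewallpkt".*?\b(?P<action>PASS|DROP|REJECT)\s+(?P<rule_id>\d+)\s+'
    r'(?P<dir>IN|OUT)\s+\d+\s+(?P<proto>\w+)\s+'
    r'(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)'
)
# "src:sport -> dst:dport (nat_dst:nat_dport) ... fn <fw_rule>:<nat_rule>" of a flow line
CONN_RE = re.compile(
    r'(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+'
    r'\((?P<nat_dst>[\d.]+):(?P<nat_dport>\d+)\).*?\bfn\s+(?P<fw_rule>\d+):(?P<nat_rule>\d+)'
)

def parse_firewallpkt(line):
    """Extract action, rule id and 5-tuple from one firewallpkt.log line (None if no match)."""
    m = PKT_RE.search(line)
    if not m:
        return None
    return {'action': m['action'], 'rule_id': int(m['rule_id']), 'src': m['src'],
            'sport': int(m['sport']), 'dst': m['dst'], 'dport': int(m['dport'])}

def parse_connection(line):
    """Extract the 5-tuple, translated destination and fn rule ids from one flow line."""
    m = CONN_RE.search(line)
    if not m:
        return None
    return {'src': m['src'], 'sport': int(m['sport']), 'dst': m['dst'], 'nat_dst': m['nat_dst'],
            'dport': int(m['dport']), 'fw_rule': int(m['fw_rule']), 'nat_rule': int(m['nat_rule'])}

def explain_log_source(pkt, conns):
    """Find the live flow behind a logged packet and report which rule id emitted the entry."""
    # Assumption: the logged dst may be the pre- or post-NAT address, so accept either.
    for c in conns:
        same_flow = (c['src'], c['sport'], c['dport']) == (pkt['src'], pkt['sport'], pkt['dport']) \
            and pkt['dst'] in (c['dst'], c['nat_dst'])
        if same_flow and c['fw_rule'] == pkt['rule_id']:
            return {'logged_by': 'gateway_firewall_rule', 'fw_rule': c['fw_rule'], 'nat_rule': c['nat_rule']}
    return {'logged_by': 'unmatched', 'fw_rule': pkt['rule_id'], 'nat_rule': None}
```

A result of 'gateway_firewall_rule' with the expected nat_rule confirms the firewallpkt entry was produced by the logging-enabled firewall rule paired with the NAT rule in the 'fn' field, not by the NAT rule itself.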

Additional Information

Troubleshooting, Logging information, and Commands for Edge Firewall: follow the steps in that article to get the proper UUID for the command 'get firewall <UUID> connection'.
Troubleshooting Gateway Firewall