Distributed Firewall Rule is applied to different VMs than are specified in the Applied To group.


Article ID: 395504


Products

VMware vDefend Firewall VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

A DFW (Distributed Firewall) rule is created with an Applied To group assigned, but the rule is applied to VMs outside of that group.

Environment

vDefend Firewall - All Versions

vDefend Firewall with Advanced Threat Prevention - All Versions

Cause

When an Applied To is assigned at the Policy level, it overrides the Applied To settings on the individual rules in that policy. This causes confusion when a different group is assigned to the Applied To on an individual rule, because that rule-level group is ignored.

See the NSX Manual.  https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/4-1/administration-guide/security/distributed-firewall/add-a-distributed-firewall.html

Resolution

To prevent the confusion, there are two options:

  1. Set the individual rules to the default "DFW" Applied To setting
  2. Ensure all individual Rules have the same Applied To as the Policy level.
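As an added illustration (not part of this article and not VMware code), the following script models the precedence described above and flags rules whose own Applied To is silently overridden by the policy-level Applied To. It assumes the NSX Policy API's SecurityPolicy shape, where the policy and each rule carry a `scope` list of group paths and the default "DFW" Applied To is represented as `["ANY"]`; the sample policy is constructed.

```python
"""Audit a DFW security policy for rule-level Applied To values that the
policy-level Applied To overrides (assumed NSX Policy API field names)."""

# Assumed representation of the default "DFW" Applied To in the Policy API.
DEFAULT_SCOPE = ["ANY"]


def effective_scope(policy_scope, rule_scope):
    """Return the Applied To that actually governs a rule.

    A non-default Applied To on the policy wins; only when the policy is left
    at the default does the rule's own Applied To take effect.
    """
    if policy_scope and policy_scope != DEFAULT_SCOPE:
        return list(policy_scope)
    return list(rule_scope) if rule_scope else list(DEFAULT_SCOPE)


def find_overridden_rules(policy):
    """List rules whose configured Applied To is non-default and is ignored
    because the policy-level Applied To differs from it."""
    policy_scope = policy.get("scope") or DEFAULT_SCOPE
    findings = []
    for rule in policy.get("rules", []):
        rule_scope = rule.get("scope") or DEFAULT_SCOPE
        effective = effective_scope(policy_scope, rule_scope)
        if rule_scope != DEFAULT_SCOPE and effective != rule_scope:
            findings.append({"rule": rule["id"],
                             "configured": rule_scope,
                             "effective": effective})
    return findings


# Constructed sample: policy Applied To is the web-servers group, rules mix
# matching, conflicting and default Applied To values.
SAMPLE_POLICY = {
    "id": "web-tier-policy",
    "scope": ["/infra/domains/default/groups/web-servers"],
    "rules": [
        {"id": "allow-http", "scope": ["/infra/domains/default/groups/web-servers"]},
        {"id": "allow-db", "scope": ["/infra/domains/default/groups/db-servers"]},
        {"id": "deny-all", "scope": ["ANY"]},
    ],
}

if __name__ == "__main__":
    for f in find_overridden_rules(SAMPLE_POLICY):
        print(f"rule {f['rule']}: configured {f['configured']}, "
              f"actually applied to {f['effective']}")
```

Only `allow-db` is reported: its Applied To names a different group than the policy and is therefore ignored, while `allow-http` (same group) and `deny-all` (default DFW) behave as the resolution options describe.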