Patch without tcp_strict attribute on existing Stateful firewall policy section is setting it to null
Article ID: 397473


Products

VMware vDefend Firewall

Issue/Introduction

When a stateful firewall policy is updated with the API's PATCH method without specifying tcp_strict, the TCP Strict setting is set to null.
As a result, the TCP Strict function is unintentionally disabled.

Note:
By default, during policy creation tcp_strict is set to true if the policy is stateful ("stateful": true) and to false if the policy is not stateful ("stateful": false).


For example:

1. When creating a stateful firewall policy with PUT, tcp_strict = true is set automatically, even if the tcp_strict attribute is not explicitly specified.

PUT https://{ip address}/policy/api/v1/infra/domains/default/gateway-policies/rule001
{
    "resource_type": "GatewayPolicy",
    "category": "LocalGatewayRules",
    "rules": [
        {
            "resource_type": "Rule",
            "description": "test01rule",
            "display_name": "test01rule",
            "source_groups": [
                "ANY"
            ],
            "destination_groups": [
                "ANY"
            ],
            "services": [
                "/infra/services/DNS",
                "/infra/services/DNS-UDP",
                "/infra/services/HTTP",
                "/infra/services/HTTPS",
                "/infra/services/ICMPv4-ALL"
            ],
            "scope": [
                "/infra/tier-1s/T1-Gateway-01"
            ],
            "direction": "IN_OUT",
            "disabled": "False",
            "ip_protocol": "IPV4",
            "logged": "False",
            "action": "ALLOW"
        }
    ]
}

This PUT creates a gateway policy with TCP Strict = true even though the parameter was not explicitly specified.

GET result:

    "resource_type": "GatewayPolicy",
    "id": "rule003",
    "display_name": "rule001",
    "path": "/infra/domains/default/gateway-policies/rule001",
    "relative_path": "rule001",
    "parent_path": "/infra/domains/default",
    "remote_path": "",
    "unique_id": "d36034ea-e126-4420-bff2-a7dda647b049",
    "realization_id": "d36034ea-e126-4420-bff2-a7dda647b049",
    "owner_id": "31b5e55d-ccc8-4e16-b0fa-f6e3780079ac",
    "marked_for_delete": false,
    "overridden": false,
    "sequence_number": 0,
    "internal_sequence_number": 50000000,
    "category": "LocalGatewayRules",
    "stateful": true,
    "tcp_strict": true,          <--- tcp_strict = true is set automatically
    "locked": false,
    "lock_modified_time": 0,
    "rule_count": 1,
    "is_default": false,
    "_create_time": 1744868853057,
    "_create_user": "admin",
    "_last_modified_time": 1744871515790,
    "_last_modified_user": "admin",
    "_system_owned": false,
    "_protection": "NOT_PROTECTED",
    "_revision": 1

2. Then change some parameters and update them with PATCH. Note that the body below does not carry a tcp_strict key.

PATCH https://{ip address}/policy/api/v1/infra/domains/default/gateway-policies/rule001
{
    "resource_type": "GatewayPolicy",
    "category": "LocalGatewayRules",
    "rules": [
        {
            "resource_type": "Rule",
            "description": "test01rule",
            "display_name": "test01rule",
            "source_groups": [
                "ANY"
            ],
            "destination_groups": [
                "ANY"
            ],
            "services": [
                "ANY"
            ],
            "scope": [
                "/infra/tier-1s/T1-Gateway-01"
            ],
            "direction": "IN_OUT",
            "disabled": "False",
            "ip_protocol": "IPV4",
            "logged": "False",
            "action": "ALLOW"
        }
    ]
}


When updating with PATCH without explicitly specifying the tcp_strict attribute, this parameter is set to null and no longer appears in the GET result.

GET result:

    "resource_type": "GatewayPolicy",
    "id": "rule003",
    "display_name": "rule001",
    "path": "/infra/domains/default/gateway-policies/rule001",
    "relative_path": "rule001",
    "parent_path": "/infra/domains/default",
    "remote_path": "",
    "unique_id": "d36034ea-e126-4420-bff2-a7dda647b049",
    "realization_id": "d36034ea-e126-4420-bff2-a7dda647b049",
    "owner_id": "31b5e55d-ccc8-4e16-b0fa-f6e3780079ac",
    "marked_for_delete": false,
    "overridden": false,
    "sequence_number": 0,
    "internal_sequence_number": 50000000,
    "category": "LocalGatewayRules",
                                 <----- tcp_strict is set to null (the key is gone)
    "stateful": true,
    "locked": false,
    "lock_modified_time": 0,
    "rule_count": 1,
    "is_default": false,
    "_create_time": 1744868853057,
    "_create_user": "admin",
    "_last_modified_time": 1744871515790,
    "_last_modified_user": "admin",
    "_system_owned": false,
    "_protection": "NOT_PROTECTED",
    "_revision": 1


Environment

NSX Transformers
This issue applies to both Gateway Firewall rules and Distributed Firewall rules.



Cause

During the config update process, if tcp_strict is not explicitly specified for a stateful policy, the parameter is inadvertently removed.

Resolution

This issue will be fixed in VCF 9.1.

The following two workarounds are available.

1. When updating the stateful firewall policy with PATCH, explicitly specify "tcp_strict": true in the body and then publish the change.
2. From the NSX Manager UI, enable TCP Strict for the target stateful firewall policy and reapply the policy.
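Workaround 1 automated, plus a post-change audit, as an added example that is not part of this article or of any NSX tooling: harden_patch_body() copies tcp_strict from the current GET result into a PATCH body whenever the policy is stateful (falling back to the creation default, true, if the value is already missing), and audit_tcp_strict() flags stateful policies whose tcp_strict has become null. The policy and PATCH dicts are constructed samples shaped like the JSON above; sending the request to NSX is left to the caller.

```python
import copy
import json

# Constructed sample shaped like the GET result above (trimmed to the fields
# that matter here); not a real NSX response.
POLICY_BEFORE = {
    "resource_type": "GatewayPolicy",
    "path": "/infra/domains/default/gateway-policies/rule001",
    "category": "LocalGatewayRules",
    "stateful": True,
    "tcp_strict": True,
    "_revision": 1,
}

# Constructed PATCH body like the one above: it carries no tcp_strict key.
PATCH_BODY = {
    "resource_type": "GatewayPolicy",
    "category": "LocalGatewayRules",
    "rules": [{"resource_type": "Rule", "display_name": "test01rule",
               "services": ["ANY"], "action": "ALLOW"}],
}


def harden_patch_body(current, patch_body):
    """Return a copy of patch_body with tcp_strict set explicitly when the
    policy is stateful, so the PATCH cannot null it out.

    current: the policy as returned by GET before the change.
    A boolean already realized on the policy is preserved; a missing or null
    value falls back to the stateful creation default (true).
    """
    body = copy.deepcopy(patch_body)
    stateful = body.get("stateful", current.get("stateful", False))
    if stateful and body.get("tcp_strict") is None:
        prior = current.get("tcp_strict")
        body["tcp_strict"] = prior if isinstance(prior, bool) else True
    return body


def audit_tcp_strict(policies):
    """Post-change check over GET results: paths of stateful policies whose
    tcp_strict is missing or null, i.e. TCP Strict silently disabled."""
    return [p["path"] for p in policies
            if p.get("stateful") and p.get("tcp_strict") is None]


if __name__ == "__main__":
    print(json.dumps(harden_patch_body(POLICY_BEFORE, PATCH_BODY), indent=2))
    print("regressed:", audit_tcp_strict([dict(POLICY_BEFORE, tcp_strict=None)]))
```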