DFW rule delete is failing following the revise action on the Policy.


Article ID: 398656


Products

VMware vDefend Firewall

Issue/Introduction

You create DFW policies and rules via the Policy API in the sequence of first applying a policy scoped to a group and then adding rules to it, but you hit a version mismatch error when deleting a rule.

Error: The policy object Security Policy OR Gateway Policy ‘Test’ used in this operation, has a different version (1) than the current system version (2). Fetch the latest copy of the object and retry operation. (Error code: 500071)


PUT https://<Manager_ip>/policy/api/v1/infra/domains/default/security-policies/Test
{
  "display_name": "Test",
  "scope": ["/infra/domains/default/groups/vm_abc"],
  "rules": [
      {
          "display_name": "Keep_Rule",
          "source_groups": ["/infra/domains/default/groups/vm_abc"],
          "logged": false,
          "destination_groups": ["/infra/domains/default/groups/vm_abc"],
          "scope": ["ANY"],
          "action": "ALLOW",
          "services": ["ANY"]
      }
  ]
}

POST https://<Manager_ip>/policy/api/v1/infra/domains/default/security-policies/Test/rules/Delete_DFW_rule?action=revise&operation=insert_bottom
{
    "display_name": "Delete_DFW_rule",
    "source_groups": ["/infra/domains/default/groups/vm_abc"],
    "logged": false,
    "destination_groups": ["/infra/domains/default/groups/vm_abc"],
    "scope": ["ANY"],
    "action": "DROP",
    "services": ["ANY"]
}

Later, you reposition this policy to the bottom using the revise API:
POST https://<Manager_ip>/policy/api/v1/infra/domains/default/security-policies/Test?action=revise&operation=insert_bottom

Although the created policy and rules are visible in the UI, attempting to delete a rule from the repositioned policy results in the error: "Has a different version (1) than the current system version (2). Fetch the latest copy of the object and retry operation." (Error code: 500071).

Environment

NSX 4.2.1

NSX 4.2.2

Cause

We have observed that when using the API call: /infra/domains/default/security-policies/<Policy-ID>?action=revise&operation=insert_bottom on a policy that has both a Group as a scope and associated rules, the TargetType is being cleared (set to null) in the backend database.

As a result, when attempting to delete a rule from this policy, the deletion itself succeeds. However, a subsequent internal operation tries to update the TargetType of the policy, which fails due to the TargetType being null. At this point, the policy revision number is incremented, leading to a version mismatch error on further operations.


2025-05-14T08:43:43.540Z DEBUG FirewallServiceUtils POLICY [nsx@6876 comp="nsx-manager" level="DEBUG" subcomp="manager"]
Existing target type is null and deduced targetType is [DFW] for map /infra/domains/default/security-policies/New_Policy-hVaOc599Pl and group /infra/domains/default/groups/vm_abc

This issue does not occur if any other operation (e.g., updating a rule or enabling logging) is performed on the policy prior to the deletion.

Resolution

Workaround: edit the rule by enabling logging and publish the change. After that, you should be able to delete the rule without encountering the version mismatch error.
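The workaround as an added example (not code from the KB or from VMware): a small client that PATCHes the rule with logging enabled before the DELETE, run against a constructed stand-in for NSX Manager that reproduces the behaviour described above so it works offline. The `send(method, path, body)` transport, the `FakeNsx` model and the `delete_rule` helper are assumptions; the API paths and error code 500071 are the ones quoted in this article.

```python
# Added example (not from the KB): a small client applying the KB's workaround
# (PATCH the rule with logging enabled, then DELETE) against a constructed
# stand-in for NSX Manager that reproduces the described behaviour offline.
# `send(method, path, body)` is an assumed transport returning (status, json);
# a real one would issue the same paths to https://<Manager_ip>/policy/api/v1.
VERSION_MISMATCH = 500071  # error code quoted in the KB
BASE = "/infra/domains/default/security-policies"

class FakeNsx:
    """Constructed model: after a revise, the first DELETE on an otherwise
    untouched policy fails with 500071 and bumps the policy revision."""
    def __init__(self, rules):
        self.rules = {r["display_name"]: dict(r) for r in rules}
        self.revision = 1
        self.touched_since_revise = True

    def revise_policy(self):  # POST .../security-policies/<id>?action=revise
        self.touched_since_revise = False

    def send(self, method, path, body=None):
        rule_id = path.rsplit("/", 1)[1]
        if method == "GET":
            return 200, dict(self.rules[rule_id], _revision=self.revision)
        if method == "PATCH":  # any rule update re-deduces the TargetType
            self.rules[rule_id].update(body)
            self.touched_since_revise = True
            return 200, {}
        if method == "DELETE":
            if not self.touched_since_revise:
                self.revision += 1  # the revision bump the KB describes
                return 500, {"error_code": VERSION_MISMATCH}
            del self.rules[rule_id]
            return 200, {}
        return 405, {}

def delete_rule(send, policy_id, rule_id, apply_workaround):
    """DELETE a rule, optionally after the KB workaround; returns (status, body)."""
    path = f"{BASE}/{policy_id}/rules/{rule_id}"
    if apply_workaround:
        status, rule = send("GET", path)
        if status != 200:
            return status, rule
        rule["logged"] = True  # enable logging and publish
        status, body = send("PATCH", path, rule)
        if status != 200:
            return status, body
    return send("DELETE", path)

def is_version_mismatch(status, body):
    return status >= 400 and body.get("error_code") == VERSION_MISMATCH
```

Against a freshly revised policy the plain DELETE returns error code 500071 and leaves the rule in place, while the same DELETE preceded by the logging PATCH succeeds.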

Fix: This issue will be fixed in a future release.