"Edit Rules" or "Rearrange" buttons are greyed out in Tenant Portal when using DCG Distributed Firewall or Edge Gateway Firewall

Article ID: 401636

Products

VMware Cloud Director

Issue/Introduction

  • Issue observed in the VMware Cloud Director (VCD) Tenant Portal when using Data Center Groups (DCG) Distributed Firewall (DFW) or Edge Gateway Firewall.

  • Firewall rule rows are not visible in the UI.

  • The Edit Rules or Rearrange buttons are greyed out in the Tenant Portal when using DCG Distributed Firewall or Edge Gateway Firewall.

  • The DCG Distributed Firewall or Edge Gateway Firewall has more than 100 rules present.

  • Cannot edit the Default firewall rule.

Environment

  • VMware Cloud Director 10.5.x
  • VMware Cloud Director 10.6.x

Cause

This is a known issue: the VCD Tenant Portal has a hard-coded UI limitation under which only the first 100 firewall rules are manageable. Once this limit is exceeded, the Edit Rules button becomes unresponsive, even though all rules remain enforced at the NSX-T level.

Resolution

This issue is resolved in VMware Cloud Director 10.6.1 and later, as stated in the VMware Cloud Director 10.6.1 Release Notes.
After upgrading to 10.6.1 or later, the Edit Rules or Rearrange buttons remain greyed out; however, the upgrade removes the 100-rule limitation and introduces the following enhancements:

  1. A Position field when creating or editing an Edge Gateway Firewall rule, and a Move To button in the Edge Gateway Firewall rule list, allowing users to specify exactly where the rule should be placed in the rule list.
  2. Improved pagination in the firewall rule grids, with page size options of 15, 50, 100, 200, and 400, and an input to jump directly to a specific page for easier navigation of large rule lists.

To edit all of the Firewall rules, including the Default rule, the Cloud Director API can be leveraged for DCG Distributed Firewall and Edge Gateway Firewall respectively:

DCG Distributed Firewall
GET /cloudapi/1.0.0/vdcGroups/{vdcGroupId}/dfwPolicies/default/rules
PUT /cloudapi/1.0.0/vdcGroups/{vdcGroupId}/dfwPolicies/default/rules

Edge Gateway Firewall
GET /cloudapi/2.0.0/edgeGateways/{gatewayId}/firewall/rules
PUT /cloudapi/2.0.0/edgeGateways/{gatewayId}/firewall/rules

 

Workaround (for environments running versions prior to 10.6.1)
If you are unable to upgrade immediately, follow these steps to regain UI functionality by reducing the number of firewall rules below 100:

  • Log in to NSX-T Manager as a provider admin.

  • Select the Edge Gateway and go to Firewall.

  • Identify and delete obsolete or low-priority rules to bring the total count below 100.

  • Click Publish to apply changes.

  • Refresh the Tenant Portal. The Edit Rules button should now be active again.
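
An added example (not part of the original article and not VMware code): a Python helper that takes the JSON body returned by either GET call listed under Resolution and reports how many rules must be removed to get below the 100-rule limit, listing disabled rules as the first candidates to review. The response keys (systemRules, defaultRules, userDefinedRules, values), the name and enabled fields, and the choice to count every list toward the limit are assumptions to verify against your API version; the sample data is constructed.

```python
import json

UI_RULE_LIMIT = 100  # limit stated in this article for versions before 10.6.1

# Assumed response keys: Edge Gateway responses group rules under the first
# three lists, DFW responses under "values". Verify against your API version.
RULE_LISTS = ("systemRules", "defaultRules", "userDefinedRules", "values")


def collect_rules(doc):
    """Flatten every rule list present in a GET .../rules response body."""
    rules = []
    for key in RULE_LISTS:
        rules.extend(doc.get(key) or [])  # tolerate missing or null lists
    return rules


def audit(doc, limit=UI_RULE_LIMIT):
    """Summarise rule count against the UI limit and list cleanup candidates."""
    rules = collect_rules(doc)
    total = len(rules)
    # The workaround asks for a count below the limit, i.e. at most limit - 1.
    to_remove = max(0, total - (limit - 1))
    # Heuristic (assumption): a disabled rule matches no traffic, so disabled
    # rules are the first ones to review as obsolete. Review before deleting.
    disabled = [r.get("name", "<unnamed>") for r in rules
                if r.get("enabled") is False]
    return {
        "total": total,
        "below_limit": total < limit,
        "to_remove": to_remove,
        "disabled_candidates": disabled,
        "enough_candidates": len(disabled) >= to_remove,
    }


def sample_response(n_rules, disabled_every):
    """Constructed sample shaped like an Edge Gateway response (not real data)."""
    user = [{"name": f"rule-{i}", "enabled": i % disabled_every != 0}
            for i in range(1, n_rules + 1)]
    return {"systemRules": None, "userDefinedRules": user,
            "defaultRules": [{"name": "default_rule", "enabled": True}]}


if __name__ == "__main__":
    report = audit(sample_response(n_rules=120, disabled_every=5))
    print(json.dumps(report, indent=2))
```

Save the GET response to a file and pass the parsed JSON to audit() to run it against a real rule set; the helper only reads the document and changes nothing.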