DFW Default Layer 3 policy moved in the NSX-T UI

Article ID: 404348

Updated On:

Products

VMware vDefend Firewall

Issue/Introduction

  • While checking the NSX-T UI, the user observes that the Default Layer 3 Section is no longer at the bottom of the "Application" tab.

  • Using the API GET /policy/api/v1/infra/domains/default/security-policies/default-layer3-section, the user observes that the sequence number of the default policy has changed.
    • Note that the default sequence value is "2147483647"
      • As per the design, the sequence number and/or positioning of the Default Layer 3 Section should never change.

  • The user is not able to change the Default Layer 3 Section using the POST, PUT or PATCH API, and receives the error below:

{
  "httpStatus": "BAD_REQUEST",
  "error_code": 500215,
  "module_name": "Policy",
  "error_message": "Sequence number of default policy, path=[/infra/domains/default/security-policies/default-layer3-section] cannot be modified."
}

  • The user may have used the POST API containing "revise&operation=insert_top" to create new DFW policies or regenerate sequence numbers that were previously duplicates.
    • The user may have used a similar "revise&operation" API to try and anchor policies to a specific position.

NOTE: The preceding log excerpts are only examples. Date, time and environmental variables may vary depending on your environment.

Environment

VMware vDefend Firewall 

Cause

  • As per the design in NSX-T, the user should not be able to change the positioning and/or sequence number of the Default Layer 3 Section using the UI or API.
    • By using the POST "revise&operation" API, the user has found a "loophole" to move the positioning of the policy and/or change the sequence number.

Resolution

If you notice that the sequence number of the Default Layer 3 Section has changed, please open a support request with GSS.

This issue will be resolved in future releases of VMware NSX-T.
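
To check for the condition described under Issue/Introduction, the following added example (not part of the original article and not VMware code) audits a saved security-policy list for a moved default policy. It assumes the list response has a "results" array whose entries carry "id", "category" and "sequence_number", and that policies in a category are ordered by sequence number; the sample data is constructed.

```python
import json

DEFAULT_POLICY_ID = "default-layer3-section"
DEFAULT_SEQUENCE = 2147483647  # default sequence value stated in the article

# Constructed sample in the assumed shape of a security-policy list response.
SAMPLE_RESPONSE = json.dumps({
    "results": [
        {"id": "web-tier", "category": "Application", "sequence_number": 10},
        {"id": "default-layer3-section", "category": "Application", "sequence_number": 20},
        {"id": "db-tier", "category": "Application", "sequence_number": 30},
    ]
})


def audit_default_policy(response_text):
    """Return a list of findings; an empty list means the default policy is intact."""
    policies = json.loads(response_text).get("results", [])
    default = next((p for p in policies if p.get("id") == DEFAULT_POLICY_ID), None)
    if default is None:
        return [f"{DEFAULT_POLICY_ID} not found in response"]

    findings = []
    seq = default.get("sequence_number")
    if seq != DEFAULT_SEQUENCE:
        findings.append(f"sequence_number is {seq}, expected {DEFAULT_SEQUENCE}")

    # Any same-category policy ordered at or after the default policy means the
    # default section is no longer last (assumed ordering: ascending sequence).
    threshold = seq if isinstance(seq, int) else DEFAULT_SEQUENCE
    after = sorted(
        p["id"] for p in policies
        if p is not default
        and p.get("category") == default.get("category")
        and p.get("sequence_number", 0) >= threshold
    )
    if after:
        findings.append("policies ordered at or after the default: " + ", ".join(after))
    return findings


if __name__ == "__main__":
    for finding in audit_default_policy(SAMPLE_RESPONSE):
        print("FINDING:", finding)
```

Any finding corresponds to the state for which the article says to open a support request with GSS.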