Disabled GFW rules are not realized on Edge nodes if enabled post-upgrade.
The example below shows Rule IDs 1007 and 1009 enabled and Rule IDs 1008 and 1010 disabled.
As expected, only Rule IDs 1007 and 1009 are realized on the Edge nodes:
get firewall <UUID> ruleset rules
Firewall rule count: 3
Rule ID : 1007
Rule : inout protocol tcp from any to any port 22 accept
Rule ID : 1009
Rule : inout protocol tcp from any to any port 443 accept
Rule ID : 1002
Rule : inout protocol any stateless from any to any accept
Then, disable Rule ID 1009 and enable Rule IDs 1008 and 1010. The expected behavior is that Rule IDs 1007, 1008, and 1010 are realized on the Edge nodes.
Instead, only Rule ID 1007 is realized; Rule IDs 1008 and 1010 are not realized on the Edge nodes:
get firewall <UUID> ruleset rules
Firewall rule count: 2
Rule ID : 1007
Rule : inout protocol tcp from any to any port 22 accept
Rule ID : 1002
Rule : inout protocol any stateless from any to any accept
This occurs when GFW rules were created and disabled on a release earlier than NSX 3.2.1, the same NSX infrastructure was then upgraded to 3.2.1-3.2.3, 4.0, or 4.1.0-4.1.2.1, and those GFW rules were enabled after the upgrade.
Cause: The rule enabled/disabled flag was enhanced in NSX 3.2.1. The problem is seen when rules were disabled on a release prior to 3.2.1, the environment was upgraded to 3.2.1-3.2.3, 4.0, or 4.1.0-4.1.2.1, and the rules were enabled afterwards. The upgrade to an affected release copies the value of the deprecated flag and sets the new enum. When a disabled rule is later enabled in Gateway Firewall, only the new enum is updated. However, Edge nodes still read the old deprecated flag when realizing the rule configuration, so the enabled rules are not realized on the Edge nodes.
Resolution: This issue is fixed in NSX 3.2.4, 4.1.2.2, and 4.2.x and later releases.
Notes: Rules affected by this problem that are not realized on Edge nodes will be enabled as expected automatically after upgrading NSX to a fixed version.
Workaround:
Clone the rules that are not realized on Edge nodes because of this problem, and then delete the original rules. A cloned rule is a new object whose enabled state is written using only the new flag, so it is realized on the Edge nodes.
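The following script is an added example and is not part of the KB article or of NSX itself. It serves two steps described above: it parses the output of get firewall <UUID> ruleset rules to list which rules that are enabled in the manager are missing from the Edge node's realized ruleset (the symptom shown in the output above), and it builds the payload for re-creating such a rule under a new ID with the enabled state set (the workaround). The CLI output format is taken from the article and the sample text is constructed; the clone helper assumes a Policy API style rule object with fields such as id, disabled, _revision and path, and the list of read-only fields it strips is an assumption to verify against the API reference for your release.

```python
"""Check which enabled Gateway Firewall rules are missing from an Edge node's
realized ruleset, and build a clone payload for the workaround.

Added example, not part of the KB article. The CLI output format is the one
the article shows; the sample text below is constructed. The clone helper
assumes a Policy API style rule dict and strips read-only fields before
re-creation; treat READ_ONLY_FIELDS as an assumption for your NSX version.
"""
import re
from typing import Iterable

# Constructed sample: 'get firewall <UUID> ruleset rules' output after rule
# 1009 was disabled and rules 1008 and 1010 were enabled post-upgrade.
SAMPLE_OUTPUT = """\
Firewall rule count: 2
Rule ID : 1007
Rule : inout protocol tcp from any to any port 22 accept
Rule ID : 1002
Rule : inout protocol any stateless from any to any accept
"""

RULE_ID_RE = re.compile(r"^\s*Rule ID\s*:\s*(\d+)\s*$", re.MULTILINE)
COUNT_RE = re.compile(r"^\s*Firewall rule count\s*:\s*(\d+)\s*$", re.MULTILINE)


def parse_realized_rule_ids(cli_output: str) -> set:
    """Return the set of rule IDs the Edge reports in its realized ruleset.

    The 'Firewall rule count' header is cross-checked against the number of
    'Rule ID' lines so a truncated capture raises instead of silently
    producing false 'not realized' findings.
    """
    ids = {int(m.group(1)) for m in RULE_ID_RE.finditer(cli_output)}
    count = COUNT_RE.search(cli_output)
    if count is not None and int(count.group(1)) != len(ids):
        raise ValueError(
            f"rule count header says {count.group(1)} but "
            f"{len(ids)} Rule ID lines were found; output may be truncated"
        )
    return ids


def find_unrealized(expected_enabled: Iterable[int], cli_output: str) -> list:
    """Rule IDs that are enabled in the manager but absent on the Edge node."""
    realized = parse_realized_rule_ids(cli_output)
    return sorted(set(expected_enabled) - realized)


# Assumed list of fields the Policy API returns but does not accept on
# create; verify against the API reference for your release.
READ_ONLY_FIELDS = {
    "_revision", "_create_time", "_last_modified_time", "_create_user",
    "_last_modified_user", "_system_owned", "_protection", "path",
    "relative_path", "parent_path", "rule_id", "marked_for_delete",
    "overridden", "unique_id",
}


def build_clone_payload(rule: dict, new_id: str) -> dict:
    """Build the body for re-creating a rule under a new ID with enabled state.

    The clone is a fresh object, so its enabled state is written with the
    current flag only; that is what the workaround relies on.
    """
    clone = {k: v for k, v in rule.items() if k not in READ_ONLY_FIELDS}
    clone["id"] = new_id
    clone["disabled"] = False
    return clone


if __name__ == "__main__":
    # Rules the manager shows as enabled after the post-upgrade change.
    missing = find_unrealized([1007, 1008, 1010], SAMPLE_OUTPUT)
    print("Enabled but not realized on Edge:", missing)  # [1008, 1010]
```

Run the check once after enabling rules and again after applying the workaround or upgrading to a fixed release; an empty list from find_unrealized confirms that every enabled rule is present on the Edge node.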