IDFW with Log Scraping - Rules Not Matched Intermittently Due to Time Sync Issue

Article ID: 412219

Products

VMware vDefend Firewall
VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

  • IDFW rules are not matched intermittently.
  • Affected users are missing from the Active User Sessions list in the NSX UI:
    • Security > Security Overview > Configuration > Active User Sessions

      Search for the username.

  • The following warnings are observed in /var/log/proton/nsxapi.log on NSX Manager:

2025-09-24T13:39:42.126Z  WARN EventLogWatcher-147 ElsLoginLogoutMapper 3366357 FIREWALL [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="manager"] Received ElsLoginLogoutEvent older than PT5M milli seconds, current time: 2025-09-24T13:39:42.126Z, event: LogonEvent{targetUserName='<username>', targetDomainName='<domain name>', logonType=3, ipAddress='10.160.##.###', ipPort=51573, logonID=0xd8e#####}
2025-09-24T13:45:32.208Z  WARN EventLogWatcher-147 ElsLoginLogoutMapper 3366357 FIREWALL [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="manager"] Received ElsLoginLogoutEvent older than PT5M milli seconds, current time: 2025-09-24T13:45:32.208Z, event: LogonEvent{targetUserName='<username>', targetDomainName='<domain name>', logonType=3, ipAddress='10.160.##.###', ipPort=59955, logonID=0xd90#####}
2025-09-24T13:45:32.223Z  WARN EventLogWatcher-147 ElsLoginLogoutMapper 3366357 FIREWALL [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="manager"] Received ElsLoginLogoutEvent older than PT5M milli seconds, current time: 2025-09-24T13:45:32.223Z, event: LogonEvent{targetUserName='<username>', targetDomainName='<domain name>', logonType=3, ipAddress='10.160.##.###', ipPort=63022, logonID=0xd90#####}
2025-09-24T14:10:35.414Z  WARN EventLogWatcher-147 ElsLoginLogoutMapper 3366357 FIREWALL [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="manager"] Received ElsLoginLogoutEvent older than PT5M milli seconds, current time: 2025-09-24T14:10:35.414Z, event: LogonEvent{targetUserName='<username>', targetDomainName='<domain name>', logonType=3, ipAddress='10.160.##.###', ipPort=56813, logonID=0xd94#####}

Environment

VMware NSX - All Versions
IDFW with Event Log Scraping configured

Cause

A time synchronization issue exists between the NSX Managers and the configured AD Event Log Servers. When the clocks drift apart, IDFW login/logout events are ignored as being older than the allowed time window (5 minutes).

Resolution

  • Check the time on all 3 NSX Managers in the cluster using the 'date' command as the root user.
  • Compare the time against all configured AD Event Log Servers.
    • To identify the configured AD Event Log servers:

      System > Identity Firewall AD > Expand AD Entry > Event Log Server hyperlink

  • Correct any discrepancies in system time:
    • Ensure all NSX Managers and AD Event Log Servers are synced with the same reliable NTP source.
    • Adjust system time as necessary and confirm NTP services are properly configured.
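
To see which users and client IPs had events discarded, and to confirm that no new warnings appear after the clocks are corrected, the warnings shown above can be summarised from a copy of nsxapi.log. The following is an added example, not VMware code: the function and helper names and the sample lines are constructed for illustration, and the pattern assumes the log format shown in this article.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pattern for the ElsLoginLogoutMapper warning format shown in this article.
WARN_RE = re.compile(
    r"^(?P<ts>\S+)\s+WARN\b.*?Received ElsLoginLogoutEvent older than \S+ "
    r".*?targetUserName='(?P<user>[^']*)', "
    r"targetDomainName='(?P<domain>[^']*)'.*?ipAddress='(?P<ip>[^']*)'"
)

def summarize_stale_events(lines):
    """Group discarded IDFW events by (domain, user); other lines are skipped."""
    summary = defaultdict(
        lambda: {"count": 0, "first": None, "last": None, "ips": set()})
    for line in lines:
        m = WARN_RE.search(line)
        if m is None:
            continue  # not an "older than" warning
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f%z")
        entry = summary[(m["domain"], m["user"])]
        entry["count"] += 1
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
        entry["ips"].add(m["ip"])
    return dict(summary)

# Constructed sample lines (users, domain and addresses are made up).
HDR = ('WARN EventLogWatcher-147 ElsLoginLogoutMapper 3366357 FIREWALL '
       '[nsx@6876 comp="nsx-manager" level="WARNING" subcomp="manager"] ')
def make_warn(ts, user, ip, port):
    return (f"{ts}  {HDR}Received ElsLoginLogoutEvent older than PT5M milli "
            f"seconds, current time: {ts}, event: LogonEvent{{targetUserName="
            f"'{user}', targetDomainName='corp.example', logonType=3, "
            f"ipAddress='{ip}', ipPort={port}, logonID=0x1}}")

SAMPLE = [
    make_warn("2025-09-24T13:39:42.126Z", "alice", "192.0.2.10", 51573),
    "2025-09-24T13:40:00.000Z  INFO http-nio-1 OtherComponent unrelated line",
    make_warn("2025-09-24T13:45:32.208Z", "alice", "192.0.2.11", 59955),
    make_warn("2025-09-24T14:10:35.414Z", "bob", "192.0.2.20", 56813),
]

if __name__ == "__main__":
    for (domain, user), e in sorted(summarize_stale_events(SAMPLE).items()):
        print(f"{user}@{domain}: {e['count']} discarded, last at "
              f"{e['last'].isoformat()}, IPs {sorted(e['ips'])}")
```

To use it on real data, pass an open file handle for a copy of /var/log/proton/nsxapi.log instead of SAMPLE; a "last" timestamp that stops advancing after the time fix indicates events are being accepted again.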