Conditions Under Which Duplicate Sequence Numbers May Appear in vDefend DFW/GFW Policies on NSX Manager

Article ID: 412243

Products

VMware vDefend Firewall

Issue/Introduction

Symptoms:

  • If no non-default policy with a deny rule is configured, no datapath impact should be observed.
  • Datapath impact may occur only in specific scenarios where a non-default policy with a deny rule exists and is moved to the top by the reordering that duplicate sequence numbers cause.

Environment

NSX-T

Cause

Duplicate sequence numbers can occur in policies when:

  • Policies are created using a mixed approach (UI and API).
  • A duplicate sequence number is unexpectedly assigned while creating a policy through the API.

Resolution

To prevent issues caused by duplicate sequence numbers, follow the recommendations below:

  1. Ensure that any existing duplicate sequence numbers are identified and resolved before making changes. Refer to KB 317518.
  2. Create policies using the NSX UI only.
  3. When updating policies via API, always fetch the latest policy configuration before applying changes as shown below:

GET https://<NSX-Manager>/policy/api/v1/infra/domains/default/security-policies

  4. If using the API and a specific policy order is required, assign unique sequence numbers within the available range between the policies above and below, using the API below.

PATCH https://<NSX-Manager>/policy/api/v1/infra/domains/default/security-policies/<Policy_name>

{
  // Payload as per the policy creation API documentation; update only the necessary fields and choose unique sequence numbers to avoid duplicates.
}

  5. Using the API below, create policies with the revise action and insert the new policy at a specific position by providing an anchor point.

To insert a new policy before a specific policy, e.g., policy-1:

PATCH https://<NSX-Manager>/policy/api/v1/infra/domains/default/security-policies/NewPolicy?action=revise&operation=insert_before&anchor_path=/infra/domains/default/security-policies/policy-1

{
  // Payload as per the policy creation API documentation
}

To insert a new policy after a specific policy, e.g., policy-1:

PATCH https://<NSX-Manager>/policy/api/v1/infra/domains/default/security-policies/NewPolicy?action=revise&operation=insert_after&anchor_path=/infra/domains/default/security-policies/policy-1

{
  // Payload as per the policy creation API documentation
}

Additional Information

  • The sequence number field in a policy is optional.
  • When multiple policies share the same sequence number, the system applies secondary sorting: the policy with the lower UUID is placed higher.
  • Policies created through the API/script without a specified sequence number are automatically assigned sequence number = 0.
  • Policies created through the NSX UI are assigned a non-zero sequence number, with the required spacing automatically maintained.
  • Issues typically arise when:
    • Policies are created using a mixed method (UI and API).
    • A duplicate sequence number is manually assigned through the API.
  • If all policies are created exclusively via the NSX UI and no duplicate sequence numbers exist, this issue will not occur.
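The Resolution steps (fetch the policy list, find duplicate sequence numbers, pick a unique number between the neighbouring policies, build the PATCH or revise request) and the secondary-sorting rule described under Additional Information, as an added Python example. This is not code from the KB article or from VMware. It assumes the GET response has the usual "results" list whose entries carry "id", "display_name" and optionally "sequence_number", treats a missing sequence_number as 0 (the value the API assigns), approximates "lower UUID is placed higher" with a string comparison of the ids, and runs against a constructed sample response instead of a live NSX Manager; all ids and policy names are made up.

```python
"""Duplicate sequence-number check for NSX security policies (added example).

Assumes the GET /policy/api/v1/infra/domains/default/security-policies
response is {"results": [{"id", "display_name", "sequence_number"?}, ...]}.
"""
from collections import defaultdict
import json

# Constructed sample response standing in for a live NSX Manager.
# Two API-created policies were posted without sequence_number, so both
# land on 0 and collide; the deny policy is the one the KB warns about.
SAMPLE_RESPONSE = json.loads("""
{
  "results": [
    {"id": "0f3a9c1e-2b4d-4c6e-8a10-000000000001",
     "display_name": "UI-Allow-Web", "sequence_number": 10},
    {"id": "0f3a9c1e-2b4d-4c6e-8a10-000000000002",
     "display_name": "UI-Allow-DB", "sequence_number": 20},
    {"id": "7c5d2e9a-1f3b-4a8c-9e21-000000000003",
     "display_name": "API-Deny-Legacy"},
    {"id": "3b8e4f2c-6d1a-4e7b-b5c9-000000000004",
     "display_name": "API-Allow-Monitoring"}
  ]
}
""")

BASE = "/infra/domains/default/security-policies"


def seq_of(policy):
    """sequence_number as the datapath sees it: an absent field means 0."""
    return policy.get("sequence_number", 0)


def effective_order(policies):
    """Display names in evaluation order: ascending sequence_number, ties
    broken by the lower id (UUID string compare, an assumption) going first."""
    ordered = sorted(policies, key=lambda p: (seq_of(p), p["id"]))
    return [p["display_name"] for p in ordered]


def find_duplicates(policies):
    """Map every sequence_number used more than once to the ids sharing it."""
    by_seq = defaultdict(list)
    for p in policies:
        by_seq[seq_of(p)].append(p["id"])
    return {s: ids for s, ids in by_seq.items() if len(ids) > 1}


def free_sequence_between(policies, upper_id, lower_id):
    """Unique sequence_number strictly between two policies, upper_id being
    the one that must stay above. Prefers the midpoint so later inserts keep
    room; returns None when the two numbers leave no gap."""
    seqs = {p["id"]: seq_of(p) for p in policies}
    used = set(seqs.values())
    lo, hi = seqs[upper_id], seqs[lower_id]
    if hi - lo < 2:
        return None
    mid = (lo + hi) // 2
    if mid not in used:
        return mid
    return next((c for c in range(lo + 1, hi) if c not in used), None)


def patch_sequence_number(policy_id, sequence_number):
    """Request path and minimal PATCH body: only the field being changed,
    as the KB advises (update only the necessary fields)."""
    return (f"/policy/api/v1{BASE}/{policy_id}",
            {"sequence_number": sequence_number})


def revise_insert_path(new_id, anchor_id, before=True):
    """Request path for the revise action that places new_id relative to
    anchor_id, matching the insert_before / insert_after URLs in the KB."""
    op = "insert_before" if before else "insert_after"
    return (f"/policy/api/v1{BASE}/{new_id}?action=revise"
            f"&operation={op}&anchor_path={BASE}/{anchor_id}")


if __name__ == "__main__":
    policies = SAMPLE_RESPONSE["results"]
    print("effective order:", effective_order(policies))
    print("duplicate sequence numbers:", find_duplicates(policies))
    web, db = policies[0]["id"], policies[1]["id"]
    print("free number between UI-Allow-Web and UI-Allow-DB:",
          free_sequence_between(policies, web, db))
    print(patch_sequence_number(policies[2]["id"], 15))
    print(revise_insert_path("NewPolicy", "policy-1"))
```

Run against the sample, effective_order shows the two API-created policies sorted above both UI policies purely by id, which is how a deny policy ends up at the top without anyone intending it; find_duplicates is the check to run on the fresh GET output before any PATCH, and free_sequence_between gives a number that keeps the intended order without reusing one already taken.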