Change to Group in NSX Impacted Communication and Needs to Be Reversed
Article ID: 415047
Updated On:
Products
VMware vDefend Firewall
VMware vDefend Firewall with Advanced Threat Prevention
Issue/Introduction
- Communication is disrupted after a modification to a group.
- The group in question is referenced by Distributed Firewall (DFW) or Gateway Firewall (GFW) rules.
- Administrator does not recall the original group membership or configuration prior to the change.
Environment
VMware NSX - All Versions
Resolution
- The previous group configuration can be recovered from the NSX Manager audit logs located under /var/log/nsx-audit.log
- You can find the previous config in the audit log in one of three ways:
- Gather a support bundle, extract it, then navigate to /var/log/
- Command: grep "UpdateGroupForDomain" nsx-audit* | grep "<insert group name here>"
- Command: grep "UpdateGroupForDomain" nsx-audit* | grep "<insert group name here>"
- SSH into the NSX Manager and then navigate to /var/log/nsx-audit.log
- Command: grep "UpdateGroupForDomain" nsx-audit* | grep "<insert group name here>"
- Command: grep "UpdateGroupForDomain" nsx-audit* | grep "<insert group name here>"
- If you export logs to Aria Operations for Logs, use the following search criteria
- text contains "UpdateGroupForDomain"
- text contains <Insert group name here>
- Gather a support bundle, extract it, then navigate to /var/log/
- The above will return the audit log entry for the configuration change.
- This entry includes both the old value (prior configuration) and new value (after the change).
- Use the old value as your reference to revert the group config in the UI.
Example:
The below audit log example shows a change where two subgroups were removed from the group called "Test_Group".
2025-10-20T15:19:45.613Z nsx-421-01 NSX 3710822 - [nsx@6876 audit="true" comp="nsx-manager" entId="Test_Group" level="INFO" reqId="bc78d378-e740-4386-8964-9ff51b1a8773" subcomp="manager" update="true" username="admin"] UserName="admin", Src="10.230.0.233", ModuleName="Policy", Operation="UpdateGroupForDomain", Operation status="success",
Old value = [{
"expression": [{
"paths": [
"/infra/domains/default/groups/Sub_Group_2", <---- Removed
"/infra/domains/default/groups/Sub_Group_3",
"/infra/domains/default/groups/Sub_Group_1" <---- Removed
],
"resource_type": "PathExpression",
"id": "3cf62f88-b9af-4787-8dcb-2334e235b273",
"path": "/infra/domains/default/groups/Test_Group/path-expressions/3cf62f88-b9af-4787-8dcb-2334e235b273",
"relative_path": "3cf62f88-b9af-4787-8dcb-2334e235b273",
"parent_path": "/infra/domains/default/groups/Test_Group",
"marked_for_delete": false,
"overridden": false,
"_protection": "NOT_PROTECTED"
}
],
"reference": false,
"has_change_restrictions": false,
"resource_type": "Group",
"id": "Test_Group",
"display_name": "Test_Group",
"path": "/infra/domains/default/groups/Test_Group",
"relative_path": "Test_Group",
"parent_path": "/infra/domains/default",
"unique_id": "6f19d8d3-a503-4951-a1bc-5b4a5fd5aa3f",
"realization_id": "6f19d8d3-a503-4951-a1bc-5b4a5fd5aa3f",
"owner_id": "d15a5794-d195-41b7-b7b9-1fa8124c1023",
"marked_for_delete": false,
"overridden": false,
"_system_owned": false,
"_protection": "NOT_PROTECTED",
"_create_time": 1760973512583,
"_create_user": "admin",
"_last_modified_time": 1760973558702,
"_last_modified_user": "admin",
"_revision": 1
}
],
New value = [
"default" "Test_Group" {
"expression": [{
"paths": ["/infra/domains/default/groups/Sub_Group_3"], <---- Remaining group
"resource_type": "PathExpression",
"marked_for_delete": false,
"overridden": false
}
],
"reference": false,
"resource_type": "Group",
"display_name": "Test_Group",
"path": "/infra/domains/default/groups/Test_Group",
"marked_for_delete": false,
"overridden": false,
"_revision": 1
}
]
Feedback
Yes
No
Powered by
