Conflict Between NSX Network Introspection Driver vnetwfp and Silverfort Adapter on Domain Controllers

Article ID: 433558

Products

VMware NSX

Issue/Introduction

Network connectivity failures, intermittent RDP disconnects, and LDAP timeouts occur on Windows-based Domain Controllers when both the Silverfort Adapter and VMware Tools are active. The issue is characterized by the presence of the vnetwfp.sys driver (NSX Network Introspection), which conflicts with third-party WFP-based security solutions. Symptoms include packet drops and network stack instability.

Environment

VMware NSX, vSphere, VMware Tools, Windows Server (Domain Controllers).

Cause

A driver conflict exists between the NSX Network Introspection Driver (vnetwfp.sys) and the Silverfort Adapter. Both products utilize the Windows Filtering Platform (WFP) to inspect network traffic; simultaneous operation of these filter drivers can lead to packet injection failures and connectivity loss.

Resolution

If the target Domain Controller does not actively use NSX Identity Firewall (IDFW), NSX IDS/IPS, NSX Intelligence, or vDefend Advanced Threat Prevention (ATP), remove the vnetwfp.sys component from the guest operating system.

Execute the following procedure during a scheduled maintenance window:
  1. Log in to the vSphere Client and mount the VMware Tools installer on the affected Domain Controller VM (Guest OS > Install VMware Tools > Interactive Install).

  2. Execute the setup package as Administrator within the Windows Server Guest OS.

  3. Select the Modify installation option.

  4. Expand the VMCI Driver section.

  5. De-select the NSX Network Introspection Driver to mark it for removal.

  6. Complete the installation wizard and reboot the Domain Controller VM to finalize the uninstallation.

If an immediate reboot is not feasible, manually halt and disable the driver via the command line to restore network traffic inspection to the Silverfort adapter:
  1. Open an elevated command prompt and run sc stop vnetwfp to immediately halt the driver.
  2. Run sc query vnetwfp to confirm the service state is STOPPED.
  3. To prevent the driver from loading on the next boot prior to the VMware Tools modification, update the Windows Registry to disable the service:
     • Key: HKLM\SYSTEM\CurrentControlSet\Services\vnetwfp
     • Value name: Start
     • Type: REG_DWORD
     • Data: 4
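
The three manual steps above can be scripted with verification at each stage. The following is an added example, not part of the original article or of VMware or Silverfort tooling; it assumes an elevated PowerShell session on the affected Domain Controller, and the 30-second wait and the use of the Win32_SystemDriver class for state checks are choices made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: stop and disable the vnetwfp driver, verifying each step.
$ErrorActionPreference = 'Stop'
$name   = 'vnetwfp'
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"

# Confirm the driver is registered before changing anything.
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'"
if (-not $drv) {
    Write-Output "$name is not installed on this host; nothing to do."
    return
}
Write-Output "Before: State=$($drv.State) StartMode=$($drv.StartMode)"

# Record the current Start value so the change can be reverted later.
$oldStart = (Get-ItemProperty -Path $svcKey -Name Start).Start
Write-Output "Previous Start value: $oldStart"

# Step 1: halt the driver (same command as the manual procedure).
if ($drv.State -eq 'Running') {
    sc.exe stop $name | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "sc stop $name failed with exit code $LASTEXITCODE"
    }
}

# Step 2: confirm the state is Stopped (assumed timeout: 30 seconds).
$deadline = (Get-Date).AddSeconds(30)
do {
    Start-Sleep -Seconds 1
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'"
} until ($drv.State -eq 'Stopped' -or (Get-Date) -gt $deadline)
if ($drv.State -ne 'Stopped') {
    throw "$name is still in state '$($drv.State)'; do not proceed."
}

# Step 3: set Start = 4 (disabled) so the driver does not load on next boot.
Set-ItemProperty -Path $svcKey -Name Start -Value 4 -Type DWord

# Read the value back to verify the write took effect.
$newStart = (Get-ItemProperty -Path $svcKey -Name Start).Start
if ($newStart -ne 4) {
    throw "Start is $newStart, expected 4."
}
Write-Output "After: State=$($drv.State) Start=$newStart (disabled)"
```

The recorded previous Start value is what to restore if the driver must be re-enabled before VMware Tools is modified.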

If the environment requires NSX Identity Firewall (IDFW), NSX IDS/IPS, NSX Intelligence, or vDefend Advanced Threat Prevention (ATP), contact Silverfort Support to verify compatibility or request a driver altitude adjustment to ensure the Silverfort adapter and vnetwfp.sys can coexist without intercepting the same traffic fragments.

Additional Information

How to cleanly remove the Network Introspection Driver (vnetwfp)
Post-installation of VMware Tools, the NSX Network Introspection driver (vnetwfp) causes network issues