Stateless Gateway firewall rules behave as Stateful when NAT is in use
Article ID: 438757
Updated On:
Products
VMware NSX
VMware vDefend Firewall
Issue/Introduction
- The administrator has configured a Stateless Rule on the Gateway Firewall.
- The expected behavior of a Stateless Rule is to evaluate each individual packet rather than tracking a connection/state.
- See /var/run/log/firewallpkt.log on the active edge node
- Note for a Stateless Rule the packets will only be logged to the active edge node once logging is enabled.
- See /var/run/log/firewallpkt.log on the active edge node
- The expected behavior of a Stateless Rule is to evaluate each individual packet rather than tracking a connection/state.
2026-04-30T10:06:14.785Z Edge01 NSX 3937 FIREWALL [nsx@6876 comp="nsx-edge" subcomp="datapathd" s2comp="firewallpkt" level="INFO"] <5 4df247b3dd0b451b:##############> INET reason-match PASS 5096 IN 52 TCP 192.168.2.2/58260->192.168.1.5/50001 S
2026-04-30T10:06:14.786Z Edge01 NSX 3937 FIREWALL [nsx@6876 comp="nsx-edge" subcomp="datapathd" s2comp="firewallpkt" level="INFO"] <5 4df247b3dd0b451b:###############> INET reason-match PASS 5096 OUT 52 TCP 192.168.1.5/50001->192.168.2.2/58260 SA
2026-04-30T10:06:14.821Z Edge01 NSX 3937 FIREWALL [nsx@6876 comp="nsx-edge" subcomp="datapathd" s2comp="firewallpkt" level="INFO"] <5 4df247b3dd0b451b:##################> INET reason-match PASS 5096 IN 52 TCP 192.168.2.2/58262->192.168.1.5/50001 S
2026-04-30T10:06:14.822Z Edge01 NSX 3937 FIREWALL [nsx@6876 comp="nsx-edge" subcomp="datapathd" s2comp="firewallpkt" level="INFO"] <5 4df247b3dd0b451b:################> INET reason-match PASS 5096 OUT 52 TCP 192.168.1.5/50001->192.168.2.2/58262 SA
2026-04-30T10:07:53.638Z Edge01 NSX 3937 FIREWALL [nsx@6876 comp="nsx-edge" subcomp="datapathd" s2comp="firewallpkt" level="INFO"] <5 4df247b3dd0b451b:#################> INET reason-match PASS 5096 IN 52 TCP 192.168.2.2/58264->192.168.1.5/50001 S
2026-04-30T10:07:53.639Z Edge01 NSX 3937 FIREWALL [nsx@6876 comp="nsx-edge" subcomp="datapathd" s2comp="firewallpkt" level="INFO"] <5 4df247b3dd0b451b:#################> INET reason-match PASS 5096 OUT 52 TCP 192.168.1.5/50001->192.168.2.2/58264 SA
2026-04-30T10:07:53.661Z Edge01 NSX 3937 FIREWALL [nsx@6876 comp="nsx-edge" subcomp="datapathd" s2comp="firewallpkt" level="INFO"] <5 4df247b3dd0b451b:###################> INET reason-match PASS 5096 IN 52 TCP 192.168.2.2/58266->192.168.1.5/50001 S
2026-04-30T10:07:53.668Z Edge01 NSX 3937 FIREWALL [nsx@6876 comp="nsx-edge" subcomp="datapathd" s2comp="firewallpkt" level="INFO"] <5 4df247b3dd0b451b:###################> INET reason-match PASS 5096 OUT 52 TCP 192.168.1.5/50001->192.168.2.2/58266 SA
- Since there is not connection being tracked by the Firewall the user will not see a flow in the connection table.
Edge01> get firewall 4df247b3-dd0b######################### connection
Wed Apr 30 2026 UTC 10:07:54.986
Connection count: 0- When the administrator configures a NAT rule the stateless rule will behave as a Stateful rule as NAT is Stateful by nature.
- For Stateful Rules only the TCP SYN packet will be logged.
- The administrator will observe packets being logged on both active and standby edge nodes in /var/log/firewall.log.
##edge 2(standby)
2026-04-30T10:08:19.975Z Edge02 NSX 17629 FIREWALL [nsx@6876 comp="nsx-edge" subcomp="datapathd" s2comp="firewallpkt" level="INFO"] <5- 4df247b3dd0b451b###################> INET reason-match PASS 5096 IN 48 TCP 192.168.2.2/52556->192.168.1.5/50001 S
2026-04-30T10:08:19.977Z Edge02 NSX 17629 FIREWALL [nsx@6876 comp="nsx-edge" subcomp="datapathd" s2comp="firewallpkt" level="INFO"] <5- 4df247b3dd0b451b####################> INET reason-match PASS 5096 IN 48 TCP 192.168.2.2/52554->192.168.1.5/50001 S
2026-04-30T10:08:31.024Z Edge02 NSX 17629 FIREWALL [nsx@6876 comp="nsx-edge" subcomp="datapathd" s2comp="firewallpkt" tname="dp-fw-purge9" level="INFO"] <5- 4df247b3dd0b451b##################> INET TERM RDR 536870913 IN TCP 192.168.2.2/52554->192.168.1.5/50001-OR 192.168.4.1/50001
2026-04-30T10:08:32.024Z Edge02 NSX 17629 FIREWALL [nsx@6876 comp="nsx-edge" subcomp="datapathd" s2comp="firewallpkt" tname="dp-fw-purge9" level="INFO"] <5- 4df247b3dd0b451b##################> INET TERM RDR 536870913 IN TCP 192.168.2.2/52556->192.168.1.5/50001-OR 192.168.4.1/50001
##edge 1 (active)
2026-04-30T10:08:10.431Z Edge01 NSX 3937 FIREWALL [nsx@6876 comp="nsx-edge" subcomp="datapathd" s2comp="firewallpkt" level="INFO"] <5 4df247b3dd0b451b######################> INET reason-match PASS 5096 IN 52 TCP 192.168.2.2/52554->192.168.1.5/50001 S
2026-04-30T10:08:10.461Z Edge01 NSX 3937 FIREWALL [nsx@6876 comp="nsx-edge" subcomp="datapathd" s2comp="firewallpkt" level="INFO"] <5 4df247b3dd0b451b#######################> INET reason-match PASS 5096 IN 52 TCP 192.168.2.2/52556->192.168.1.5/50001 S- When the administrator checks the firewall connection table on either active or standby edge they will observe a connection for the NAT/Stateless Rule.
- Note that the Stateless Rule "5096" and NAT rule "536870913" is highlighted in the below output.
- When the administrator checks the firewall connection table on either active or standby edge they will observe a connection for the NAT/Stateless Rule.
Edge01> get firewall 4df247b3-dd0b-451b################## connection
Thu Apr 30 2026 UTC 10:08:35.938
Connection count: 2
0x000000008200001d: 192.168.2.2:52556 -> 192.168.1.5:50001 (192.168.4.1:50001) dir in protocol tcp state ESTABLISHED:ESTABLISHED fn 5096:536870913
0x000000008200001e: 192.168.2.2:52554 -> 192.168.1.5:50001 (192.168.4.1:50001) dir in protocol tcp state ESTABLISHED:ESTABLISHED fn 5096:536870913Note: The preceding log excerpts are only examples which are taken from the lab for the purpose of explanation. Date, time, and environmental variables may vary depending on your environment.
Environment
VMware NSX
vDefend Firewall
Resolution
There is no resolution as this is expected behavior by the gateway firewall.
Feedback
Yes
No
Powered by
