Traceflow drop reason FW_RULE
Article ID: 441571

Products

VMware NSX, VMware Cloud Foundation

Issue/Introduction

This traceflow drop reason indicates that the packet was dropped by the VCF firewall. The firewall here can be the Distributed Firewall, the Gateway Firewall, or the Bridge Firewall.

Users notice a traffic connectivity issue in north-south or east-west traffic (e.g., the traffic between VM1 and VM2 in topology1 or topology2).

Running a traceflow between the source and destination that have the connectivity issue shows an observation with drop reason FW_RULE.

The possible traceflow UI outputs can be

The possible traceflow observations API outputs (invoke the API GET https://<manager-ip>/policy/api/v1/infra/traceflows/<traceflow-id>/observations) can be:

Packet is dropped by DFW rule

{
    "acl_rule_path" : "/infra/domains/default/security-policies/default-layer3-section/rules/default-layer3-rule",
    "subnet_port_path" : "/orgs/default/projects/default/vpcs/vpc2/subnets/privSub/ports/default:<PORT_UUID>",
    "resource_type" : "TraceflowObservationDroppedLogical",
    "sequence_no" : 0,
    "transport_node_id" : "<TRANSPORT_NODE_UUID>",
    "transport_node_name" : "<TRANSPORT_NODE_NAME>",
    "transport_node_type" : "<TRANSPORT_NODE_TYPE>",
    "timestamp" : 1766735684605,
    "timestamp_micro" : 1766735684605389,
    "component_type" : "DFW",
    "component_sub_type" : "UNKNOWN",
    "component_name" : "Distributed Firewall",
    "reason" : "FW_RULE",
    "lport_id" : "<PORT_UUID>",
    "lport_name" : "<VM_NAME>.vmx@<PORT_UUID>",
    "acl_rule_id" : 2
}

Packet is dropped by gateway rule

{
    "acl_rule_path" : "/infra/domains/default/gateway-policies/New_Policy-MawMSg0ZJp/rules/New_Rule",
    "interface_path" : "/infra/tier-1s/T1_0",
    "resource_type" : "TraceflowObservationDroppedLogical",
    "sequence_no" : 1,
    "transport_node_id" : "<TRANSPORT_NODE_UUID>",
    "transport_node_name" : "<TRANSPORT_NODE_NAME>",
    "transport_node_type" : "EDGE",
    "timestamp" : 1766738759361,
    "timestamp_micro" : 1766738759361679,
    "component_type" : "EDGE_FW",
    "component_sub_type" : "UNKNOWN",
    "component_name" : "Edge Firewall",
    "reason" : "FW_RULE",
    "lport_id" : "<PORT_UUID>",
    "lport_name" : "<PORT_NAME>",
    "acl_rule_id" : <RULE_ID>
}
 

Environment

VMware Cloud Foundation
VMware NSX

Cause

Packet is dropped by a Distributed Firewall rule.

Packet is dropped by the gateway firewall rule.

Packet is dropped by the bridge firewall rule.

Resolution

Users need to check whether the configured DFW rule, Gateway Firewall rule, or Bridge Firewall rule that drops the packet is intended.

By clicking the component of the traceflow drop observation, users can see the details of this drop observation, as shown below.

From these details, users can identify which specific DFW rule, Gateway Firewall rule, or Bridge Firewall rule dropped the packet. Users can also navigate to the rule's configuration page by clicking the value of the DFW rule, Gateway Firewall rule, or Bridge Firewall rule field.

For users of the traceflow API:
From the traceflow drop observation with the reason "FW_RULE", users can read the ID of the rule that was hit (acl_rule_id) and its path (acl_rule_path). Users can then navigate manually to the corresponding firewall rule configuration page to confirm that the rule configuration is correct, or invoke the corresponding DFW, Gateway Firewall, or Bridge Firewall API to retrieve that specific rule's configuration.
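The following script is an added example for this article and is not NSX product code. It implements the API-side procedure above: it parses the JSON returned by the observations API (GET https://<manager-ip>/policy/api/v1/infra/traceflows/<traceflow-id>/observations), keeps only the TraceflowObservationDroppedLogical records whose reason is FW_RULE, and derives for each one the Policy API URL of the matched rule so an operator can fetch and review its configuration. Assumptions: the observations payload is a list wrapper with a "results" array (a bare list is also accepted), and a Policy API object path such as "/infra/domains/default/..." is addressable under /policy/api/v1 on the manager. The sample payload is constructed from the two observation records shown in the article, combined into one payload for illustration, with placeholders and a constructed rule ID where the article shows none; the manager hostname is a placeholder.

```python
"""Triage helper for NSX traceflow observations whose drop reason is FW_RULE.

Added example for this article, not NSX product code. It parses the JSON from
GET https://<manager-ip>/policy/api/v1/infra/traceflows/<traceflow-id>/observations,
keeps the firewall drop observations, and derives the Policy API URL of the
rule that matched so the operator can review that rule's configuration.
"""
import json
from typing import Any

DROPPED_LOGICAL = "TraceflowObservationDroppedLogical"
FW_RULE = "FW_RULE"

# Constructed sample, modelled on the observation records in the article.
# <...> placeholders stand in for environment-specific identifiers; the gateway
# rule ID 1012 is constructed (the article shows <RULE_ID>).
SAMPLE_OBSERVATIONS = json.dumps({
    "result_count": 3,
    "results": [
        {
            "resource_type": "TraceflowObservationForwarded",
            "sequence_no": 0,
            "transport_node_id": "<TRANSPORT_NODE_UUID>",
        },
        {
            "acl_rule_path": "/infra/domains/default/security-policies/"
                             "default-layer3-section/rules/default-layer3-rule",
            "resource_type": DROPPED_LOGICAL,
            "sequence_no": 1,
            "transport_node_id": "<TRANSPORT_NODE_UUID>",
            "component_type": "DFW",
            "component_name": "Distributed Firewall",
            "reason": FW_RULE,
            "lport_name": "<VM_NAME>.vmx@<PORT_UUID>",
            "acl_rule_id": 2,
        },
        {
            "acl_rule_path": "/infra/domains/default/gateway-policies/"
                             "New_Policy-MawMSg0ZJp/rules/New_Rule",
            "interface_path": "/infra/tier-1s/T1_0",
            "resource_type": DROPPED_LOGICAL,
            "sequence_no": 2,
            "component_type": "EDGE_FW",
            "component_name": "Edge Firewall",
            "reason": FW_RULE,
            "acl_rule_id": 1012,
        },
    ],
})


def _records(observations_json: str) -> list[dict[str, Any]]:
    """Accept either the list wrapper ({"results": [...]}) or a bare list."""
    data = json.loads(observations_json)
    if isinstance(data, dict):
        data = data.get("results", [])
    if not isinstance(data, list):
        raise ValueError("observations payload is neither a list nor a results wrapper")
    return data


def firewall_drops(observations_json: str) -> list[dict[str, Any]]:
    """Return the observations where a firewall rule dropped the packet, in path order."""
    drops = [
        obs for obs in _records(observations_json)
        if obs.get("resource_type") == DROPPED_LOGICAL and obs.get("reason") == FW_RULE
    ]
    return sorted(drops, key=lambda obs: obs.get("sequence_no", 0))


def firewall_kind(acl_rule_path: str) -> str:
    """Classify the rule path by the policy tree it lives under."""
    if "/security-policies/" in acl_rule_path:
        return "Distributed Firewall"
    if "/gateway-policies/" in acl_rule_path:
        return "Gateway Firewall"
    return "Unknown"


def rule_api_url(manager: str, acl_rule_path: str) -> str:
    """Build the Policy API URL that returns the matched rule's configuration.

    Assumption: a Policy API object path is served under /policy/api/v1.
    """
    if not acl_rule_path.startswith("/infra/"):
        raise ValueError(f"unexpected rule path: {acl_rule_path!r}")
    return f"https://{manager}/policy/api/v1{acl_rule_path}"


def summarize(observations_json: str, manager: str) -> list[dict[str, Any]]:
    """One review item per firewall drop: which firewall, which rule, where to fetch it."""
    items = []
    for obs in firewall_drops(observations_json):
        path = obs["acl_rule_path"]
        items.append({
            "sequence_no": obs.get("sequence_no"),
            "firewall": obs.get("component_name") or firewall_kind(path),
            "acl_rule_id": obs.get("acl_rule_id"),
            "acl_rule_path": path,
            "api_url": rule_api_url(manager, path),
            # Heuristic: a drop on the default layer-3 rule means no earlier rule
            # matched this flow, so the likely fix is a missing allow rule rather
            # than a wrong one.
            "default_rule_hit": path.endswith("/default-layer3-rule"),
        })
    return items


if __name__ == "__main__":
    for item in summarize(SAMPLE_OBSERVATIONS, "nsx-manager.example"):
        print(json.dumps(item, indent=2))
```

The "default_rule_hit" flag is the check worth looking at first: when the dropping rule is the default layer-3 rule, the question is not whether that rule is wrong but which earlier rule should have allowed the flow. The Bridge Firewall is handled only through the component_name the observation carries, since the article does not show its rule path layout.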