VMware Networking Community
ZhouLiu
Contributor

If a firewall rule is applied to a security group which is composed of an IP set, this rule will not be implemented.

I have experienced that when a DFW rule is applied to a security group, it has strange behaviour.

I have a VM, 172.18.132.2. First I build up a security group, SG-test, which consists only of 172.18.132.2.

source          destination   service   action   applied to
172.18.132.2    any           any       allow    SG-test
172.18.132.2    any           any       reject   dfw

It works fine. The VM can communicate with others.

Then I modify the security group. First I build an IP set, IPSet-test, which consists only of 172.18.132.2. Then I build a security group, SG-test, which consists only of IPSet-test. The firewall rules are the same. But now the VM cannot communicate with others anymore.

After more investigation I can conclude that a security group which contains an IP set works fine as source and destination, but not as "applied to". Unfortunately it is exactly "applied to" where we have no possibility to choose an IP set.

15 Replies
ZhouLiu
Contributor

source          dest   service   action   applied to
172.18.132.2    any    any       allow    SG-test
172.18.132.2    any    any       reject   dfw

I have made a smaller table, so that all columns can be shown.

HassanAlKak88
Expert

Try to change the source to SG-test as well, instead of the VM's IP.

And also keep the applied to as it is, "SG-test".

Please consider marking this answer "CORRECT" or "Helpful" if you think your question has been answered correctly.

Cheers,

VCIX6-NV|VCP-NV|VCP-DC|

@KakHassan

linkedin.com/in/hassanalkak


If my reply was helpful, I kindly ask you to like it and mark it as a solution

Regards,
Hassan Alkak
ZhouLiu
Contributor

Hi Hassan,

Thank you for your quick response.

I have tried to set the source to SG-test instead of the IP; it doesn't work, as long as "applied to" uses a security group which contains IP sets.

Another try I did is to compose SG-test with the logical switch where 172.18.132.2 is sitting. The firewall rule works fine, no matter whether I set both source and applied-to to SG-test or not. From all the combinations I have tried I can conclude that: if "applied to" is a security group which contains IP sets, the firewall rule will not be implemented.

But I would very much like to use a security group containing IP sets in the column "applied to".

Best regards

Liu

jamib
Contributor

This is by design. Please reference the supported objects used by the applied-to field:

Source or Destination

  • cluster
  • datacenter
  • distributed port group
  • IP set
  • legacy port group
  • logical switch
  • resource pool
  • security group
  • vApp
  • virtual machine
  • vNIC
  • IP address (IPv4 or IPv6)
  • All clusters on which Distributed Firewall has been installed (in other words, all clusters that have been prepared for network virtualization)
  • All Edge gateways installed on prepared clusters

Applied To

  • cluster
  • datacenter
  • distributed port group
  • Edge
  • legacy port group
  • logical switch
  • security group
  • virtual machine
  • vNIC
ZhouLiu
Contributor

Hi Jamib,

We agree with each other that one of the supported objects for the column "applied to" is security group.

A security group can be constructed from IP sets, logical switches, VMs, etc.

When the security group used by "applied to" contains an IP set, the firewall rule will not be implemented.

I know that IP sets cannot be used directly in "applied to". That doesn't mean that a security group in the column "applied to" should not have an IP set.

Best regards

Liu 

bayupw
Leadership

I cannot find any public documentation on this,

but my understanding is that the "Applied To" field, if you are going to apply it to a Security Group, needs to be against vCenter objects, as it performs the calculation based on vCenter's inventory,

not IP addresses, which is what an IP Set is.

DFW rules with "Applied To" set to a "Security Group" are not published to hosts (2148509)

The NSX Manager must determine which vSphere clusters the DFW rules are applied to.

It performs this calculation based on the inventory updates from vCenter and the entity specified in the "Applied To" field.

The "Applied To" in the "Firewall Scope" documentation only allows objects such as cluster, datacenter, VM, vNIC, etc., but not IP Set.

Define the Firewall Scope

If the rule contains virtual machines/vNICS in the source and destination fields,

you must add both the source and destination virtual machines/vNICS to Applied To for the rule to work correctly.

To apply a rule to: All prepared clusters in your environment
Do this: Select Apply this rule on all clusters on which Distributed Firewall is installed. After you click OK, the Applied To column for this rule displays Distributed Firewall.

To apply a rule to: All NSX Edge gateways in your environment
Do this: Select Apply this rule on all the Edge gateways. After you click OK or SAVE, the Applied To column for this rule displays All Edges.
If both the above options are selected, the Applied To column displays Any.

To apply a rule to: One or more cluster, datacenter, distributed virtual port group, NSX Edge, network, virtual machine, vNIC, or logical switch
Do this: In the Available list, select one or more objects and click add.

If you want to be sure, you can open a case with VMware Support to clarify this.

I will update here in case I find any KB related to this.

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
ZhouLiu
Contributor

Hi Bayu,

Thank you for your input.

I think it is a bug, because security group is one of the choices for the "applied to" column, so the firewall rule should work, no matter how the security group is composed. I will open a case. I wonder if I am the only one in this world who would like to use security groups or IP sets in the "applied to" column.

Best regards

Liu

DaleCoghlan
VMware Employee

The objects which are used in the Applied To field of a DFW rule are used to resolve a set of vNICs to which the rule is to be applied.

If the security group you use only contains IP Sets, there are no vNICs that resolve to IP Sets, and hence the rule will not get applied to any vNICs. This is the correct behaviour and NOT a bug.

To "visualise" this behaviour, you can query the translation API for an individual security group to list the resulting vNICs:

GET /api/2.0/services/securitygroup/{objectId}/translation/vnics

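The translation API quoted above is the practical check for this thread's problem: if the security group named in "Applied To" translates to zero vNICs, the rule exists in the UI but is programmed on no host. The script below is an added example, not code from the thread or from VMware. It calls that endpoint on an NSX Manager and flags rules whose Applied To group translates to nothing. The XML element names (`vnicInSecurityGroup`, `vnicId`) and the two sample responses are assumptions constructed for the example; confirm the element names against a real response from your NSX version before relying on the parser.

```python
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# ASSUMPTION: element names in the translation response. Verify against your NSX version.
VNIC_WRAPPER = "vnicInSecurityGroup"
VNIC_ID_CHILD = "vnicId"


def parse_translated_vnics(xml_text):
    """Return the vNIC ids found in a translation/vnics response body.

    The DFW rule is programmed only on these vNICs; a security group whose
    members are all IP sets translates to an empty list.
    """
    root = ET.fromstring(xml_text)
    ids = []
    for wrapper in root.iter(VNIC_WRAPPER):
        vnic_id = wrapper.findtext(VNIC_ID_CHILD)
        if vnic_id:
            ids.append(vnic_id.strip())
    return ids


def fetch_translated_vnics(manager, object_id, user, password, verify_tls=True):
    """GET /api/2.0/services/securitygroup/{objectId}/translation/vnics (needs network access)."""
    url = "https://%s/api/2.0/services/securitygroup/%s/translation/vnics" % (manager, object_id)
    req = urllib.request.Request(url, headers={"Accept": "application/xml"})
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab managers often run with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_translated_vnics(resp.read().decode())


def audit_applied_to(rules, translations):
    """rules: rule name -> security group objectId used in its Applied To field.
    translations: objectId -> vNIC id list (as returned by fetch_translated_vnics).
    Returns rule name -> "published" or "not_published" (Applied To resolved to no vNIC)."""
    return {
        name: ("published" if translations.get(sg_id) else "not_published")
        for name, sg_id in rules.items()
    }


# Constructed sample responses in the assumed shape (not captured from a real manager).
SAMPLE_SG_IPSET_ONLY = "<vnicsInSecurityGroup></vnicsInSecurityGroup>"
SAMPLE_SG_LOGICAL_SWITCH = """<vnicsInSecurityGroup>
  <vnicInSecurityGroup><vnicId>50000000-0000-0000-0000-000000000001.000</vnicId></vnicInSecurityGroup>
  <vnicInSecurityGroup><vnicId>50000000-0000-0000-0000-000000000002.000</vnicId></vnicInSecurityGroup>
</vnicsInSecurityGroup>"""

if __name__ == "__main__":
    # Offline run over the constructed samples; replace with fetch_translated_vnics() calls
    # (hypothetical objectIds securitygroup-10/-11) to audit a real manager.
    translations = {
        "securitygroup-10": parse_translated_vnics(SAMPLE_SG_IPSET_ONLY),      # SG built from IPSet-test
        "securitygroup-11": parse_translated_vnics(SAMPLE_SG_LOGICAL_SWITCH),  # SG built from a logical switch
    }
    rules = {"allow-out": "securitygroup-10", "allow-out-ls": "securitygroup-11"}
    for rule, verdict in audit_applied_to(rules, translations).items():
        print(rule, verdict)
```

Running the audit periodically (or after every Service Composer or security group change) turns the silent failure described in this thread into a visible "not_published" finding rather than a customer complaint days later.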
ZhouLiu
Contributor

Hi DaleCoghlan,

Thank you for your explanation. I understand what you mean.

What happened to me was that I applied a firewall rule to a security group containing IP sets. My customer complained to me that it didn't work. It took me some days to find out. I hope that the VMware team can get it fixed, or at least give an online warning, so other people will not repeat the mistake.

Best regards

Liu

ZhouLiu
Contributor

Hi DaleCoghlan,

I have tried to put a security group containing IP sets in source/destination in the firewall rules, and it works.

But as you mentioned, a security group containing IP sets cannot be resolved to vNICs, so the above firewall rules should not work.

BR

Liu

IvarHome
Hot Shot

When the distributed firewall is only for east-west traffic and only for VMs and vNICs, then why does the "applied to" field show, for example, the "distributed portgroup" choice (which has nothing to do with VMs or vNICs), when it doesn't work anyway? I just tested this. It doesn't look like a very professional design.

DaleCoghlan
VMware Employee

Distributed PortGroup, when used in the "applied to" field, is a valid choice. The NSX Manager will resolve all the vNICs which are connected to the specified portgroup and apply the rule to the resolved list of vNICs.

IvarHome
Hot Shot

But then it applies to vNICs and not to the portgroup. It's just logic.

ashsevenuk80
Enthusiast

Hi,

What if you created a security policy in the Service Composer and applied the firewall rule via that method?

DaleCoghlan
VMware Employee

All the objects (apart from Edge) that are available to choose in the Applied To field eventually resolve to a vNIC. This is fundamental to how the Distributed Firewall works. Even if you choose a Logical Switch, there is no construct that firewalls the logical switch itself. NSX Manager uses the chosen construct to resolve all the applicable vNICs for which to program the rule into the appropriate dvFilter attached to the vNIC.

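The resolution model described in the last two replies (every Applied To object except Edge is reduced to a set of vNICs; an IP set contributes none; source/destination matching works on addresses instead) explains every observation in the thread, including why a security group built from a logical switch or a VM works while the same group built from IPSet-test does not. The following toy model is an added example, not VMware's code: it encodes that resolution over a constructed inventory mirroring the thread's setup. The object kinds, the vNIC id format, and the assumption that the thread's first (working) SG-test was built from a VM object are all assumptions of this example.

```python
from dataclasses import dataclass, field


@dataclass
class Inventory:
    """Constructed stand-in for the vCenter/NSX inventory the NSX Manager consults."""
    vm_vnics: dict = field(default_factory=dict)         # VM name -> vNIC ids
    network_vnics: dict = field(default_factory=dict)    # logical switch / dvportgroup -> vNIC ids
    security_groups: dict = field(default_factory=dict)  # SG name -> [(member kind, member name)]
    ip_sets: dict = field(default_factory=dict)          # IP set name -> addresses (no vNIC info)


def resolve_vnics(inv, kind, name, _seen=None):
    """Resolve one Applied To object to the set of vNICs the rule would be programmed on."""
    if _seen is None:
        _seen = set()
    if (kind, name) in _seen:          # nested security groups may reference each other
        return set()
    _seen.add((kind, name))
    if kind == "vnic":
        return {name}
    if kind == "vm":
        return set(inv.vm_vnics.get(name, []))
    if kind in ("logical_switch", "dvportgroup"):
        return set(inv.network_vnics.get(name, []))
    if kind == "ipset":
        return set()                   # an address list has no vNIC to resolve to
    if kind == "security_group":
        vnics = set()
        for member_kind, member_name in inv.security_groups.get(name, []):
            vnics |= resolve_vnics(inv, member_kind, member_name, _seen)
        return vnics
    raise ValueError("object type not valid in Applied To: " + kind)


def resolve_addresses(inv, kind, name):
    """Source/destination matching works on addresses, which is why an IP-set-only
    security group is fine there (as the thread observes). VM address discovery is not modelled."""
    if kind == "ipset":
        return set(inv.ip_sets.get(name, []))
    if kind == "security_group":
        addrs = set()
        for member_kind, member_name in inv.security_groups.get(name, []):
            addrs |= resolve_addresses(inv, member_kind, member_name)
        return addrs
    return set()


def rule_is_programmed(inv, applied_to):
    """A rule reaches a host only if its Applied To objects resolve to at least one vNIC."""
    return any(resolve_vnics(inv, kind, name) for kind, name in applied_to)


def build_thread_inventory():
    """Constructed inventory mirroring the thread: one VM, 172.18.132.2, on one logical switch."""
    inv = Inventory()
    inv.vm_vnics["vm-test"] = ["vm-test.000"]
    inv.network_vnics["LS-test"] = ["vm-test.000"]
    inv.ip_sets["IPSet-test"] = ["172.18.132.2"]
    inv.security_groups["SG-test-ipset"] = [("ipset", "IPSet-test")]     # the failing variant
    inv.security_groups["SG-test-ls"] = [("logical_switch", "LS-test")]  # the working variant
    inv.security_groups["SG-test-vm"] = [("vm", "vm-test")]              # assumed: the original SG-test
    return inv


if __name__ == "__main__":
    inv = build_thread_inventory()
    for sg in ("SG-test-ipset", "SG-test-ls", "SG-test-vm"):
        print(sg, "vnics:", sorted(resolve_vnics(inv, "security_group", sg)),
              "programmed:", rule_is_programmed(inv, [("security_group", sg)]),
              "addresses:", sorted(resolve_addresses(inv, "security_group", sg)))
```

The asymmetry the thread keeps running into is visible in the two resolvers: SG-test-ipset yields an address set (so it matches as source or destination) but an empty vNIC set (so as Applied To it programs the rule nowhere).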