I have experienced that when a DFW rule is applied to a security group, it has strange behaviour.
I have a VM, 172.18.132.2. First I build a security group, SG-test, which consists only of 172.18.132.2.
source | destination | service | action | applied to |
---|---|---|---|---|
172.18.132.2 | any | any | allow | SG-test |
172.18.132.2 | any | any | reject | dfw |
It works fine. The VM can communicate with others.
Then I modify the security group. First I build an IP set, IPSet-test, which is composed only of 172.18.132.2. Then I build a security group, SG-test, which consists only of IPSet-test. The firewall rules are the same. But now the VM cannot communicate with others anymore.
After more investigation I can conclude that a security group which contains an IP set works fine as source and destination, but not as "applied to". Unfortunately it is exactly "applied to" where we have no possibility to choose an IP set.
source | dest | service | action | applied to |
---|---|---|---|---|
172.18.132.2 | any | any | allow | SG-test |
172.18.132.2 | any | any | reject | dfw |
I have made a smaller table, so that all columns can be shown.
Try to change the source to SG-test as well, instead of the VM's IP,
and also keep the applied to as it is, "SG-test".
Please consider marking this answer "CORRECT" or "Helpful" if you think your question has been answered correctly.
Cheers,
VCIX6-NV|VCP-NV|VCP-DC|
Hi Hassan,
Thank you for your quick response.
I have tried to set the source to SG-test instead of the IP; it doesn't work, as long as "applied to" uses a security group which contains IP sets.
Another try I did was to compose SG-test with the logical switch where 172.18.132.2 is sitting. The firewall rule works fine, no matter whether I set both source and applied-to to SG-test or not. All combinations I have tried lead to the conclusion that: if "applied to" is a security group which contains IP sets, the firewall rule will not be implemented.
But I would very much like to use a security group containing IP sets placed in the column "applied to".
Best regards
Liu
This is by design. Please reference the supported objects used by the applied-to field:
Source or Destination | Applied To |
---|---|
Hi Jamib,
We agree with each other that one of the supported objects for the column "applied to" is a security group.
A security group can be constructed from IP sets, logical switches, VMs, etc.
When the security group used in "applied to" contains an IP set, the firewall rule will not be implemented.
I know that IP sets cannot be used directly in "applied to". That doesn't mean that a security group in the column "applied to" should not have an IP set.
Best regards
Liu
I cannot find any public documentation on this,
but my understanding is that if the "Applied To" field is going to be applied to a Security Group, it needs to be against vCenter objects, as it performs the calculation based on vCenter's inventory,
not an IP address, which is what an IP Set is.
DFW rules with "Applied To" set to a "Security Group" are not published to hosts (2148509)
The NSX Manager must determine which vSphere clusters the DFW rules are applied to.
It performs this calculation based on the inventory updates from vCenter and the entity specified in the "Applied To" field.
The "Applied To" in the "Firewall Scope" documentation only allows objects such as cluster, datacenter, VM, vNIC, etc., but not IP Set.
If the rule contains virtual machines/vNICS in the source and destination fields,
you must add both the source and destination virtual machines/vNICS to Applied To for the rule to work correctly.
To apply a rule to | Do this |
---|---|
All prepared clusters in your environment | Select Apply this rule on all clusters on which Distributed Firewall is installed. After you click OK, the Applied To column for this rule displays Distributed Firewall. |
All NSX Edge gateways in your environment | Select Apply this rule on all the Edge gateways. After you click OK or SAVE, the Applied To column for this rule displays All Edges. If both the above options are selected, the Applied To column displays Any. |
One or more cluster, datacenter, distributed virtual port group, NSX Edge, network, virtual machine, vNIC, or logical switch | In the Available list, select one or more objects and click . |
If you want to be sure, you can open a case with VMware Support to clarify this.
I will update here in case I find any KB related to this.
Hi Bayu,
Thank you for your input.
I think it is a bug, because security group is one of the choices for the "applied to" column, so the firewall rule should work no matter how the security group is composed. I will open a case. I wonder if I am the only one in this world who would like to use a security group or IP sets in the "applied to" column.
Best regards
Liu
The objects which are used in the Applied To field of a DFW rule are used to resolve a set of vNICs for which the rule is to be applied to.
If the SG you use in the security group only contains IP Sets, there are no vNICs that resolve to IP Sets, and hence the rule will not get applied to any vNICs. This is the correct behaviour and NOT a bug.
To "visualise" this behaviour, you can query the translation API for an individual security group to list the resulting vNICs:
GET /api/2.0/services/securitygroup/{objectId}/translation/vnics
Hi DaleCoghlan,
Thank you for your explanation. I understand what you mean.
What happened to me was that I applied a firewall rule to a security group containing IP sets. My customer complained to me that it didn't work. It took me some days to find out. I hope that the VMware team can get it fixed, or at least give an online warning, so other people would not repeat the mistake.
Best regards
Liu
Hi DaleCoghlan,
I have tried to put a security group containing IP sets in source/destination in the firewall rules. And it works.
But as you mentioned, a security group containing IP sets cannot be resolved to a vNIC, so the above firewall rules should not work.
BR
Liu
When the distributed firewall is only for east-west traffic and only for VMs and vNICs, then why does the "applied to" field show, for example, the "distributed portgroup" choice (which has nothing to do with VMs or vNICs), when it doesn't work anyway? I just tested this. It doesn't look like a very professional design.
Distributed PortGroup when used in the "applied to" is a valid choice. The NSX Manager will resolve all the vnics which are connected to the specified portgroup and apply the rule to resolved list of vnics.
But then it applies to vNICs and not to the portgroup. It's just logic.
Hi,
What if you created a security policy in the Service Composer and applied the firewall rule via that method?
All the objects (apart from Edge) that are available to choose in the Applied To field eventually resolve to a vNic. These are the fundamentals of how the Distributed Firewall works. Even if you choose a Logical Switch, there is no construct that firewalls the logical switch itself. NSX Manager uses the chosen construct to resolve all the applicable vNics for which to program the rule into the appropriate dvFilter attached to the vNic.
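The two explanations above (DaleCoghlan's pointer to the translation API, and the closing point that every Applied To object resolves to vNics) can be turned into a check that shows exactly what Liu observed: a security group built from an IP set resolves to IP addresses, so it works in Source/Destination, but resolves to zero vNICs, so a rule with it in Applied To is programmed on no dvFilter. The script below is an added example written for this thread; it is not VMware code and not something any poster published. It assumes the NSX-v 6.x translation endpoints `/translation/vnics` (quoted in the thread) and its sibling `/translation/ipaddresses`, and the XML element names the parsers look for, as well as the sample responses, are constructed to illustrate the shape and should be checked against the API reference of the NSX version in use before relying on them.

```python
"""Resolve what an NSX-v security group translates to, the way NSX Manager
does when it programs a DFW rule: Applied To -> vNICs, Source/Destination -> IPs.

Added example for this thread, not VMware code. Assumed: endpoint paths
(NSX-v 6.x translation API), the XML element names parsed, and the sample
documents at the bottom, which are constructed.
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

VNICS_PATH = "/api/2.0/services/securitygroup/{sg}/translation/vnics"
IPS_PATH = "/api/2.0/services/securitygroup/{sg}/translation/ipaddresses"


def nsx_get(manager, path, user, password, verify_tls=True):
    """GET an NSX Manager API path with HTTP basic auth; return the XML body."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab managers with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request("https://" + manager + path)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Accept", "application/xml")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode()


def parse_vnics(xml_text):
    """vNIC ids in a translation/vnics response.
    Assumed shape: <vnics><vnic><vnicId>...</vnicId>...</vnic></vnics>"""
    root = ET.fromstring(xml_text)
    return [v.findtext("vnicId") for v in root.iter("vnic") if v.findtext("vnicId")]


def parse_ipaddresses(xml_text):
    """IPs in a translation/ipaddresses response.
    Assumed shape: <ipNodes><ipNode><ipAddresses><string>...</string>..."""
    root = ET.fromstring(xml_text)
    return [s.text for s in root.iter("string") if s.text]


def diagnose(vnics, ips):
    """Where a rule takes effect if this SG is placed in each field."""
    return {
        "applied_to_effective": bool(vnics),  # rule is programmed on these dvFilters
        "usable_as_src_dst": bool(ips),       # rule matches these addresses
        "vnics": vnics,
        "ips": ips,
    }


def check_security_group(manager, sg_id, user, password, verify_tls=True):
    """Live check against an NSX Manager (needs network access)."""
    vnics = parse_vnics(nsx_get(manager, VNICS_PATH.format(sg=sg_id), user, password, verify_tls))
    ips = parse_ipaddresses(nsx_get(manager, IPS_PATH.format(sg=sg_id), user, password, verify_tls))
    return diagnose(vnics, ips)


# Constructed sample responses mirroring the two SG-test variants in the thread.
SG_IPSET_ONLY_VNICS = "<vnics></vnics>"
SG_IPSET_ONLY_IPS = (
    "<ipNodes><ipNode><ipAddresses><string>172.18.132.2</string>"
    "</ipAddresses></ipNode></ipNodes>"
)
SG_LOGICAL_SWITCH_VNICS = (
    "<vnics><vnic><vnicId>502a1b2c-0000-0000-0000-000000000001.000</vnicId>"
    "<vmName>vm-172-18-132-2</vmName></vnic></vnics>"
)
SG_LOGICAL_SWITCH_IPS = SG_IPSET_ONLY_IPS


if __name__ == "__main__":
    samples = [
        ("SG-test built from IPSet-test", SG_IPSET_ONLY_VNICS, SG_IPSET_ONLY_IPS),
        ("SG-test built from the logical switch", SG_LOGICAL_SWITCH_VNICS, SG_LOGICAL_SWITCH_IPS),
    ]
    for name, vnic_xml, ip_xml in samples:
        d = diagnose(parse_vnics(vnic_xml), parse_ipaddresses(ip_xml))
        print(f"{name}: applied_to_effective={d['applied_to_effective']} "
              f"usable_as_src_dst={d['usable_as_src_dst']} vnics={d['vnics']} ips={d['ips']}")
```

Run it against a real manager with `check_security_group("nsxmgr.example.local", "securitygroup-10", "admin", password)` (hostname and object id are placeholders); an `applied_to_effective` of `False` on a group you intend to use in Applied To is the condition this thread describes, and is worth checking in any script that creates DFW rules before they are published.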