VMware Networking Community
hardikpithadia
Contributor

Distributed Firewall (DFW) packets hitting Default Rule instead of previous Rule allowing/blocking designated traffic

Hello All,

I have setup a lab of NSX-V to complete pre-defined use cases, successfully completed couple of PoCs and got stuck in the Micro-segmentation.

Configured a rule with service composer above default rule to allow communication with source and destination with service http and changed the default rule to blocked but still traffic is not going through configured rule.

I have checked from the flow monitoring it is getting blocked with default and not matching the configured rule.

Can anyone help me here.

Regards,

Hardik.

5 Replies
SureshKumarMuth
Commander

Have you published the changes? I hope the new rule is on top of the default one in the order list.

Regards,
Suresh
https://vconnectit.wordpress.com/
singho
VMware Employee

hardikpithadia
Contributor

Hi Suresh,

Thanks for taking time.

Yes, I have configured the custom rule well above the default rule and also published the changes, but it is still matching the default rule.

Regards,

Hardik

hardikpithadia
Contributor

Hello Singho,

I have gone through the KB article. Does it mean that we will not be able to control TCS traffic between VMs? If that is the case, Micro-segmentation is not giving the expected outcome.

I would like to know your view on this.

Regards,

Hardik.

mauricioamorim
VMware Employee

Hi,

How have you configured the rule? Are you using objects?

When firewall rules are created using objects, they have to be translated to IP addresses to actually be applied. Here VMTools plays an important part, and if it is not present you might see the behavior you mention. Take a look at this: NSX Distributed Firewall Deep Dive – Route to Cloud

It has lots of good info on how this works.

Please check if you have VMTools in the VMs that you are trying to create a rule for, try to change the rule to use IP addresses instead of objects, and let us know the results.

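As an added example (not code from this thread or from VMware), a small model of the translation step the last reply describes: object-based rule endpoints are resolved to the guest IPs that VMware Tools reports, so a VM without Tools contributes no address and its traffic falls through to the default rule, while the same rule written with IP addresses matches. The inventory, group names and addresses below are constructed.

```python
# Added example: minimal model of first-match DFW evaluation with object-to-IP
# translation. Not NSX code; inventory, groups and addresses are constructed.
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: guest_ip is what VMware Tools reports (None = no Tools).
INVENTORY = {
    "web-01": {"groups": {"SG-Web"}, "guest_ip": "10.0.1.10"},
    "app-01": {"groups": {"SG-App"}, "guest_ip": None},        # no VMware Tools
    "app-02": {"groups": {"SG-App"}, "guest_ip": "10.0.2.20"},
}

@dataclass
class Rule:
    name: str
    src: set                          # security-group names, IPs, or {"any"}
    dst: set
    service: Optional[tuple] = None   # (proto, port) or None for any service
    action: str = "allow"

def translate(obj_set, inventory):
    """Resolve a rule endpoint to the set of IPs the DFW can actually match."""
    if "any" in obj_set:
        return {"any"}
    ips = set()
    for item in obj_set:
        if item[0].isdigit():         # literal IP address: used as-is
            ips.add(item)
            continue
        for vm in inventory.values():  # security-group name: needs guest IPs
            if item in vm["groups"] and vm["guest_ip"]:
                ips.add(vm["guest_ip"])
    return ips                         # empty if no member VM reported an IP

def matches(rule, pkt, inventory):
    src_ok = translate(rule.src, inventory) & {"any", pkt["src"]}
    dst_ok = translate(rule.dst, inventory) & {"any", pkt["dst"]}
    svc_ok = rule.service is None or rule.service == (pkt["proto"], pkt["dport"])
    return bool(src_ok and dst_ok and svc_ok)

def evaluate(rules, pkt, inventory=INVENTORY):
    """Top-down first match, as in the DFW rule table; returns (name, action)."""
    for rule in rules:
        if matches(rule, pkt, inventory):
            return rule.name, rule.action
    raise ValueError("rule table must end with a default rule")

def vms_without_guest_ip(inventory=INVENTORY):
    """VMs whose objects cannot be translated: check VMware Tools on these first."""
    return sorted(name for name, vm in inventory.items() if not vm["guest_ip"])

RULES = [
    Rule("allow-web-to-app-http", {"SG-Web"}, {"SG-App"}, ("tcp", 80), "allow"),
    Rule("default", {"any"}, {"any"}, None, "block"),
]
```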