VMware Networking Community
MRoushdy
Hot Shot

NSX-T native Gateway firewall, not processing further rules

Hello,

I'm testing NSX-T in my lab, and I faced an obstacle with the Gateway firewall. I have four rules, one for DNS, one for DHCP, one for internet access, and the last one is a catch-all set to deny any other traffic, and I've found that it processes only one rule and skips (or ignores) the rest, so the VM would get an IP from the DHCP server and fail to query DNS. This quote is from a VMW article:

first rule that matches the packet has its configured action applied, and any processing specified in the rule's configured options is performed and all subsequent rules are ignored (even if a later rule is a better match).

So, does it mean what I understood, that this firewall is useless? How can I set up a logical north-south firewall then, please?

vEXPERT - VCAP-DCV - Blog: arabitnetwork.com | YouTube: youtube.com/c/MohamedRoushdy
4 Replies
A13xxx
Enthusiast

I went through this nightmare a few days ago: gateway default deny, then I created a default deny in the application rules of the DFW (since the default seems to be allow!!!) and then used the other sections for infrastructure services. Seems to work, and deny all works.

I tried to use the GW for NS traffic and the DFW for EW, but that just ended up being a nightmare and a pain to diagnose since we do not have a paid-for subscription to Log Intel. Now it's deny all in all areas and the DFW does the work.

MRoushdy
Hot Shot

Thanks for responding back. So, what do you want me to do exactly? :)

bhatg
VMware Employee

It should work, but a few questions to understand more about your setup.

- Can you share the exact rules you have defined? Static or dynamic groups?

- Have you root-caused why the DNS query is failing?

      - Is the DNS server IP outside the T1 GW (over its uplink)?

      - Presume you have routes available to the DNS server and back.

MRoushdy
Hot Shot

Hi again,

I'm sorry for my terrible drawing, but simply this is my network. I use only a Tier-0 GW. Everything is reachable as long as I don't use the GW firewall; once I enable the rules, only one of them works, and traffic sticks to it, meaning that no further rules process traffic. I fix this by disabling the "catch all" rule (I created it), but I think traffic goes to the default NSX catch-all rule that is set to "Allow", and I am unable to edit it. Rule logging counts for the rules I set, sometimes but not always; there's something wrong. The rules are here:

1- "Internet", source: any, destination: 0.0.0.0/0 (there's a static route for it and it works fine if no firewall rule is enabled, I also use BGP by the way), mode: allow.

2- "DNS", source: any, destination: DNS_IP, set to allow indeed.

3- "DHCP", source: any, destination: the Cisco router.

4- "DenyAll", source: any, dest: any, and set to "drop".

[attached network diagram: pastedImage_1.png]

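As an added illustration (not from the thread or from VMware), the following small simulator applies the first-match processing quoted in the opening post to the four rules exactly as listed above, and reports which rule each sample flow hits and which rules are shadowed by an earlier one. The DNS server and router addresses are constructed placeholders, and services/ports are omitted because the post does not list them.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str

def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)

ANY = net("0.0.0.0/0")
# Constructed placeholder addresses; the post does not give the real ones.
DNS_IP = net("192.0.2.53/32")
ROUTER_IP = net("192.0.2.1/32")

# The four rules in the order given in the post (services omitted: not listed there).
RULES = [
    Rule("Internet", ANY, net("0.0.0.0/0"), "allow"),
    Rule("DNS", ANY, DNS_IP, "allow"),
    Rule("DHCP", ANY, ROUTER_IP, "allow"),
    Rule("DenyAll", ANY, ANY, "drop"),
]

def first_match(rules: list, src: str, dst: str) -> Optional[Rule]:
    """Apply the first rule whose source and destination contain the flow;
    later rules are ignored even if they would be a better match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule
    return None  # no user rule hit: the gateway's own default rule applies

def shadowed_rules(rules: list) -> list:
    """Return (rule, shadowing_rule) name pairs for rules that can never match
    because an earlier rule already covers their whole source/destination space."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if rule.src.subnet_of(earlier.src) and rule.dst.subnet_of(earlier.dst):
                found.append((rule.name, earlier.name))
                break
    return found

if __name__ == "__main__":
    for src, dst in [("10.0.0.5", "192.0.2.53"), ("10.0.0.5", "198.51.100.9")]:
        hit = first_match(RULES, src, dst)
        print(f"{src} -> {dst}: " + (f"{hit.name} ({hit.action})" if hit else "default rule"))
    print("shadowed:", shadowed_rules(RULES))
```

Because a destination of 0.0.0.0/0 contains every address, the "Internet" rule in first position is itself a catch-all, so the check flags the DNS, DHCP and DenyAll rules as unreachable until that rule is moved below them or narrowed.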