VMware Networking Community
jwaldrop
Contributor

NSX-T 2.4.1 Firewall Issue with VM object

Hey, I am doing some testing with the NSX-T 2.4.1 DFW. I have a rule set up to only allow ICMP and RDP to a specific test VM. The only way the FW rules work is if I add the IPv4 address to the JUMP02-VM group; if I only add the VM object, the rules do not apply and the default allow rule is hit.

I checked to make sure the VM Tools are up to date and running. If I look in the NSX-T Inventory at the VM, it shows the correct IP.

Here are screenshots

[three screenshots attached]

2 Replies
hansroeder
Enthusiast

Is this VM part of an Overlay or VLAN Transport Zone?

Also, what does the IP Discovery Segment Profile look like for the Segment this VM is running on? In this profile you can select which methods will be used to detect IP addresses (VMware Tools, DHCP Snooping, ARP Snooping).

mauricioamorim
VMware Employee

Here are some troubleshooting steps, considering the VM is on an ESXi host:

1) On NSX Manager go to Inventory -> Virtual Machines -> Advanced Configuration

2) Verify Source and VIF Attachment

3) SSH to the ESXi host the VM is on and enter nsxcli

4) Confirm the VIF you saw on NSX Manager appears with command "get firewall vifs"

5) Confirm the rules are applied correctly with command "get firewall <vifuuid> ruleset rules"

6) Confirm the IP addresses are mapped correctly with command "get firewall <vifuuid> addrsets"

Send us the screens if you need more help and don't forget to check IP Discovery profile.

The place you actually see on NSX Manager if the IPs are being correctly discovered is not on the screenshot you sent below, but actually on Advanced Networking and Security -> Switching -> Ports. When you click on the port the VM is attached to there is some information under Address Bindings. Look there to see if the IP address of the VM is learnt.

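Both replies above point at the same mechanism: a DFW rule scoped to a VM object only takes effect once NSX-T has discovered an IP for the VM's logical port (the Address Bindings on the port), and which addresses get discovered depends on the IP Discovery profile of the segment (VMware Tools, DHCP snooping, ARP snooping). Until an address is learnt, the VM-based group realizes to an empty address set, the rule matches nothing, and traffic falls through to the default rule. The script below is an added example, not code from this thread or from VMware, that expresses that check over two JSON documents. The field names used (discovered_bindings, binding.ip_address, source, ip_v4_discovery_options, vmtools_enabled, dhcp_snooping_enabled, arp_snooping_config.arp_snooping_enabled) are assumptions modelled on the NSX-T Manager and Policy API objects, and the sample payloads are constructed; fetch the real documents with GET /api/v1/logical-ports/<port-id>/state and the IP discovery profile endpoint of your NSX-T version, and confirm the names against the API guide before relying on them.

```python
"""Added example (not from the thread or from VMware): explain why a DFW rule
keyed on a VM object may not match by comparing the expected guest IP with the
addresses NSX-T has discovered for the VM's logical port, and with the
discovery methods the segment's IP Discovery profile enables.

All field names below are ASSUMED (modelled on the NSX-T Manager/Policy API);
both sample payloads are CONSTRUCTED for this example.
"""
import json

# Assumed mapping from a discovered binding's "source" value to the profile
# flag that enables that discovery method.
SOURCE_TO_PROFILE_FLAG = {
    "VM_TOOLS": "vmtools_enabled",
    "DHCP_SNOOPING": "dhcp_snooping_enabled",
    "ARP_SNOOPING": "arp_snooping_config.arp_snooping_enabled",
}


def discovered_ips(port_state):
    """Return {ip_address: source} for every discovered binding on the port."""
    found = {}
    for entry in port_state.get("discovered_bindings", []):
        ip = entry.get("binding", {}).get("ip_address")
        if ip:
            found[ip] = entry.get("source", "UNKNOWN")
    return found


def enabled_methods(profile):
    """Return the set of IPv4 discovery methods the profile turns on."""
    opts = profile.get("ip_v4_discovery_options", {})
    methods = set()
    if opts.get("vmtools_enabled"):
        methods.add("VM_TOOLS")
    if opts.get("dhcp_snooping_enabled"):
        methods.add("DHCP_SNOOPING")
    if opts.get("arp_snooping_config", {}).get("arp_snooping_enabled"):
        methods.add("ARP_SNOOPING")
    return methods


def diagnose(port_state, profile, expected_ip):
    """Decide whether a rule scoped to this VM object can match expected_ip.

    Returns {"ok": bool, "reason": str}. The DFW address set for a VM-based
    group is built from discovered bindings, so an undiscovered IP means the
    rule never matches and the default rule is hit.
    """
    ips = discovered_ips(port_state)
    methods = enabled_methods(profile)
    if expected_ip in ips:
        return {"ok": True,
                "reason": "%s discovered via %s; VM-object rules realize to it"
                % (expected_ip, ips[expected_ip])}
    if not methods:
        return {"ok": False,
                "reason": "no IPv4 discovery method enabled in the segment's "
                          "IP Discovery profile; enable VMware Tools, DHCP or "
                          "ARP snooping or add the IP to the group manually"}
    if ips:
        return {"ok": False,
                "reason": "port has bindings %s but not %s; check the guest "
                          "address and stale bindings" % (sorted(ips), expected_ip)}
    return {"ok": False,
            "reason": "no IP discovered although %s enabled; check VMware Tools "
                      "status, DHCP path or ARP traffic on the port"
            % sorted(methods)}


# CONSTRUCTED sample: port state where VMware Tools reported the address.
SAMPLE_PORT_STATE_OK = {
    "discovered_bindings": [
        {"binding": {"ip_address": "10.10.20.15",
                     "mac_address": "00:50:56:aa:bb:cc"},
         "source": "VM_TOOLS"}
    ]
}
# CONSTRUCTED sample: port with nothing learnt yet.
SAMPLE_PORT_STATE_EMPTY = {"discovered_bindings": []}
# CONSTRUCTED profiles: one with every method enabled, one with all disabled.
SAMPLE_PROFILE_ALL_ON = {"ip_v4_discovery_options": {
    "vmtools_enabled": True, "dhcp_snooping_enabled": True,
    "arp_snooping_config": {"arp_snooping_enabled": True, "arp_binding_limit": 1}}}
SAMPLE_PROFILE_ALL_OFF = {"ip_v4_discovery_options": {
    "vmtools_enabled": False, "dhcp_snooping_enabled": False,
    "arp_snooping_config": {"arp_snooping_enabled": False}}}

if __name__ == "__main__":
    for state, prof in ((SAMPLE_PORT_STATE_OK, SAMPLE_PROFILE_ALL_ON),
                        (SAMPLE_PORT_STATE_EMPTY, SAMPLE_PROFILE_ALL_OFF),
                        (SAMPLE_PORT_STATE_EMPTY, SAMPLE_PROFILE_ALL_ON)):
        print(json.dumps(diagnose(state, prof, "10.10.20.15")))
```

In practice, feed diagnose() the JSON returned for the VM's logical port state and the IP discovery profile bound to its segment; a false result with "no IPv4 discovery method enabled" is exactly the case where only adding the IPv4 address to the group makes the rule work, as described in the original post.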