Within vShield Manager, we have a new VLAN created - for some reason we are unable to add a General (Layer 3) or Ethernet (Layer 2) App Firewall rule.
I have attached a screenshot that shows how the Add Rule button is disabled.
Can anyone shed any light on why this is not letting me add a rule?
May I know what version of VCNS you are using? Have you ever added App rules or used vShield App in this set-up? Ensure that one vShield App is deployed per host in the cluster.
If you have added any rules via App so far, it should certainly reflect there. VCD won't use vShield App for firewall rules; VCD will always use the vShield Edge firewall feature. Edge is a perimeter device and vShield App is used for East-West traffic firewalling. So depending upon the use case, at times we may be in need of both solutions. Do you have a vShield App deployed on all 19 hosts in your cluster? As mentioned earlier, when you install vShield App it will deploy a firewall appliance per host.
Page no: 26 ---> http://www.vmware.com/pdf/vshield_51_quickstart.pdf
OK, yes, sorry, the vCD is not the issue here, but surely I should be able to deploy Layer 2/3 rules without the need for the vShield App to be deployed.
Could there be an issue with version incompatibility across vCD/vSM/vCenter etc.?
You are correct, without even deploying vShield App you should be able to add vShield App rules. Ideally no one will do that, because for the rules to work we need App installed on each and every host in the cluster. Are you logged in with full admin access to VCNS? Can you try rebooting VCNS if possible? There won't be any impact on existing rules or traffic; however, no configuration changes would be accepted till the appliance is back.
Rebooting hasn't helped unfortunately, and the problem appears to be across multiple customer clouds. Existing VLANs are fine; this is only an issue with newly added VLANs. Any further suggestions?
Sorry for the late reply. I would request you to raise a ticket with VMware to check this further. Also, I'm unsure when you say "Existing VLANs are fine, this is only an issue with newly added VLANs". Please note, the screenshot you have attached doesn't have any rules captured. I hope you have rules populated over there? (Same ask in my third response in this thread.) If you have configured rules earlier and they are not showing there, then it needs to be checked from the DB perspective, OR if the issue is "You are not able to add any rules because the + sign is grayed out", we have covered pretty much everything we can discuss, and Support can certainly help you further once they have access to the environment.