Building NSX DFW rules and trying to show only the flows that are hitting the default rule at the end of the firewall policy. vRNI is showing all flows that could hit the default rule but also that hit other rules. In reality, if a flow hits a particular rule in DFW, NSX will stop processing the flow and take the designated action. But vRNI is showing flows that hit on the default rule even when higher-level rules are hit too. In the output of vRNI, it shows a list of the firewall rules that each flow hits.
Is there a way to query vRNI to show only the flows that would ONLY hit the default rule?
There is. This search will show you the flows that only get hit by the default rule: flow where firewall rule = 'Default Rule'
The requirement here is that you have IPFIX being sent from NSX, as that's where the rule IDs are attached to the actual flows. If there's a higher level rule, preceding the default rule, the flow will get tagged with that higher rule. A flow will only have a single firewall rule attached.
Did I understand your question correctly?
Unfortunately, that query is what I was trying and it gives all flows that hit the "Default Rule" AND any other rules. The only solution I have found so far is to query "flows where firewall rule = 'Default Rule'" and then export the data to CSV. Then in Excel, filter on the rule column for ONLY the 'Default Rule'.
Additionally, the flows will show up with more than one firewall rule attached. It will show all firewall rules that match for that flow. That is why I have to use Excel to filter the CSV.